Re: Recording for my DebConf talk about CVEs

2024-08-30 Thread Sylvain Beucler
ng. In practice I find the opposite: I often spend little DLA time backporting (especially if the change was already identified, backports are most often trivial), and the vast majority of my time actually testing the changes, including manual tests targeting each CVE-impacted area :) Cheers! Sylvain Beucler Debian LTS Team

Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

2023-12-19 Thread Sylvain Beucler
? [0] https://security-tracker.debian.org/tracker/source-package/jq [1] https://github.com/jqlang/jq/issues/2986 [2] https://bugs.debian.org/1058763 Ideally you can contact MITRE through https://cveform.mitre.org/ to mark CVE-2023-49355 as a duplicate. Cheers! Sylvain Beucler Debian LTS Team

Re: Debian Security Tracker - `no-dsa` Clarification

2022-11-21 Thread Sylvain Beucler
e the triage is meant to guide the Debian Security / LTS Teams' actions only, and is not particularly fine-grained. Cheers! Sylvain Beucler Debian LTS Team On 21/11/2022 11:01, Hadas Bloom wrote: My name is Hadas, I'm in the Snyk Security Group. I've been in contact with you a whil

Re: FYI php disable_function bypass bug

2021-10-09 Thread Sylvain Beucler
y release a new fixed version themselves. Thanks for the info. Cheers! Sylvain Beucler Debian LTS Team

Re: no-dsa for Samba CVEs in Debian.

2021-05-19 Thread Sylvain Beucler
Hello Andrew,

On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
> Yes, due to the various cycles, freeze windows and support lifetimes,
> Debian almost always ships unsupported Samba versions, and even if the
> series is supported, the point release is not, because those are not
> f

Re: Is this the right place to discuss no-dsa choices?

2021-05-17 Thread Sylvain Beucler
LTS (stretch/oldstable) specifically, which is extended support and is usually performed by the LTS team without involving the package maintainers, you may want to reach debian-...@lists.debian.org. Cheers! Sylvain Beucler Debian LTS Team On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett w

Re: Revert "CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot"

2020-03-18 Thread Sylvain Beucler
Hi, First, it is a bit stressful when one's work is reverted without direct communication; this requires constant checking whether there are related commits to one's past days of work, and given the volume this also can be just missed. I would recommend e.g. a quick mail in such a situation, WDYT? N

Re: Status of php-mbstring vs. libonig

2019-11-26 Thread Sylvain Beucler
Hi,

On 25/11/2019 15:20, Salvatore Bonaccorso wrote:
> On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
>> On 22/11/2019 21:23, Sylvain Beucler wrote:
>>> I see in 'embedded-code-copies':
>>>
>>>   libonig
>>>       - p

Re: Status of php-mbstring vs. libonig

2019-11-25 Thread Sylvain Beucler
Hi,

On 22/11/2019 21:23, Sylvain Beucler wrote:
> I see in 'embedded-code-copies':
>
>   libonig
>       - php5 5.3.2-1 (embed)
>
> (i.e. from 2010)
>
> Jessie seems to properly link to libonig (dependency of e.g.
> libapache2-mod-php5).
>
> Stretch

Status of php-mbstring vs. libonig

2019-11-22 Thread Sylvain Beucler
Hi,

I see in 'embedded-code-copies':

  libonig
      - php5 5.3.2-1 (embed)

(i.e. from 2010)

Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5). Stretch and Buster however (probably since the new phpX.X-mbstring package) do not link libonig anymore, despite build

Re: Verified Boot, Secure Boot, dm-verity, debcheckroot

2019-11-16 Thread Sylvain Beucler
Hi,

On 16/11/2019 15:22, Elmar Stellnberger wrote:
>
>> There are tools that can help with checking all files on the hard drive
>> such as `debsums`. However, while `debsums` is more popular, it is
>> unsuitable.
>>
>> Quote https://www.elstel.org/debcheckroot/
>>
>> ...
>> During development of V

gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-04 Thread Sylvain Beucler
Hi, I'm working on CVE-2018-16868/CVE-2018-16869, a side-channel attack that affects gnutls and nettle, disclosed 2018-12, tagged low/local. Unlike what I read in data/CVE/list, I understand that the nettle fix is not just a new function - it's a rewrite of the RSA functions, complemented by a