Re: Security tracker suggestions

2025-06-27 Thread Roberto C. Sánchez
Hi Adrian, On Thu, Jun 26, 2025 at 02:59:06AM +0300, Adrian Bunk wrote: > Hi, > > below are some items I have for security tracker development. > > No commitment from me to work on any of these, but if this > is considered useful I can turn them into salsa issues. > These all seem like ideas t

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-06-03 Thread Roberto C. Sánchez
On Sun, May 18, 2025 at 06:43:37PM +0200, Salvatore Bonaccorso wrote: > Hi Santiago, > > On Fri, May 16, 2025 at 03:20:36PM -0300, Santiago Ruano Rincón wrote: > > > > Would you be OK if we track the above proposal on a salsa issue in, > > https://salsa.debian.org/security-tracker-team/security-t

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-18 Thread Salvatore Bonaccorso
Hi Santiago, On Fri, May 16, 2025 at 03:20:36PM -0300, Santiago Ruano Rincón wrote: > Dear security team, > > On 10/05/25 at 16:14, Samuel Henrique wrote: > > Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. > > > > On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-16 Thread Santiago Ruano Rincón
Dear security team, On 10/05/25 at 16:14, Samuel Henrique wrote: > Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. > > On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso wrote: > > Yes the A2 would go in the direction we are thinking, internally we > > have said t

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-10 Thread Samuel Henrique
Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso wrote: > Yes the A2 would go in the direction we are thinking, internally we > have said to it a new "nonissue" state, which can apply as well at > suite entry levels (this

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-01 Thread Salvatore Bonaccorso
Hi Samuel, On Sun, Apr 13, 2025 at 04:47:38PM +0100, Samuel Henrique wrote: > Hello Salvatore, > > On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso wrote: > > I have not gone to all details of your proposal, but the high level > > view is IMHO as described in short above. For instance for the

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Samuel Henrique
Hello Salvatore, On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso wrote: > I have not gone to all details of your proposal, but the high level > view is IMHO as described in short above. For instance for the zlib > issues that would then move the entries from the ignored (which is a > substate o

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Salvatore Bonaccorso
Hi, On Sun, Apr 13, 2025 at 04:06:38PM +0100, Samuel Henrique wrote: > Hello everyone, > > On Sun, 2 Mar 2025 at 20:26, Samuel Henrique wrote: > > Just checking if you would have time to look into this. > > Sending another ping, this proposal is now 1 year old. > > For clarity, I'm not request

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Samuel Henrique
Hello everyone, On Sun, 2 Mar 2025 at 20:26, Samuel Henrique wrote: > Just checking if you would have time to look into this. Sending another ping, this proposal is now 1 year old. For clarity, I'm not requesting the team to do any work here. I can work on the changes, I just need a decision on

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-03-02 Thread Samuel Henrique
Hello Salvatore, On Sun, 1 Dec 2024 at 14:08, Salvatore Bonaccorso wrote: > On Wed, Nov 27, 2024 at 11:28:50PM +, Samuel Henrique wrote: > > On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > > > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso > > > wrote: > > > > As mentioned in an

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-12-01 Thread Salvatore Bonaccorso
Hi Samuel, On Wed, Nov 27, 2024 at 11:28:50PM +, Samuel Henrique wrote: > Hello Salvatore, > > On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso > > wrote: > > > As mentioned in an earlier message: What I would love to see is to > >

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-11-27 Thread Samuel Henrique
Hello Salvatore, On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso wrote: > > As mentioned in an earlier message: What I would love to see is to > > actually have a substate which makes the situation clear, and still > > being technically c

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-11-02 Thread Samuel Henrique
Hello everyone, I'll merge my replies to Moritz and Salvatore into a single email. Moritz, On Tue, 29 Oct 2024 at 19:15, Moritz Mühlenhoff wrote: > I'm also in favour of changing the tracking. The current procedure addresses a > fringe use case (supporting rebuilds of source packages) in an inc

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-10-29 Thread Salvatore Bonaccorso
Hi Samuel, On Tue, Oct 29, 2024 at 07:06:23PM +, Samuel Henrique wrote: > Hello everyone, > > On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort wrote: > > One issue I see with using not-affected for this is that not-affected > > effectively marks all older versions as that. However, in th

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-10-29 Thread Samuel Henrique
Hello everyone, On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort wrote: > One issue I see with using not-affected for this is that not-affected > effectively marks all older versions as that. However, in this case, a source > could be affected (e.g. in bookworm) and then in sid we've stopped

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-09-04 Thread Emilio Pozuelo Monfort
On 31/08/2024 20:07, Samuel Henrique wrote: Hello everyone, I've written another revision of my proposal, this is version 3 of it, the previous ones are on this email thread on debian-security@lists.debian.org. I did get some feedback from the Security Team privately, it wasn't anything confide

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-08-31 Thread Samuel Henrique
Hello everyone, I've written another revision of my proposal, this is version 3 of it, the previous ones are on this email thread on debian-security@lists.debian.org. I did get some feedback from the Security Team privately, it wasn't anything confidential, it's just that some members of the team

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-05-18 Thread Samuel Henrique
Hello everyone, Just wondering if the Security team could spend some time evaluating my proposal. Feedback from others is always welcome too, but in order to go ahead I would like to understand where the team stands. Cheers, -- Samuel Henrique

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-22 Thread Samuel Henrique
Hello everyone, I've done some small updates to the proposal, mostly improving readability and making my suggestion more clear. v2 below: I would like to propose something which will lower the amount of reported false-positive CVEs to our users by about 20%. # tl;dr We don't have a unique way o

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-04 Thread Gian Piero Carrubba
* [Wed, Apr 03, 2024 at 11:11:20PM +0100] Samuel Henrique: On the proposed solution I also mention that we can use the "(free text comment)" section to indicate that, while sticking to "not-affected", this would simplify things as no new value is needed. But parsing the cases where only the sourc

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Samuel Henrique
On Wed, 3 Apr 2024 at 17:04, Gian Piero Carrubba wrote: > > * [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique: > ># Alternative solutions: > >If we really want to distinguish the case when we don't produce any affected > >packages but the source contains the vulnerability (a build with dif

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Gian Piero Carrubba
* [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique: # Alternative solutions: If we really want to distinguish the case when we don't produce any affected packages but the source contains the vulnerability (a build with different flags might result in an affected package), we can create a n

Re: Security

2023-05-12 Thread Jeremy Stanley
On 2023-05-12 16:27:59 -0700 (-0700), Jeffrey Chimene wrote: [...] > So far, this official Debian list is in line with my expectations. > For every 1 person on a Debian list, there are 10 who will tell > you it's a waste of time. So far, the best "stop wasting our time" > line is that Debian is unl

Re: Security

2023-05-12 Thread Jeffrey Chimene
On 5/12/23 16:08, Jonathan Hutchins wrote: Here's hoping that this message is not lost in the flood of potentially thousands of read notifications to your mailing list post.  Hope you learned your lesson on that. I appreciate your concern that your message might have gotten lost. There aren'

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-11-18 Thread Elmar Stellnberger
On 09.04.22 at 23:31 Moritz Mühlenhoff wrote: Friedhelm Waitzmann wrote: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I get this from for buster and architecture i386?

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-06 Thread Salvatore Bonaccorso
On Tue, Jul 05, 2022 at 12:01:31AM +0200, Ben Hutchings wrote: > On Mon, 2022-07-04 at 22:17 +0200, Kurt Roeckx wrote: > > On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > > > > > For the oldstable distribution (buster), these problems have been > > > fixed in version 4.19.249-2.

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-04 Thread Ben Hutchings
On Mon, 2022-07-04 at 22:17 +0200, Kurt Roeckx wrote: > On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > > > For the oldstable distribution (buster), these problems have been > > fixed in version 4.19.249-2. > > It seems that linux-image-amd64 does not depend on > linux-image-4.

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-04 Thread Kurt Roeckx
On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > For the oldstable distribution (buster), these problems have been > fixed in version 4.19.249-2. It seems that linux-image-amd64 does not depend on linux-image-4.19.0-21-amd64 but still on linux-image-4.19.0-20-amd64, so the fixed

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-05-07 Thread Elmar Stellnberger
On 19.04.22 at 12:15 Elmar Stellnberger wrote: Today I have received a response on my g++ bug report at gcc.gnu.org. Gcc 8.3.0 as used in Debian 10 is no longer supported as the 8 branch has a newer version which is gcc 8.5. Why do Debian maintainers not update gcc, if there is a known bug t

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-19 Thread Elmar Stellnberger
Today I have received a response on my g++ bug report at gcc.gnu.org. Gcc 8.3.0 as used in Debian 10 is no longer supported as the 8 branch has a newer version which is gcc 8.5. Why do Debian maintainers not update gcc, if there is a known bug that prevents updated sources like firefox-esr-91.8

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-18 Thread Elmar Stellnberger
The patch from yesterday could be tested by manually shipping the executable. Today I have developed another patch (since the first one did not resolve it), one that compares against the backtrace with Debian 11 which is known to have a working gcc. The assumption that the Firefox and Qt5/moc

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
Just make sure you comment out the tests. It will greatly speed up compilation and one of these tests was even hanging two times: ./a.out -test.short -test.timeout=240s It is a known Debian Bug that the Go tests (a programming language) fail with gcc-8. If not you would have to connect

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
Likely it is possible to comment out the tournament checks after compilation (which did not succeed to find this error any way) in debian/rules; I would do it like this: check: check22: $(check_stamp) $(check_stamp): $(build_stamp) $(MAKE) -f debian/rules2 $@ (here I have renamed chec

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
I have now downloaded the source package and examined the backtrace of building Firefox and examined all the differences between gcc 8.3.0-1 (known bad from Debian10) and gcc 9.2.0 with gcc 9.2.1 being known to be good for moc/Qt5 from Ubuntu 19.10. There was only one difference I found along

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Odo Poppinger
Why not? On 16.04.22 16:05, Elmar Stellnberger wrote: >Given that this should not be possible for some reason, please > share your knowledge about these bugs, so that people like me > can try to find a fix. > > Elmar On 11.04.22 23:57, Moritz Muehlenhoff wrote: It is possible; if someone t

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Elmar Stellnberger
Maybe the Qt/moc and the gcc/Firefox bugs are unrelated. I have not heard anything about it here yet. I have found a page that tells the moc error can be resolved by upgrading from Qt 5.4.1 -> 5.4.2. https://topic.alibabacloud.com/a/usrincludec641bitsstl_relops67parse-error-at-std_1_31_30235235.

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-15 Thread Elmar Stellnberger
On Fri, Apr 15, 2022 at 04:52:55PM +0200, Elmar Stellnberger wrote: > ... > exist. It truly is this g++ bug that prevents Firefox and any > Qt programs from building under Buster/i586. I have noted that > there are also some amd64 targets on the OBS that expose the > exact same g++ bug. My questio

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Friedhelm Waitzmann
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Elmar Stellnberger on Thursday, 2022-04-14T18:51:01+0200: Where can I get this from for buster and architecture i386? does not have it. Friedhelm

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On 14.04.22 14:52, Elmar Stellnberger wrote: I am also running Debian 10 on my Asus eeePC (Pentium M). I am mainly using it as a dictionary. Although I am performing security updates quite regularly I have not run into this issue. Having updated just now I am with Firefox 78.15.0-esr-1~deb10

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Thu, Apr 14, 2022 at 02:50:32PM +0200, Elmar Stellnberger wrote: > On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > > >> For the oldstable distribution (buster), these problems have > > >> been fixed in version 91.8.0esr-1~deb10u1. > > > > > >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: > >> For the oldstable distribution (buster), these problems have > >> been fixed in version 91.8.0esr-1~deb10u1. > > > > Where can I get this from for buster and architecture i386? > >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Thu, Apr 14, 2022 at 11:01:06AM +0200, Maurice Dirr wrote: > Are you running KDE programs on a Pentium 4? > How can that work without hardware acceleration? > Well QCoan is a plain Qt program, not a KDE app, but Yes I am running KDE apps on that PIV. You have to use > export LIBGL_ALWAYS_SO

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Maurice Dirr
Are you running KDE programs on a Pentium 4? How can that work without hardware acceleration? On 14.04.22 10:52, Elmar Stellnberger wrote: >Could it be that also other programs are affected by this issue? > > I have been building Coan (one of my programs) recently on the OBS and it > > did n

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On Wed, Apr 13, 2022 at 09:52:13PM +0200, Elmar Stellnberger wrote: > On 09.04.22 23:31, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > >>> For the oldstable distribution (buster), these problems have > >>> been fixed in version 91.8.0esr-1~deb10u1. > >> > >> Where can I get this from f

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On 09.04.22 23:31, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: >>> For the oldstable distribution (buster), these problems have >>> been fixed in version 91.8.0esr-1~deb10u1. >> >> Where can I get this from for buster and architecture i386? >>

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-11 Thread Moritz Muehlenhoff
On Mon, Apr 11, 2022 at 01:45:56PM +0200, Odo Poppinger wrote: > > The Firefox ESR91 series triggers an internal compiler error > > with the GCC version included in Debian 10, so there's no build > > available currently. > > I am still using i386 on some machines. Isn't it possible to build with >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-11 Thread Odo Poppinger
I am still using i386 on some machines. Isn't it possible to build with another gcc or to update gcc? On 09.04.22 at 23:31 Moritz Mühlenhoff wrote: Friedhelm Waitzmann wrote: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I ge

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-09 Thread Moritz Mühlenhoff
Friedhelm Waitzmann wrote: >> For the oldstable distribution (buster), these problems have >> been fixed in version 91.8.0esr-1~deb10u1. > > Where can I get this from for buster and architecture i386? >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-08 Thread Friedhelm Waitzmann
On Wed, 2022-04-06 at 17:11:21 + Moritz Muehlenhoff wrote in the mailing list debian-security-announce: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I get this from for buster and architecture i386?

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-02 Thread Marco Möller
On 02.11.21 01:07, Holger Levsen wrote: hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: - Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO! th

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread Sean Whitton
Hello, On Tue 02 Nov 2021 at 12:07AM GMT, Holger Levsen wrote: > hey hey, hear hear! > > On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: >> - >> Debian Security Advisory DSA-5000-1 secur.

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread piorunz
On 02/11/2021 00:07, Holger Levsen wrote: hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: - Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO!

thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread Holger Levsen
hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: > - > Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO! that's *something* to *celebrate*!!1 Very

Re: [SECURITY] [DSA 4774-1] linux security update

2020-10-20 Thread Georgi Naplatanov
On 10/19/20 3:12 PM, Salvatore Bonaccorso wrote: > - > Debian Security Advisory DSA-4774-1 secur...@debian.org > https://www.debian.org/security/ Salvatore Bonaccorso > October 19, 2020

Re: [SECURITY] [DSA 4016-1] irssi security update

2020-01-16 Thread Tototechy
Security about your app is very important for your privacy and you must try this app. - https://tototechy.com/podcast-addict-for-pc-free-download-windows-7-8-10-mac/ -- Sent from: http://debian.2.n7.nabble.com/Debian-Security-f2050754.html

Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-25 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, 2019-01-24 at 23:37 +0100, Edgar Remmel wrote: > Thanks a lot Yves-Alexis for reply and advice! > > > Also it's likely that > > you need to ask this to Raspbian, not Debian. > > Please give me a 2.nd try in this list. If it will become obvi

Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Edgar Remmel
Thanks a lot Yves-Alexis for reply and advice! > Also it's likely that > you need to ask this to Raspbian, not Debian. Please give me a 2nd try in this list. If it becomes obvious that it is a problem of Raspbian I will change to them. > It would help to paste the exact error messages. The com

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, 2019-01-24 at 15:08 +0100, Edgar Remmel wrote: > Hello, Hi Edgar, adding debian-security mailing list since it's the proper place to ask about his. > > the above security update was linked by a security forum. > > As the commands worked f

Re: [SECURITY] [DSA 4272-1] linux security update

2018-08-15 Thread Salvatore Bonaccorso
Hi, On Wed, Aug 15, 2018 at 04:02:59PM +0200, Matus UHLAR - fantomas wrote: > Hello, > > On 14.08.18 21:52, Salvatore Bonaccorso wrote: > > CVE-2018-5391 (FragmentSmack) > > > >Juha-Matti Tilli discovered a flaw in the way the Linux kernel > >handled reassembly of fragmented IPv4 and IPv

Re: [SECURITY] [DSA 4272-1] linux security update

2018-08-15 Thread Matus UHLAR - fantomas
Hello, On 14.08.18 21:52, Salvatore Bonaccorso wrote: CVE-2018-5391 (FragmentSmack) Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculatio

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-05 Thread Henrique de Moraes Holschuh
On Fri, 04 May 2018, Davide Prina wrote: > On 04/05/2018 04:06, Paul Wise wrote: > > On Thu, May 3, 2018 at 4:53 PM, richard lucassen wrote: > > > > > There is also an big increase in time before random is initialized: > > ... > > > One of the consequences is that openntpd (or a program like > > >

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-04 Thread Davide Prina
On 04/05/2018 04:06, Paul Wise wrote: On Thu, May 3, 2018 at 4:53 PM, richard lucassen wrote: There is also a big increase in time before random is initialized: ... One of the consequences is that openntpd (or a program like rdate) hangs until the crng is initialized. What do these two pro

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-04 Thread Richard Lucassen
On Fri, 4 May 2018 10:06:58 +0800 Paul Wise wrote: > > One of the consequences is that openntpd (or a program like > > rdate) hangs until the crng is initialized. > > What do these two programs require entropy for? That's the question. The only thing I saw that these two programs normally send

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-03 Thread Paul Wise
On Thu, May 3, 2018 at 4:53 PM, richard lucassen wrote: > There is also a big increase in time before random is initialized: ... > One of the consequences is that openntpd (or a program like > rdate) hangs until the crng is initialized. What do these two programs require entropy for? -- bye, p
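The "hangs until the crng is initialized" behaviour discussed in this thread is what a program sees when it asks the kernel for random bytes through getrandom(2) with the default flags: the call does not return until the kernel's CRNG has been seeded, and on a freshly booted machine with little entropy that can take a long time. The following is an added example, not code from any message in the thread and not from openntpd, rdate or the Debian kernel package. It shows how a daemon can probe the CRNG state with GRND_NONBLOCK so that an unseeded pool is reported instead of turning into a silent hang; the names crng_probe, crng_state and all_zero are my own for this example, and the program assumes a Linux kernel with getrandom(2) (3.17 or later), falling back to "unavailable" elsewhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* GRND_NONBLOCK lives in <linux/random.h>; defined here with the kernel
 * UAPI value so the file also builds against older header sets. */
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001
#endif

/* Hypothetical names for this example. */
enum crng_state {
    CRNG_UNAVAILABLE = -1, /* no usable getrandom(2): old kernel or non-Linux */
    CRNG_NOT_READY   =  0, /* pool not seeded yet: a blocking call would hang here */
    CRNG_READY       =  1  /* buf now holds len bytes of kernel randomness */
};

/* Probe the CRNG without ever blocking. Keep len <= 256: for requests of
 * at most 256 bytes getrandom() either fills the whole buffer or fails,
 * so a short read cannot happen once the pool is ready. */
enum crng_state crng_probe(unsigned char *buf, size_t len)
{
#if defined(__linux__) && defined(SYS_getrandom)
    long n = syscall(SYS_getrandom, buf, len, GRND_NONBLOCK);
    if (n == (long)len)
        return CRNG_READY;
    if (n < 0 && errno == EAGAIN)   /* the only "not seeded yet" signal */
        return CRNG_NOT_READY;
    return CRNG_UNAVAILABLE;        /* ENOSYS, EFAULT or an unexpected short read */
#else
    (void)buf;
    (void)len;
    return CRNG_UNAVAILABLE;
#endif
}

/* 1 if every byte of buf is zero; used to sanity-check a READY result. */
int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* What a daemon in the position of openntpd or rdate could do: log the
 * pool state first, then take the blocking path deliberately and visibly
 * rather than disappearing into an unexplained hang at boot. */
int main(void)
{
    unsigned char key[32];
    enum crng_state st = crng_probe(key, sizeof key);

    switch (st) {
    case CRNG_READY:
        puts("CRNG ready: got 32 bytes without blocking");
        break;
    case CRNG_NOT_READY:
        puts("CRNG not seeded yet: getrandom() with flags=0 would block here");
#if defined(__linux__) && defined(SYS_getrandom)
        /* The blocking wait, now announced in the log instead of silent. */
        if (syscall(SYS_getrandom, key, sizeof key, 0) == (long)sizeof key)
            puts("CRNG seeded, continuing");
#endif
        break;
    case CRNG_UNAVAILABLE:
        puts("getrandom(2) unavailable on this kernel");
        break;
    }
    return 0;
}
```

Two things worth keeping in mind when reading the thread with this in hand: a read of /dev/urandom never blocks (on kernels of that era it simply returns output before the pool is seeded), which is why older code that opened /dev/urandom did not hang while code that moved to getrandom() did; and GRND_NONBLOCK only tells you the pool is not ready, it does not make the bytes any better, so the right reaction for a service that needs unpredictable keys is to wait visibly, not to fall back to a weaker source.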

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-03 Thread Konstantin Khomoutov
On Thu, May 03, 2018 at 10:53:00AM +0200, richard lucassen wrote: > > > There are multiple reports on #ganeti that this update breaks > > > networking in certain circumstances, probably multiple tun/tap > > > device configurations. No more details or a proper bug report yet > > > as I haven't expe

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-03 Thread richard lucassen
On Thu, 03 May 2018 01:44:06 +0100 Ben Hutchings wrote: > > There are multiple reports on #ganeti that this update breaks > > networking in certain circumstances, probably multiple tun/tap > > device configurations. No more details or a proper bug report yet > > as I haven't experienced this myse

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-02 Thread Ben Hutchings
On Thu, 2018-05-03 at 00:06 +0100, Dominic Hargreaves wrote: > On Tue, May 01, 2018 at 05:12:02PM +, Ben Hutchings wrote: > > - > > Debian Security Advisory DSA-4187-1 secur...@debian.org > > https://www.d

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-02 Thread Dominic Hargreaves
On Tue, May 01, 2018 at 05:12:02PM +, Ben Hutchings wrote: > - > Debian Security Advisory DSA-4187-1 secur...@debian.org > https://www.debian.org/security/Ben Hutchings > May 01

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Henrique de Moraes Holschuh
On Fri, 12 Jan 2018, Moritz Mühlenhoff wrote: > Frank Nord wrote: > > Peeking at Ubuntu: > > https://usn.ubuntu.com/usn/usn-3522-3/ > > "USN-3522-1 fixed a vulnerability in the Linux kernel to address > > Meltdown (CVE-2017-5754). Unfortunately, that update introduced > > a regression where a fe

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Moritz Mühlenhoff
Frank Nord wrote: > Peeking at Ubuntu: > https://usn.ubuntu.com/usn/usn-3522-3/ > "USN-3522-1 fixed a vulnerability in the Linux kernel to address > Meltdown (CVE-2017-5754). Unfortunately, that update introduced > a regression where a few systems failed to boot successfully. This > update fixes

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Frank Nord
Hello, On 2018-01-11 at 12:29 Frank Nord wrote: > Hello, > > > On 2018-01-11 at 11:58 Henrique de Moraes Holschuh wrote: >> On Thu, 11 Jan 2018, Frank Nord wrote: >>> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU, >>> P7550 @ 2.6 GHz). > >>> 3.20170707.1~deb9u1 f

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Frank Nord
Hello, On 2018-01-11 at 11:58 Henrique de Moraes Holschuh wrote: > On Thu, 11 Jan 2018, Frank Nord wrote: >> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU, >> P7550 @ 2.6 GHz). >> 3.20170707.1~deb9u1 from stretch. What's the recommended >> microcode-version for this

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Henrique de Moraes Holschuh
On Thu, 11 Jan 2018, Frank Nord wrote: > I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU, > P7550 @ 2.6 GHz). ... > 3.20170707.1~deb9u1 from stretch. What's the recommended > microcode-version for this kernel? The one you have is currently fine. Intel has not published

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-10 Thread Frank Nord
Hello, On 2018-01-04 at 23:25 Yves-Alexis Perez wrote: > - > Debian Security Advisory DSA-4078-1 secur...@debian.org > https://www.debian.org/security/Yves-Alexis Perez > January 0

Re: Security support for chromium in jessie

2017-11-04 Thread Michael Gilbert
On Tue, Aug 15, 2017 at 1:09 PM, Emilio Pozuelo Monfort wrote: > I think we should do this for as long as it's reasonably possible, given > firefox > updates will get harder and harder (they will require newer versions of rustc, > which may need to be bootstrapped) so having another supported brow

Re: [SECURITY] [DSA 4016-1] irssi security update

2017-11-03 Thread Kurt Roeckx
On Fri, Nov 03, 2017 at 07:51:34PM +, Salvatore Bonaccorso wrote: > CVE-2017-15721 > > Joseph Bisch discovered that Irssi does not properly handle > incorrectly formatted DCC CTCP messages. A malicious IRC server can > take advantage of this flaw to cause Irssi to crash, resulting

Re: [SECURITY] [DSA 3995-1] libxfont security update

2017-10-16 Thread Adrian Bunk
On Mon, Oct 16, 2017 at 07:44:39PM +0200, Julien Cristau wrote: > I don't believe it does. The only relevant piece of software I'm aware of > from a security point of view is Xorg, which uses libxfont2 in stretch. What about 3rd-party software using libxfont1? > Julien cu Adrian --

Re: [SECURITY] [DSA 3995-1] libxfont security update

2017-10-16 Thread Julien Cristau
I don't believe it does. The only relevant piece of software I'm aware of from a security point of view is Xorg, which uses libxfont2 in stretch. Julien On October 16, 2017 6:56:40 PM GMT+02:00, Adrian Bunk wrote: >On Tue, Oct 10, 2017 at 09:22:11PM +0200, Moritz Muehlenhoff wrote: >> >--

Re: [SECURITY] [DSA 3995-1] libxfont security update

2017-10-16 Thread Adrian Bunk
On Tue, Oct 10, 2017 at 09:22:11PM +0200, Moritz Muehlenhoff wrote: > - > Debian Security Advisory DSA-3995-1 secur...@debian.org > https://www.debian.org/security/ Moritz Muehlenhoff > O

Re: Security support for chromium in jessie

2017-08-15 Thread Emilio Pozuelo Monfort
On 31/07/17 05:23, Michael Gilbert wrote: > Hi all, > > I do not have enough free time to be able to keep up with security > updates to chromium in jessie (oldstable) any more. It is technically > feasible to keep it working in a jessie environment, but each update > has been more and more work.

Re: [SECURITY] [DSA 3909-1] samba security update

2017-07-14 Thread Adam D. Barratt
On Fri, 2017-07-14 at 16:19 +0200, Sven Hartge wrote: > On 14.07.2017 14:25, Yves-Alexis Perez wrote: > > > For the oldstable distribution (jessie), this problem has been fixed > > in version 2:4.2.14+dfsg-0+deb8u7. > > Is this just me or has the update for Jessie x86_64 been built in an > unclea

Re: [SECURITY] [DSA 3909-1] samba security update

2017-07-14 Thread Daniel Reichelt
On 14.07.2017 16:19, Sven Hartge wrote: > For me the binary packages have dependencies unfulfillable in Jessie: > > The following packages have unmet dependencies: > samba-common-bin : Depends: libncurses5 (>= 6) but 5.9+20140913-1+b1 is > to be installed > Depends: libreadlin

Re: [SECURITY] [DSA 3909-1] samba security update

2017-07-14 Thread Sven Hartge
On 14.07.2017 14:25, Yves-Alexis Perez wrote: > For the oldstable distribution (jessie), this problem has been fixed > in version 2:4.2.14+dfsg-0+deb8u7. Is this just me or has the update for Jessie x86_64 been built in an unclean environment or from the wrong sources? For me the binary packages

Re: [SECURITY] [DSA 3823-1] eject security update

2017-04-19 Thread Salvatore Bonaccorso
Hi On Tue, Apr 18, 2017 at 10:50:19AM +0900, Hideki Yamane wrote: > I'm just curious, Ubuntu developer said that there was no embargo for > eject package vulnerability with Debian, is it true and if so, why? > > https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627/comments/3 Yes this is

Re: [SECURITY] [DSA 3823-1] eject security update

2017-04-17 Thread Hideki Yamane
Hi, I'm just curious, Ubuntu developer said that there was no embargo for eject package vulnerability with Debian, is it true and if so, why? https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627/comments/3 -- Hideki Yamane

Re: [SECURITY] [DSA 3817-1] jbig2dec security update

2017-03-27 Thread Chris Boot
On 24/03/17 22:32, Moritz Muehlenhoff wrote: > - > Debian Security Advisory DSA-3817-1 secur...@debian.org > https://www.debian.org/security/ Moritz Muehlenhoff > March 24, 2017

Re: [SECURITY] [DSA 3726-1] imagemagick security update

2016-11-26 Thread Luciano Bello
On Sunday, 27 November 2016 04:09:30 EST Luciano Bello wrote: > CVE ID : CVE-2016-7799 CVE-2016-7906 CVE-2016-8677 The list of fixed CVEs fixed in the DSA was incomplete. It should be: CVE-2016-7799 CVE-2016-7906 CVE-2016-8677 CVE-2016-8862 CVE-2016-9556 CVE-2016-9559 The website was fi

Re: Security features in the upcoming release (Stretch)

2016-09-27 Thread Russell Coker
My plan is to have the KDE and GNOME desktop environments working with SE Linux enforcing mode on Stretch along with the most important apps such as Google Chrome/Chromium. I hope to have something ready to test in Unstable in a few weeks. On 23 September 2016 11:21:55 pm AEST, "m.la...@t-onlin

Re: Security features in the upcoming release (Stretch)

2016-09-24 Thread Richard Owlett
On 9/23/2016 9:44 PM, Darko Gavrilovic wrote: I think there is an Apparmor progress page, no? https://wiki.debian.org/AppArmor/Progress Quoting above page: "AppArmor/Progress (last edited 2015-08-14 09:33:50 ..." :< Just wondering, if you like Fedora/RH SELinux & AppArmor implementation

Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread Darko Gavrilovic
I think there is an Apparmor progress page, no? https://wiki.debian.org/AppArmor/Progress Just wondering, if you like Fedora/RH SELinux & AppArmor implementation better, then why not just stick to deploying them? On Fri, Sep 23, 2016 at 9:49 PM, stefano frabetti wrote: >> He, and those like me,

Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread stefano frabetti
> He, and those like me, deserve a polite/germane/relevant response. Bravo! +1

Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread Richard Owlett
On 9/23/2016 12:42 PM, Reed Black wrote: On Fri, Sep 23, 2016 at 6:42 AM, Jonathan Hutchins mailto:hutch...@tarcanfel.org>> wrote: It is difficult for me to rationalize a serious concern for "security" with the idea that one should lie back and expect the packaging team to ta

Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread Reed Black
On Fri, Sep 23, 2016 at 6:42 AM, Jonathan Hutchins wrote: > It is difficult for me to rationalize a serious concern for "security" > with the idea that one should lie back and expect the packaging team to > take care of it all for you. If you are concerned with security, you > should be actively

Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread Jonathan Hutchins
It is difficult for me to rationalize a serious concern for "security" with the idea that one should lie back and expect the packaging team to take care of it all for you. If you are concerned with security, you should be actively configuring security features yourself, not expecting that someone

Re: [SECURITY] [DSA 3672-1] irssi security update

2016-09-21 Thread Salvatore Bonaccorso
Hi Martin, On Wed, Sep 21, 2016 at 10:45:14PM +0200, martin f krafft wrote: > also sprach Moritz Muehlenhoff [2016-09-21 22:40 +0200]: > > No, the mailing announcements and the Debian Security Tracker are the > > canonical > > source of information. The entries on the website are added subsequen

Re: [SECURITY] [DSA 3672-1] irssi security update

2016-09-21 Thread martin f krafft
also sprach Moritz Muehlenhoff [2016-09-21 22:40 +0200]: > No, the mailing announcements and the Debian Security Tracker are the > canonical > source of information. The entries on the website are added subsequently by > the Debian WWW team. You are listing https://www.debian.org/security/ in th

Re: [SECURITY] [DSA 3672-1] irssi security update

2016-09-21 Thread Moritz Muehlenhoff
On Wed, Sep 21, 2016 at 10:14:34PM +0200, martin f krafft wrote: > also sprach Salvatore Bonaccorso [2016-09-21 21:53 +0200]: > > - > > Debian Security Advisory DSA-3672-1 secur...@debian.org > > htt

Re: [SECURITY] [DSA 3672-1] irssi security update

2016-09-21 Thread martin f krafft
also sprach Salvatore Bonaccorso [2016-09-21 21:53 +0200]: > - > Debian Security Advisory DSA-3672-1 secur...@debian.org > https://www.debian.org/security/ Salvatore Bonaccorso > September

Re: [SECURITY] [DSA 3671-1] mutt security update

2016-09-20 Thread Marcelo Lacerda
Hi Moritz, there seems to be a typo on the announcement, the title refers to mutt, but the update refers to wireshark. Just letting you know. On 20 September 2016 at 16:43, Moritz Muehlenhoff wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - --

Re: [SECURITY] [DSA 3671-1] mutt security update

2016-09-20 Thread Kenneth B. Jensen
On 09/20/2016 03:02 PM, Steven Chamberlain wrote: > Hello, > > Moritz Muehlenhoff wrote: >> Package: wireshark > > The subject line says mutt? > > Thanks, > Regards, Hi, Forwarded Message ---- Subject: Re: [SECURITY] [DSA 3671-1] mutt securi
