Re: [SECURITY] [DSA 3177-1] mod-gnutls security update

On Mar/11, Stephan Beck wrote: > Is there any reason for the circumstance that this DSA3177-1 (March > 10) is being sent after DSA3181-1, and not, as it would be expected, > between the announce dates of DSA3176-1 (February 26) and DSA3178-1 > (March 2)? Just curious. None other than the fact I've

Re: inspircd: CVE-2012-1836 patch incomplete

On 2015-03-31, Guillaume Delacour wrote: > Upstream confirm me that the fix is correct for this CVE. The > package uploaded on mentors was not modified since my first mail and > is ready for upload if anybody can/want upload it to stable. I'm waiting for CVE assignments from MITRE, after which I

Re: [SECURITY] [DSA 3224-1] libx11 security update

On 2015-04-13, Henrique de Moraes Holschuh wrote: > The use of bin-NMUs for this is causing utter havock here due to > multi-arch: > [...] > (obviously a straight apt upgrade run or aptitude upgrade run will > give similar results). Indeed; this is tracked via https://bugs.debian.org/782505, and

Re: working for wheezy-security until wheezy-lts starts

On 2016-03-01, Mike Gabriel wrote: > @Security Team: Shall we (LTS contributors) handle wheezy-security > updates like described below until Debian wheezy LTS comes into play? > >o Pick a package that has open CVE issues in wheezy, e.g. from > above list >o Add the package to data/

Re: [SECURITY] [DSA 3541-1] roundcube security update

On 2016-04-05, donoban wrote: > Why this took so long? Roundcube team fixed this 2015-12-26: > > https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released > > And it also seems a easy fix to backport: > > https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa0

[tracker] New sub-states for issues tagged no-dsa

After some discussion about what no-dsa really means, I've added 2 new sub-states to the tracker, and they can be used as follows: CVE-2018-10012345 - foo (bug #9876543) [stretch] - shadow (Minor issue, later) [jessie] - shadow (Minor issue, later) [wheezy]

Report from the Debian Security Team Sprint in Hamburg (May 2018)

), Moritz Muehlenhoff (jmm), Salvatore Bonaccorso (carnil), Sébastien Delafond (seb), and Yves-Alexis Perez (corsac). We'd like to thank the Mini-DebConf organizers for providing the facilities for our sprint, as well as all donors to the Debian project who helped to cover a large part of our exp

Re: "Version less than 0.0" in OVAL definitions

Hi, the Debian Security team periodically gets requests and/or bug reports about the OVAL exports, and our general stance is that although we can't provide support for them, I'll gladly review and accept PRs on the OVAL generation code if people are interested in fixing whatever issues they find