CAN to CVE: changing changelogs?

2005-10-26 Thread Thijs Kinkhorst
'old-style' CAN id's? regards, Thijs Kinkhorst

Re: CAN to CVE: changing changelogs?

2005-10-26 Thread Thijs Kinkhorst
On Wed, 2005-10-26 at 12:36 +0200, Moritz Muehlenhoff wrote: > > Are there any thoughts on changing changelogs retroactively? Might it > > even be an idea to add a lintian check for 'old-style' CAN id's? > > You could change them retroactively (with a little note that you did so), > but it's not s

Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Thijs Kinkhorst
Michael Stone wrote: Vulnerability : format string attack Problem-Type : local Debian-specific: no CVE ID : CVE-2006-0083 Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary

Re: [SECURITY] [DSA 1342-1] New xfs packages fix privilege escalation

2007-07-30 Thread Thijs Kinkhorst
On Monday 30 July 2007 20:53, Moritz Muehlenhoff wrote: > Package: xfs > Vulnerability : race condition > Problem-Type : local > Debian-specific: no Since this is in a Debian-supplied init script, this should read "Debian-specific: yes", right? If so, maybe it can still be changed on

Re: [SECURITY] [DSA 1370-1] New phpmyadmin packages fix several vulnerabilities

2007-09-10 Thread Thijs Kinkhorst
On Mon, September 10, 2007 13:22, Matthias Reichl wrote: > Something seems to have gone wrong with the sarge updates: the -3sarge4 > file is present on security.debian.org/pool/..., but > http://security.debian.org/dists/sarge/updates/main/binary-i386/Packages > still references the old -3sarge3 pa

Re: [SECURITY] [DSA 1569-1] New cacti packages fix multiple vulnerabilities

2008-05-06 Thread Thijs Kinkhorst
guys, > > as I alerted you on IRC, this update renders cacti unusable. see: #479618 > and #479621 . > > it's pretty clear that the upload was done without any testing, and > furthermore without first submitting a bug on the cacti package. tsk tsk > :) > >

Re: [SECURITY] [DSA 1573-1] New php5 packages fix several vulnerabilities

2008-05-12 Thread Thijs Kinkhorst
Hi all, On Sunday 11 May 2008 17:16, Thijs Kinkhorst wrote: > Package: rdesktop Thank you for your comments, yes, I'm aware that the subject is wrong. Unfortunately due to what seems a bug in Debian's mailing list management software, when I resend it it gets rejected.

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Thijs Kinkhorst
Michel Messerschmidt wrote: > The information about sarge is not consistent with > http://security-tracker.debian.net/tracker/CVE-2008-0166: > > Source Package Release Version Status > openssl (PTS) sarge, sarge (security) 0.9.7e-3sarge5 vulnerable >etch

Re: [DSA 1629-1] Etch postfix packages older than base (was Re: New postfix packages fix privilege escalation)

2008-08-19 Thread Thijs Kinkhorst
On Tuesday 19 August 2008 02:07, Ewen McNeill wrote: > It appears that this security patched package actually has an older > version number than the one in Debian Etch base. Yes, this was an oversight, perhaps because the Postfix maintainer doesn't use i386 and therefore missed the binNMU. All ot

http.d.n. broken (was: Re: https://wiki.debian.org/LTS/Using => broken?)

2015-02-05 Thread Thijs Kinkhorst
Hi, On Thu, February 5, 2015 13:57, Ml Ml wrote: > Looks good! > > Who can report this? :) I've CC'ed this message to Raphael, the maintainer of http.debian.net. Cheers, Thijs > On Thu, Feb 5, 2015 at 1:51 PM, Michael Stone wrote: >> On Thu, Feb 05, 2015 at 01:34:36PM +0100, Ml Ml wrote: >>>

Re: https://wiki.debian.org/LTS/Using => broken?

2015-02-05 Thread Thijs Kinkhorst
On Thu, February 5, 2015 15:40, Raphael Geissert wrote: >> Jens, you wrote the original wiki page, is there a reason it specifies >> http.debian.net rather than a debian.org resource? >> Mike Stone > > There's httpredir.debian.org if you wish, same codebase. Maybe a d-d-a post suggesting that peop

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Thijs Kinkhorst
Hi John, On Wed, February 18, 2015 15:11, John Goerzen wrote: > Hi folks, > > So I recently downloaded and installed debsecan on several of my > machines. These are all fully up-to-date machines, running either > wheezy or jessie. For now I'll just focus on wheezy since it's where > our security

Re: Missing tiff3 patch in security repo

2015-02-18 Thread Thijs Kinkhorst
Hi John, On Wed, February 18, 2015 14:51, John Goerzen wrote: > CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... > > - libtiff4 (remotely exploitable, high urgency) The reason is explained when you follow this li

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Thijs Kinkhorst
On Wed, February 18, 2015 15:44, Thijs Kinkhorst wrote: > you can e.g. see a motivation for why libtiff4 is not that urgent to fix, > similar for php5 and the useful note that clamav will be fixed through Where I said php5 I meant python2.6 (all these interpreters are the same to me...)

Re: Missing tiff3 patch in security repo

2015-02-19 Thread Thijs Kinkhorst
On Wed, February 18, 2015 18:50, John Goerzen wrote: > On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote: >> Hi John, >> >> On Wed, February 18, 2015 14:51, John Goerzen wrote: >>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... >>> <

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread Thijs Kinkhorst
On Thu, February 19, 2015 14:29, John Goerzen wrote: > But how else is someone going to learn that when security-tracker says > "vulnerable", in hundreds of instances, that may be wrong, other than by > asking? I didn't find this documented anywhere. I think where your misunderstanding originates

Re: [SECURITY] [DSA 3328-1] wordpress security update

2015-08-04 Thread Thijs Kinkhorst
ng.php line 508. > > Can anyone confirm this? Confirmed, sorry for that. We will release an updated package a.s.a.p. Regards, Thijs Kinkhorst Debian Security Team -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Cont

RE: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-09 Thread Thijs Kinkhorst
Hi David, On Mon, November 9, 2015 23:25, David McDonald wrote: > Hi Salvatore, > > Your e-mail below states: > > "For the stable distribution (jessie), this problem has been fixed in > version 6.0-16+deb8u2" (Nota bene the last digit) > > However, https://www.debian.org/security/2015/dsa-33

Re: embedding openssl source in sslcan

2017-01-02 Thread Thijs Kinkhorst
On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote: > Sebastian Andrzej Siewior wrote: > > Please use t...@security.debian.org if you want to reach the security > team, not debian-security@ldo. > >> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its >> source? > > That's f

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-22 Thread Thijs Kinkhorst
Hello People, I'm part of the SquirrelMail development team and have assisted Jeroen in preparing the recent upload of a new SquirrelMail package. Let me comment on some of the issues raised. First off, Debian is using an archaic version of SquirrelMail, being more than two years old (which is

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-08-01 Thread Thijs Kinkhorst
> I completely agree with Matt. This was the idea I wanted to say in my > former post. Don't mix development docs (like changelog) with security ones > (security advisories, etc). IMHO, the correct procedure for > SquirrelMail (or other important project) would be to open a security > section where

slocate 2.6-1.3.3 fails to install

2005-04-17 Thread Thijs Kinkhorst
Hello people, When upgrading to the recent slocate security update, it fails to install on one of my woody systems. It installs on my other systems, but I can't find where the problem is. I get the following messages. Any help in resolving this is appreciated. Regards, Thijs Kink

Re: slocate 2.6-1.3.3 fails to install

2005-04-18 Thread Thijs Kinkhorst
On Mon, April 18, 2005 09:35, Sigmund Straumsnes wrote: > Check /usr/bin/slocate with lsattr. > > rootkits may set attributes to prevent overwriting infected files, so you > could check for intrusion. Thanks, you are indeed correct that the attributes had been changed. I will start investigating

Re: Fixing stupid PHP application design flaws

2005-05-02 Thread Thijs Kinkhorst
On Sat, April 30, 2005 14:54, Martin Schulze wrote: >> "Simple makefile" doesn't match the typical person installing a web >> application. A .tar.gz may already be too difficult, they want to be able >> to ftp their files to their provider and it should work. Also, this > > Such people should stay

Security support for testing - what does it mean?

2005-05-09 Thread Thijs Kinkhorst
Hello people, In the latest release update we can read that "official security support for sarge" has begun. But I wonder what that means. Recent DSA's (eg 722, 723 from today) still mention only woody and sid. I had expected to see sarge included there as well. What has changed exactly since thi

Re: Bug#308282: [phpbb2 #308282] upstream patch

2005-05-11 Thread Thijs Kinkhorst
On Tue, May 10, 2005 14:55, Ulf Harnhammar wrote: > Protecting against this type of attack is much more complicated than > this. As Jeroen noted, HTML entities are interpreted, so you have to > protect against things like "javascript:". Some browsers allow varying > amounts of whitespace inside pro

Re: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
On Monday 25 August 2008 05:56, Charles Plessy wrote: > I have not followed the discussions on -devel closely. What is the > relevance of this bug for the releasability of the package? Upstream is > already at a much higher version number and I am not able to solve the > problem by myself. > > Since

Re: Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Thijs Kinkhorst
On Thursday 28 August 2008 03:51, Michael Gilbert wrote: > >> what about getting a fix for this issue into stable? > > > >  it doesn't affect stable > > ok, can someone update the tracker [1] to reflect that this issue does > not affect etch (yelp 2.14) and sarge (yelp 2.6)? I've updated the etc

Re: Freeze exceptions for iceape/iceweasel/xulrunner?

2009-01-11 Thread Thijs Kinkhorst
On Saturday 10 January 2009 17:50, Francesco Poli wrote: > > > Otherwise, are there plans to do so? > > > > RC bugfixes are usually unblocked without the need for asking. Also, > > security bugfixes for ice* packages are allowed by habit. > > Nonetheless, iceape, iceweasel, and xulrunner are 20 day

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Thijs Kinkhorst
On Saturday 14 February 2009, Florian Weimer wrote: > > Our servers use commercial certificates, with "GTE CyberTrust Global > > Root" as the root certificate. It apparently is a v1 x509 certificate... > > It uses 1024 bit RSA, it is more than ten years old, and GTE > Cybertrust does not exist any

Re: debian-security-announce - Upgrade instructions

2009-05-21 Thread Thijs Kinkhorst
Hi, On Thursday 21 May 2009, FTF 3k3 wrote: > The "Upgrade instructions" section of each email contains instructions > for apt-get instead of aptitude which is Debian's recommended package > manager. In some documents, aptitude is indeed preferred over apt-get because of the dependency resolvi

Re: What is best practice for managing sources.list for security and stability?

2009-05-25 Thread Thijs Kinkhorst
Hi John, On Monday 25 May 2009, john wrote: > The recent key-change forced me to use the main stable repos to get > the new keys (e.g apt-get install debian-archive-keyring ) > . and got me thinking... > > Is the approach I outlined the "best" way to maintain the security and > stability of th

Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

2009-06-15 Thread Thijs Kinkhorst
On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote: >> For the oldstable distribution (etch), this problem will be fixed soon. >> > > 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which > appears to fix this problem, but no subsequent advisory has been released. > Is this an ove

Re: Version Numbers in DSAs

2009-08-15 Thread Thijs Kinkhorst
On Friday 14 August 2009, Nico Golde wrote: > Joerg, is there any way dak could know about these version > numbers or can't it by design? If so, any idea why the > epochs are not included in the file names? Right, in my idea the root cause for this is that filenames do not have epochs, and for c

GnuPG 1.4.10 RC1 available from Debian Experimental

2009-08-16 Thread Thijs Kinkhorst
Hi, The recent release candidate 1 for GnuPG 1.4.10 has been packaged and uploaded to Debian's "experimental" distribution, in order to facilitate testing. If you wish, please try it out and of course report bugs found. All cautions around release candidates and the experimental distribution of

Re: problem with security mirror?

2009-11-09 Thread Thijs Kinkhorst
On Sun, November 8, 2009 13:34, Yves-Alexis Perez wrote: > Hey, > > apt-get update on my lenny box gives the following warning: > > W: GPG error: http://security.debian.org lenny/updates Release: The > following signatures were invalid: BADSIG 9AA38DCD55BE302B Debian > Archive Automatic Signing Key

Re: squirrelmail SA34627

2010-01-26 Thread Thijs Kinkhorst
On Mon, January 25, 2010 21:05, Florian Weimer wrote: > * Adrian Minta: > >> Hi, >> Does squirrelmail 1.4.15-4+lenny2 have fixes for SA34627 ? > > According to , > it's still vulnerable. Indeed. Backporting the fix for this is not trivial s

Re: squirrelmail package in lenny

2010-02-22 Thread Thijs Kinkhorst
Hi Benjamin, On Sun, February 21, 2010 17:19, Benjamin Vetter wrote: > I'm wondering why the squirrelmail package has a php4 -or- php5 > dependency http://packages.debian.org/en/lenny/squirrelmail > I updated from etch to lenny a long time ago, but I still had etch's php4 > installed through this op

Re: CVE-2009-3555 not addressed in OpenSSL

2010-11-13 Thread Thijs Kinkhorst
Hi Kurt, On Thursday 11 November 2010 19:43:33 Kurt Roeckx wrote: > So I've prepared a package based on the ubuntu patch. I also went > over every commit between the 0.9.8l and 0.9.8m release and am > reasonably confident this patch should work properly. > > The current package is available at: >

Re: CVE-2009-3555 not addressed in OpenSSL

2010-11-13 Thread Thijs Kinkhorst
On Saturday 13 November 2010 18:21:45 Jordon Bedwell wrote: > On Sat, 2010-11-13 at 18:14 +0100, Thijs Kinkhorst wrote: > > I have tested it in some different environments with different types of > > configurations and the packages work very fine for me. > > Just one quest

Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression

2010-11-15 Thread Thijs Kinkhorst
Hi Gerfried, On Mon, November 15, 2010 12:24, Gerfried Fuchs wrote: > Hi! > > * Thijs Kinkhorst [2010-11-13 20:37:28 CET]: >> Since a few months, Microsoft's servers for MSN have changed the >> protocol, >> making Pidgin non-functional for use with MS

Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression

2010-11-16 Thread Thijs Kinkhorst
On Monday 15 November 2010 13:59:01 Gerfried Fuchs wrote: > Also, you just stated that he is not a part of the security team - that > unfortunately doesn't get us anywhere though. Were his statements in > that respect untrue? I would have expected at least a single message > with respect to some-k

Re: how to apply DSA-2157-1

2011-02-06 Thread Thijs Kinkhorst
On Sunday 06 February 2011 17:05:23 Michael Gilbert wrote: > > I am using postgres on squeeze. > > > > > > > > Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 but > > I can't find that package using http://www.debian.org/distrib/packages > > or apt. > > Unfortunately, the

Re: Some obsolete packages on squeeze-security

2011-02-07 Thread Thijs Kinkhorst
Hi Dominic, On Mon, February 7, 2011 18:18, Dominic Hargreaves wrote: > squeeze-security (i386 at least) has the following binary packages > which are not in squeeze. They are therefore selected as candidates for > install even though they represent an unmaintained branch of code. > The i386 packa

Re: sun-java6 updates for {old,}stable?

2011-02-21 Thread Thijs Kinkhorst
Hi Dominic, On Monday 21 February 2011 14:11:45 Dominic Hargreaves wrote: > Are there any plans to update the sun-java6 packages in lenny and > squeeze for the recent floating point DoS issue? Yes: http://lists.debian.org/debian-release/2011/02/msg00240.html Thijs

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Thijs Kinkhorst
On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote: > Hi, > > On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote: > > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in > > cgiirc, a web based IRC client, which could lead to the execution > > of arbitrary javascript. > >

Re: packages not listed on http://security-tracker.debian.org/tracker/status/release/stable

2011-05-17 Thread Thijs Kinkhorst
Hi dave, On Tue, May 17, 2011 14:56, dave b wrote: > Hi it would seem that policykit-1 is not listed on > http://security-tracker.debian.org/tracker/status/release/stable as a > vulnerable source package (regarding CVE-2011-1485 ) ... ( although > CVE-2011-1485 appears to have been fixed in debia

Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-10 Thread Thijs Kinkhorst
Hi Vladislav, On Mon, October 10, 2011 12:04, Vladislav Kurz wrote: > I wonder if there is something wrong with this DSA. I manage a lot of > servers with cyrus, but the update is available only on one of them > (squeeze, amd64), and not on the others (squeeze/lenny, i386). > I do not use nntp, so

Re: Bug#645881: critical update 29 available

2011-10-19 Thread Thijs Kinkhorst
On Wed, October 19, 2011 12:50, Sylvestre Ledru wrote: > CC debian release & security > > On Wednesday 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote: >> Upstream has released Java SE 6 update 29 yesterday: >> http://www.oracle.com/technetwork/topics/security/j

Re: Bug#645881: critical update 29 available

2011-10-19 Thread Thijs Kinkhorst
On Wed, October 19, 2011 14:15, Matthias Klose wrote: > On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote: >> Have we been in contact with Oracle upstream and explained that we are >> eager to comply with their wish to move entirely to openjdk for our next >> release, but have the

Re: Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Thijs Kinkhorst
Hi Paul, On Sunday 13 November 2011 09:59:19 Paul Wise wrote: > Package: www.debian.org > Severity: normal > X-Debbugs-CC: debian-security@lists.debian.org > > These two links are referenced by the Debian security audit pages but > the domain has been taken by squatters. Could someone from the

RE: need help with openssh attack

2011-12-29 Thread Thijs Kinkhorst
On Thu, December 29, 2011 16:37, Nicolas Carusso wrote: > > How about creating a Reference list with all the suggestions that we are > doing? > If all of you agree, Let's start now. > > SECURITY LIST > ** There's already the Securing Debian HOWTO: http://www.debian.org/doc/manuals/

Re: [SECURITY] [DSA 2403-1] php5 security update

2012-02-06 Thread Thijs Kinkhorst
On Mon, February 6, 2012 03:24, Carlos Alberto Lopez Perez wrote: > On 05/02/12 22:52, Luk Claes wrote: >> On 02/05/2012 05:23 PM, Carlos Alberto Lopez Perez wrote: >>> On 04/02/12 01:12, Luk Claes wrote: On 02/03/2012 10:35 PM, Mario Antonio wrote: > Do you think that there will be a fix

GnuPG 1.4.12 now in experimental; please test

2012-02-23 Thread Thijs Kinkhorst
Hi, The new upstream release of GnuPG, 1.4.12, is now packaged in experimental. Some other changes were made as well, for example for the hardening build flags and multiarch release goals. If you're interested, please don't hesitate to try it out in your environment. The basic plan is to upload i

Re: [DSA 2422-1] file security update

2012-03-01 Thread Thijs Kinkhorst
On Thu, March 1, 2012 08:43, Pascal Hambourg wrote: >> For the stable distribution (squeeze), this problem has been fixed in >> version 5.04-5+squeeze1. > > This update is not available for some architectures yet. > Is this normal? It's not intended but caused by a limitation of the archive softw

Re: [SECURITY] [DSA 2422-1] file security update

2012-03-03 Thread Thijs Kinkhorst
On Sat, March 3, 2012 02:52, Chris Frey wrote: > I've done the latest update, but apt-cache show file still shows > version 5.04-5 available, instead of 5.04-5+squeeze1. You are probably using one of the following archs: armel i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips Unfortunately these builds

Re: [Pkg-ia32-libs-maintainers] A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)

2012-04-07 Thread Thijs Kinkhorst
Hi, On Sat, April 7, 2012 06:24, Mikulas Patocka wrote: > There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq. Thanks for reporting. Just to clarify, which package version is this exactly? There seems to be something missing from the version number you quote. > BTW. how does Debian secu

Re: linux-image-2.6

2012-05-10 Thread Thijs Kinkhorst
Hi, On Thu, May 10, 2012 09:45, Benjamin Vetter wrote: > my apt wants to update linux-image-2.6 ? (amd64) > > the last-modified stamp of the .deb on the mirrors is 06-May, so quite a > few days have already passed > > http://ftp.de.debian.org/debian/pool/main/l/linux-2.6/ > > i don't see any advis

Re: Re: linux-image-2.6

2012-05-10 Thread Thijs Kinkhorst
On Thu, May 10, 2012 12:39, Mark Rushing wrote: > This mistake made it onto a few machines here before I noticed and came > to check... it's an okay update to have installed, in the meantime > though, yes? I mean, it's not some untested work-in-progress that > slipped in... that I should revert fr

Re: [SECURITY] [DSA 2482-1] arpwatch security update

2012-06-02 Thread Thijs Kinkhorst
On Sat, June 2, 2012 15:03, Vincent Blut wrote: > Wrong subject: s/arpwatch/libgdata/ Yes, sorry for the confusion, a corrected version has already been sent. Thijs

Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

2012-07-02 Thread Thijs Kinkhorst
On Mon, July 2, 2012 13:38, Silvio Cesare wrote: > On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote: >> The ia32-libs stuff are all false positives (assuming the package was >> updated after the security fixes came out, I'm not 100% sure about that >> :) And the openssl source is expected to c

Re: How to manage CVE

2012-08-06 Thread Thijs Kinkhorst
Hi Olivier, On Mon, August 6, 2012 10:20, Olivier Sallou wrote: > a CVE has been created for the bug id below in logol package. > > In the meanwhile the issue has been fixed and uploaded. > > Can anyone tell me how to manage CVEs? CVE id is in the bug report, but > should I do something else to de

Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue

2012-08-16 Thread Thijs Kinkhorst
Hi Adam, On Thu, August 16, 2012 07:56, echo083 wrote: > The sun-java6 in the stable branch is the version 1.6.0_26 is there a > plan for any security upgrade ? I'm afraid that's not possible. Oracle has changed licensing such that it's no longer allowed for Debian to distribute newer versions. T

Re: Use of DSA number for general announcements (was: [DSA 2548-1] Debian Security Team PGP/GPG key change notice)

2012-09-13 Thread Thijs Kinkhorst
Hi David, On Fri, September 14, 2012 03:28, David Prevot wrote: >> This is a notice to inform you, that our previous PGP/GPG key expired. > > Thanks for notifying us on debian-security-announce@l.d.o, but I > disagree that such an announcement deserves a DSA number. DSA-2360 was > also a misuse of

Re: DSA for apache2 2.2.16-6+squeeze8

2012-09-18 Thread Thijs Kinkhorst
Hi Adrian, On Tue, September 18, 2012 10:58, Adrian Minta wrote: > is there a DSA for apache2 2.2.16-6+squeeze8 ? No, there is not. apache2 2.2.16-6+squeeze8 is in "squeeze-proposed-updates", a preparation area for packages that will be part of the next Squeeze point update (6.0.6). It is not rel

Re: [SECURITY] [DSA 2670-1] wordpress security update

2012-11-07 Thread Thijs Kinkhorst
On Wed, November 7, 2012 09:33, Raphael Hertzog wrote: >> Are there any plans to further upgrade squeeze in this manner? > > I leave this to Yves-Alexis... It would be nice to formalize this > approach with the security team. I think we should do this only when it has been shown that applying the

Re: Zero Day MySQL Buffer Overflow

2012-12-04 Thread Thijs Kinkhorst
Hi Daniel, On Tue, December 4, 2012 18:33, daniel curtis wrote: > Thank You, I should look there first (Security Tracker). But I see, > that two of three CVE's are marked as 'vulnerable' for all branches; > stable, testing and unstable. Frankly, only first CVE is Fixed for > Squeeze. > It is norm

Re: [SECURITY] [DSA 2605-1] asterisk security update

2013-01-15 Thread Thijs Kinkhorst
On Mon, January 14, 2013 17:53, Carlos Alberto Lopez Perez wrote: > Seems that the upgrade is causing some serious issues (segfaults) on > stable: > > http://bugs.debian.org/698118 > http://bugs.debian.org/698112 The maintainer has made updated packages available for test in response to this probl

Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?

2013-06-20 Thread Thijs Kinkhorst
On Thu, June 20, 2013 09:08, jaros...@thinline.cz wrote: > Can someone please confirm that the Wheezy package is really not > vulnerable? I tried to use the test code from PHP (attached below) on > multiple PHP versions, but it doesn't cause segfaults (as it's supposed > to) on any of those I tried

Re: [SECURITY] [DSA 2725-1] tomcat6 security update

2013-07-19 Thread Thijs Kinkhorst
On Thu, July 18, 2013 19:58, Moritz Muehlenhoff wrote: > Debian Security Advisory DSA-2725-1 secur...@debian.org > Package: tomcat6 > For the oldstable distribution (squeeze), these problems have been fixed > in version 6.0.35-1+squeeze3. Due to an error the update for

Re: apt can't reach security.debian.org

2013-09-06 Thread Thijs Kinkhorst
On Thu, September 5, 2013 23:17, Luke L wrote: > as root, I issue: > apt-get update > > I get errors such as: > Err http://security.debian.org squeeze/updates/main amd64 Packages > 503 Forwarding failure This error is most probably generated by some intermediate proxy between your system and se

Re: [NodeJS NPM] security concerns

2013-10-01 Thread Thijs Kinkhorst
Hi Pedro, On Wed, October 2, 2013 00:57, Pedro Worcel wrote: > NPM nodejs package manager doesn't check for https signatures communicating > with the central repo, which could give an attacker with MITM capabilities > the possibility to execute code. > > The issue is here

Bug#739815: RFA: signing-party -- Various OpenPGP related tools

2014-02-22 Thread Thijs Kinkhorst
Package: wnpp Severity: normal We request an adopter for the signing-party package. There's currently a number of co-maintainers but the majority of them have indicated to have no time to contribute a lot to the package. The package is an interesting collection of tools and in the BTS there's a n

Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Thijs Kinkhorst
Hi all, When using APT to install security updates, by default services using the upgraded libraries are not restarted. Take for example openssl updates: merely doing apt-get update && apt-get upgrade is not enough to be safe: you also need to restart Apache, Postfix, ... Although well-trained

Re: Checking for services to be restarted on a default Debian installation

2014-09-03 Thread Thijs Kinkhorst
On Wed, September 3, 2014 15:05, Michael Stone wrote: > On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote: >>This package is "Priority: optional", and therefore not installed by >>default. What about just making it "important" or "required"? > > On my system it pulled in more t

Re: bash 4.2 for squeeze

2014-09-24 Thread Thijs Kinkhorst
Hi, On Wed, September 24, 2014 21:43, Darko Gavrilovic wrote: > Hi, is there a bash upgrade for squeeze to address the CVE below? > > https://www.debian.org/security/2014/dsa-3032 Updates to squeeze-lts are announced on the debian-lts-announce list. There you will find that this bug has indeed been

Re: Bash still vulnerable (4.2+dfsg-0.1+deb7u1)

2014-09-25 Thread Thijs Kinkhorst
Hi Denny, On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote: > Is it possible to fix also the 2nd part so that bash is really not > vulnerable at all? I saw that Gentoo also patched bash twice. It's indeed known that the bash fixes are incomplete. I would like to stress that the curren

Re: please fix CVE-2014-6271 (bash) for debian6.0

2014-09-26 Thread Thijs Kinkhorst
available through the Squeeze LTS repository. This page has more information for you: https://wiki.debian.org/LTS/Using Kind regards, Thijs Kinkhorst Debian Security Team

FAQ about the bash Shellshock issue

2014-09-27 Thread Thijs Kinkhorst
All, Our colleagues at Red Hat have published a list of frequently asked questions regarding the bash ('shellshock') flaws: https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/ Basically, all answers that are given there apply to Debian just as

Re: [SECURITY] [DSA 3053-1] openssl security update

2014-10-22 Thread Thijs Kinkhorst
On Wed, October 22, 2014 17:17, Jason Fergus wrote: >> > Now that the jessie release is well underway, is it possible either to >> > request unblocks for security uploads or to begin to support a >> > jessie/testing suite in security.debian.org? >> >> Technically nothing is blocked yet (except udeb

Re: Patch / update for znc to disable weak ciphers and SSLv2/SSLv3 protocols

2014-10-27 Thread Thijs Kinkhorst
Hi Chris, On Mon, October 27, 2014 07:48, Chris wrote: > the ZNC IRC Bouncer (https://packages.debian.org/wheezy/znc) finally > allows choosing your own ciphers and disabling the SSLv2/SSLv3 protocols with > these pull requests: > > https://github.com/znc/znc/pull/716 > https://github.com/znc/znc/pull/717

Re: No announce for file update ?

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 10:23, Sébastien NOBILI wrote: > Hi, > > I received an upgrade notification from apticron about "file" packages > (file & > libmagic1) for Wheezy. > > It seems no announce has been sent about this upgrade > (http://www.debian.org/security/). > > Is it safe to upgrade? Ye

Re: SSL 3.0 and older ciphers selected in applications

2014-12-08 Thread Thijs Kinkhorst
Hi Daniel, On Mon, December 8, 2014 09:16, Daniel Pocock wrote: > I've made some changes to TLS code in reSIProcate > > - setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method() > > - adding configuration options to override the options to > SSL_CTX_set_options (as it is possible t

Re: SSL 3.0 and older ciphers selected in applications

2014-12-08 Thread Thijs Kinkhorst
On Mon, December 8, 2014 11:17, Daniel Pocock wrote: > In the library package (libresiprocate-1.9.deb) there is no default > SSL/TLS mode. It uses whatever the project using the library selects. > If some developer wants to enable dynamic selection of TLS version by > using SSLv23_method then they

Re: Issues during Debian Wheezy upgrade libc6:amd64

2015-01-28 Thread Thijs Kinkhorst
Hi Stephane, > I tried to upgrade my Debian Wheezy amd64 arch. > I encountered this issue: > > dpkg: error processing libc6: amd64 (--configure): > the libc6 package: amd64 2.13-38 + deb7u7 cannot be configured because > the version of libc6: i386 is different (2.13-38 + deb7u6) > Errors were