Bug#1107073: roundcube: Post-Auth RCE via PHP Object Deserialization

2025-06-01 Thread Guilhem Moulin
On Sun, 01 Jun 2025 at 11:10:05 +0200, Guilhem Moulin wrote: > Roundcube webmail upstream has recently released 1.6.10 [0] Meant 1.6.11 (and 1.5.10). -- Guilhem.

Bug#1107073: roundcube: Post-Auth RCE via PHP Object Deserialization

2025-06-01 Thread Guilhem Moulin
Source: roundcube Version: 1.6.10+dfsg-2 Severity: grave Control: found -1 1.6.5+dfsg-1+deb12u4 Control: found -1 1.4.15+dfsg.1-1+deb11u4 Tags: security upstream Justification: user security hole Roundcube webmail upstream has recently released 1.6.10 [0] which fixes the following vulnerability:

Bug#1092977: debian-installer: systemd-cryptsetup package not installed on encrypted system

2025-05-24 Thread Guilhem Moulin
Hi, On Sat, 24 May 2025 at 17:41:42 +0200, Cyril Brulebois wrote: > And I'm only spotting one place where cryptsetup makes its way into > /target, via partman-crypto's finish.d/crypto_aptinstall: > >if grep -q " device-mapper$" /proc/misc; then ># We can't check the root node directly

Bug#1106358: bookworm-pu: package libraw/0.20.2-2.1+deb12u1

2025-05-23 Thread Guilhem Moulin
split_row +values are not checked in 0x041f tag processing. (Closes: #1103782) + * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not +enforce minimum w0 and w1 values. (Closes: #1103783) + + -- Guilhem Moulin Sun, 18 May 2025 13:58:06 +0200 + libraw (0.20.2-2.1

Bug#1105888: bookworm-pu: package dropbear/2022.83-1+deb12u3

2025-05-16 Thread Guilhem Moulin
2025-05-16 15:01:36.0 +0200 @@ -1,3 +1,9 @@ +dropbear (2022.83-1+deb12u3) bookworm; urgency=high + + * Fix CVE-2025-47203: Shell injection vulnerability in multihop handling. + + -- Guilhem Moulin Fri, 16 May 2025 15:01:36 +0200 + dropbear (2022.83-1+deb12u2) bookworm; urgency=m

Bug#1104605: signing-party: caff returns 0 with ok message without sending email

2025-05-04 Thread Guilhem Moulin
Control: tag -1 + moreinfo Hi, On Fri, 02 May 2025 at 17:31:19 -0300, Ana Claudia de Oliveira wrote: > It gives the impression the email was send but it didn't send. I don't > have mta configured. Do you have an existing /usr/sbin/sendmail (or the mailer defined by $CONFIG{'mailer-send'} in caff

Bug#1100948: dropbear 2025.87 changes break OpenSSH's regression test suite

2025-04-05 Thread Guilhem Moulin
Source: openssh Version: 1:9.9p2-1 Severity: important Tags: patch fixed-upstream Hi, Since 2025.87-1 dropbear(8) and dbclient(1) are now built without support for the ‘hmac-sha1’ integrity algorithm, ‘ssh-rsa’ key algorithm, and ‘diffie-hellman-group14-sha1’ key exchange algorithm. That change

Bug#1099043: php-crypt-gpg: Crypt_GPG test suite is wrong for Cleartext Signature Framework (CSF) messages

2025-03-13 Thread Guilhem Moulin
Hi, On Wed, 12 Mar 2025 at 15:13:03 -0400, Daniel Kahn Gillmor wrote: > On Wed 2025-03-12 18:13:49 +0100, Andreas Metzler wrote: >> php-crypt-gpg 1.6.9-3 can be built against gnupg 2.2.46-1 but fails >> against gnupg 2.2.46-3 and later. And vice versa the patched testsuite >> of php-crypt-gpg 1.6.

Bug#1099634: roundcube-core: fails to install with sqlite3 database

2025-03-06 Thread Guilhem Moulin
Control: reassign -1 roundcube-core 1.6.5+dfsg-1+deb12u4 Control: tag -1 moreinfo unreproducible Hi, On Thu, 06 Mar 2025 at 03:12:52 +, Mario Joussen wrote: > I tried to install roundcube with the sqlite3 database today on a fresh > Debian 12 system. > Unfortunately the installation didn't s

Bug#1096031: nmu: haskell-gi-pango_1.0.30-1

2025-02-15 Thread Guilhem Moulin
Package: release.debian.org Severity: normal X-Debbugs-Cc: haskell-gi-pa...@packages.debian.org Control: affects -1 + src:haskell-gi-pango User: release.debian@packages.debian.org Usertags: binnmu nmu haskell-gi-pango_1.0.30-1 . ANY -i386 . sid . -m "Rebuild with libpango-1.0-0=1.56.1 Pango

Bug#1095970: bookworm-pu: package sssd/2.8.2-4+deb12u1

2025-02-14 Thread Guilhem Moulin
d/.gitignore file to exclude d/p/*.patch from upstream gitignore(5)'d + rules. + + -- Guilhem Moulin Sun, 09 Feb 2025 11:45:11 +0100 + sssd (2.8.2-4) unstable; urgency=medium [ Sam Morris ] diff -Nru sssd-2.8.2/debian/.gitlab-ci.yml sssd-2.8.2/debian/.gitlab-ci.yml --- sssd-2.

Bug#1093206: roundcube-core: gc.sh write an error every hour on the log

2025-01-16 Thread Guilhem Moulin
Control: reassign -1 php-pear Control: forcemerge 1090887 -1 Control: affects 1090887 roundcube-core On Thu, 16 Jan 2025 at 12:16:36 +0100, Francois Mescam wrote: > Since I've install php 8.2-4 I assume you mean 8.4 not 8.2, at least that's what the bottom of your report says. > every hour I've

Bug#1092245: dropbear: initscript dropbear, action "start" failed.

2025-01-06 Thread Guilhem Moulin
Did you already have openssh-server installed at the time you tried installing dropbear, and/or did you have anything listening on tcp/22? -- Guilhem.

Bug#1091547: bookworm-pu: package sqlparse/0.4.2-1+deb12u1

2024-12-28 Thread Guilhem Moulin
* Adjust d/salsa-ci.yml for bookworm. + + -- Guilhem Moulin Sat, 21 Dec 2024 18:18:53 +0100 + sqlparse (0.4.2-1) unstable; urgency=medium * Team upload. diff -Nru sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch sqlparse-0.4.2/debian/patches/CVE-2023-30608.patch --- sqlparse-0.4.2/debian/p

Bug#1091228: /usr/bin/debdiff: `debdiff --apply-patches` doesn't work anymore

2024-12-23 Thread Guilhem Moulin
est pn svn-buildpackage pn w3m -- no debconf information -- Guilhem. From 63e5c19737fcf33198077c2a5c4ca65d478b1982 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 23 Dec 2024 17:01:31 +0100 Subject: [PATCH] debdiff: Always call dpkg-source(1) when `--a

Bug#1091207: bookworm-pu: package opensc/0.23.0-0.3+deb12u2

2024-12-23 Thread Guilhem Moulin
* Fix CVE-2024-45620: Incorrect handling length of buffers or files in +pkcs15init. (Closes: #1082864) + * Add d/salsa-ci.yml for Salsa CI. + + -- Guilhem Moulin Sun, 22 Dec 2024 19:35:04 +0100 + opensc (0.23.0-0.3+deb12u1) bookworm; urgency=medium * Team upload diff -Nru --exclude '*.pa

Bug#1091087: bookworm-pu: package python-urllib3/1.26.12-1+deb12u1

2024-12-22 Thread Guilhem Moulin
st d/salsa-ci.yml for bookworm. + * Adjust d/gbp.conf for bookworm. + + -- Guilhem Moulin Sat, 21 Dec 2024 15:28:17 +0100 + python-urllib3 (1.26.12-1) unstable; urgency=medium * Team upload. diff -Nru python-urllib3-1.26.12/debian/gbp.conf python-urllib3-1.26.12/debian/gbp.conf --- python-ur

Bug#1090887: php-pear: PHP Deprecated: Calling get_class() without arguments is deprecated

2024-12-20 Thread Guilhem Moulin
Package: php-pear Version: 1:1.10.13+submodules+notgz+2022032202-2 Severity: important Tags: fixed-upstream Control: forwarded -1 https://github.com/pear/pear-core/pull/135 The following deprecation warning is spewed with PHP8.4 (now in unstable): PHP Deprecated: Calling get_class() without

Bug#1033802: (no subject)

2024-11-12 Thread Guilhem Moulin
On Sun, 10 Nov 2024 at 20:28:10 -0400, k...@va1der.ca wrote: > However, I suggest whether or not the network adapter requirement is > documented (even if it wasn't documented it's a no-brainer), the resulting > behaviour of the script in the absence of a network adapter added to > /etc/initramfs-to

Bug#1033802: dropbear-initramfs: sleep and cat not found

2024-11-12 Thread Guilhem Moulin
On Tue, 12 Nov 2024 at 15:02:21 +0100, Fabien Wernli wrote: > I'm having the exact same issue with my fresh install of Debian Bookworm > on an HP Elitebook 840 G11. I installed dropbear-initramfs and whenever I > boot without the RTL8153 usb network dongle, I have a looping output on > pts/0 saying

Bug#1072630: Help needed on providing the en_US locale in autopkgtests

2024-11-05 Thread Guilhem Moulin
Hi, On Wed, 06 Nov 2024 at 09:31:36 +0900, Charles Plessy wrote: > So if you know a good way to enable debci to provide the needed locale > to debci, please let me know. I believe that the thread starting with https://lists.debian.org/msgid-search/yqgfe7ef7wux9...@torres.zugschlus.de was for test

Bug#1086685: cryptsetup-initramfs: Fails to include all LUKS LVM PVs required to activate VG

2024-11-05 Thread Guilhem Moulin
On Mon, 04 Nov 2024 at 17:43:07 +, Tj wrote: > This really is not an lvm problem; lvm never should try to activate an > incomplete volume group especially if some of the logical volumes span > the physical volume that is missing - and that is the case here due to > the cryptroot hook script not

Bug#1086685: cryptsetup-initramfs: Fails to include all LUKS LVM PVs required to activate VG

2024-11-03 Thread Guilhem Moulin
Control: unarchive 1018730 Control: reassign -1 lvm2 2.03.15-1 Control: forcemerge 1018730 -1 Control: affects -1 cryptsetup-initramfs On Sun, 03 Nov 2024 at 20:25:18 +, Tj wrote: > As a result VG fails to activate. That's https://bugs.debian.org/1034836#75 . You can use the ‘initramfs’ cryp

Bug#1081552: cryptroot not run as the last in local-top

2024-09-12 Thread Guilhem Moulin
Control: tag -1 unreproducible moreinfo On Thu, 12 Sep 2024 at 20:12:17 +0200, Paweł Bogusławski wrote: > if one creates /etc/initramfs-tools/scripts/local-top/crypti, crypti > won't be called before cryptroot on boot. Works here, on bookworm as well as sid systems. Which files do you have in sc

Bug#1076420: Processed: ITPs block move away from cdbs

2024-09-10 Thread Guilhem Moulin
On Tue, 10 Sep 2024 at 13:40:06 +0200, Alexandre Rossi wrote: >>> Bug #1076420 [src:uwsgi] uwsgi: move away from cdbs >>> […] >>> Added blocking bug(s) of 1076420: 1078557 >> >> Wrong bug number? #1078557 is for a leaf package and has nothing to do >> with uwsgi or CDBS. > > Sorry for that, fixing

Bug#1076420: Processed: ITPs block move away from cdbs

2024-09-10 Thread Guilhem Moulin
Control: unblock 1076420 by 1078557 On Tue, 10 Sep 2024 at 11:33:07 +, Debian Bug Tracking System wrote: > Processing commands for cont...@bugs.debian.org: >> block 1076420 by 1078557 > Bug #1076420 [src:uwsgi] uwsgi: move away from cdbs > […] > Added blocking bug(s) of 1076420: 1078557 Wrong

Bug#1080204: cryptsetup-initramfs: try to use passphrase for multiple device

2024-08-31 Thread Guilhem Moulin
Hi, On Sat, 31 Aug 2024 at 15:14:42 +, Johannes Berg wrote: > Since I have four devices with the same passphrase (they end > up building a btrfs array, so they're all needed), it'd be > nice to (try) using the passphrase for the first, so I don't > have to enter it four times. See /usr/share/

Bug#1073052: fixed in cryptsetup 2:2.7.4-1

2024-08-25 Thread Guilhem Moulin
Hi Paul, On Sun, 25 Aug 2024 at 09:56:59 +0200, Paul Gevers wrote: > Well, if those are currently only run on amd64 and i386, it might be worth > indeed to stop marking them flaky and only run on amd64 (or mark them > skippable and only "exit 77" on i386 on failure, such that failure on amd64 > is

Bug#1073052: fixed in cryptsetup 2:2.7.4-1

2024-08-24 Thread Guilhem Moulin
On Sat, 24 Aug 2024 at 21:25:03 +0200, Paul Gevers wrote: > On 24-08-2024 20:53, Guilhem Moulin wrote: >> Awesome, thanks! Right now these tests have “Architecture: amd64 i386”, >> is the runner able to run i386 too or should I remove it from the list? > > Tests with isolat

Bug#1073052: fixed in cryptsetup 2:2.7.4-1

2024-08-24 Thread Guilhem Moulin
On Sat, 24 Aug 2024 at 19:16:01 +0200, Paul Gevers wrote: > On 24-08-2024 19:10, Guilhem Moulin wrote: >> Great news that would be much appreciated, thanks! > > Done. > > I triggered a migration-reference/0 run in testing. Awesome, thanks! Right now these tests have “Arc

Bug#1073052: fixed in cryptsetup 2:2.7.4-1

2024-08-24 Thread Guilhem Moulin
Hi Paul, On Sat, 24 Aug 2024 at 17:50:22 +0200, Paul Gevers wrote: > On Sun, 04 Aug 2024 22:19:30 + Debian FTP Masters > wrote: >> * DEP-8: Mark cryptroot-* as flaky. To be re-evaluated if/when the >> tests only run on environment where KVM is available. (Closes: #1073052) > > On amd64 we

Bug#1079392: dropbear-initramfs: This is the same bug ar achived 1033802

2024-08-23 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Fri, 23 Aug 2024 at 13:22:01 +1200, jfp wrote: > I get the decrypt prompt on the console, I enter the passphrase then the boot > continues. You enter the passphrase at a local console, not from an SSH client, right? Note that if you don't need remote unlocking you can

Bug#1079068: cryptsetup: Waiting for encrypted source device

2024-08-20 Thread Guilhem Moulin
On Mon, 19 Aug 2024 at 22:40:32 -0400, briag...@disroot.org wrote: > I tried again on a new machine. I was able to reproduce the issue by > following the steps I outlined before. I then did a full reinstall - but > this time after switching to the sid repos and running full-upgrade I > installed sy

Bug#1079068: cryptsetup: Waiting for encrypted source device

2024-08-19 Thread Guilhem Moulin
On Mon, 19 Aug 2024 at 15:01:38 -0400, Brian Smith wrote: > I decided to do a fresh install to diagnose the issue. I grabbed the latest > mini.iso and did a fresh install with encrypted LVM. I was able to boot with no > issues. I then updated my apt sources to point to sid instead of trixie and > r

Bug#1078775: Bug#1078777: roundcube-core: Empty groups in adressbook silently not exported

2024-08-15 Thread Guilhem Moulin
Hi, On Thu, 15 Aug 2024 at 22:03:26 +, Einhard Leichtfuß wrote: > when exporting an addressbook via the Roundcube web UI ("Export all"), > any group without members is silently ignored. Looks like this issue and the other 3 you just reported are upstream issues, please report them at the ups

Bug#1078760: autopkgtest-build-qemu produces unbootable images for old suites

2024-08-15 Thread Guilhem Moulin
Package: autopkgtest Version: 5.39 Severity: normal Tags: patch Hi, It appears that running autopkgtest-build-qemu on a sid system produces unbootable images for bullseye LTS and older suites. AFAICT that's because autopkgtest-build-qemu creates the guest's root filesystem using the host's mkfs.ex

Bug#1078557: pullimap: create directories that you require

2024-08-12 Thread Guilhem Moulin
> $ pullimap --debug SECTION > No such directory: /home/user/.local/share at > /usr/share/perl5/Net/IMAP/InterIMAP.pm line 102. > > If you need a certain directory and it does not exist... create it? Per the XDG Base Directory Specification $XDG_DATA_HOME/pullimap (or ~/.local/share/pullimap if X

Bug#1078456: roundcube-core: Can't print, rescale or rotate image attachments

2024-08-10 Thread Guilhem Moulin
Package: roundcube-core Version: 1.6.8+dfsg-1 Severity: normal Tags: upstream pending Control: found -1 1.6.5+dfsg-1+deb12u3 Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9571 The upstream fix for CVE-2024-42008 (from 1.6.8 and backported to 1.6.5+dfsg-1+deb12u3) sets a

Bug#1077969: roundcube: CVE-2024-42008, CVE-2024-42009, CVE-2024-42010: XSS and information leak vulnerabilities

2024-08-05 Thread Guilhem Moulin
Source: roundcube Version: 1.6.7+dfsg-1 Severity: important Found: -1 1.4.15+dfsg.1-1+deb11u3 Found: -1 1.6.5+dfsg-1+deb12u2 Tags: upstream security Roundcube webmail upstream has recently released 1.6.8 [0] which fixes the following vulnerabilities: * CVE-2024-42008: XSS vulnerability in servin

Bug#1077652: bullseye-pu: package libvirt/7.0.0-3+deb11u3

2024-07-31 Thread Guilhem Moulin
: #1066058) + * Fix CVE-2024-2494: Missing check for negative array lengths in RPC server +de-serialization routines. (Closes: #1067461) + * Fix CVE-2024-2496: NULL pointer dereference in the +udevConnectListAllInterfaces() function. + + -- Guilhem Moulin Tue, 30 Jul 2024 21:35:28 +0200

Bug#1076208: cryptsetup: Additional encrypted partition times out during startup

2024-07-12 Thread Guilhem Moulin
Hi, On Fri, 12 Jul 2024 at 15:05:03 +, Mark Brandis wrote: > the computer boots from an encrypted partition which works fine. During > startup an additional NVMe is mounted decrypted via crypttab and then > mounted to /data. > > This no longer works. I have to login as root and execute the fol

Bug#1069768: The 'no-agent-forwarding' key restriction disables server alive message support

2024-07-09 Thread Guilhem Moulin
On Tue, 09 Jul 2024 at 14:20:59 +0200, Guilhem Moulin wrote: > On Sat, 29 Jun 2024 at 15:52:49 +0200, Lee Garrett wrote: >> Hi Guilhem, could you give quick feedback on this? I'm also happy to prepare >> a NMU for bookworm if you can't find the time for it. > >

Bug#1076016: bullseye-pu: package dropbear/2020.81-3+deb11u2

2024-07-09 Thread Guilhem Moulin
when the +‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was +used. (Closes: #1069768) + + -- Guilhem Moulin Tue, 09 Jul 2024 15:51:42 +0200 + dropbear (2020.81-3+deb11u1) bullseye; urgency=medium * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the

Bug#1076015: bookworm-pu: package dropbear/2022.83-1+deb12u2

2024-07-09 Thread Guilhem Moulin
+‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was +used. (Closes: #1069768) + + -- Guilhem Moulin Tue, 09 Jul 2024 14:22:02 +0200 + dropbear (2022.83-1+deb12u1) bookworm; urgency=medium * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with

Bug#1069768: The 'no-agent-forwarding' key restriction disables server alive message support

2024-07-09 Thread Guilhem Moulin
On Sat, 29 Jun 2024 at 15:52:49 +0200, Lee Garrett wrote: > Hi Guilhem, could you give quick feedback on this? I'm also happy to prepare > a NMU for bookworm if you can't find the time for it. In my view this issue doesn't warrant an (o)s-pu upload on its own, but the fix is trivial so I can do it

Bug#1072847: fixed in lacme 0.8.3-1

2024-07-05 Thread Guilhem Moulin
Hi Sakari, On Fri, 05 Jul 2024 at 08:23:56 +, Sakari Ailus wrote: > The removal of the intermediate certificates (or not including the current > ones) however is an issue as the server using the issued certificate still > needs to provide them to the clients. The path pointed to by ‛certifica

Bug#1073175: bookworm-pu: package lacme/0.8.2-1+deb12u1

2024-06-13 Thread Guilhem Moulin
nment. + * d/gbp.conf: Set 'debian-branch = debian/bookworm'. + + -- Guilhem Moulin Fri, 14 Jun 2024 01:20:13 +0200 + lacme (0.8.2-1) unstable; urgency=medium * New upstream bugfix release. diff -Nru lacme-0.8.2/debian/gbp.conf lacme-0.8.2/debian/gbp.conf --- lacme-0.8.2/debian/gbp.conf 2023-

Bug#1073174: bullseye-pu: package lacme/0.8.0-2+deb11u2

2024-06-13 Thread Guilhem Moulin
nst current Let's Encrypt staging environment. + + -- Guilhem Moulin Thu, 13 Jun 2024 19:19:07 +0200 + lacme (0.8.0-2+deb11u1) bullseye; urgency=medium * client: Handle "ready" → "processing" → "valid" status change during diff -Nru lacme-0.8.0/debian/patche

Bug#1073116: bookworm-pu: package python-idna/3.3-1+deb12u1

2024-06-12 Thread Guilhem Moulin
+ * Non-maintainer upload. + * Fix CVE-2024-3651: Specially crafted inputs to idna.encode() can consume +significant resources, which may lead to denial of service. +(Closes: #1069127) + + -- Guilhem Moulin Thu, 30 May 2024 14:31:22 +0200 + python-idna (3.3-1) unstable; urgency=medium

Bug#1073115: bullseye-pu: package python-idna/2.10-1+deb11u1

2024-06-12 Thread Guilhem Moulin
ency=high + + * Non-maintainer upload. + * Fix CVE-2024-3651: Specially crafted inputs to idna.encode() can consume +significant resources, which may lead to denial of service. +(Closes: #1069127) + + -- Guilhem Moulin Thu, 30 May 2024 13:49:43 +0200 + python-idna (2.10-1) unstable; urgenc

Bug#1072847: lacme: Post-issuance validation fails in the default configuration

2024-06-08 Thread Guilhem Moulin
Package: lacme Version: 0.8.2-1 Severity: grave Justification: renders package unusable Let's Encrypt has recently rotated its intermediate certificates [0]. The previous intermediate certificates (lets-encrypt-r[34].pem and lets-encrypt-e[12].pem) are concatenated along side the roots (isrgrootx1

Bug#1072058: [pkg-cryptsetup-devel] Bug#1072058: Bug#1017542: systemd-cryptsetup@vda5_crypt.service: Control process exited, code=exited, status=1/FAILURE

2024-06-02 Thread Guilhem Moulin
On Mon, 03 Jun 2024 at 00:14:39 +0100, Luca Boccassi wrote: > On Mon, 3 Jun 2024 at 00:09, Guilhem Moulin wrote: >> On Sun, 02 Jun 2024 at 23:35:57 +0100, Luca Boccassi wrote: >>> I gather the initramfs scripts are not calling a deferred close after >>> mounting the r

Bug#1072058: [pkg-cryptsetup-devel] Bug#1072058: Bug#1017542: systemd-cryptsetup@vda5_crypt.service: Control process exited, code=exited, status=1/FAILURE

2024-06-02 Thread Guilhem Moulin
On Sun, 02 Jun 2024 at 23:35:57 +0100, Luca Boccassi wrote: > Yes, the purpose of the option is to leave that device alone, as it > cannot be closed from the host os, as programs will be running from > it. It doesn't leave the device alone though as it still tries to detach it. > I gather the ini

Bug#1072058: [pkg-cryptsetup-devel] Bug#1072058: Bug#1017542: systemd-cryptsetup@vda5_crypt.service: Control process exited, code=exited, status=1/FAILURE

2024-06-02 Thread Guilhem Moulin
Control: tag -1 = pending Hi, On Mon, 27 May 2024 at 23:32:13 +0100, Luca Boccassi wrote: > Please consider applying the same change in the initramfs-tools > cryptsetup scripts, so that x-initrd.attach is recognized (and no > warning is printed), and so that it is added if missing. Thanks. While

Bug#1071474: roundcube: xx

2024-05-19 Thread Guilhem Moulin
Source: roundcube Version: 1.6.6+dfsg-2 Severity: important Control: found -1 1.6.5+dfsg-1~deb12u1 Control: found -1 1.4.15+dfsg.1-1~deb11u2 Control: found -1 1.3.17+dfsg.1-1~deb10u5 Tags: security upstream Roundcube webmail upstream has recently released 1.6.7 [0] which fixes the following vulner

Bug#1069127: python-idna: CVE-2024-3651

2024-05-08 Thread Guilhem Moulin
Hi, On Tue, 16 Apr 2024 at 21:35:22 +0200, Salvatore Bonaccorso wrote: > The following vulnerability was published for python-idna. > > CVE-2024-3651[0]: > | potential DoS via resource consumption via specially crafted inputs to > | idna.encode() I'm preparing an update for this issue for Buster

Bug#1067763: interimap fails on 32-bit arches with 64-bit time_t

2024-05-04 Thread Guilhem Moulin
Control: tag -1 pending Hi, On Tue, 26 Mar 2024 at 13:44:28 +0100, Simon Chopin wrote: > interimap is packing structs that are sensible to the time_t transition. > Please see the attached debdiff as a *very* crude attempt to fix it in > Ubuntu. I'm hoping it'll be possible to come up with a neate

Bug#1070314: cryptsetup: backward incompatible change for plain mode when relying on defaults

2024-05-03 Thread Guilhem Moulin
Package: release-notes Severity: wishlist Hi, cryptsetup 2:2.7.0~rc0-1 has a backward incompatible change for plain mode when relying on defaults cipher and password hashing algorithm. The change affects users upgrading from bookworm to trixie. Plain mode is generally advised against but it sti

Bug#1068415: nghttp2: CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

2024-04-30 Thread Guilhem Moulin
Hi Tomasz, On Fri, 5 Apr 2024 at 01:11:41 +0200, Tomasz Buchert wrote: > Looking into older versions and appropriately patching them will take > more time. I'm preparing an update for this issue for Buster LTS and can hand tested debdiffs over to the Security Team for newer suites if you'd like.

Bug#1068849: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-26 Thread Guilhem Moulin
On Sat, 27 Apr 2024 at 02:07:21 +0200, Christoph Anton Mitterer wrote: > So you say it's a glibc thingy, that this doesn't show up anymore? Yup, that's what I wrote https://bugs.debian.org/1032235#97 | It was intentional, see the article | https://developers.redhat.com/articles/2021/12/17/why-gl

Bug#1068849: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-26 Thread Guilhem Moulin
Hi, On Sat, 27 Apr 2024 at 00:33:51 +0200, Christoph Anton Mitterer wrote: > Now the problem is that argon2 is statically linked, so there's no > libpthread showing up in its ldd, and thus copy_exec doesn't realise it > needs to invoke copy_libgcc. Even if it weren't, libpthread wouldn't show up sin

Bug#1069768: The 'no-agent-forwarding' key restriction disables server alive message support

2024-04-24 Thread Guilhem Moulin
Control: reassign -1 dropbear-bin 2022.83-1+deb12u1 Control: retitle -1: The 'no-agent-forwarding' key restriction disables server alive message support Control: tag -1 upstream On Wed, 24 Apr 2024 at 18:38:26 +0200, Guilhem Moulin wrote: > On Wed, 24 Apr 2024 at 17:10:57 +0200, G

Bug#1069768: dropbear-initramfs becomes unresponsive after several connection attempts

2024-04-24 Thread Guilhem Moulin
Control: tag -1 - moreinfo unreproducible On Wed, 24 Apr 2024 at 17:10:57 +0200, Guilhem Moulin wrote: >> It should be trivially reproducible by running `ssh -o ServerAliveCountMax=3 >> -o ServerAliveInterval=1 root@yourdropbearserver`. The client should then >> disconne

Bug#1069768: dropbear-initramfs becomes unresponsive after several connection attempts

2024-04-24 Thread Guilhem Moulin
On Wed, 24 Apr 2024 at 16:32:09 +0200, Lee Garrett wrote: > Although the dropbear man page is not explicit, I'm assuming it refers to > TCP keepalive. I think this assumption is incorrect: https://sources.debian.org/src/dropbear/2024.84-1/src/common-session.c/#L497 > It should be trivially reprod

Bug#1069768: dropbear-initramfs becomes unresponsive after several connection attempts

2024-04-24 Thread Guilhem Moulin
Control: tag -1 unreproducible moreinfo Hi, On Wed, 24 Apr 2024 at 14:42:43 +0200, Lee Garrett wrote: > After some debugging, it turns out that ServerAliveInterval != 0 will cause > the > ssh client to reset the connection, which dropbear will count as unlock > attempt, > and after three tries

Bug#1059412: netcat-openbsd: diff for NMU version 1.226-1.1

2024-04-22 Thread Guilhem Moulin
Hi Chris, On Mon, 22 Apr 2024 at 01:43:26 +0200, Chris Hofstaedtler wrote: > I've prepared an NMU for netcat-openbsd (versioned as 1.226-1.1) and > uploaded it to DELAYED/7. Please feel free to tell me if I > should delay it longer. Ooops sorry, that bug fell off-screen. No issue with the NMU, f

Bug#1068849: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-14 Thread Guilhem Moulin
Control: reopen -1 Control: tag -1 - unreproducible moreinfo On Sun, 14 Apr 2024 at 21:26:25 +0200, Guilhem Moulin wrote: > At this point something triggered rebuilding a new initramfs image, but > that's not src:cryptsetup as none of its binary packages have been > upgraded y

Bug#1068848: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-13 Thread Guilhem Moulin
On Sat, 13 Apr 2024 at 10:06:32 -0400, Wesley Schwengle wrote: > I had the same issue a while back, because of the t64 transitioning I chalked > it up to that. I fixed it as described in Ubuntu bug: > > https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1958594 libcryptsetup12 doesn't

Bug#1068849: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-12 Thread Guilhem Moulin
On Fri, 12 Apr 2024 at 14:37:16 +0200, Guilhem Moulin wrote: > What is that “GUI” view? src:cryptsetup doesn't provide that, I wonder > if it might be what needs libphtread. FWIW, I later noticed you used a splash screen (plymouth) and thought it might be because of that, but I s

Bug#1068849: cryptsetup: Fails to unlock the filesystem with missing libgcc_s.so.1

2024-04-12 Thread Guilhem Moulin
Control: tag -1 + unreproducible moreinfo On Fri, 12 Apr 2024 at 12:45:09 +0200, Milan Broz wrote: > Just FYI (for upstream code): if cryptsetup/libcryptsetup is linked with > OpenSSL >= 3.2, > it does not need libphtread (as threads are implemented in OpenSSL for Argon2 > internally). Thanks f

Bug#1068465: plugin thunderbird_labels and keyboard_shortcuts causing traces

2024-04-06 Thread Guilhem Moulin
On Sat, 06 Apr 2024 at 13:37:23 +0200, Christian Schwamborn wrote: > Just out of curiosity: Why aren't those patches the current stable > bookworm package of roundcube-plugins-extra included? Because the issues were not fixed in time for the Bookworm freeze. An upload to bookworm-backports might

Bug#1067154: dropbear-initramfs: please allow generating distinct hostkey instead of copying host's

2024-03-19 Thread Guilhem Moulin
On Tue, 19 Mar 2024 at 13:50:34 +0100, Daniel Gröber wrote: > Ah, that makes sense. Well that's easy enough for me to fix then not sure > how I missed that while staring at the hook script. I really should have my > green tea before reporting bugs ;) > > Sorry for the noise. No worries :-) I beli

Bug#1067154: dropbear-initramfs: please allow generating distinct hostkey instead of copying host's

2024-03-19 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Tue, 19 Mar 2024 at 12:37:08 +0100, Daniel Gröber wrote: > In that setup there's really no point to reusing the hosts' private > keys and expose them in the initrd unencrypted. Agreed, but AFAICT that's not the case anymore since 2015.68-1. New host keys are gene

Bug#1065529: interimap: Testsuite fails with openssl 3.2

2024-03-06 Thread Guilhem Moulin
Hi Sebastian, Great to hear OpenSSL 3.2 will soon be entering sid! :-) On Wed, 06 Mar 2024 at 07:59:53 +0100, Sebastian Andrzej Siewior wrote: > I'm currently puzzled where to look at. Could you please have a look? It seems openssl-req(1ssl) now generates X.509 version 3 certificates by default.

Bug#1060270: cryptsetup /usr-move DEP17

2024-03-03 Thread Guilhem Moulin
Hi Helmut, On Tue, 27 Feb 2024 at 14:28:33 +0100, Helmut Grohne wrote: > Please reupload the patch to experimental (with a version higher than > unstable) assuming that cryptsetup-nuke-password will use version 5 as I > am in contact with Raphael Hertzog. Done in 2:2.7.0-1+exp2. Note though that

Bug#1065073: cryptsetup: Make the information about changes of default cypher and hash in 2.7.0 more visible

2024-02-29 Thread Guilhem Moulin
ound in the ‘cryptsetup’ binary package have spewed a loud warning for plain devices from crypttab(5) where ‘cipher=’ or ‘hash=’ are not explicitly specified. The cryptsetup(8) executable now issues such a warning as well. -- Guilhem Moulin Wed, 29 Nov 2023 17:19:10 +0100 Also

Bug#1060270: closed by Debian FTP Masters (reply to Guilhem Moulin ) (Bug#1060270: fixed in cryptsetup 2:2.7.0-1)

2024-02-27 Thread Guilhem Moulin
On Tue, 27 Feb 2024 at 13:19:16 +0100, Helmut Grohne wrote: > Can you explain why you reverted? We need this change in unstable > sooner rather than later to move forward with base-files and I already > announced my intention to NMU. The first message of this bug reads: | * Please upload these c

Bug#1062756: cryptsetup-initramfs Debian bug with libpam-tmpdir and /tmp mounted with noexec

2024-02-14 Thread Guilhem Moulin
On Wed, 14 Feb 2024 at 13:58:00 +, Patrick Schleizer wrote: > This is not a bug in a downstream distribution. > […] > Could this be fixed in Debian please? I don't see how this would be a bug in cryptsetup-initramfs when mkinitramfs(8) explicitly says DESTDIR should not be mounted with the no

Bug#1063835: roundcube: When upgrading from roundcube 1.4.15+dfsg.1-1~deb11u2 to 1.6.5+dfsg-1~deb12u1 error "table roundcube.filestore does not exist" is thrown, not handled

2024-02-13 Thread Guilhem Moulin
Control: reassign -1 roundcube-mysql Control: tag - 1 unreproducible On Tue, 13 Feb 2024 at 11:47:12 +, Andrew Gallagher via Pkg-roundcube-maintainers wrote: > When upgrading roundcube to the latest version, the mariadb schema > upgrade fails due to a missing table "roundcube.filestore". > Th

Bug#1062756: cryptsetup-initramfs: cryptkeyctl script fails to discover decrypt_keyctl even when present

2024-02-02 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Fri, 02 Feb 2024 at 18:44:43 -0500, abrasamji wrote: > update-initramfs log excerpt with set -x: > > Calling hook cryptkeyctl > + PREREQ=cryptroot > + . /usr/share/initramfs-tools/hook-functions > + [ ! -x /tmp/user/0/mkinitramfs_LhQz6c/lib/cryptsetup/scripts/decry

Bug#1062471: Does not handle OAuth2 + unauthenticated setups correctly

2024-02-01 Thread Guilhem Moulin
On Thu, 01 Feb 2024 at 17:08:39 +0100, Jordi Mallach wrote: > Upstream fixed this in > https://github.com/roundcube/roundcubemail/commit/504cdb89a5ed2c0c3491f99abb206dfb42b1200b > and the patch applies well to the bookworm branch. That branch aims at following upstream's 1.6.x so I'm reluctant to

Bug#1061472: bullseye-pu: package tinyxml/2.6.2-4+deb11u2

2024-01-30 Thread Guilhem Moulin
On Thu, 25 Jan 2024 at 04:44:12 +0100, Guilhem Moulin wrote: > [ Changes ] > > Fix CVE-2023-34194: Reachable assertion (and application exit) via a > crafted XML document with a '\0' located after whitespace. Per https://bugs.debian.org/1061473#12 I guess you'd like C

Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1

2024-01-29 Thread Guilhem Moulin
Control: tags -1 - moreinfo On Mon, 29 Jan 2024 at 21:55:37 +, Adam D. Barratt wrote: > > On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote: >> Fix CVE-2023-34194: Reachable assertion (and application exit) via a >> crafted XML document with a '\0'

Bug#1061622: Some e-mail attachments are invisible

2024-01-27 Thread Guilhem Moulin
Control: reassign -1 roundcube-core 1.6.6+dfsg-1 Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/5051 Control: tag -1 upstream On Sat, 27 Jan 2024 at 15:38:43 +0100, BohwaZ wrote: > I am suggesting this patch here as upstream doesn't want to fix > this longstanding issue: >

Bug#1061556: bullseye-pu: package dropbear/2020.81-3+deb11u1

2024-01-26 Thread Guilhem Moulin
size to 4G as the previous size was +too small for bullseye-security updates (kernel etc.). + * Salsa CI: Target bullseye and disable lintian job. + + -- Guilhem Moulin Fri, 26 Jan 2024 12:00:26 +0100 + dropbear (2020.81-3) unstable; urgency=medium * Initramfs: Use 10 placeholders in

Bug#1061549: bookworm-pu: package dropbear/2022.83-1+deb12u1

2024-01-26 Thread Guilhem Moulin
ently end up with a +connection for which some security features have been downgraded or +disabled, aka a Terrapin attack. (Closes: #1059001) + + -- Guilhem Moulin Fri, 26 Jan 2024 10:01:00 +0100 + dropbear (2022.83-1) unstable; urgency=medium * New upstream release 2022.83. Suppor

Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1

2024-01-24 Thread Guilhem Moulin
ument with a '\0' located after whitespace. + (Closes: #1059315) + + -- Guilhem Moulin Thu, 25 Jan 2024 04:27:36 +0100 + tinyxml (2.6.2-6) unstable; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/

Bug#1061472: bullseye-pu: package tinyxml/2.6.2-4+deb11u2

2024-01-24 Thread Guilhem Moulin
d XML document with a '\0' located after whitespace. + (Closes: #1059315) + + -- Guilhem Moulin Thu, 25 Jan 2024 04:12:05 +0100 + tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-

Bug#1061471: bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1

2024-01-24 Thread Guilhem Moulin
On Thu, 25 Jan 2024 at 03:54:46 +0100, Guilhem Moulin wrote: > [x] attach debdiff against the package in oldstable Oops, doing that now :-) -- Guilhem. diffstat for xerces-c-3.2.3+debian xerces-c-3.2.3+debian changelog |

Bug#1061471: bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1

2024-01-24 Thread Guilhem Moulin
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: xerce...@packages.debian.org Control: affects -1 + src:xerces-c [ Reason ] xerces-c 3.2.3+debian-3 is vulnerable to CVE-2023-37536 (Integer overflows in DFAContentMo

Bug#1059001: dropbear: CVE-2023-48795

2024-01-24 Thread Guilhem Moulin
Hi, On Tue, 19 Dec 2023 at 09:08:00 +0100, Salvatore Bonaccorso wrote: > The following vulnerability was published for dropbear. > > CVE-2023-48795[0]: > […] > Dropbear commit [1] implements the Strict KEX mode as well. In my > understanding of [2] the issue might be less of a security concern for

Bug#1060270: /lib/cryptsetup/askpass: coordinated move to /usr for DEP17

2024-01-23 Thread Guilhem Moulin
Hi, On Tue, 23 Jan 2024 at 10:15:02 +0100, Raphael Hertzog wrote: > when do you plan to upload a cryptsetup moving the files to /usr? I can have a look after the week-end or in early February. There are other issues I'd like to fix in the next upload. | I see that this may sound scary. We'll ge

Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup

2023-12-31 Thread Guilhem Moulin
On Sun, 31 Dec 2023 at 22:07:07 +0800, YunQiang Su wrote: > systemd-cryptsetup doesn't have suspend support. > cryptsetup-suspend will fail. Hence a wishlist bug? :-) FWIW I'm part of the cryptsetup packaging team, which is upstream for cryptsetup-suspend. cryptsetup-suspend supports all unlock

Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup

2023-12-31 Thread Guilhem Moulin
On Sun, 31 Dec 2023 at 21:22:36 +0800, YunQiang Su wrote: >> Is there any reason to not just use systemd-cryptenroll? > > Yes. I tried to use systemd-cryptenroll, while it cannot work with > cryptsetup-suspend. > I need a way to suspend or hibernate without disks decrypted. Seems like this should

Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup

2023-12-31 Thread Guilhem Moulin
Hi, On Sun, 31 Dec 2023 at 18:49:30 +0800, YunQiang Su wrote: > 2 methods are supported for 2 FA: > - Yubikey Challenge > - TPM2 Keypair If your concern is to make these work with cryptsetup-initramfs, there are #1023700 and #1031254 open against src:cryptsetup. The plan is to have that in trixie

Bug#947431: xerces-c: CVE-2018-1311: use-after-free vulnerability processing external DTD

2023-12-31 Thread Guilhem Moulin
Hi, On Thu, 28 Dec 2023 at 13:28:53 -0500, de...@blough.us wrote: > Thanks for doing this. > > I don't have a lot of free time at the moment, so please feel free to NMU. Thanks for the fast reply! 3.2.4+debian-1.1 is now in trixie, you'll find the commits and tag at https://salsa.debian.org/lts-

Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458

2023-12-30 Thread Guilhem Moulin
On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote: > There are some minor changes staged in the salsa git repo. It would be good > to include them as well. Feel free to push the patch to git and upload. > Alternatively a merge request works as well of course. Thanks for the fast response!

Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458

2023-12-30 Thread Guilhem Moulin
d in buster-security, bullseye, bookworm and sid, evade the infinite loop by blindly advancing the pointer. Cheers, -- Guilhem. [0] https://www.forescout.com/resources/sierra21-vulnerabilities From: Guilhem Moulin Date: Sat, 30 Dec 2023 14:15:54 +0100 Subject: Avoid reachable assertion via crafte

Bug#947431: xerces-c: CVE-2018-1311: use-after-free vulnerability processing external DTD

2023-12-28 Thread Guilhem Moulin
Hi, Upstream has now released 3.2.5 which fixes the issue https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&styleName=Text&projectId=10510 The fix can be found at https://github.com/apache/xerces-c/pull/54 https://github.com/apache/xerces-c/commit/e0024267504188e42

Bug#1058928: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2

2023-12-22 Thread Guilhem Moulin
Control: tag -1 - moreinfo Hi, On Thu, 21 Dec 2023 at 21:59:40 +, Jonathan Wiltshire wrote: > On Mon, Dec 18, 2023 at 02:10:20PM +0100, Guilhem Moulin wrote: >> [ Reason ] >> >> 1. cryptsetup-suspend 2:2.6.1-4~deb12u1 was found incompatible with >> systemd 254.1
