At 2024-08-18 21:19 Salvatore Bonaccorso wrote:
The following vulnerability was published for fence-agents.
CVE-2024-5651[0]:
| A flaw was found in fence agents that rely on SSH/Telnet. This
| vulnerability can allow a Remote Code Execution (RCE) primitive by
| supplying an arbitrary command to
Control: forwarded -1 https://issues.shibboleth.net/jira/browse/CPPXT-151
Hi Graham,
Thanks for the report!
I think it's just some fallout from the upstream wiki migration.
Let's see if they can provide a quick fix.
--
Regards,
Feri.
Salvatore Bonaccorso writes:
> MITRE has assigned CVE-2021-31826 for this issue.
Thanks. I guess you don't want a new security upload for this, but I'll
certainly include it in the changelog of the unstable upload. (And in
the changelog of the next security upload, whenever that happens.)
--
Markus Koschany writes:
> On Friday, 26.03.2021, 16:37 +0100, wf...@niif.hu wrote:
>
>> Thorsten Rehm writes:
>>
>>> In my opinion the crmsh package should be more strict with the
>>> pacemaker-cli-utils package
>>
>> Sorry for not looking into this sooner. What do you mean by being
>>
Hi Andreas,
Sorry for not responding sooner, some mail forwarding problem
intervened. Looks like there's another serious problem with the
security upload breaking the buster upgrade path, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981088. I haven't
asked the Security Team yet, but if
Control: tag 985054 + pending
Andreas Beckmann writes:
> That's something I haven't come across so far ;-) (Conditional usage
> of /usr/share/doc content in postinst, unconditional usage of the
> generated side effect in postrm purge.)
> Please move the bits needed by the package out of /usr/sha
wf...@niif.hu writes:
> Andreas Beckmann writes:
>
>> According to policy 7.2 you cannot rely on the depends being available
>> during purge, only the essential packages are available for sure.
>
> I can't see coturn rely on any of its dependencies during purge, do you?
Hi Andreas,
Have you got
Moritz Muehlenhoff writes:
> debdiff looks fine, please upload when you had a chance to test it
The updated packages work fine in our infrastructure.
I uploaded the full source package.
--
Thanks,
Feri
Andreas Beckmann writes:
> According to policy 7.2 you cannot rely on the depends being available
> during purge, only the essential packages are available for sure.
Hi Andreas,
I can't see coturn rely on any of its dependencies during purge, do you?
> (this was observed in a piuparts nodocs t
Hi,
The patch in this bug report very much shrinks the window of the
vulnerability, but doesn't close it completely: the file is still
created with default permissions, then chmodded as a separate step.
It's hard, but not impossible to still win the race and open the file
before the chmod, enablin
Bill Blough writes:
> I've uploaded xalan 1.12 to unstable. If you would like me to NMU
> xml-security-c with the necessary changes (attached to 977568), I would
> be happy to do so.
Hi Bill,
Thanks for the patch, I included it in the xml-security-c 2.0.2-4
upload.
--
Regards,
Feri
Moritz Mühlenhoff writes:
> On Sat, Nov 07, 2020 at 08:56:38PM +0100, wf...@niif.hu wrote:
>
>> I propose a security upload with the debdiff below. The patch series
>> posted by upstream against 2.0.3 applies cleanly to the buster source,
>> and is hereby included. I'll try to do some testing
Yavor Doganov writes:
> wf...@niif.hu wrote:
>
>> Yavor Doganov writes:
>>
>>> Thanks; I'll fix this shortly -- the upload will depend on my sponsor
>>> though. Meanwhile, feel free to upload libgphoto2 whenever you like
>>> and raise the severity of this bug to serious.
>>
>> Did so, thanks.
Hi,
I'd like to upload the new versions of gphoto2 and libgphoto2 to fix
this migration bug (and to make use of them in qstopmotion). If you
agree, please accept my membership request on Salsa and I'll go ahead.
--
Thanks,
Feri
wf...@niif.hu writes:
> Helmut Grohne writes:
>
>> On Wed, Nov 27, 2019 at 11:58:53PM +, Sandro Tosi wrote:
>>
>>> - Convert your Package to Python3. This is the preferred option.
>>
>> Upstream here. While tcvt started on Python2, much of its development
>> actually happened on Python3, so ju
Helmut Grohne writes:
> On Wed, Nov 27, 2019 at 11:58:53PM +, Sandro Tosi wrote:
>
>> - Convert your Package to Python3. This is the preferred option.
>
> Upstream here. While tcvt started on Python2, much of its development
> actually happened on Python3, so just changing the #! should work.
gregor herrmann writes:
> Upstream has now closed the CPAN RT ticket and released a 0.31
> version which fixes the issue (differently).
>
> I've "backported" the fix (i.e. took most of the 0.31 diff and added
> it as a quilt patch) and pushed it to git. For convenience I'm also
> attaching the pa
Niko Tyni writes:
> I've reported this upstream with the attached proposed patch.
Hi Niko,
I tried to apply the Radius.pm part to the installed package, but it
failed at first due to a whitespace error: the installed file is
indented with TAB characters, not spaces like your patch. After
adjus
Dear Security Team,
I'm ready to upload libqb-1.0.1-1+deb9u1 with the following debdiff:
diff -Nru libqb-1.0.1/debian/changelog libqb-1.0.1/debian/changelog
--- libqb-1.0.1/debian/changelog2016-12-07 14:55:45.0 +0100
+++ libqb-1.0.1/debian/changelog2019-06-16 23:41:50.
On Wed, 24 Apr 2019 17:50:02 +0200 wf...@niif.hu wrote:
> On Mon, 22 Apr 2019 09:07:04 +0200 Salvatore Bonaccorso
> wrote:
>
>>> Please see https://www.openwall.com/lists/oss-security/2019/04/17/1
>>
>> Please note that when fixing the issues, in the original patchsets
>> there were some behav
On Mon, 22 Apr 2019 09:07:04 +0200 Salvatore Bonaccorso
wrote:
>> Please see https://www.openwall.com/lists/oss-security/2019/04/17/1
>
> Please note that when fixing the issues, in the original patchsets
> there were some behaviour regressions, I think they should be addressed
> in the followup
Valentin Vidic writes:
> On Mon, Mar 25, 2019 at 03:45:58PM +0100, Andreas Beckmann wrote:
>
>> In that case you should probably add Breaks+Replaces against all of the
>> old -dev packages that were merged, just to be on the safe side.
>
> Yes, that is the plan. I think
Moritz Muehlenhoff writes:
> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
>
>> The resulting packages work fine in my setup. However, I failed to
>> reproduce the original issue under stretch. After consulting upstream,
>> it turns out that the old Xerces library actually hel
Salvatore Bonaccorso writes:
> On Sat, Mar 09, 2019 at 07:25:52PM +0100, wf...@niif.hu wrote:
>
>> I reserved a CVE from Mitre, backported the probable patch to
>> xmltooling 1.6.0-4+deb9u1 in stable and prepared a tentative package
>> with it, please see the debdiff below. I plan to add more
>>
Sam Hartman writes:
> Don't wait for me on shibboleth-resolver or moonshot-gss-eap to file the
> removal requests.
> They are both basically broken in unstable, so there's no reason to
> block.
Hi,
Removal requests filed.
Please let me know if you need any help; for example I can see that
vers