On Sep 20, 2012, at 1:46 PM, Michael Hanke <m...@debian.org> wrote:

> On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
>> These security issues have been fixed in the just-released Condor 7.8.4.
>> 
>> Michael, here are the commit hashes in the Condor git repo for the fixes:
>> CVE-2012-3491: 1fff5d40
>> CVE-2012-3493: d2f33972
> 
> These two do not apply cleanly against 7.8.2:
> 
> Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
> patching file src/condor_schedd.V6/schedd.cpp
> Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
> Hunk #2 FAILED at 10251.
> 1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
> patching file src/condor_schedd.V6/scheduler.h
> Hunk #1 FAILED at 291.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
> Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not 
> apply (enforce with -f)
> 
> 
> Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
> patching file src/condor_startd.V6/command.cpp
> Hunk #1 succeeded at 624 (offset 79 lines).
> patching file src/condor_startd.V6/command.h
> Hunk #1 FAILED at 83.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
> patching file src/condor_startd.V6/startd_main.cpp
> Hunk #1 succeeded at 267 (offset -6 lines).
> Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not 
> apply (enforce with -f)
> 
> 
> Before I dig deeper, could you please confirm that cherry-picking the
> four commits alone will fully address the security vulnerabilities? If
> that is the case, it seems that at least one more commit is missing.
> 
> Looking into the 7.8 branch in the condor repo, it seems that quite a
> bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
> stable maintenance branch) whether it wouldn't be a better idea to aim
> for an upload of 7.8.4 as a whole. Is there something in it that is not
> a bugfix of some kind?


The commits were made on the V7_6-branch, then merged into the V7_8-branch. We 
had to manually resolve conflicts during the merge, as the affected code had 
been modified during the 7.7.x series. Thus, there's no commit that can be 
cleanly cherry-picked. I can provide patch files that will apply cleanly.

We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. 
I would prefer it if we could get it into Debian Testing as well, but I thought 
we were too far into the freeze for that.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team

