Hi Lars, On Wed, Jan 18, 2017 at 12:45:45PM +0100, Lars Tangvald wrote: > Hi, > > On 01/18/2017 12:39 PM, Salvatore Bonaccorso wrote: > >Hi Lars, > > > >On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote: > >>Hi, > >> > >>The update builds and passes testing. > >>I've attached debdiff output for Wheezy and Jessie for this update. Aside > >>from the changelog, the only change to packaging is a patch for a test > >>(main.events_2) that was failing because of a hardcoded date. > >Thanks for preparing the update. > > > >>diff -r mysql-5.5-5.5.53/debian/changelog > >>../mysql-5.5/mysql-5.5/debian/changelog > >>0a1,14 > >>>mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high > >>> > >>> * Imported upstream version 5.5.54 to fix security issues: > >>> - > >>> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html > >>> - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 > >>> - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 > >>> - CVE-2017-3317 CVE-2017-3318 > >>> (Closes: #851233) > >>> * Fix failing test main.events_2 > >>> The test was failing due to hardcoded date (2017-01-01). Added patch > >>> pending upstream fix. > >>> > >>> -- Lars Tangvald <lars.tangv...@oracle.com> Tue, 17 Jan 2017 13:04:58 > >>> +0100 > >This looks good, but see one change which seem included below: > > > >>5c19 > >>< - CVE-2016-7440 CVE-2016-5584 > >>--- > >>> - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584 > >Did you build not on top of the last update? Because we corrected the > >CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong > >there, and was already fixed in the DSA-3666-1 with mysql-5.5 > >5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in > >https://bugs.debian.org/841050#62 for the DSA-3666-1 upload . I don't > >remember exactly, but I though I had asked someone of the mysql > >packaging team to import the final changes to the packaging > >repository. > Aha, yes. I see the vcs hasn't got the 5.5.53 packages imported properly. > I'll do the import and rebuild, thanks.
Thanks! > >With that fixed, and build with -sa (to include the orig tarball) > >please do upload to security-master. > Do we have access to upload here? I think the security team have handled the > upload in the past. yes it nees to be a key in the DD keyring. Do you have a DD in the mysql-pkg team who could sponsor the upload? Regards, Salvatore