Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-28 Thread Adam D. Barratt
On Fri, 2017-04-28 at 00:25 +0200, Aurelien Jarno wrote:
> On 2017-04-27 22:58, Aurelien Jarno wrote:
> > On 2017-04-23 21:18, Adam D. Barratt wrote:
> > > On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > > > I would like to upload a new glibc package for the next jessie release.
> > > > Here is the changelog with some additional comment:
> > > > 
> > > >   * Update from upstream stable branch:
> > > > - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
> > > > 
> > > > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > > > slightly lowers the precision of the sqrt function on PowerPC. This
> > > > notably causes failures in the postgresql testsuite. This code is
> > > > already present in stretch/sid.
> > > > 
> > > >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> > > > NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> > > > QTYPE (CVE-2015-5180).  Closes: #796106.
> > > > 
> > > > This is a long standing security issue that has been fixed recently.
> > > > It basically changes the value of a constant so that it can't only be
> > > > generated internally. The patch is already present in stretch/sid.
> > > 
> > > While I doubt that either of the above should have any noticeable effect
> > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> > 
> > As said on IRC, it has been pointed out to me that the second patch actually
> > breaks the libnss/libnss-dns ABI. This means that the resolver
> > might not work correctly if all the binaries using libnss are restarted.
> > The same way there might be an issue on the d-i side if the libc in d-i
> > and libnss-dns-udeb are out of sync.
> > 
> > Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
> > leaving only the PowerPC fix. That should be either today or tomorrow.
> > 
> > Sorry about this complication.
> 
> I have just uploaded glibc_2.19-18+deb8u9.

Flagged for acceptance.

Regards,

Adam



Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-27 Thread Aurelien Jarno
On 2017-04-27 22:58, Aurelien Jarno wrote:
> On 2017-04-23 21:18, Adam D. Barratt wrote:
> > On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > > I would like to upload a new glibc package for the next jessie release.
> > > Here is the changelog with some additional comment:
> > > 
> > >   * Update from upstream stable branch:
> > > - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
> > > 
> > > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > > slightly lowers the precision of the sqrt function on PowerPC. This
> > > notably causes failures in the postgresql testsuite. This code is
> > > already present in stretch/sid.
> > > 
> > >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> > > NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> > > QTYPE (CVE-2015-5180).  Closes: #796106.
> > > 
> > > This is a long standing security issue that has been fixed recently.
> > > It basically changes the value of a constant so that it can't only be
> > > generated internally. The patch is already present in stretch/sid.
> > 
> > While I doubt that either of the above should have any noticeable effect
> > on the installer, I'd appreciate a d-i ack in any case; CCing.
> 
> As said on IRC, it has been pointed out to me that the second patch actually
> breaks the libnss/libnss-dns ABI. This means that the resolver
> might not work correctly if all the binaries using libnss are restarted.
> The same way there might be an issue on the d-i side if the libc in d-i
> and libnss-dns-udeb are out of sync.
> 
> Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
> leaving only the PowerPC fix. That should be either today or tomorrow.
> 
> Sorry about this complication.

I have just uploaded glibc_2.19-18+deb8u9.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net




Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-27 Thread Aurelien Jarno
On 2017-04-23 21:18, Adam D. Barratt wrote:
> On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > I would like to upload a new glibc package for the next jessie release.
> > Here is the changelog with some additional comment:
> > 
> >   * Update from upstream stable branch:
> > - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
> > 
> > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > slightly lowers the precision of the sqrt function on PowerPC. This
> > notably causes failures in the postgresql testsuite. This code is
> > already present in stretch/sid.
> > 
> >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> > NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> > QTYPE (CVE-2015-5180).  Closes: #796106.
> > 
> > This is a long standing security issue that has been fixed recently.
> > It basically changes the value of a constant so that it can't only be
> > generated internally. The patch is already present in stretch/sid.
> 
> While I doubt that either of the above should have any noticeable effect
> on the installer, I'd appreciate a d-i ack in any case; CCing.

As said on IRC, it has been pointed out to me that the second patch actually
breaks the libnss/libnss-dns ABI. This means that the resolver
might not work correctly if all the binaries using libnss are restarted.
The same way there might be an issue on the d-i side if the libc in d-i
and libnss-dns-udeb are out of sync.

Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
leaving only the PowerPC fix. That should be either today or tomorrow.

Sorry about this complication.

Regards,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net




Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-25 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2017-04-24 at 08:45 +0200, Aurelien Jarno wrote:
> On 2017-04-23 21:58, Adam D. Barratt wrote:
> > Control: tags -1 + confirmd
> > 
> > On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> > > Adam D. Barratt  (2017-04-23):
> > > > While I doubt that either of the above should have any noticeable effect
> > > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> > > 
> > > No objections, thanks.
> > 
> > Thanks for the quick response.
> > 
> > Aurelien, please feel free to upload.
> 
> I have just uploaded it.

Flagged for acceptance, thanks.

Regards,

Adam



Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-24 Thread Aurelien Jarno
On 2017-04-23 21:58, Adam D. Barratt wrote:
> Control: tags -1 + confirmd
> 
> On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> > Adam D. Barratt  (2017-04-23):
> > > While I doubt that either of the above should have any noticeable effect
> > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> > 
> > No objections, thanks.
> 
> Thanks for the quick response.
> 
> Aurelien, please feel free to upload.

I have just uploaded it.

Thanks,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net




Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-23 Thread Adam D. Barratt
Control: tags -1 + confirmd

On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> Adam D. Barratt  (2017-04-23):
> > While I doubt that either of the above should have any noticeable effect
> > on the installer, I'd appreciate a d-i ack in any case; CCing.
> 
> No objections, thanks.

Thanks for the quick response.

Aurelien, please feel free to upload.

Regards,

Adam



Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-23 Thread Cyril Brulebois
Adam D. Barratt  (2017-04-23):
> While I doubt that either of the above should have any noticeable effect
> on the installer, I'd appreciate a d-i ack in any case; CCing.

No objections, thanks.


KiBi.




Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8

2017-04-23 Thread Adam D. Barratt
On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> I would like to upload a new glibc package for the next jessie release.
> Here is the changelog with some additional comment:
> 
>   * Update from upstream stable branch:
> - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
> 
> This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> slightly lowers the precision of the sqrt function on PowerPC. This
> notably causes failures in the postgresql testsuite. This code is
> already present in stretch/sid.
> 
>   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> QTYPE (CVE-2015-5180).  Closes: #796106.
> 
> This is a long standing security issue that has been fixed recently.
> It basically changes the value of a constant so that it can't only be
> generated internally. The patch is already present in stretch/sid.

While I doubt that either of the above should have any noticeable effect
on the installer, I'd appreciate a d-i ack in any case; CCing.

Regards,

Adam