Re: PHP5 status

2019-02-13 Thread Emilio Pozuelo Monfort
On 12/02/2019 15:44, Roberto C. Sánchez wrote:
> On Tue, Feb 12, 2019 at 07:44:41AM +0530, Abhijith PA wrote:
>>
>> That was very stupid of me. I was working on CVE-2018-1000888 in
>> php-pear and this ships via php5 in jessie. I didn't notice php5 had
>> already entered dla-needed.txt and I went directly to changing php-pear to
>> php5. Anyway, I released a DLA for my upload.
>>
> No worries, we all make mistakes :-)
> 
> It took me several tries to figure out why the 5.6.40 build failed after
> incorporating your change, but I was able to determine that the change
> introduced by your patch is now included upstream.  I have an updated
> 5.6.40 build ready and I was waiting on the assignment of CVEs by
> upstream.
> 
> I wonder if it would make more sense to go ahead with uploading 5.6.40
> and publish a revision to the DLA, or whether I should continue to wait
> on the CVE assignments.  Thoughts?

I would publish it now, saying in the DLA that CVE assignment is pending, see
e.g. the new flatpak DSA. Then once the CVEs are assigned, you just add them to
the DLA entry in data/DLA/list, and you're done.

Cheers,
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-13 Thread Steve McIntyre
On Mon, Feb 11, 2019 at 01:58:24PM +0100, Emilio Pozuelo Monfort wrote:
>On 11/02/2019 02:38, Steve McIntyre wrote:
>> 
>> Next: live images? cloud images?
>
>I found cloud images for openstack in
>
>https://cloud.debian.org/images/cloud/OpenStack/archive/

ACK.

>But can't find any jessie live images in
>
>https://cdimage.debian.org/debian-cd/
>
>Are those archived somewhere else?

Under http://cdimage.debian.org/cdimage/archive/ alongside the
installer images.

>For any of those, I suppose users could update apt following the
>upgrade instructions. However, it wouldn't hurt to have updated
>images with the new apt. I'd be happy to test any new images if you
>can fire a build.

May be a few days, we have the stretch point release this weekend and
that's my priority.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
  Mature Sporty Personal
  More Innovation More Adult
  A Man in Dandism
  Powered Midship Specialty




Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-13 Thread Steve McIntyre
On Mon, Feb 11, 2019 at 01:38:05AM +, Steve McIntyre wrote:
>On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
>>
>>I have done an automated install (ncurses frontend, installing GNOME) using the
>>netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
>>media, using the graphical installer, doing an SSH server install using the
>>guided partitioning (full disk). Both installations went well and the systems
>>seem alright.
>>
>>Are there any more tests that you would suggest? If you don't have anything
>>particular in mind, I'd be happy to respin this as 8.11.1 and publish it.
>
>OK, that sounds fine. I've just started a build now as 8.11.1 for the
>4 LTS arches. I'll do a little bit of smoke testing, then publish in
>the normal place (https://cdimage.debian.org/cdimage/archive) and
>report back.

Now done.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds




Bug#922246: www/lts: if DLA-1234-1 and DLA-1234-2 exist, only the last one shows up in indexes

2019-02-13 Thread Holger Levsen
package: www.debian.org
x-debbugs-cc: debian-lts@lists.debian.org


Hi,

this is a bug to track fixing this small glitch in the new /lts/security/ area:

On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> > On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
> >> * The /lts/security//index.*.html files show the last advisory for
> >> the cases where there are several files with the same beginning (e.g.
> >> for DSA- and DSA--2, both html files are generated, but the
> >> index only points to the -2 file). If this is not the intended
> >> behaviour, changes in index.wml and Makefiles are needed.
> > I think we want the other DLAs linked from the indexes as well.
> > shall we file a bug to not forget this?
> I looked into this, and couldn't figure it out.
> Please do file a bug for now, I have no idea how to fix this...

done :)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Bug#922247: security-tracker: please use new urlpath for DLAs on www.d.o

2019-02-13 Thread Holger Levsen
package: security-tracker
x-debbugs-cc: debian-lts@lists.debian.org

Hi,

this is a bug to track fixing this small glitch in the new
www.debian.org/lts/security/ area:

On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> >> * Adaptation in the security tracker so the new URL paths are used from
> >> now on is also needed.
> > right. shall we file a bug to not forget this?
> Sure, please do.

done. Salvatore also prepared a patch for this.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Bug#859122: about 500 DLAs missing from the website

2019-02-13 Thread Holger Levsen
Hi Salvatore,

On Tue, Feb 12, 2019 at 08:13:18AM +0100, Salvatore Bonaccorso wrote:
> I have the attached patch committed in a local branch, but want first
> to confirm: is this the final intended URL to reach the DLAs?
> -return 
> url.absolute("https://www.debian.org/security/%d/dla-%d;
> +return 
> url.absolute("https://www.debian.org/security/lts/%d/dla-%d;
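Review bot: the path in the `+` line, `/security/lts/%d/dla-%d`, does not match the location the reply below gives for the published DLAs, `/lts/security/`; the two segments are in the opposite order, so links generated by the tracker would point at a path that does not exist on www.debian.org. Suggest `url.absolute("https://www.debian.org/lts/security/%d/dla-%d` so the generated URL follows the live layout. Also, both quoted lines end at `;` with no closing quote or parenthesis for the string literal; that looks like damage from quoting the patch, but it is worth confirming the committed line is complete before merging.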


the DLAs are visible on https://www.debian.org/lts/security/ now and I
believe that's a good URL meant to stay ;)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Bug#859122: about 500 DLAs missing from the website

2019-02-13 Thread Holger Levsen
On Mon, Feb 11, 2019 at 03:56:41PM -0500, Antoine Beaupré wrote:
> It's true there's a lot of junk in there... I suspect most of the `.pl`
> scripts in there could actually be symlinks to the main secteam scripts,
> because they are basically the same.
> 
> I also suspect most of the stuff is unused, even from the secteam's
> point of view. For example, `check-cve-refs.pl` assumes there's a
> `security/data` directory in the website, which is not the case
> (anymore?). 

I'll also leave that to the security/www teams' consideration ;)

> I would suggest removing those from at least the LTS
> section and have done so in the following MR:
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/55

I've reviewed, merged and pushed this now. Thank you!

 
> > * This new /lts section of the website is not referenced yet in other
> > places of the Debian website. I'm not sure if it should be referenced in
> > /security, in /releases/, or in both. There is also the temptation
> > of creating a link in the homepage but there is also the suggestion of
> > reducing the links in the homepage, so... For now, I'll try to add it to
> > the sitemap and see how many references to the LTS wiki page we have
> > currently, to see if any of them can be replaced with link to this
> > section in the website. But I'll wait some days to do it because it's
> > not clear for me if you want to populate the section to cover all the
> > aspects of LTS, or keep it only/mainly for security stuff.
> I would avoid putting the LTS work too prominently on the website at
> this point, to be honest. The goal of publishing those advisories there,
> for me, is coherence: they were already partly present and I wanted to
> have them *all* available *somewhere* with a predictable URL and RSS
> feeds (as opposed to, say the mailing list).
 
agreed.

> We shouldn't get into the slippery debate of how much we want LTS
> content on the website, in my opinion.

at least for here and now! :)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Bug#859122: about 500 DLAs missing from the website

2019-02-13 Thread Holger Levsen
Hi,

On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> > I think we want the other DLAs linked from the indexes as well.
> > shall we file a bug to not forget this?
> I looked into this, and couldn't figure it out.
> Please do file a bug for now, I have no idea how to fix this...

ok, will do.

> >> that sets the redirect from
> >> https://www.debian.org/security/any_year/dla-whatever to
> >> https://www.debian.org/security/lts/any_year/dla-whatever
> > right. shall we file a bug to not forget this?
> Filed the patch here:
> https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1

cool, thank you.

> Reviews welcome. I'm particularly doubtful of the dla-map thing - it's
> not in the source repo, but can I assume it's present on the website
> deployment?

I cannot comment on that dla-map, the rest looks good to me. (And
simpler than I expected.)

> >> * Adaptation in the security tracker so the new URL paths are used from
> >> now on is also needed.
> > right. shall we file a bug to not forget this?

ok, will do.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

