Re: Vulnerable git in bullseye - what's the process?

2023-01-29 Thread David
On Sat, 28 Jan 2023 at 03:56, Tixy  wrote:
> On Fri, 2023-01-27 at 11:28 +, Brad Rogers wrote:
> > On Fri, 27 Jan 2023 11:36:12 +0100 "Sijmen J. Mulder" wrote:
> >
> > > I was surprised to find that the recent git vulnerability hasn't yet
> > > been addressed in Bullseye:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2022-41903
> >
> > The security-tracker CVE page you cited has links to all the
> > information you requested.

> Does it? It links to a bug which says it's been fixed in sid. And the
> PTS shows it was fixed yesterday in old-stable and sid. But no sign I
> can see that anything is being done for stable (Bullseye) which is what
> Sijmen asked about. (I wouldn't know where to look for stable security
> update activity).

Announcement today regarding Stable (Bullseye) distribution:
  https://lists.debian.org/debian-security-announce/2023/msg00022.html



Re: Vulnerable git in bullseye - what's the process?

2023-01-27 Thread Brad Rogers
On Fri, 27 Jan 2023 16:56:31 +
Tixy  wrote:

Hello Tixy,

>Does it? It links to a bug which says it's been fixed in sid. And the

To be fair, the page lists more than just that; it lists the status
for everything from Buster to Sid.

Add that to the info given by Greg Wooledge (thank you Greg) about the
Security Team's activities, and we can see that's all the info there is.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
No rotten apple's gonna spoil my fun
Get The Funk Out - Extreme




Re: Vulnerable git in bullseye - what's the process?

2023-01-27 Thread Greg Wooledge
On Fri, Jan 27, 2023 at 04:56:31PM +, Tixy wrote:
> On Fri, 2023-01-27 at 11:28 +, Brad Rogers wrote:
> > The security-tracker CVE page you cited has links to all the
> > information you requested.
> 
> Does it? It links to a bug which says it's been fixed in sid. And the
> PTS shows it was fixed yesterday in old-stable and sid. But no sign I
> can see that anything is being done for stable (Bullseye) which is what
> Sijmen asked about. (I wouldn't know where to look for stable security
> update activity).

The inner workings of the security team are not open to the public.
The CVE tracker gives all of the information that anyone outside of
the security team knows.

In the case of 
what it tells us is that the bug has been fixed in buster, but not yet
in bullseye or bookworm.

Nobody is going to have any more details than that, until the security
team releases their fix for stable, or until the sid package migrates
into bookworm via natural processes.
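Greg's point above (the tracker is the only public source of per-release status) and Tixy's question about where to look for stable activity both come down to reading the tracker and comparing what it records against the version actually installed. The following is an added example, not code from this thread or from the Debian project: it parses a constructed JSON snippet shaped after the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json, package -> CVE -> releases -> status/fixed_version, as I understand that format) and implements dpkg's version ordering so an admin can tell whether the installed git is at or past the recorded fix. The version strings in the sample are placeholders, not the real fixed versions for CVE-2022-41903, and the function names are my own.

```python
"""Check an installed Debian package version against the fix recorded in
the security tracker, using dpkg's version ordering.

Added example for this thread, not code from Debian or the tracker. The
JSON below is CONSTRUCTED: its shape follows the tracker's JSON export as I
understand it, and the version strings are placeholders, not the actual
fixed versions for CVE-2022-41903.
"""
import json

# Constructed sample shaped after the tracker's JSON export; versions are placeholders.
TRACKER_SAMPLE = json.dumps({
    "git": {
        "CVE-2022-41903": {
            "scope": "remote",
            "releases": {
                "buster":   {"status": "resolved", "fixed_version": "1:2.20.1-2+deb10u9"},
                "bullseye": {"status": "open"},
                "bookworm": {"status": "open"},
                "sid":      {"status": "resolved", "fixed_version": "1:2.39.1-1"},
            },
        }
    }
})


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit comparison: '~' sorts before
    everything (even end of string), letters by ASCII, other punctuation after letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (compared via _order) and digit runs (compared numerically)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # leading zeros are insignificant
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1      # a has more digits in this run, so a larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts (epoch defaults to 0,
    revision to the empty string; the last '-' separates the revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0, >0 as a is older than, equal to, or newer than b
    (epoch first, then upstream part, then Debian revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def release_status(tracker_json: str, package: str, cve: str) -> dict:
    """Map each release name to (status, fixed_version or None)."""
    releases = json.loads(tracker_json)[package][cve]["releases"]
    return {rel: (info["status"], info.get("fixed_version")) for rel, info in releases.items()}


def is_vulnerable(tracker_json: str, package: str, cve: str, release: str, installed: str) -> bool:
    """True while the tracker lists the CVE as unresolved for the release, or records a
    fixed version the installed one has not reached. Unknown releases count as unfixed."""
    status, fixed = release_status(tracker_json, package, cve).get(release, ("unknown", None))
    if status != "resolved" or fixed is None:
        return True
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    for rel, (status, fixed) in release_status(TRACKER_SAMPLE, "git", "CVE-2022-41903").items():
        print(f"{rel:9} {status:9} {fixed or '-'}")
    # On a real host, take the installed version from:  dpkg-query -W -f='${Version}' git
    print("bullseye vulnerable:", is_vulnerable(TRACKER_SAMPLE, "git", "CVE-2022-41903", "bullseye", "1:2.30.2-1"))
```

The comparison follows the dpkg rules rather than a plain string or tuple compare, which matters for exactly the cases a stable update produces: `1+deb11u2` must sort after `1+deb11u1`, a `~bpo` backport must sort before the release it was built from, and an epoch (`1:`) outranks any upstream number. To use it against live data, fetch the tracker's JSON export and the installed version and pass them to `is_vulnerable` in place of the constructed sample.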



Re: Vulnerable git in bullseye - what's the process?

2023-01-27 Thread Tixy
On Fri, 2023-01-27 at 11:28 +, Brad Rogers wrote:
> On Fri, 27 Jan 2023 11:36:12 +0100
> "Sijmen J. Mulder"  wrote:
> 
> Hello Sijmen,
> 
> The security-tracker CVE page you cited has links to all the
> information you requested.
> 

Does it? It links to a bug which says it's been fixed in sid. And the
PTS shows it was fixed yesterday in old-stable and sid. But no sign I
can see that anything is being done for stable (Bullseye) which is what
Sijmen asked about. (I wouldn't know where to look for stable security
update activity).

-- 
Tixy



Re: Vulnerable git in bullseye - what's the process?

2023-01-27 Thread Brad Rogers
On Fri, 27 Jan 2023 11:36:12 +0100
"Sijmen J. Mulder"  wrote:

Hello Sijmen,

The security-tracker CVE page you cited has links to all the
information you requested.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
They really dig me man, and I dig them
To Be Someone (Didn't We Have A Nice Time) - The Jam




Re: Vulnerable git in bullseye - what's the process?

2023-01-27 Thread David
On Fri, 27 Jan 2023 at 21:36, Sijmen J. Mulder  wrote:
>
> Hi all,
>
> I was surprised to find that the recent git vulnerability hasn't yet
> been addressed in Bullseye:

Hi. More info here:
  https://www.debian.org/security/faq
and here:
  https://security-tracker.debian.org/tracker/

Re git, it has already been fixed in Unstable, which usually occurs
first due to being closest to the latest version and therefore the
closest to the upstream fix.

Testing generally will be slower due to deliberate
migration delay, and Stable in general will be slower because it
requires fixes to be backported to older versions. Debian Stable
avoids version changes whenever possible, even for security
fixes.



Vulnerable git in bullseye - what's the process?

2023-01-27 Thread Sijmen J. Mulder
Hi all,

I was surprised to find that the recent git vulnerability hasn't yet
been addressed in Bullseye:

https://security-tracker.debian.org/tracker/CVE-2022-41903

My question isn't about the situation of this package per se but about
the process. I found this diagram:

https://wiki.debian.org/DebianReleases#Workflow

It shows how packages go from unstable to testing, stable, etc. with
'security' having a direct route from the security team. 

Now what I wonder is, is that part of the process visible somewhere?
Can I see if there are yet patches submitted, if there are builds
failing, etc? Generally just interested in seeing what's going on
there. Perhaps contribute.

(Let me be clear - I am NOT demanding support from anyone or
complaining.)

Sijmen