Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Hi, Am 02.03.2010 17:08, wrote Jamie Strandboge: NAK. The debdiff drops the changes introduced in hardy1 and hardy2. Please update the debdiff and I'll review it. I'm sorry, could you elaborate what change the debdiff drops? Change of hardy1 to hardy2 was switched libneon-gnutls-dev to libneon-dev the debdiff does not touch this change, does it? Or does the debdiff need to include all changes against some other base version and not against subversion_1.5.1dfsg1-1ubuntu2~hardy2 ? Or are you concerned about the version number? I changed 1.5.1dfsg1-1ubuntu2~hardy2 to 1.5.1dfsg1-1ubuntu2.1~hardy1 Maybe it should be 1.5.1dfsg1-1ubuntu2.1~hardy2 instead? Best regards, Arnd -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Actually, it is my mistake. I was thinking that you were taking the package from intrepid and therefore lost the hardy changes, when in fact you were taking the hardy-backports version and applying the patch. I think since you did it this way you should use '1.5.1dfsg1-1ubuntu2~hardy3' instead. I'll adjust and upload. Sorry for the confusion. -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Hi John, thanks for taking some time to look into this. Any progress so far? Best regards, Arnd -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
NAK. The debdiff drops the changes introduced in hardy1 and hardy2. Please update the debdiff and I'll review it. -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
I meant to also say that a debdiff should not be required-- it should be a matter of someone from the backports team processing the request (I've not reviewed this particular case though). -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
The patch http://launchpadlibrarian.net/30423782/subversion_1.5.1dfsg1-1ubuntu2.1~hardy1.debdiff posted by Arnd looks reasonable to me, and should be applied to hardy- backports. This will require a core-dev sponsor to upload. The -backports team ACKs the debdiff and apologizes for the ridiculously and unreasonably long delay in getting this out :( -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Wow, clearly the coffee didn't kick in well this morning I can upload the debdiff. Doing so now! -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
** Changed in: hardy-backports Status: New = Fix Committed -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
*groan* Looks like I'm not allowed to upload there anymore... Requesting core-dev sponsorship on said patch! ** Changed in: hardy-backports Status: Fix Committed = In Progress -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
On 02/09/2010 05:15 PM, Arnd wrote: Hi John, John Vivirito wrote: Since you have diff on the bug. Is this still up to date? other than that i subscribed the team to look at i Yes bug is still valid. Most recent version in the backports repos is 1.5.1dfsg1-1ubuntu2~hardy2 which is still vulnerable to the mentioned attack. Best regards, Arnd Ok thanks for the reply, someone should look at this and decide what to do with it. -- Sincerely Yours, John Vivirito https://launchpad.net/~gnomefreak https://wiki.ubuntu.com/JohnVivirito Linux User# 414246 How can i get lost, if i have no where to go -- Metallica from Unforgiven III -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Subscribed Ubuntu Security Team to review the diff above -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
On 02/03/2010 08:15 AM, Arnd wrote: Hi John, John Vivirito wrote: On 02/03/2010 05:18 AM, mark wrote: Mind you, it does say in the Ubuntu release notes that backports aren't going to have security fixes etc on them... So its one of those problems I suppose The fix will be pushed to *-security repo not backports if and when its fixed as you seem more familiar with the backports / backports-security process. What can I do to move this bug forward? Best regards, Arnd Since you have diff on the bug. Is this still up to date? other than that i subscribed the team to look at it -- Sincerely Yours, John Vivirito https://launchpad.net/~gnomefreak https://wiki.ubuntu.com/JohnVivirito Linux User# 414246 How can i get lost, if i have no where to go -- Metallica from Unforgiven III -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Hi John, John Vivirito wrote: Since you have diff on the bug. Is this still up to date? other than that i subscribed the team to look at i Yes bug is still valid. Most recent version in the backports repos is 1.5.1dfsg1-1ubuntu2~hardy2 which is still vulnerable to the mentioned attack. Best regards, Arnd -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
I cannot believe this hasn't been fixed, makes me seriously re-think the idea of possibly moving to something like Ubuntu Server for production environment! -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Mind you, it does say in the Ubuntu release notes that backports aren't going to have security fixes etc on them... So its one of those problems I suppose -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
I understand that the ubuntu security team does not officially support backports. But in this particular case, where the security fix was already done for the exact same packet in intrepid, I simply have problems to understand that noone takes a few secs to start a rebuild of the package. Maybe, the backports repository should be renamed to something more adequate. I propose backdoors... -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
On 02/03/2010 05:18 AM, mark wrote: Mind you, it does say in the Ubuntu release notes that backports aren't going to have security fixes etc on them... So its one of those problems I suppose The fix will be pushed to *-security repo not backports if and when its fixed -- Sincerely Yours, John Vivirito https://launchpad.net/~gnomefreak https://wiki.ubuntu.com/JohnVivirito Linux User# 414246 How can i get lost, if i have no where to go -- Metallica from Unforgiven III -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Hi John, John Vivirito wrote: On 02/03/2010 05:18 AM, mark wrote: Mind you, it does say in the Ubuntu release notes that backports aren't going to have security fixes etc on them... So its one of those problems I suppose The fix will be pushed to *-security repo not backports if and when its fixed as you seem more familiar with the backports / backports-security process. What can I do to move this bug forward? Best regards, Arnd -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
Ping? -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
What should I do to get this fix uploaded to the ubuntu backports repositories? -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
It's quite embarrassing that this is still not even confirmed. Maybe the ubuntu backports process is somehow broken? This is a known, easy to fix security bug. It's ridiculous that I had to report it in the first place. -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5
I copied the fix from intrepid and uploaded the resulting package to my PPA: https://launchpad.net/~arnd-arndnet/+archive/ppa ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2009-2411 ** Visibility changed to: Public -- Please backport security fix for USN-812-1 in subversion 1.5 https://bugs.launchpad.net/bugs/411849 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
