Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Robie,

On Wed, Jan 27, 2016 at 06:32:24PM +, Robie Basak wrote:
> On Wed, Jan 27, 2016 at 07:15:24PM +0100, Salvatore Bonaccorso wrote:
> > Yes, the dak mails for security-master are only sent to the security
> > team. I can confirm that
> >
> > mysql-5.5_5.5.47-0+deb8u1_amd64.changes ACCEPTED into stable->embargoed
> >
> > and
> >
> > mysql-5.5_5.5.47-0+deb7u1_amd64.changes ACCEPTED into oldstable->embargoed
> >
> > The buildds have picked up the work and builds are coming in.
>
> Great. Thanks! Please let us know if we can help with anything else.

Sure. At the moment nothing. The build on arm64, armel and armhf failed
for the jessie build, but I guess it's a transient issue (I have given
back those and now they are in building status).

Regards,
Salvatore
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Salvatore,

On Tue, Jan 26, 2016 at 08:17:30PM +0100, Salvatore Bonaccorso wrote:
> On Tue, Jan 26, 2016 at 06:36:06PM +, Robie Basak wrote:
> > Hi Salvatore,
> >
> > On Tue, Jan 26, 2016 at 01:19:26PM +0100, Salvatore Bonaccorso wrote:
> > > Thank you, looks good to me.
> > >
> > > I haven't seen the same for jessie, but assuming it is basically the
> > > same and matching what you showed me initially from git, let's go
> > > ahead with an upload.
> >
> > FYI, we're still working on this. I've hit some kind of issue with my
> > build chroot that I created from scratch for this task, so I think it
> > may be a bug in sid somewhere. I'm investigating. I'd prefer to
> > understand the root cause so that I can be sure that we don't upload bad
> > binaries.
>
> Thanks for the status update!

Now uploaded. I took care to follow your instructions and the ones
listed at
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
carefully. I expected email confirmations back but haven't received
anything. Can you check if it worked, please?

If anyone's interested, the reason for the delay was that debootstrap
1.0.76 regresses chroots created with mk-sbuild, so the chroots I
created to build were broken and causing build failures. I filed
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812811 and reverted
the offending commit locally to work around this.

A second issue is that parallel builds are broken in the packaging in
wheezy and jessie. This is fixed in testing. I thought it would be
quicker to work around for now by not parallel building rather than
delay further by attempting to cherry-pick the fix.

Robie
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
On Wed, Jan 27, 2016 at 07:15:24PM +0100, Salvatore Bonaccorso wrote:
> Yes, the dak mails for security-master are only sent to the security
> team. I can confirm that
>
> mysql-5.5_5.5.47-0+deb8u1_amd64.changes ACCEPTED into stable->embargoed
>
> and
>
> mysql-5.5_5.5.47-0+deb7u1_amd64.changes ACCEPTED into oldstable->embargoed
>
> The buildds have picked up the work and builds are coming in.

Great. Thanks! Please let us know if we can help with anything else.
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Robie,

On Wed, Jan 27, 2016 at 05:10:58PM +, Robie Basak wrote:
> Hi Salvatore,
>
> On Tue, Jan 26, 2016 at 08:17:30PM +0100, Salvatore Bonaccorso wrote:
> > On Tue, Jan 26, 2016 at 06:36:06PM +, Robie Basak wrote:
> > > Hi Salvatore,
> > >
> > > On Tue, Jan 26, 2016 at 01:19:26PM +0100, Salvatore Bonaccorso wrote:
> > > > Thank you, looks good to me.
> > > >
> > > > I haven't seen the same for jessie, but assuming it is basically the
> > > > same and matching what you showed me initially from git, let's go
> > > > ahead with an upload.
> > >
> > > FYI, we're still working on this. I've hit some kind of issue with my
> > > build chroot that I created from scratch for this task, so I think it
> > > may be a bug in sid somewhere. I'm investigating. I'd prefer to
> > > understand the root cause so that I can be sure that we don't upload bad
> > > binaries.
> >
> > Thanks for the status update!
>
> Now uploaded. I took care to follow your instructions and the ones
> listed at
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
> carefully. I expected email confirmations back but haven't received
> anything. Can you check if it worked, please?

Yes, the dak mails for security-master are only sent to the security
team. I can confirm that

mysql-5.5_5.5.47-0+deb8u1_amd64.changes ACCEPTED into stable->embargoed

and

mysql-5.5_5.5.47-0+deb7u1_amd64.changes ACCEPTED into oldstable->embargoed

The buildds have picked up the work and builds are coming in.

> If anyone's interested, the reason for the delay was that debootstrap
> 1.0.76 regresses chroots created with mk-sbuild, so the chroots I
> created to build were broken and causing build failures. I filed
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812811 and reverted
> the offending commit locally to work around this.
>
> A second issue is that parallel builds are broken in the packaging in
> wheezy and jessie. This is fixed in testing. I thought it would be
> quicker to work around for now by not parallel building rather than
> delay further by attempting to cherry-pick the fix.

Thanks for this additional information.

Regards,
Salvatore
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Lars,

On Tue, Jan 26, 2016 at 01:11:45AM -0800, Lars Tangvald wrote:
> Wheezy package has been built and tested.
>
> At the moment it's just on my personal github at
> https://github.com/ltangvald/mysql-5.5/tree/debian/wheezy, but we
> should get it uploaded to Alioth soon.
> Attaching the debdiff and debian/ diff.

Thank you, looks good to me.

I haven't seen the same for jessie, but assuming it is basically the
same and matching what you showed me initially from git, let's go
ahead with an upload.

Please remember to do the jessie-security one first (built with -sa) and
then, after ~20 minutes, the wheezy-security one (explicitly without
-sa, and not including the orig source tarball; this is due to some
limitation in the archive software).

The upload needs to be signed by a key in the DD keyring.

I will then wait for the builds and then take care of releasing the
packages with a DSA.

Regards,
Salvatore
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Salvatore,

On Tue, Jan 26, 2016 at 01:19:26PM +0100, Salvatore Bonaccorso wrote:
> Thank you, looks good to me.
>
> I haven't seen the same for jessie, but assuming it is basically the
> same and matching what you showed me initially from git, let's go
> ahead with an upload.

FYI, we're still working on this. I've hit some kind of issue with my
build chroot that I created from scratch for this task, so I think it
may be a bug in sid somewhere. I'm investigating. I'd prefer to
understand the root cause so that I can be sure that we don't upload bad
binaries.

> Please remember to do the jessie-security one first (built with -sa) and
> then, after ~20 minutes, the wheezy-security one (explicitly without
> -sa, and not including the orig source tarball; this is due to some
> limitation in the archive software).
>
> The upload needs to be signed by a key in the DD keyring.
>
> I will then wait for the builds and then take care of releasing the
> packages with a DSA.

Ack.

Robie
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Robie,

On Tue, Jan 26, 2016 at 06:36:06PM +, Robie Basak wrote:
> Hi Salvatore,
>
> On Tue, Jan 26, 2016 at 01:19:26PM +0100, Salvatore Bonaccorso wrote:
> > Thank you, looks good to me.
> >
> > I haven't seen the same for jessie, but assuming it is basically the
> > same and matching what you showed me initially from git, let's go
> > ahead with an upload.
>
> FYI, we're still working on this. I've hit some kind of issue with my
> build chroot that I created from scratch for this task, so I think it
> may be a bug in sid somewhere. I'm investigating. I'd prefer to
> understand the root cause so that I can be sure that we don't upload bad
> binaries.

Thanks for the status update!

Regards,
Salvatore
Bug#811428: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Lars,

On Fri, Jan 22, 2016 at 08:25:30AM -0800, Lars Tangvald wrote:
> Hi Salvatore,
>
> I'll get the wheezy-security package built and tested and send an update as
> soon as it's done.

Great, thanks! In the meantime, could you please send the resulting
debdiff for the jessie-security upload to us, for a short review? If it
is fine, we can already have the jessie-security package uploaded to
security-master and let the buildd daemons pick up the work.

Regards,
Salvatore
Bug#811428: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi,

I'll get it sent over shortly.

--
Lars

On 01/25/2016 08:57 AM, Salvatore Bonaccorso wrote:
> Hi Lars,
>
> On Fri, Jan 22, 2016 at 08:25:30AM -0800, Lars Tangvald wrote:
> > Hi Salvatore,
> >
> > I'll get the wheezy-security package built and tested and send an update as
> > soon as it's done.
>
> Great, thanks! In the meantime, could you please send the resulting
> debdiff for the jessie-security upload to us, for a short review? If it
> is fine, we can already have the jessie-security package uploaded to
> security-master and let the buildd daemons pick up the work.
>
> Regards,
> Salvatore
Bug#811428: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Salvatore,

I'll get the wheezy-security package built and tested and send an update as
soon as it's done.

regards,
Lars Tangvald

----- Original Message -----
From: car...@debian.org
To: robie.ba...@ubuntu.com
Cc: 811...@bugs.debian.org, t...@security.debian.org
Sent: Thursday, January 21, 2016 8:15:30 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU

Hi Robie,

On Thu, Jan 21, 2016 at 09:46:13AM +, Robie Basak wrote:
> Dear Security Team,
>
> You have asked us to be prompt with helping to prepare security updates
> for you, and we have done so. We have kept the bug updated like you
> asked us last time. The sources are tested and ready. We notified the
> bug as requested, but haven't heard from you. Please let us know how you
> want to coordinate uploading this.

Thanks for preparing an update. We usually would see a debdiff from the
resulting built package (in case of a new upstream import this can get
big, so some autogenerated files can be filtered out). We have collected
important information for us in advisory preparation in
https://wiki.debian.org/DebianSecurity/AdvisoryCreation , especially
relevant from the developers' point of view when preparing the update:
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecurityDev .

The changelog itself looks good to me from a quick skim through. It
addresses all the information we would like to have seen there (CVE
references, bug fixed, reference to the Oracle CPU). Thank you.

Important question first: what is the status of the wheezy-security
package for those issues?

Please make sure of the following: once you have both, build the
jessie-security one with -sa to include the original orig.tar.gz, and
the wheezy-security one explicitly without -sa so as not to include the
orig source tarball.

Then we need a bit of coordination for the upload order, since mysql-5.5
is a special case with the same source orig.tar.gz for both wheezy and
jessie. Someone on your team with a GPG key in the DD keyring might then
upload the jessie-security one to security-master first, and after it
gets accepted there, upload the wheezy-security one.

Regards,
Salvatore

_______________________________________________
pkg-mysql-maint mailing list
pkg-mysql-ma...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Dear Security Team,

You have asked us to be prompt with helping to prepare security updates
for you, and we have done so. We have kept the bug updated like you
asked us last time. The sources are tested and ready. We notified the
bug as requested, but haven't heard from you. Please let us know how you
want to coordinate uploading this.

Thanks,
Robie
Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Hi Robie,

On Thu, Jan 21, 2016 at 09:46:13AM +, Robie Basak wrote:
> Dear Security Team,
>
> You have asked us to be prompt with helping to prepare security updates
> for you, and we have done so. We have kept the bug updated like you
> asked us last time. The sources are tested and ready. We notified the
> bug as requested, but haven't heard from you. Please let us know how you
> want to coordinate uploading this.

Thanks for preparing an update. We usually would see a debdiff from the
resulting built package (in case of a new upstream import this can get
big, so some autogenerated files can be filtered out). We have collected
important information for us in advisory preparation in
https://wiki.debian.org/DebianSecurity/AdvisoryCreation , especially
relevant from the developers' point of view when preparing the update:
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecurityDev .

The changelog itself looks good to me from a quick skim through. It
addresses all the information we would like to have seen there (CVE
references, bug fixed, reference to the Oracle CPU). Thank you.

Important question first: what is the status of the wheezy-security
package for those issues?

Please make sure of the following: once you have both, build the
jessie-security one with -sa to include the original orig.tar.gz, and
the wheezy-security one explicitly without -sa so as not to include the
orig source tarball.

Then we need a bit of coordination for the upload order, since mysql-5.5
is a special case with the same source orig.tar.gz for both wheezy and
jessie. Someone on your team with a GPG key in the DD keyring might then
upload the jessie-security one to security-master first, and after it
gets accepted there, upload the wheezy-security one.

Regards,
Salvatore
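The build and upload order Salvatore lays out above (jessie-security built with -sa so it carries the orig tarball, then wheezy-security without it, both for the same 5.5.47 upstream source) is easy to get wrong, and a rejected second upload costs another round trip with security-master. What follows is an added example, not code from the bug thread or from the pkg-mysql team: a POSIX shell pre-upload check that inspects the two .changes files and confirms that the first lists an orig tarball, the second does not, and both name the same upstream version. It assumes `dpkg-buildpackage -sd` as the way to build the second package "explicitly without -sa" (the thread names only the flag to avoid, not the one to use); the sample .changes contents, file names and checksums are constructed for the demonstration and are not real upload artefacts.

```shell
#!/bin/sh
# Added example, not from the bug thread: sanity-check a pair of .changes
# files before a jessie-security/wheezy-security upload that shares one
# orig.tar.gz. The first upload must carry the orig tarball (dpkg-buildpackage
# -sa); the second must not (dpkg-buildpackage -sd, assumed here as the flag
# that forces the original source to be excluded even though the upstream
# version changed since the previous changelog entry).
set -eu

# Return 0 if the Files: section of a .changes file lists an orig tarball.
# Only lines inside "Files:" are inspected; continuation lines start with a space.
changes_has_orig() {
    awk '
        /^Files:/ { in_files = 1; next }
        /^[^ ]/   { in_files = 0 }
        in_files && /\.orig\.tar\./ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print the upstream version of a .changes file: the Version: field with the
# Debian revision (everything after the last "-") removed.
changes_upstream_version() {
    awk '/^Version:/ { v = $2; sub(/-[^-]*$/, "", v); print v; exit }' "$1"
}

# Check an upload pair: the first .changes must include the orig tarball, the
# second must not, and both must be for the same upstream version (otherwise
# the second upload could never find the orig the first one provided).
check_upload_pair() {
    with_orig=$1
    without_orig=$2
    status=0
    if ! changes_has_orig "$with_orig"; then
        echo "ERROR: $with_orig lacks the orig tarball (rebuild with -sa)" >&2
        status=1
    fi
    if changes_has_orig "$without_orig"; then
        echo "ERROR: $without_orig carries the orig tarball (rebuild with -sd)" >&2
        status=1
    fi
    if [ "$(changes_upstream_version "$with_orig")" != \
         "$(changes_upstream_version "$without_orig")" ]; then
        echo "ERROR: upstream versions differ between the two uploads" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample .changes files (not real upload artefacts; checksums are
# dummies and only the fields read above are present), written into "$1".
write_samples() {
    cat > "$1/jessie.changes" <<'EOF'
Format: 1.8
Source: mysql-5.5
Version: 5.5.47-0+deb8u1
Distribution: jessie-security
Files:
 00000000000000000000000000000000 2000 database optional mysql-5.5_5.5.47-0+deb8u1.dsc
 00000000000000000000000000000000 21000000 database optional mysql-5.5_5.5.47.orig.tar.gz
 00000000000000000000000000000000 150000 database optional mysql-5.5_5.5.47-0+deb8u1.debian.tar.xz
EOF
    cat > "$1/wheezy.changes" <<'EOF'
Format: 1.8
Source: mysql-5.5
Version: 5.5.47-0+deb7u1
Distribution: wheezy-security
Files:
 00000000000000000000000000000000 2000 database optional mysql-5.5_5.5.47-0+deb7u1.dsc
 00000000000000000000000000000000 150000 database optional mysql-5.5_5.5.47-0+deb7u1.debian.tar.gz
EOF
}

# Stand-alone demonstration: the intended order passes, the reversed order fails.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    check_upload_pair "$dir/jessie.changes" "$dir/wheezy.changes" \
        && echo "ok: upload jessie.changes first, then wheezy.changes"
    if check_upload_pair "$dir/wheezy.changes" "$dir/jessie.changes" 2>/dev/null; then
        echo "unexpected: reversed order accepted" >&2
    fi
    rm -rf "$dir"
}

demo
```

Run it after both source builds and before dput; if it reports an error, rebuild the offending package rather than retrying the upload. It checks only the points the thread raises (orig tarball present or absent, matching upstream version), not the signature on the .changes or the Distribution field.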
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
On 01/20/2016 12:59 AM, Clint Byrum wrote:
> Is anyone working on the build/test/upload of the final binaries?

I'm working with Robie to get the upload ready. Dep8 tests have passed
on stable, and the changes made by the security team for previous
releases should all be merged into my github tree. Once it's merged into
Alioth we'll need someone to take over for tag and upload.

--
Lars Tangvald
Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
http://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git/ is updated.

I'll send a notice to the security team. They may want us to do the
upload, in which case we'll need someone who has the permissions to do
so :)

--
Lars Tangvald
Bug#811428: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
The updated changelog containing the CPU information can be found at
https://github.com/ltangvald/mysql-5.5

The final commit is the only change from
https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git

--
Lars Tangvald
Bug#811428: [debian-mysql] Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
The Critical Patch Update is out:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

The following vulnerabilities are fixed by upgrading from MySQL 5.5.46 to
5.5.47:

CVE-2016-0505
CVE-2016-0546
CVE-2016-0597
CVE-2016-0598
CVE-2016-0600
CVE-2016-0606
CVE-2016-0608
CVE-2016-0609
CVE-2016-0596
CVE-2016-0616

Regards,

Norvald H. Ryeng
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Is anyone working on the build/test/upload of the final binaries?

Excerpts from Norvald H. Ryeng's message of 2016-01-19 13:02:57 -0800:
> The Critical Patch Update is out:
> http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
>
> The following vulnerabilities are fixed by upgrading from MySQL 5.5.46 to
> 5.5.47:
>
> CVE-2016-0505
> CVE-2016-0546
> CVE-2016-0597
> CVE-2016-0598
> CVE-2016-0600
> CVE-2016-0606
> CVE-2016-0608
> CVE-2016-0609
> CVE-2016-0596
> CVE-2016-0616
>
> Regards,
>
> Norvald H. Ryeng
Bug#811428: [debian-mysql] Bug#811428: Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
The git tree is missing a copyright update made by the security team,
which will need to be merged.

--
Lars Tangvald

On 01/19/2016 10:02 PM, Norvald H. Ryeng wrote:
> The Critical Patch Update is out:
> http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
>
> The following vulnerabilities are fixed by upgrading from MySQL 5.5.46 to
> 5.5.47:
>
> CVE-2016-0505
> CVE-2016-0546
> CVE-2016-0597
> CVE-2016-0598
> CVE-2016-0600
> CVE-2016-0606
> CVE-2016-0608
> CVE-2016-0609
> CVE-2016-0596
> CVE-2016-0616
>
> Regards,
>
> Norvald H. Ryeng
Bug#811428: mysql-5.5: Multiple security fixes from the January 2016 CPU
Source: mysql-5.5
Version: 5.5.46-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for January 2016 will be released on
Tuesday, January 19. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.5.47. The CVE
numbers will be available when the CPU is released.

All necessary work to upgrade to 5.5.47 has already been done in git.
Someone just needs to tag it and upload.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html