Bug#933002: docker.io: CVE-2019-13139
On Sun, 2019-08-18 at 16:22 +0100, Adam D. Barratt wrote:
> On Sun, 2019-08-18 at 16:56 +0200, Arnaud Rebillout wrote:
> > * The bug you want to fix in stable must be fixed in unstable
> > already (and not waiting in NEW or the delayed queue)
> >
> > My issue with this particular bug (#933002) is that for now,
> > docker.io doesn't build in unstable. It will take a while before it
> > builds again, as there were changes in the dependency tree.
> >
> > On the other hand, fixing this bug in stable is just a matter of
> > importing the patch from upstream and rebuilding the package.
> >
> > So how am I supposed to handle that? Waiting for docker.io to be
> > fixed and built again in unstable will delay the fix in stable for
> > weeks, I don't think it's a good option.
>
> Nevertheless, that is the case I'm afraid. Updates to stable via
> proposed-updates are not appropriate for urgent security updates -
> that is what the security archive is for.

For the record, this fix became part of DSA 4521.

> Looking at
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=docker.io
> , there doesn't appear to be a bug filed for the build failure, so
> there's no indication of what the issues are, nor what needs to be
> done to fix them.

and it looks like the build failures got fixed.

Regards,

Adam
Bug#933002: docker.io: CVE-2019-13139
On Sun, 2019-08-18 at 16:56 +0200, Arnaud Rebillout wrote:
> * The bug you want to fix in stable must be fixed in unstable
> already (and not waiting in NEW or the delayed queue)
>
> My issue with this particular bug (#933002) is that for now,
> docker.io doesn't build in unstable. It will take a while before it
> builds again, as there were changes in the dependency tree.
>
> On the other hand, fixing this bug in stable is just a matter of
> importing the patch from upstream and rebuilding the package.
>
> So how am I supposed to handle that? Waiting for docker.io to be
> fixed and built again in unstable will delay the fix in stable for
> weeks, I don't think it's a good option.

Nevertheless, that is the case I'm afraid. Updates to stable via
proposed-updates are not appropriate for urgent security updates -
that is what the security archive is for.

Looking at https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=docker.io ,
there doesn't appear to be a bug filed for the build failure, so
there's no indication of what the issues are, nor what needs to be
done to fix them.

Regards,

Adam
Bug#933002: docker.io: CVE-2019-13139
Dear Release Team,

I'm new to the process of uploading to stable, I need your guidance on
that one.

From the buster announce:

* The bug you want to fix in stable must be fixed in unstable
  already (and not waiting in NEW or the delayed queue)

My issue with this particular bug (#933002) is that for now,
docker.io doesn't build in unstable. It will take a while before it
builds again, as there were changes in the dependency tree.

On the other hand, fixing this bug in stable is just a matter of
importing the patch from upstream and rebuilding the package.

So how am I supposed to handle that? Waiting for docker.io to be
fixed and built again in unstable will delay the fix in stable for
weeks, I don't think it's a good option.

Best regards,

Arnaud
Bug#933002: docker.io: CVE-2019-13139
On 8/13/19 12:35 PM, Salvatore Bonaccorso wrote:
> On Tue, Aug 13, 2019 at 11:31:41AM +0200, Arnaud Rebillout wrote:
> > This is fixed in unstable. Thanks!

Oh well, not fixed in unstable yet actually, as the package doesn't
build anymore due to changes in the dependency tree...

> This one is marked as no-dsa. But if something is not yet marked it
> can as well mean we simply have not assessed it for buster or
> stretch. Feel free to CC the security team alias when unsure.
>
> For getting packages via a point release there are some steps
> outlined here:
>
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
>
> When involving security some guidelines are given at
>
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
>
> and
>
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security

Thanks for all the references!

Arnaud
Bug#933002: docker.io: CVE-2019-13139
Hi

On Tue, Aug 13, 2019 at 11:31:41AM +0200, Arnaud Rebillout wrote:
> This is fixed in unstable. Thanks!
>
> Question from a non-experienced DM: what's the procedure to get this
> into stable? It seems that I shouldn't file a bug to release.debian.org,
> and instead get in touch with the security team.
>
> What's the workflow? Should I file a bug against the pseudo-package
> security.debian.org? Or should I just follow up on this bug and CC security?

This one is marked as no-dsa. But if something is not yet marked it
can as well mean we simply have not assessed it for buster or
stretch. Feel free to CC the security team alias when unsure.

For getting packages via a point release there are some steps
outlined here:

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

When involving security some guidelines are given at

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4

and

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security .

Hope this helps!

Regards,
Salvatore
Bug#933002: docker.io: CVE-2019-13139
This is fixed in unstable.

Question from a non-experienced DM: what's the procedure to get this
into stable? It seems that I shouldn't file a bug to release.debian.org,
and instead get in touch with the security team.

What's the workflow? Should I file a bug against the pseudo-package
security.debian.org? Or should I just follow up on this bug and CC security?

Thanks!

Arnaud
Bug#933002: docker.io: CVE-2019-13139
Source: docker.io
Version: 18.09.1+dfsg1-7.1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/moby/moby/pull/38944
Control: fixed -1 18.09.5+dfsg1-1

Hi,

The following vulnerability was published for docker.io.

CVE-2019-13139[0]:
command injection due to a missing validation of the git ref command

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13139
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13139
[1] https://github.com/moby/moby/pull/38944
[2] https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/

Regards,
Salvatore
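The bug report above describes the issue only as "a missing validation of the git ref command". The following Go program is an added illustration for this page, not code from the moby project, the upstream pull request or any message in this thread. It shows the defensive pattern that closes this class of bug: a ref taken from an untrusted remote-context URL (the "#ref:subdir" fragment form that docker build accepts) is validated before it reaches a git invocation, and the git argument vector uses an explicit "--" separator so that a ref can never be parsed as an option. The function names, the assumption that only URLs with a scheme are handled, and the sample URLs are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrRefLooksLikeOption is returned for a ref that git's argument parser
// would read as a command-line switch instead of a revision name.
var ErrRefLooksLikeOption = errors.New("git ref must not start with '-'")

// validateGitRef accepts ordinary revision names and rejects anything
// that could be parsed as an option. Illustrative check written for
// this page, not the moby project's own code.
func validateGitRef(ref string) error {
	if ref == "" {
		return nil // empty ref: the caller falls back to the default branch
	}
	if strings.HasPrefix(ref, "-") {
		return ErrRefLooksLikeOption
	}
	return nil
}

// parseRemoteFragment splits the "#ref:subdir" fragment of a remote
// build-context URL into its parts and validates the ref before it can
// reach any git invocation. Only URLs with a scheme are handled here
// (assumption made for this example).
func parseRemoteFragment(remote string) (ref, subdir string, err error) {
	u, err := url.Parse(remote)
	if err != nil {
		return "", "", err
	}
	if u.Fragment == "" {
		return "", "", nil
	}
	parts := strings.SplitN(u.Fragment, ":", 2)
	ref = parts[0]
	if len(parts) == 2 {
		subdir = parts[1]
	}
	if err := validateGitRef(ref); err != nil {
		return "", "", fmt.Errorf("invalid refspec %q: %w", ref, err)
	}
	return ref, subdir, nil
}

// fetchArgs builds the argv for fetching one ref. Everything after the
// "--" separator is a refspec to "git fetch", so even a ref that slipped
// past validation is never interpreted as an option.
func fetchArgs(ref string) []string {
	return []string{"fetch", "--depth", "1", "origin", "--", ref}
}

func main() {
	// Constructed sample inputs: one well-formed context URL, one whose
	// fragment would be read by git as an option rather than a revision.
	for _, remote := range []string{
		"https://example.invalid/app.git#main:services/api",
		"https://example.invalid/app.git#--not-a-ref",
	} {
		ref, subdir, err := parseRemoteFragment(remote)
		if err != nil {
			fmt.Printf("%s -> rejected: %v\n", remote, err)
			continue
		}
		fmt.Printf("%s -> ref=%q subdir=%q argv=%v\n", remote, ref, subdir, fetchArgs(ref))
	}
}
```

Both layers matter: the validation gives a clear error to the user at the point where the URL is parsed, while the "--" separator is the belt-and-braces guarantee at the point where the process is actually spawned, so a future code path that forgets to validate still cannot turn a ref into a git option.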