On Sep 20, 2012, at 1:46 PM, Michael Hanke m...@debian.org wrote:
> On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
>> These security issues have been fixed in the just-released Condor 7.8.4.
>> Michael, here are the commit hashes in the Condor git repo for the fixes:
>> CVE-2012-3491: 1fff5d40
>> CVE-2012-3493: d2f33972
>
> These two do not apply cleanly against 7.8.2:
>
> Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
> patching file src/condor_schedd.V6/schedd.cpp
> Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
> Hunk #2 FAILED at 10251.
> 1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
> patching file src/condor_schedd.V6/scheduler.h
> Hunk #1 FAILED at 291.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
> Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not
> apply (enforce with -f)
>
> Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
> patching file src/condor_startd.V6/command.cpp
> Hunk #1 succeeded at 624 (offset 79 lines).
> patching file src/condor_startd.V6/command.h
> Hunk #1 FAILED at 83.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
> patching file src/condor_startd.V6/startd_main.cpp
> Hunk #1 succeeded at 267 (offset -6 lines).
> Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not
> apply (enforce with -f)
>
> Before I dig deeper, could you please confirm that cherry-picking the
> four commits alone will fully address the security vulnerabilities? If
> that is the case, it seems that at least one more commit is missing.
>
> Looking into the 7.8 branch in the condor repo, it seems that quite a
> bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
> stable maintenance branch) whether it wouldn't be a better idea to aim
> for an upload of 7.8.4 as a whole. Is there something in it that is not
> a bugfix of some kind?

The commits were made on the V7_6-branch, then merged into the V7_8-branch. We
had to manually resolve conflicts during the merge, as the affected code had
been modified during the 7.7.x series. Thus, there's no commit that can be
cleanly cherry-picked. I can provide patch files that will apply cleanly.
We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes.
I would prefer it if we could get it into Debian Testing as well, but I thought
we were too far into the freeze for that.
Thanks and regards,
Jaime Frey
UW-Madison Condor Team