Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
- car...@debian.org wrote:

> Hi Lars,
>
> On Wed, Jan 18, 2017 at 06:41:40AM -0800, Lars Tangvald wrote:
> >
> > - car...@debian.org wrote:
> >
> > > > >With that fixed, and build with -sa (to include the orig tarball)
> > > > >please do upload to security-master.
> > > > Do we have access to upload here? I think the security team have handled the
> > > > upload in the past.
> > >
> > > yes it needs to be a key in the DD keyring. Do you have a DD in the
> > > mysql-pkg team who could sponsor the upload?
> > >
> >
> > Not really, unfortunately (Otto is a DD, but he's only involved with
> > the MariaDB packaging).
> > It's an issue for us, since it also causes problems with uploads to
> > unstable.
>
> Ok. I thought in the past James Page was sponsoring the uploads.
> Alright, in that case, let me know when you have finished the
> packaging with the small changes mentioned, I can take care of
> sponsoring the upload.
>

I might be going a bit senile, since I forgot he's got access as well, but for the last months he's been occupied, so I don't think he's available now.
I'll let you know when the new build is ready, thanks.

--
Lars

> Regards,
> Salvatore
Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
Hi Lars,

On Wed, Jan 18, 2017 at 06:41:40AM -0800, Lars Tangvald wrote:
>
> - car...@debian.org wrote:
>
> > > >With that fixed, and build with -sa (to include the orig tarball)
> > > >please do upload to security-master.
> > > Do we have access to upload here? I think the security team have handled the
> > > upload in the past.
> >
> > yes it needs to be a key in the DD keyring. Do you have a DD in the
> > mysql-pkg team who could sponsor the upload?
> >
>
> Not really, unfortunately (Otto is a DD, but he's only involved with
> the MariaDB packaging).
> It's an issue for us, since it also causes problems with uploads to
> unstable.

Ok. I thought in the past James Page was sponsoring the uploads.
Alright, in that case, let me know when you have finished the
packaging with the small changes mentioned, I can take care of
sponsoring the upload.

Regards,
Salvatore
Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
- car...@debian.org wrote:

> > >With that fixed, and build with -sa (to include the orig tarball)
> > >please do upload to security-master.
> > Do we have access to upload here? I think the security team have handled the
> > upload in the past.
>
> yes it needs to be a key in the DD keyring. Do you have a DD in the
> mysql-pkg team who could sponsor the upload?
>

Not really, unfortunately (Otto is a DD, but he's only involved with the MariaDB packaging).
It's an issue for us, since it also causes problems with uploads to unstable.

--
Lars
Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
Hi Lars,

On Wed, Jan 18, 2017 at 12:45:45PM +0100, Lars Tangvald wrote:
> Hi,
>
> On 01/18/2017 12:39 PM, Salvatore Bonaccorso wrote:
> >Hi Lars,
> >
> >On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:
> >>Hi,
> >>
> >>The update builds and passes testing.
> >>I've attached debdiff output for Wheezy and Jessie for this update. Aside
> >>from the changelog, the only change to packaging is a patch for a test
> >>(main.events_2) that was failing because of a hardcoded date.
> >Thanks for preparing the update.
> >

> >>diff -r mysql-5.5-5.5.53/debian/changelog > >>../mysql-5.5/mysql-5.5/debian/changelog > >>0a1,14 > >>>mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high > >>> > >>> * Imported upstream version 5.5.54 to fix security issues: > >>> - > >>> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html > >>> - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 > >>> - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 > >>> - CVE-2017-3317 CVE-2017-3318 > >>> (Closes: #851233) > >>> * Fix failing test main.events_2 > >>> The test was failing due to hardcoded date (2017-01-01). Added patch > >>> pending upstream fix. > >>> > >>> -- Lars TangvaldTue, 17 Jan 2017 13:04:58 > >>> +0100

> >This looks good, but see one change which seems included below:
> >

> >>5c19 > >>< - CVE-2016-7440 CVE-2016-5584 > >>--- > >>> - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584

> >Did you build not on top of the last update? Because we corrected the
> >CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
> >there, and was already fixed in the DSA-3666-1 with mysql-5.5
> >5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
> >https://bugs.debian.org/841050#62 for the DSA-3666-1 upload. I don't
> >remember exactly, but I thought I had asked someone of the mysql
> >packaging team to import the final changes to the packaging
> >repository.
> Aha, yes. I see the vcs hasn't got the 5.5.53 packages imported properly.
> I'll do the import and rebuild, thanks.

Thanks!

> >With that fixed, and build with -sa (to include the orig tarball)
> >please do upload to security-master.
> Do we have access to upload here? I think the security team have handled the
> upload in the past.

yes it needs to be a key in the DD keyring. Do you have a DD in the
mysql-pkg team who could sponsor the upload?

Regards,
Salvatore
Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
Hi,

On 01/18/2017 12:39 PM, Salvatore Bonaccorso wrote:
>Hi Lars,
>
>On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:
>>Hi,
>>
>>The update builds and passes testing.
>>I've attached debdiff output for Wheezy and Jessie for this update. Aside
>>from the changelog, the only change to packaging is a patch for a test
>>(main.events_2) that was failing because of a hardcoded date.
>Thanks for preparing the update.

diff -r mysql-5.5-5.5.53/debian/changelog ../mysql-5.5/mysql-5.5/debian/changelog 0a1,14 mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high * Imported upstream version 5.5.54 to fix security issues: - http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 - CVE-2017-3317 CVE-2017-3318 (Closes: #851233) * Fix failing test main.events_2 The test was failing due to hardcoded date (2017-01-01). Added patch pending upstream fix. -- Lars TangvaldTue, 17 Jan 2017 13:04:58 +0100

>This looks good, but see one change which seems included below:

5c19 < - CVE-2016-7440 CVE-2016-5584 --- - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584

>Did you build not on top of the last update? Because we corrected the
>CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
>there, and was already fixed in the DSA-3666-1 with mysql-5.5
>5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
>https://bugs.debian.org/841050#62 for the DSA-3666-1 upload. I don't
>remember exactly, but I thought I had asked someone of the mysql
>packaging team to import the final changes to the packaging
>repository.

Aha, yes. I see the vcs hasn't got the 5.5.53 packages imported properly.
I'll do the import and rebuild, thanks.

>With that fixed, and build with -sa (to include the orig tarball)
>please do upload to security-master.

Do we have access to upload here? I think the security team have handled the upload in the past.

--
Lars

>Thanks for your work!
>
>Regards,
>Salvatore
Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU
Hi Lars,

On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:
> Hi,
>
> The update builds and passes testing.
> I've attached debdiff output for Wheezy and Jessie for this update. Aside
> from the changelog, the only change to packaging is a patch for a test
> (main.events_2) that was failing because of a hardcoded date.

Thanks for preparing the update.

> diff -r mysql-5.5-5.5.53/debian/changelog > ../mysql-5.5/mysql-5.5/debian/changelog > 0a1,14 > > mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high > > > > * Imported upstream version 5.5.54 to fix security issues: > > - > > http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html > > - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 > > - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 > > - CVE-2017-3317 CVE-2017-3318 > > (Closes: #851233) > > * Fix failing test main.events_2 > > The test was failing due to hardcoded date (2017-01-01). Added patch > > pending upstream fix. > > > > -- Lars TangvaldTue, 17 Jan 2017 13:04:58 > > +0100

This looks good, but see one change which seems included below:

> 5c19 > < - CVE-2016-7440 CVE-2016-5584 > --- > > - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584

Did you build not on top of the last update? Because we corrected the
CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
there, and was already fixed in the DSA-3666-1 with mysql-5.5
5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
https://bugs.debian.org/841050#62 for the DSA-3666-1 upload. I don't
remember exactly, but I thought I had asked someone of the mysql
packaging team to import the final changes to the packaging
repository.

With that fixed, and build with -sa (to include the orig tarball)
please do upload to security-master.

Thanks for your work!

Regards,
Salvatore
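Review bot: In the 0a1,14 hunk, the "Fix failing test main.events_2" item says "Added patch pending upstream fix" without naming the patch file, so the changelog does not tell a later maintainer which file under debian/patches to drop once upstream ships its own fix. Name the patch in the entry, and say there that it only touches the test suite, since it is the one non-upstream change in a security upload.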
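Review bot: The 5c19 hunk edits a line in an older changelog entry, turning "- CVE-2016-7440 CVE-2016-5584" into "- CVE-2016-6662 CVE-2016-7440 CVE-2016-5584", whereas a debdiff for a new security upload should differ from the previous changelog only by the new top entry (the 0a1,14 hunk). Rebuild on top of the changelog as it was uploaded for 5.5.53-0+deb8u1 so that this hunk disappears from the debdiff.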
Bug#851233: [debian-mysql] Bug#851233: Security fixes from the January 2017 CPU
CVE List for 5.5:
CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258 CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318

--
Lars

On 01/13/2017 09:19 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.5
> Version: 5.5.53-0+deb8u1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for January 2017 will be released on
> Tuesday, January 17. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.5.54.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Bug#851233: [debian-mysql] Bug#851233: Security fixes from the January 2017 CPU
I've built and tested the updates, and will pass debdiffs on to the security team once the CVE list is available.

--
Lars

- norvald.ry...@oracle.com wrote:

> Source: mysql-5.5
> Version: 5.5.53-0+deb8u1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for January 2017 will be released on
> Tuesday, January 17. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.5.54.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1]
> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Bug#851233: Security fixes from the January 2017 CPU
Source: mysql-5.5
Version: 5.5.53-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for January 2017 will be released on Tuesday, January 17. According to the pre-release announcement [1], it will contain information about CVEs fixed in MySQL 5.5.54.

The CVE numbers will be available when the CPU is released.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html