Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Lars Tangvald

- car...@debian.org wrote:

> Hi Lars,
> 
> On Wed, Jan 18, 2017 at 06:41:40AM -0800, Lars Tangvald wrote:
> > 
> > - car...@debian.org wrote:
> > 
> > 
> > > > >With that fixed, and build with -sa (to include the orig tarball)
> > > > >please do upload to security-master.
> > > > Do we have access to upload here? I think the security team have
> > > > handled the upload in the past.
> > > 
> > > yes it needs to be a key in the DD keyring. Do you have a DD in the
> > > mysql-pkg team who could sponsor the upload?
> > > 
> > 
> > Not really, unfortunately (Otto is a DD, but he's only involved with
> > the MariaDB packaging).
> > It's an issue for us, since it also causes problems with uploads to
> > unstable.
> 
> Ok. I thought in the past James Page was sponsoring the uploads.
> Alright, in that case, let me know when you have finished the
> packaging with the small changes mentioned, I can take care of
> sponsoring the upload.
> 
I might be going a bit senile, since I forgot he's got access as well, but for 
the last months he's been occupied, so I don't think he's available now.
I'll let you know when the new build is ready, thanks.

--
Lars
> Regards,
> Salvatore



Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Salvatore Bonaccorso
Hi Lars,

On Wed, Jan 18, 2017 at 06:41:40AM -0800, Lars Tangvald wrote:
> 
> - car...@debian.org wrote:
> 
> 
> > > >With that fixed, and build with -sa (to include the orig tarball)
> > > >please do upload to security-master.
> > > > Do we have access to upload here? I think the security team have
> > > > handled the upload in the past.
> > > 
> > > yes it needs to be a key in the DD keyring. Do you have a DD in the
> > > mysql-pkg team who could sponsor the upload?
> > 
> 
> Not really, unfortunately (Otto is a DD, but he's only involved with
> the MariaDB packaging).
> It's an issue for us, since it also causes problems with uploads to
> unstable.

Ok. I thought in the past James Page was sponsoring the uploads.
Alright, in that case, let me know when you have finished the
packaging with the small changes mentioned, I can take care of
sponsoring the upload.

Regards,
Salvatore



Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Lars Tangvald

- car...@debian.org wrote:


> > >With that fixed, and build with -sa (to include the orig tarball)
> > >please do upload to security-master.
> > Do we have access to upload here? I think the security team have
> > handled the upload in the past.
> 
> yes it needs to be a key in the DD keyring. Do you have a DD in the
> mysql-pkg team who could sponsor the upload?
> 

Not really, unfortunately (Otto is a DD, but he's only involved with the 
MariaDB packaging).
It's an issue for us, since it also causes problems with uploads to unstable.

--
Lars



Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Salvatore Bonaccorso
Hi Lars,

On Wed, Jan 18, 2017 at 12:45:45PM +0100, Lars Tangvald wrote:
> Hi,
> 
> On 01/18/2017 12:39 PM, Salvatore Bonaccorso wrote:
> >Hi Lars,
> >
> >On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:
> >>Hi,
> >>
> >>The update builds and passes testing.
> >>I've attached debdiff output for Wheezy and Jessie for this update. Aside
> >>from the changelog, the only change to packaging is a patch for a test
> >>(main.events_2) that was failing because of a hardcoded date.
> >Thanks for preparing the update.
> >
> >>diff -r mysql-5.5-5.5.53/debian/changelog 
> >>../mysql-5.5/mysql-5.5/debian/changelog
> >>0a1,14
> >>>mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high
> >>>
> >>>   * Imported upstream version 5.5.54 to fix security issues:
> >>> - 
> >>> http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
> >>> - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258
> >>> - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313
> >>> - CVE-2017-3317 CVE-2017-3318
> >>> (Closes: #851233)
> >>>   * Fix failing test main.events_2
> >>> The test was failing due to hardcoded date (2017-01-01). Added patch
> >>> pending upstream fix.
> >>>
> >>>  -- Lars Tangvald   Tue, 17 Jan 2017 13:04:58 
> >>> +0100
> >This looks good, but see one change which seems included below:
> >
> >>5c19
> >>< - CVE-2016-7440 CVE-2016-5584
> >>---
> >>> - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584
> >Did you build not on top of the last update? Because we corrected the
> >CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
> >there, and was already fixed in the DSA-3666-1 with mysql-5.5
> >5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
> >https://bugs.debian.org/841050#62 for the DSA-3666-1 upload . I don't
> >remember exactly, but I thought I had asked someone of the mysql
> >packaging team to import the final changes to the packaging
> >repository.
> Aha, yes. I see the vcs hasn't got the 5.5.53 packages imported properly.
> I'll do the import and rebuild, thanks.

Thanks!

> >With that fixed, and build with -sa (to include the orig tarball)
> >please do upload to security-master.
> Do we have access to upload here? I think the security team have handled the
> upload in the past.

yes it needs to be a key in the DD keyring. Do you have a DD in the
mysql-pkg team who could sponsor the upload?

Regards,
Salvatore



Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Lars Tangvald

Hi,

On 01/18/2017 12:39 PM, Salvatore Bonaccorso wrote:

Hi Lars,

On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:

Hi,

The update builds and passes testing.
I've attached debdiff output for Wheezy and Jessie for this update. Aside
from the changelog, the only change to packaging is a patch for a test
(main.events_2) that was failing because of a hardcoded date.

Thanks for preparing the update.


diff -r mysql-5.5-5.5.53/debian/changelog 
../mysql-5.5/mysql-5.5/debian/changelog
0a1,14

mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high

   * Imported upstream version 5.5.54 to fix security issues:
 - 
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
 - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258
 - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313
 - CVE-2017-3317 CVE-2017-3318
 (Closes: #851233)
   * Fix failing test main.events_2
 The test was failing due to hardcoded date (2017-01-01). Added patch
 pending upstream fix.

  -- Lars Tangvald   Tue, 17 Jan 2017 13:04:58 +0100

This looks good, but see one change which seems included below:


5c19
< - CVE-2016-7440 CVE-2016-5584
---

 - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584

Did you build not on top of the last update? Because we corrected the
CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
there, and was already fixed in the DSA-3666-1 with mysql-5.5
5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
https://bugs.debian.org/841050#62 for the DSA-3666-1 upload . I don't
remember exactly, but I thought I had asked someone of the mysql
packaging team to import the final changes to the packaging
repository.

Aha, yes. I see the vcs hasn't got the 5.5.53 packages imported
properly. I'll do the import and rebuild, thanks.

With that fixed, and build with -sa (to include the orig tarball)
please do upload to security-master.

Do we have access to upload here? I think the security team have handled
the upload in the past.


--
Lars

Thanks for your work!

Regards,
Salvatore




Bug#851233: [debian-mysql] Bug#851233: Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Salvatore Bonaccorso
Hi Lars,

On Wed, Jan 18, 2017 at 10:33:30AM +0100, Lars Tangvald wrote:
> Hi,
> 
> The update builds and passes testing.
> I've attached debdiff output for Wheezy and Jessie for this update. Aside
> from the changelog, the only change to packaging is a patch for a test
> (main.events_2) that was failing because of a hardcoded date.

Thanks for preparing the update.

> diff -r mysql-5.5-5.5.53/debian/changelog 
> ../mysql-5.5/mysql-5.5/debian/changelog
> 0a1,14
> > mysql-5.5 (5.5.54-0+deb8u1) jessie-security; urgency=high
> > 
> >   * Imported upstream version 5.5.54 to fix security issues:
> > - 
> > http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
> > - CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258
> > - CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313
> > - CVE-2017-3317 CVE-2017-3318
> > (Closes: #851233)
> >   * Fix failing test main.events_2
> > The test was failing due to hardcoded date (2017-01-01). Added patch
> > pending upstream fix.
> > 
> >  -- Lars Tangvald   Tue, 17 Jan 2017 13:04:58 
> > +0100
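
Review bot: the "Fix failing test main.events_2" item at the end of this new entry says only "Added patch pending upstream fix" and names neither the patch file nor an upstream report, so the changelog line cannot be matched to the packaging change it describes. Naming the patch file in the entry, and the upstream report if one exists, would let the test change be audited alongside the CVE list.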

This looks good, but see one change which seems included below:

> 5c19
> < - CVE-2016-7440 CVE-2016-5584
> ---
> > - CVE-2016-6662 CVE-2016-7440 CVE-2016-5584
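
Review bot: 5c19 alters an existing entry instead of adding one: with 14 lines inserted at the top by 0a1,14, old line 5 and new line 19 are the same changelog line, so the tree being built adds CVE-2016-6662 to the CVE list of an older entry. Earlier entries should stay as they were uploaded; regenerate the debdiff from a tree based on the previously uploaded package so that 0a1,14 is the only change to debian/changelog.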

Did you build not on top of the last update? Because we corrected the
CVE ids in the 5.5.53-0+deb8u1 upload. CVE-2016-6662 does not belong
there, and was already fixed in the DSA-3666-1 with mysql-5.5
5.5.52-0+deb8u1, cf. the resulting changelog for 5.5.53-0+deb8u1 in
https://bugs.debian.org/841050#62 for the DSA-3666-1 upload . I don't
remember exactly, but I thought I had asked someone of the mysql
packaging team to import the final changes to the packaging
repository.

With that fixed, and build with -sa (to include the orig tarball)
please do upload to security-master.

Thanks for your work!

Regards,
Salvatore



Bug#851233: [debian-mysql] Bug#851233: Security fixes from the January 2017 CPU

2017-01-18 Thread Lars Tangvald

CVE List for 5.5:

CVE-2017-3238
CVE-2017-3243
CVE-2017-3244
CVE-2017-3258
CVE-2017-3265
CVE-2017-3291
CVE-2017-3312
CVE-2017-3313
CVE-2017-3317
CVE-2017-3318

--
Lars
On 01/13/2017 09:19 AM, Norvald H. Ryeng wrote:

Source: mysql-5.5
Version: 5.5.53-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for January 2017 will be released on
Tuesday, January 17. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.5.54.

The CVE numbers will be available when the CPU is released.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html





Bug#851233: [debian-mysql] Bug#851233: Security fixes from the January 2017 CPU

2017-01-17 Thread Lars Tangvald
I've built and tested the updates, and will pass debdiffs on to the security 
team once the CVE list is available.

--
Lars
- norvald.ry...@oracle.com wrote:

> Source: mysql-5.5
> Version: 5.5.53-0+deb8u1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> The Oracle Critical Patch Update for January 2017 will be released on
> Tuesday, January 17. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.5.54.
> 
> The CVE numbers will be available when the CPU is released.
> 
> Regards,
> 
> Norvald H. Ryeng
> 
> [1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
> 



Bug#851233: Security fixes from the January 2017 CPU

2017-01-13 Thread Norvald H. Ryeng
Source: mysql-5.5
Version: 5.5.53-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for January 2017 will be released on  
Tuesday, January 17. According to the pre-release announcement [1], it  
will contain information about CVEs fixed in MySQL 5.5.54.

The CVE numbers will be available when the CPU is released.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html