Re: working for wheezy-security until wheezy-lts starts

2016-04-24 Thread Ben Hutchings
On Wed, 2016-04-13 at 21:51 +1000, Brian May wrote: [...] > (dvswitch) [...] This is known to be broken with newer libav and has not been fixed upstream.  (I think I was able to make it build, but it then crashed at run-time.)  Definitely a candidate for removal. Ben. -- Ben Hutchings

Re: working for wheezy-security until wheezy-lts starts

2016-04-23 Thread Brian May
Brian May writes: > So guessing the solution might be to backport the stretch version to > wheezy? Backporting ffmpeg could prove challenging, this is the version from jessie-backports: The following packages have unmet dependencies: sbuild-build-depends-ffmpeg-dummy :

Re: working for wheezy-security until wheezy-lts starts

2016-04-22 Thread Brian May
Brian May writes: > libpostproc-dev will be uninstallable - does this matter? Whoops. Just noticed that libpostproc-dev is provided by the old libav, however not provided by the new libav. I had thought it was another source package. So any packages that depend on it will need

Re: working for wheezy-security until wheezy-lts starts

2016-04-21 Thread Holger Levsen
On Thu, Apr 21, 2016 at 11:19:18AM +1000, Brian May wrote: > Are any binary packages going to break if we just upload the new libav > without changing anything else? Does it matter if this causes FTBFS in > supported packages before if/we fix them too? yes, if you break packages like this you

Re: working for wheezy-security until wheezy-lts starts

2016-04-19 Thread Brian May
Brian May writes: > The current list of packages that fail to build against the new libav is > (the building is still ongoing): All build logs in https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/ Looks like a total of 85 packages failed to build and 46 packages

Re: working for wheezy-security until wheezy-lts starts

2016-04-13 Thread Brian May
Brian May writes: > The following packages have unmet dependencies: > libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1 > is to be installed > E: Unable to correct problems, you have held broken packages. Ok, so looks like we would need a new version

Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

2016-03-28 Thread Salvatore Bonaccorso
Hi Guido, On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote: > Hi Salvatore, > On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote: > > Hi Guido, > > > > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote: > [..snip..] > > > O.k. to grab lxc fixing

Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

2016-03-28 Thread Guido Günther
Hi Salvatore, On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote: > Hi Guido, > > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote: [..snip..] > > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ? > > Honestly I tend to actually mark this as no-dsa. My argument

DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

2016-03-27 Thread Guido Günther
Hi, On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote: > On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote: > > On 2016-03-01, Mike Gabriel wrote: > > > @Security Team: Shall we (LTS contributors) handle wheezy-security > > > updates like

Re: working for wheezy-security until wheezy-lts starts

2016-03-25 Thread Brian May
Antoine Beaupré writes: > I am not aware of any such tool. How did you do the following comparison > - by hand? Yes, I did. What I imagine is having same tool that will look at an input file (e.g. debian/changelog) and find everything that looks like a CVE, and then

Re: working for wheezy-security until wheezy-lts starts

2016-03-24 Thread Antoine Beaupré
On 2016-03-21 19:16:24, Brian May wrote: > Brian May writes: > >>> Wonder how many of the CVEs the Ubuntu version fixes. >> >> Will have a look at this now. > > Comparing the changelog with our security tracker (by hand; not sure if > anybody has written a tool to automate this,

Re: working for wheezy-security until wheezy-lts starts

2016-03-21 Thread Brian May
Brian May writes: >> Wonder how many of the CVEs the Ubuntu version fixes. > > Will have a look at this now. Comparing the changelog with our security tracker (by hand; not sure if anybody has written a tool to automate this, if not might be a good idea): Not fixed in
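The two messages above (the 2016-03-21 comparison done by hand, and the 2016-03-25 wish for a tool that reads an input file such as debian/changelog, finds everything that looks like a CVE, and compares it against the security tracker) describe a small automation. The script below is an added example written for this page; it is not a Debian or secure-testing tool and none of the thread participants posted it. The changelog text, the package name "examplepkg", its versions, and the set of tracker-open CVE ids are constructed sample data (the ids are ones mentioned elsewhere on this page, reused only as strings).

```python
"""Extract CVE ids from a debian/changelog and compare them against the CVE
ids the security tracker lists as open for the package.

Added example for this page; not a Debian tool.  All data below is constructed.
"""
import re
from collections import OrderedDict

# CVE ids look like CVE-YYYY-NNNN with four or more digits in the sequence
# part; match case-insensitively so "cve-2015-2752" in a sloppy entry counts.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# First line of a changelog entry: "source (version) distribution; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) [^;]+;", re.MULTILINE)

# Constructed sample resembling a debian/changelog (hypothetical package).
SAMPLE_CHANGELOG = """\
examplepkg (1.0-2) wheezy-security; urgency=high

  * SECURITY UPDATE: constructed entry (CVE-2015-7969)
  * SECURITY UPDATE: constructed entry (CVE-2015-8104, CVE-2015-5307)
  * constructed entry written in lower case: cve-2015-2752

 -- Example Maintainer <example@example.org>  Mon, 01 Feb 2016 10:00:00 +0000

examplepkg (1.0-1) wheezy-security; urgency=high

  * SECURITY UPDATE: constructed entry (CVE-2015-1323)

 -- Example Maintainer <example@example.org>  Mon, 04 Jan 2016 10:00:00 +0000
"""

# Constructed stand-in for what the security tracker reports as open for the
# package in wheezy; in practice this comes from the tracker's data/CVE/list.
SAMPLE_TRACKER_OPEN = {
    "CVE-2015-2752", "CVE-2015-2756", "CVE-2015-5307",
    "CVE-2015-7969", "CVE-2015-8104",
}


def cves_by_version(changelog: str) -> "OrderedDict[str, set]":
    """Map each changelog version (newest first) to the CVE ids its entry
    mentions, normalised to upper case."""
    result = OrderedDict()
    headers = list(ENTRY_RE.finditer(changelog))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[header.end():end]
        result[header.group(2)] = {cve.upper() for cve in CVE_RE.findall(body)}
    return result


def compare_with_tracker(changelog: str, tracker_open: set) -> dict:
    """Split CVE ids into: fixed (mentioned in the changelog and open in the
    tracker), still_open (open in the tracker, never mentioned), and
    not_in_tracker (mentioned but unknown to the tracker, which usually
    means a different package or a tracker entry that needs a look)."""
    by_version = cves_by_version(changelog)
    mentioned = set().union(*by_version.values())
    return {
        "fixed": sorted(mentioned & tracker_open),
        "still_open": sorted(tracker_open - mentioned),
        "not_in_tracker": sorted(mentioned - tracker_open),
    }


if __name__ == "__main__":
    for version, cves in cves_by_version(SAMPLE_CHANGELOG).items():
        print(version, sorted(cves))
    for bucket, ids in compare_with_tracker(SAMPLE_CHANGELOG,
                                            SAMPLE_TRACKER_OPEN).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run it against a real file with `cves_by_version(open("debian/changelog").read())`; the per-version mapping is what tells you which upload of the other distribution's package first carried a given fix, which is the question asked when deciding whether to port its package wholesale.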

Re: working for wheezy-security until wheezy-lts starts

2016-03-21 Thread Brian May
Brian May writes: > So one possible strategy might be to take Ubuntu's package as is and > port it to Debian wheezy. Have rebuilt Ubuntu's xen package for wheezy. The results are available for testing. https://people.debian.org/~bam/wheezy/xen/ The most significant change I

Re: working for wheezy-security until wheezy-lts starts

2016-03-16 Thread Brian May
Moritz Muehlenhoff writes: > It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so > you might want to compare fixes with their package. Thanks for this. I will check this out later when I have more time. Just a very quick glance for now: Debian wheezy has

Re: working for wheezy-security until wheezy-lts starts

2016-03-16 Thread Moritz Muehlenhoff
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote: > Guido Günther writes: > > > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches > > don't seem to be applied so the tracker looks correct, there's plenty of > > work left. > > > > Are you going to

Re: working for wheezy-security until wheezy-lts starts

2016-03-16 Thread Guido Günther
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote: > Guido Günther writes: > > > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches > > don't seem to be applied so the tracker looks correct, there's plenty of > > work left. > > > > Are you going to

Re: working for wheezy-security until wheezy-lts starts

2016-03-15 Thread Brian May
Have attached patches for two security issues in the wheezy version. CVE-2015-2752.diff CVE-2015-8104+CVE-2015-5307.patch Not tested in any way, except they apply ok. Am currently looking at CVE-2015-7969; I am beginning to think wheezy is not vulnerable. Still need to double check this. Out of

Re: working for wheezy-security until wheezy-lts starts

2016-03-15 Thread Brian May
Guido Günther writes: > > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches > don't seem to be applied so the tracker looks correct, there's plenty of > work left. > > Are you going to look at the Wheezy packages? Looking now. Just looking at CVE-2015-2756 -

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Moritz Mühlenhoff
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote: > Looking at > > > http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog > > and the source package the current practice is to pull in the individual > patches. Ack. > I wonder if somebody

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Guido Günther
Hi Brian, On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote: > Moritz Mühlenhoff writes: > > > 1. We're already one wheezy update behind for xen (since some of > > the changes were invasive and complex). It would be great if > > someone from the Freexian sponsor pool

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Markus Koschany
Am 13.03.2016 um 04:32 schrieb Brian May: > Brian May writes: > >>> 2. Spend some time on investigating what it takes to backport >>> libav from jessie to wheezy. 11.x is still supported by >>> libav upstream and we could share triage work for jessie/wheezy >>> going forwards.

Re: working for wheezy-security until wheezy-lts starts

2016-03-12 Thread Brian May
Brian May writes: >> 2. Spend some time on investigating what it takes to backport >> libav from jessie to wheezy. 11.x is still supported by >> libav upstream and we could share triage work for jessie/wheezy >> going forwards. 0.8 has simply too much missing. >> There will be a

Re: working for wheezy-security until wheezy-lts starts

2016-03-12 Thread Brian May
Moritz Mühlenhoff writes: > 1. We're already one wheezy update behind for xen (since some of > the changes were invasive and complex). It would be great if > someone from the Freexian sponsor pool would work on a wheezy > update for Xen. It's probably a solid day of work,

Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Moritz Muehlenhoff
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote: > On 2016-03-01, Mike Gabriel wrote: > > @Security Team: Shall we (LTS contributors) handle wheezy-security > > updates like described below until Debian wheezy LTS comes into play? > > > >o Pick a

Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Sébastien Delafond
On 2016-03-01, Mike Gabriel wrote: > @Security Team: Shall we (LTS contributors) handle wheezy-security > updates like described below until Debian wheezy LTS comes into play? > >o Pick a package that has open CVE issues in wheezy, e.g. from > above list >o

Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Mike Gabriel
On Tue 01 Mar 2016 08:44:08 CET, Guido Günther wrote: On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote: [..snip..] >>Issues that are unfixed in wheezy but fixed in squeeze: >>* aptdaemon -> CVE-2015-1323 >>* cakephp -> TEMP-000-698CF7 >>* dhcpcd

Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote: [..snip..] > >>Issues that are unfixed in wheezy but fixed in squeeze: > >>* aptdaemon -> CVE-2015-1323 > >>* cakephp -> TEMP-000-698CF7 > >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700

Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Mike Gabriel
Hi Guido, On Mon 29 Feb 2016 21:54:11 CET, Guido Günther wrote: * prepare a fixed package * test the package * send a .debdiff to t...@security.debian.org * wait for feedback and ideally permission to upload to wheezy-security That's what I'm doing at the moment (sending the debdiff

Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
Hi, On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote: > For this, we can run bin/lts-needs-forward-port.py from the secure-testing > repo and see what issues we fixed in squeeze and port those fixes to the > package version in wheezy-security. Package updates must be coordinated with >