On Wed, 2016-04-13 at 21:51 +1000, Brian May wrote:
[...]
> (dvswitch)
[...]
This is known to be broken with newer libav and has not been fixed
upstream. (I think I was able to make it build, but it then crashed at
run-time.) Definitely a candidate for removal.
Ben.
--
Ben Hutchings
Brian May writes:
> So guessing the solution might be to backport the stretch version to
> wheezy?
Backporting ffmpeg could prove challenging, this is the version from
jessie-backports:
The following packages have unmet dependencies:
sbuild-build-depends-ffmpeg-dummy :
Brian May writes:
> libpostproc-dev will be uninstallable - does this matter?
Whoops. Just noticed that libpostproc-dev is provided by the old libav,
however not provided by the new libav. I had thought it was another
source package.
So any packages that depend on it will need
On Thu, Apr 21, 2016 at 11:19:18AM +1000, Brian May wrote:
> Are any binary packages going to break if we just upload the new libav
> without changing anything else? Does it matter if this causes FTBFS in
> supported packages before if/we fix them too?
yes, if you break packages like this you
Brian May writes:
> The current list of packages that fail to build against the new libav is
> (the building is still ongoing):
All build logs in
https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/
Looks like a total of 85 packages failed to build and 46 packages
Brian May writes:
> The following packages have unmet dependencies:
> libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1
> is to be installed
> E: Unable to correct problems, you have held broken packages.
Ok, so looks like we would need a new version
Hi Guido,
On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> >
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing
Hi Salvatore,
On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
>
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
>
> Honestly I tend to actually mark this as no-dsa. My argument
Hi,
On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> > On 2016-03-01, Mike Gabriel wrote:
> > > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > > updates like
Antoine Beaupré writes:
> I am not aware of any such tool. How did you do the following comparison
> - by hand?
Yes, I did.
What I imagine is having some tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then
On 2016-03-21 19:16:24, Brian May wrote:
> Brian May writes:
>
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>>
>> Will have a look at this now.
>
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this,
Brian May writes:
>> Wonder how many of the CVEs the Ubuntu version fixes.
>
> Will have a look at this now.
Comparing the changelog with our security tracker (by hand; not sure if
anybody has written a tool to automate this, if not might be a good
idea):
Not fixed in
Brian May writes:
> So one possible strategy might be to take Ubuntu's package as is and
> port it to Debian wheezy.
Have rebuilt Ubuntu's xen package for wheezy.
The results are available for testing.
https://people.debian.org/~bam/wheezy/xen/
The most significant change I
Moritz Muehlenhoff writes:
> It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so
> you might want to compare fixes with their package.
Thanks for this. I will check this out later when I have more time.
Just a very quick glance for now:
Debian wheezy has
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to
Have attached patches for two security issues in the wheezy version.
CVE-2015-2752.diff
CVE-2015-8104+CVE-2015-5307.patch
Not tested in any way, except they apply ok.
Am currently looking at CVE-2015-7969; I am beginning to think wheezy is
not vulnerable. Still need to double check this.
Out of
Guido Günther writes:
> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?
Looking now.
Just looking at CVE-2015-2756 -
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote:
> Looking at
>
>
> http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog
>
> and the source package the current practice is to pull in the individual
> patches.
Ack.
> I wonder if somebody
Hi Brian,
On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
> Moritz Mühlenhoff writes:
>
> > 1. We're already one wheezy update behind for xen (since some of
> > the changes were invasive and complex). It would be great if
> > someone from the Freexian sponsor pool
Am 13.03.2016 um 04:32 schrieb Brian May:
> Brian May writes:
>
>>> 2. Spend some time on investigating what it takes to backport
>>> libav from jessie to wheezy. 11.x is still supported by
>>> libav upstream and we could share triage work for jessie/wheezy
>>> going forwards.
Brian May writes:
>> 2. Spend some time on investigating what it takes to backport
>> libav from jessie to wheezy. 11.x is still supported by
>> libav upstream and we could share triage work for jessie/wheezy
>> going forwards. 0.8 has simply too much missing.
>> There will be a
Moritz Mühlenhoff writes:
> 1. We're already one wheezy update behind for xen (since some of
> the changes were invasive and complex). It would be great if
> someone from the Freexian sponsor pool would work on a wheezy
> update for Xen. It's probably a solid day of work,
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> On 2016-03-01, Mike Gabriel wrote:
> > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > updates like described below until Debian wheezy LTS comes into play?
> >
> o Pick a
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
> o Pick a package that has open CVE issues in wheezy, e.g. from
> above list
> o
On Di 01 Mär 2016 08:44:08 CET, Guido Günther wrote:
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
>>Issues that are unfixed in wheezy but fixed in squeeze:
>>* aptdaemon-> CVE-2015-1323
>>* cakephp -> TEMP-000-698CF7
>>* dhcpcd
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon-> CVE-2015-1323
> >>* cakephp -> TEMP-000-698CF7
> >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
Hi Guido,
On Mo 29 Feb 2016 21:54:11 CET, Guido Günther wrote:
* prepare a fixed package
* test the package
* send a .debdiff to t...@security.debian.org
* wait for feedback and ideally permission to upload to wheezy-security
That's what I'm doing at the moment (sending the debdiff
Hi,
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
>