On Wed, 2016-04-13 at 21:51 +1000, Brian May wrote:
[...]
> (dvswitch)
[...]
This is known to be broken with newer libav and has not been fixed
upstream. (I think I was able to make it build, but it then crashed at
run-time.) Definitely a candidate for removal.
Ben.
--
Ben Hutchings
Brian May writes:
> So guessing the solution might be to backport the stretch version to
> wheezy?
Backporting ffmpeg could prove challenging, this is the version from
jessie-backports:
The following packages have unmet dependencies:
sbuild-build-depends-ffmpeg-dummy :
Brian May writes:
> libpostproc-dev will be uninstallable - does this matter?
Whoops. Just noticed that libpostproc-dev is provided by the old libav,
however not provided by the new libav. I had thought it was another
source package.
So any packages that depend on it will need
On Thu, Apr 21, 2016 at 11:19:18AM +1000, Brian May wrote:
> Are any binary packages going to break if we just upload the new libav
> without changing anything else? Does it matter if this causes FTBFS in
> supported packages before if/we fix them too?
yes, if you break packages like this you
Brian May writes:
> The current list of packages that fail to build against the new libav is
> (the building is still ongoing):
All build logs in
https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/
Looks like a total of 85 packages failed to build and 46 packages
Brian May writes:
> The following packages have unmet dependencies:
> libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1
> is to be installed
> E: Unable to correct problems, you have held broken packages.
Ok, so looks like we would need a new version
Hi Guido,
On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> >
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing
Hi Salvatore,
On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
>
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
>
> Honestly I tend to actually mark this as no-dsa. My argument
Hi,
On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> > On 2016-03-01, Mike Gabriel wrote:
> > > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > > updates like
Antoine Beaupré writes:
> I am not aware of any such tool. How did you do the following comparison
> - by hand?
Yes, I did.
What I imagine is having same tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then
On 2016-03-21 19:16:24, Brian May wrote:
> Brian May writes:
>
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>>
>> Will have a look at this now.
>
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this,
Brian May writes:
>> Wonder how many of the CVEs the Ubuntu version fixes.
>
> Will have a look at this now.
Comparing the changelog with our security tracker (by hand; not sure if
anybody has written a tool to automate this, if not might be a good
idea):
Not fixed in
Brian May writes:
> So one possible strategy might be to take Ubuntu's package as is and
> port it to Debian wheezy.
Have rebuilt Ubuntu's xen package for wheezy.
The results are available for testing.
https://people.debian.org/~bam/wheezy/xen/
The most significant change I
Moritz Muehlenhoff writes:
> It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so
> you might want to compare fixes with their package.
Thanks for this. I will check this out later when I have more time.
Just a very quick glance for now:
Debian wheezy has
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to
Have attached patches for two security issues in the wheezy version.
CVE-2015-2752.diff
CVE-2015-8104+CVE-2015-5307.patch
Not tested in any way, except they apply ok.
Am currently looking at CVE-2015-7969; I am beginning to think wheezy is
not vulnerable. Still need to double check this.
Out of
Guido Günther writes:
> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?
Looking now.
Just looking at CVE-2015-2756 -
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote:
> Looking at
>
>
> http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog
>
> and the source package the current practice is to pull in the individual
> patches.
Ack.
> I wonder if somebody
Hi Brian,
On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
> Moritz Mühlenhoff writes:
>
> > 1. We're already one wheezy update behind for xen (since some of
> > the changes were invasive and complex). It would be great if
> > someone from the Freexian sponsor pool
On 13.03.2016 at 04:32, Brian May wrote:
> Brian May writes:
>
>>> 2. Spend some time on investigating what it takes to backport
>>> libav from jessie to wheezy. 11.x is still supported by
>>> libav upstream and we could share triage work for jessie/wheezy
>>> going forwards.
Brian May writes:
>> 2. Spend some time on investigating what it takes to backport
>> libav from jessie to wheezy. 11.x is still supported by
>> libav upstream and we could share triage work for jessie/wheezy
>> going forwards. 0.8 has simply too much missing.
>> There will be a
Moritz Mühlenhoff writes:
> 1. We're already one wheezy update behind for xen (since some of
> the changes were invasive and complex). It would be great if
> someone from the Freexian sponsor pool would work on a wheezy
> update for Xen. It's probably a solid day of work,
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> On 2016-03-01, Mike Gabriel wrote:
> > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > updates like described below until Debian wheezy LTS comes into play?
> >
> > o Pick a
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
> o Pick a package that has open CVE issues in wheezy, e.g. from
>   above list
> o
On Tue 01 Mar 2016 08:44:08 CET, Guido Günther wrote:
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
>>Issues that are unfixed in wheezy but fixed in squeeze:
>>* aptdaemon -> CVE-2015-1323
>>* cakephp -> TEMP-000-698CF7
>>* dhcpcd
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon -> CVE-2015-1323
> >>* cakephp -> TEMP-000-698CF7
> >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
Hi Guido,
On Mon 29 Feb 2016 21:54:11 CET, Guido Günther wrote:
* prepare a fixed package
* test the package
* send a .debdiff to t...@security.debian.org
* wait for feedback and ideally permission to upload to wheezy-security
That's what I'm doing at the moment (sending the debdiff
Hi,
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
>
Hi all,
as of today, the Debian squeeze LTS support will cease and squeeze
will finally enter the archived archives of Debian.
.oO( /me gets out his handkerchief ...)
As (paid) LTS contributor you may wonder what to do next, esp. until
the official Debian wheezy LTS support period starts