Re: libemail-address-perl, no "squeeze update of ..." mail sent, yet

2015-09-29 Thread Mike Gabriel

Hi Raphael,

On Tue, 29 Sep 2015 13:55:06 CEST, Raphael Hertzog wrote:

> On Tue, 29 Sep 2015, Mike Gabriel wrote:
>
>> Is there a reason that no "squeeze update of ..." mail has been sent for
>> libemail-address-perl, yet, (i.e., when triaging the latest security issue
>> in that package)?
>
> Yes, the fix is so easy that sending the above mail would take more time
> than fixing the package and the package is part of the Perl team which
> is rather happy when we do the work and push our update in their
> git repository (I believe all DD have write access to their git
> repositories).

OK. Thanks for the answer. Will continue with fixing
libemail-address-perl, then.


Best,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




Re: flightgear upload for squeeze

2015-09-29 Thread Raphael Hertzog
Hi,

On Tue, 29 Sep 2015, Chris Lamb wrote:
> Here's my proposed debdiff for the flightgear update in squeeze:
> 
> https://gist.githubusercontent.com/lamby/0021615a8e1d4b7b260e/raw/4b38276c3a982f98208d6752ed492b0050ae5a5d/%253Cstdin%253E

We prefer attached debdiff so that we can review just by replying. I can't
really comment on the fix and I assume that it has been tested in some way
(at least to ensure that the game still works).

+flightgear (1.9.1-1.1+deb6u11) squeeze-lts; urgency=high
+
+  * Fix "TEMP-0780712-D0DD02: permissive file access allowed from nasal"
+by backporting fix and additional routines from jessie.
+
+ -- Chris Lamb   Mon, 28 Sep 2015 21:24:41 +0200
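Review bot: the changelog bullet cites TEMP-0780712-D0DD02, a transient tracker id, where the bug number it encodes (#780712) is the stable reference; reword it to name the issue and close the bug, e.g. `* Fix permissive file access allowed from nasal (Closes: #780712)`, and keep the backported patch under debian/patches/ so the change stays traceable after the TEMP entry disappears.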

The TEMP-* identifiers are not meant to be referenced as they are
supposed to be temporary... in this case, the "-0780712-" means that
there's a Debian bug to track this: #780712 and you should just reference
that bug.

For packages without a proper patch system, we usually don't add
a patch system but we might still keep a copy of the patch
added in debian/patches/ for historical purposes.

Apart from those details, the update looks good. Feel free to upload the
fixed package, draft a DLA, wait for the ACCEPTED mail, send the DLA (with a
GPG signed mail to debian-lts-announce).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Accepted vorbis-tools 1.4.0-1+deb6u1 (source amd64) into squeeze-lts

2015-09-29 Thread Mike Gabriel

Format: 1.8
Date: Tue, 29 Sep 2015 10:30:16 +0200
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source amd64
Version: 1.4.0-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Xiph.org Maintainers 
Changed-By: Mike Gabriel 
Description: 
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 771363 776086 797461
Changes: 
 vorbis-tools (1.4.0-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches:
 + Add 0009-Fix-oggenc-crash-on-closing-raw-input-files.patch. Fix
   crash on closing raw input. (CVE-2014-9640). (Closes: #771363).
 + Add 0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch. Fix
   buffer overflow on bad AIFF input (CVE-2015-6749). (Closes: #797461).
 + Add 0016-Validate-channel-count-in-audio-header.patch. Prevent
   out-of-bounds memory access (CVE-2014-9638, CVE-2014-9639).
   (Closes: #776086).
 + Update no_debian_subdir.diff to avoid patch fuzziness.




Re: [SECURITY] [DLA 317-1] vorbis-tools security update

2015-09-29 Thread Mike Gabriel

Hi Raphael,

On Tue, 29 Sep 2015 11:45:19 CEST, Raphael Hertzog wrote:

> Hello Mike,
>
> On Tue, 29 Sep 2015, Mike Gabriel wrote:
>
>> Package: vorbis-tools
>> Version: 1.4.0-1+deb6u1
>
> This package seems to have never been uploaded to squeeze-lts...
>
> You are supposed to wait until you get an ACCEPTED mail before sending out
> the announce. Did you get this mail?
>
> At least I don't see anything in
> https://lists.debian.org/debian-lts-changes/2015/09/threads.html
>
> Please correct that ASAP.
>
> Cheers,


I received the ACCEPTED mail the same moment I received the above mail.

Indeed, I was too fast with the DLA announcement. Sorry.

Mike
--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





libemail-address-perl, no "squeeze update of ..." mail sent, yet

2015-09-29 Thread Mike Gabriel

Hi all,

I just took over updating libemail-address-perl in squeeze-lts via the
secure-testing SVN repo.

Is there a reason that no "squeeze update of ..." mail has been sent
for libemail-address-perl, yet, (i.e., when triaging the latest
security issue in that package)?


Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




flightgear upload for squeeze

2015-09-29 Thread Chris Lamb
Hi,

Here's my proposed debdiff for the flightgear update in squeeze:

https://gist.githubusercontent.com/lamby/0021615a8e1d4b7b260e/raw/4b38276c3a982f98208d6752ed492b0050ae5a5d/%253Cstdin%253E

It's a little more convoluted than I would prefer as I needed to
backport a handful of utilities and headers in order that the backported
patch itself applied with minimal mangling.

(Part of training, hence the low-priority package.)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [SECURITY] [DLA 317-1] vorbis-tools security update

2015-09-29 Thread Raphael Hertzog
Hello Mike,

On Tue, 29 Sep 2015, Mike Gabriel wrote:
> Package: vorbis-tools
> Version: 1.4.0-1+deb6u1

This package seems to have never been uploaded to squeeze-lts...

You are supposed to wait until you get an ACCEPTED mail before sending out
the announce. Did you get this mail?

At least I don't see anything in
https://lists.debian.org/debian-lts-changes/2015/09/threads.html

Please correct that ASAP.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Offering mysql-5.5 as an option in squeeze-lts

2015-09-29 Thread Raphael Hertzog
Hello,

Currently we are shipping mysql-5.1, which is no longer supported upstream
and which might have multiple unfixed vulnerabilities (Oracle doesn't
disclose enough details to either verify or fix them).

We should really offer squeeze users the option to switch to a supported
version of mysql, and that would be version 5.5.

Who would like to drive this forward?

As a first step, I would suggest that we backport 5.5.44-0+deb7u1
for squeeze and we drop the unversioned packages: libmysqld-pic,
libmysqld-dev, libmysqlclient-dev, mysql-common, mysql-server,
mysql-client.

The goal is to not rebuild applications, they would continue
to use the old libmysqlclient16 but would connect to the 5.5
server.

For mysql-common, it might be necessary to build it from mysql-5.5
but we should ensure it also works with mysql-5.1...

And then we perform some test upgrades, and some application tests, and
try to smooth the rough edges. When we're happy we send out a DLA
indicating that mysql-5.1 is EOL but that they can switch to mysql-5.5
if they desire (although it requires a manual upgrade).

What do you think?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: libemail-address-perl, no "squeeze update of ..." mail sent, yet

2015-09-29 Thread Raphael Hertzog
On Tue, 29 Sep 2015, Mike Gabriel wrote:
> Is there a reason that no "squeeze update of ..." mail has been sent for
> libemail-address-perl, yet, (i.e., when triaging the latest security issue
> in that package)?

Yes, the fix is so easy that sending the above mail would take more time
than fixing the package and the package is part of the Perl team which
is rather happy when we do the work and push our update in their
git repository (I believe all DD have write access to their git
repositories).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: libemail-address-perl, no "squeeze update of ..." mail sent, yet

2015-09-29 Thread Mike Gabriel

Hi again,

On Tue, 29 Sep 2015 15:06:23 CEST, Mike Gabriel wrote:

> Hi Raphael,
>
> On Tue, 29 Sep 2015 13:55:06 CEST, Raphael Hertzog wrote:
>
>> On Tue, 29 Sep 2015, Mike Gabriel wrote:
>>
>>> Is there a reason that no "squeeze update of ..." mail has been sent for
>>> libemail-address-perl, yet, (i.e., when triaging the latest security issue
>>> in that package)?
>>
>> Yes, the fix is so easy that sending the above mail would take more time
>> than fixing the package and the package is part of the Perl team which
>> is rather happy when we do the work and push our update in their
>> git repository (I believe all DD have write access to their git
>> repositories).
>
> OK. Thanks for the answer. Will continue with fixing
> libemail-address-perl, then.
>
> Best,
> Mike

Another question about this simple fix-up (SORRY)...

As it seems, the issue is only referenced via a TEMP-* ID [1] in the
Debian Security Tracker. Furthermore, no bug is referenced there [1],
either. And... the issue is already fixed in testing/unstable.

Shall I file a new bug with exact affected versions (as found in
jessie, wheezy, squeeze-lts) and attach it to the TEMP-* security
tracker ID and then reference that new bug in my squeeze-lts upload?


Thanks for input,
Mike

[1] https://security-tracker.debian.org/tracker/TEMP-000-F41FA7
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb



Re: libemail-address-perl, no "squeeze update of ..." mail sent, yet

2015-09-29 Thread Raphael Hertzog
On Tue, 29 Sep 2015, Mike Gabriel wrote:
> another question about this simple fix-up (SORRY)...
> 
> As it seems the issue is only referenced via a TEMP-* ID [1] in the Debian
> Security Tracker. Furthermore, no bug is referenced there [1], either.
> And... the issue is already fixed in testing/unstable.

Then you don't put any reference in the changelog except
maybe a clear description and the upstream commit?

But pay attention to this, to properly mark the entry
as solved in the security tracker:
https://lists.debian.org/debian-lts/2015/09/msg00058.html

> Shall I file a new bug with exact affected versions (as found in jessie,
> wheezy, squeeze-lts) and attach it to the TEMP-* security tracker ID and
> then reference that new bug in my squeeze-lts upload?

I don't think that it's required.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Marking TEMP-* issues as resolved

2015-09-29 Thread Salvatore Bonaccorso
Hi Mike,

On Wed, Sep 30, 2015 at 04:19:09AM +, Mike Gabriel wrote:
> Hi Guido,
> 
> On  So 27 Sep 2015 17:03:51 CEST, Guido Günther wrote:
> 
> >Hi,
> >On Sun, Sep 27, 2015 at 10:42:20AM +0200, Salvatore Bonaccorso wrote:
> >>Hi Guido,
> >>
> >>On Sun, Sep 27, 2015 at 10:17:14AM +0200, Guido Günther wrote:
> >>> Hi,
> >>>
> >>> for the glibc update I'm preparing three issues that don't have a CVE
> >>> assigned yet so they can't be marked as resolved via the entry in
> >>> data/DLA/list. Is the correct way to tag these by just adding:
> >>>
> >>> [squeeze] - eglibc 2.11.3-4+deb6u7
> >>>
> >>> to the entries in data/CVE/list after the upload?
> >>
> >>yes, but please as well add a note so that once the CVE is assigned,
> >>the entry is moved to the correct data/{DSA,DLA}/list.
> >>
> >>Something like (no rule, but makes it easier to update once CVE
> >>assigned):
> >>
> >>> NOTE: Added workaround entry for DSA--1/DLA-XXX-1 until CVE
> >>> assigned.
> >
> >Done. Thanks!
> > -- Guido
> 
> I just tried to learn from the above discussion and add that work-around
> note for libemail-address-perl (which I did now via rev36901).
> 
> However, I could not find any work-around note for eglibc in the
> data/CVE/list, not in the file itself nor in the commit history.
> 
> Is it possible that you forgot to actually commit that change (or such)? The
> commit directly after the above mail seems to be rev36841, but that only
> contains references to upstream fixes, not a reference from data/CVE/list to
> a DLA in data/DLA/list.

Have a look at revision 36863

It adds

[squeeze] - eglibc 2.11.3-4+deb6u7
NOTE: Added workaround entry for DLA-316-1 until CVE assigned.

(and removed previous [squeeze] - eglibc  (Reason) lines for
the same CVE entry).

HTH,

Regards,
Salvatore
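The tracker workflow discussed in this thread (Raphael's reading of the TEMP-* id format, and Salvatore's "[squeeze] - pkg version" line plus NOTE in data/CVE/list), as an added Python example that is not code from the thread or from the security tracker: it decodes the bug number from a TEMP id, parses a constructed data/CVE/list excerpt (the file layout is assumed from the lines quoted here), and flags unassigned entries that were marked fixed in a release without the NOTE pointing at the DLA.

```python
import re

# Constructed sample in the layout of the tracker's data/CVE/list (assumed:
# an unindented header line per issue, then tab-indented lines for
# per-release state and NOTEs). Versions not named on-list are made up.
SAMPLE_CVE_LIST = (
    "CVE-2015-XXXX [libemail-address-perl: DoS via nested comments]\n"
    "\t- libemail-address-perl 1.9-0\n"
    "\t[squeeze] - libemail-address-perl 1.889-2+deb6u2\n"
    "\tNOTE: Added workaround entry for DLA-XXX-1 until CVE assigned.\n"
    "CVE-2015-XXXX [eglibc: three issues without CVE]\n"
    "\t[squeeze] - eglibc 2.11.3-4+deb6u7\n"
    "CVE-2015-6749 (Large alloca on bad AIFF input)\n"
    "\t- vorbis-tools 1.4.0-7 (bug #797461)\n"
    "\t[squeeze] - vorbis-tools 1.4.0-1+deb6u1\n"
)

# TEMP-<7-digit bug number or 000 when no bug exists>-<6 hex chars>
TEMP_ID_RE = re.compile(r"^TEMP-(\d{7}|000)-[0-9A-F]{6}$")
RELEASE_RE = re.compile(r"^\[(?P<rel>[\w-]+)\]\s+-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)")

def temp_id_bug(temp_id):
    """Bug number encoded in a TEMP-* id, or None when that field is 000."""
    m = TEMP_ID_RE.match(temp_id)
    if not m:
        raise ValueError(f"not a TEMP id: {temp_id}")
    return None if m.group(1) == "000" else int(m.group(1))

def parse_cve_list(text):
    """Split data/CVE/list text into entries with per-release fixes and NOTEs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # header line: "<id> <description>"
            ident, _, desc = line.partition(" ")
            entries.append({"id": ident, "desc": desc, "releases": {}, "notes": []})
            continue
        if not entries:
            raise ValueError("sub-line before any issue header")
        body = line.strip()
        if body.startswith("NOTE:"):
            entries[-1]["notes"].append(body[5:].strip())
        elif (m := RELEASE_RE.match(body)):
            entries[-1]["releases"][m.group("rel")] = (m.group("pkg"), m.group("ver"))
    return entries

def missing_workaround_notes(entries, release):
    """Unassigned (CVE-YYYY-XXXX) issues marked fixed in `release` but lacking
    a NOTE that names the DLA/DSA: without it the fix record is easy to lose
    when the CVE is assigned and the entry is moved to data/DLA/list."""
    flagged = []
    for e in entries:
        if not e["id"].endswith("-XXXX") or release not in e["releases"]:
            continue
        if not any(re.search(r"\bD[LS]A-", n) for n in e["notes"]):
            flagged.append((e["desc"], e["releases"][release]))
    return flagged
```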



Accepted libemail-address-perl 1.889-2+deb6u2 (source all) into squeeze-lts

2015-09-29 Thread Mike Gabriel

Format: 1.8
Date: Tue, 29 Sep 2015 17:13:43 +0200
Source: libemail-address-perl
Binary: libemail-address-perl
Architecture: source all
Version: 1.889-2+deb6u2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Mike Gabriel 
Description: 
 libemail-address-perl - RFC 2822 Address Parsing and Creation
Changes: 
 libemail-address-perl (1.889-2+deb6u2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Set default depth of parsing nestable comments to 1. This prevents
 possible DoS attack in software which uses Email::Address for
 parsing string input to list of email addresses.
   * Patch file provided for reference/documentation as
 debian/patches/0001_nested-comments-default-to-1-level.patch, also
 referencing the original upstream commit.




Re: Marking TEMP-* issues as resolved

2015-09-29 Thread Mike Gabriel

Hi Guido,

On Sun, 27 Sep 2015 17:03:51 CEST, Guido Günther wrote:

> Hi,
> On Sun, Sep 27, 2015 at 10:42:20AM +0200, Salvatore Bonaccorso wrote:
>
>> Hi Guido,
>>
>> On Sun, Sep 27, 2015 at 10:17:14AM +0200, Guido Günther wrote:
>>> Hi,
>>>
>>> for the glibc update I'm preparing three issues that don't have a CVE
>>> assigned yet so they can't be marked as resolved via the entry in
>>> data/DLA/list. Is the correct way to tag these by just adding:
>>>
>>> [squeeze] - eglibc 2.11.3-4+deb6u7
>>>
>>> to the entries in data/CVE/list after the upload?
>>
>> yes, but please as well add a note so that once the CVE is assigned,
>> the entry is moved to the correct data/{DSA,DLA}/list.
>>
>> Something like (no rule, but makes it easier to update once CVE
>> assigned):
>>
>>> NOTE: Added workaround entry for DSA--1/DLA-XXX-1 until CVE
>>> assigned.
>
> Done. Thanks!
>  -- Guido

I just tried to learn from the above discussion and add that
work-around note for libemail-address-perl (which I did now via
rev36901).

However, I could not find any work-around note for eglibc in the
data/CVE/list, not in the file itself nor in the commit history.

Is it possible that you forgot to actually commit that change (or
such)? The commit directly after the above mail seems to be rev36841,
but that only contains references to upstream fixes, not a reference
from data/CVE/list to a DLA in data/DLA/list.

Just curious and eager to learn more about the workflow of Debian
security and LTS,

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

