LTS work report, February 2016

2016-03-01 Thread Damyan Ivanov
Here's the summary of my work on Debian LTS for February 2016:

 * investigating about update of ntp
 * update libebml in squeeze-lts

This is my first month working on Debian LTS and I managed to work 
only 3.9 hours out of the allocated 11.25. The reason for this was 
mostly me not trying hard enough to find packages to work on. As a way 
to compensate for this, I plan to spend some time on the triaging part of 
the process in March.


-- Damyan



Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Moritz Muehlenhoff
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> On 2016-03-01, Mike Gabriel  wrote:
> > @Security Team: Shall we (LTS contributors) handle wheezy-security  
> > updates like described below until Debian wheezy LTS comes into play?
> >
> >o Pick a package that has open CVE issues in wheezy, e.g. from 
> >  above list
> >o Add the package to data/dsa-needed.txt, if not already there:

Don't add anything to dsa-needed.txt directly, but rather ask team@ first 
whether this actually qualifies for a DSA. Packages only get added there
after individual assessment.

Cheers,
Moritz






Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Sébastien Delafond
On 2016-03-01, Mike Gabriel  wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security  
> updates like described below until Debian wheezy LTS comes into play?
>
>o Pick a package that has open CVE issues in wheezy, e.g. from 
>  above list
>o Add the package to data/dsa-needed.txt, if not already there:
>  - packages with issues to be solved in wheezy only, should be
>suffixed with "/oldstable" (i.e., gosa/oldstable)
>  - packages with issues in jessie and wheezy, should probably
>just be added by the package name (without suffix), right?
>
> From then on, the workflow can be the same workflow as used for
> normal security updates (as already described earlier in this
> thread):
>
>o Fix the issue in the package (grab the current package from  
>   oldstable's archive).
>o Test your fixes.
>o Provide a .debdiff to
>  t...@security.debian.org and to the
>  Debian bug, if any related bug exists.
>
>o Wait for feedback from the release team on how to proceed.
>
>o As a courtesy, you could check the same package in jessie and
>  see if the fix for oldstable is easily forward-portable. Thus,
>  maybe providing a jessie-security .debdiff for the package can
>  be an option.
>
> The removal of the entry placed into data/dsa-needed.txt should then
> be handled by the Security Team, once the fixed package version has
> been uploaded.  More Feedback?  Mike

Looking good to me; we can refine the process incrementally, if need
be.

Thanks a lot for the help,

--Seb



Re: Unsupported packages for Wheezy LTS

2016-03-01 Thread Markus Koschany
On 2016-02-29 at 18:04, Raphael Hertzog wrote:
> On Mon, 29 Feb 2016, Markus Koschany wrote:
>> Matthias Klose, the OpenJDK maintainer, stated that he intends to
>> support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I
>> think it should be feasible to mirror this approach for Wheezy LTS
>> provided everyone agrees to keep OpenJDK 6 supported until then.
> 
> I have no objection but I also don't see the point of supporting
> something only half of the LTS period.

Fair enough. Then let's focus on the switch to make OpenJDK 7 the
default in Wheezy LTS.

>> We discussed the switch to OpenJDK 7 last month [2] and I think the
>> problematic packages are only those that strictly depend on
>> openjdk-6-jre like tunnelx and rcran-r-java. Everything else that
>> declares an alternative dependency on java6-runtime or default-jre
>> should be fine because OpenJDK 7 provides these dependencies.
> 
> I suggest that we can already fix those, possibly via
> wheezy-proposed-updates so that they are fixed before the last
> wheezy point release.

I will handle the switch to OpenJDK 7 and coordinate this with the
Debian Release Team. I have updated https://wiki.debian.org/LTS/TODO
accordingly.

>> In addition I would also suggest to add Tomcat 6 to the list of
>> unsupported packages when it is declared EOL on December 31, 2016 [3]
>> and recommend the switch to Tomcat 7.
> 
> OK. Then we should probably have some "Wheezy LTS release notes" where we
> can add some recommendations like "Use Tomcat 7 if you want security
> support until the end of Wheezy LTS because Tomcat 6 will be EOL on
> 2016-12-31."
> 
> We could then also document the situation of OpenJDK 6.
> 
> And we should also fix debian-security-support to be able to document well
> in advance that some packages won't be supported past a given date...
> right now I don't think that the software takes the EOL date into account.

I transformed these suggestions into TODO items on
https://wiki.debian.org/LTS/TODO. Everyone feel free to work on this and
don't forget to claim the task by adding your names behind it.

Regards,

Markus
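The question above (which packages break when openjdk-6-jre disappears, and which are fine because they list an alternative that OpenJDK 7 provides) is mechanical enough to script. The following is an added example, not tooling from the Debian LTS team or any package on the list. It re-implements just enough of the Depends-field grammar (comma-separated AND groups, `|` alternatives, version constraints in parentheses) to classify packages; the stanzas are constructed sample data, the example-* package names are hypothetical, and the set of virtual packages assumed to be provided by OpenJDK 7 is taken from the discussion rather than from a real Provides field.

```python
"""Classify Depends on openjdk-6-jre as strict vs. satisfiable by OpenJDK 7.

Added example (not Debian tooling). Parses a Packages-style file and reports,
per package, whether it depends *strictly* on openjdk-6-jre, depends on it only
as one alternative among packages OpenJDK 7 also provides, or is unaffected.
"""
import re
from typing import Dict, List

# Constructed sample stanzas; not real archive data. The example-* names are
# hypothetical, tunnelx is the package named on the list as a strict depender.
SAMPLE_PACKAGES = """\
Package: tunnelx
Version: 20110307-1
Depends: openjdk-6-jre, libc6 (>= 2.13)

Package: example-rjava
Version: 0.9-1
Depends: openjdk-6-jre (>= 6b18), r-base-core

Package: example-tool
Version: 1.0-2
Depends: openjdk-6-jre | java6-runtime, libcommons-lang-java

Package: example-app
Version: 2.1-1
Depends: default-jre | java6-runtime | java7-runtime
Recommends: openjdk-6-jre

Package: example-cli
Version: 0.1-1
Depends: libc6
"""

# Assumption from the thread: OpenJDK 7 provides these names, so a dependency
# group containing one of them stays satisfiable once openjdk-6-jre is gone.
# Verify against the real Provides field of openjdk-7-jre before relying on it.
PROVIDED_BY_OPENJDK7 = {"java6-runtime", "java7-runtime", "default-jre", "openjdk-7-jre"}


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split an RFC 822-style Packages file into one field dict per stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Continuation lines start with whitespace; we only need single-line fields.
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def parse_depends(field: str) -> List[List[str]]:
    """Turn 'a (>= 1) | b, c' into [['a', 'b'], ['c']]: an AND of OR-groups."""
    groups = []
    for group in field.split(","):
        alternatives = []
        for alt in group.split("|"):
            # Drop version constraints "(>= x)" and architecture qualifiers "[amd64]".
            name = re.sub(r"\s*[\(\[].*$", "", alt.strip())
            if name:
                alternatives.append(name)
        if alternatives:
            groups.append(alternatives)
    return groups


def classify(stanzas: List[Dict[str, str]], target: str = "openjdk-6-jre") -> Dict[str, str]:
    """Return {package: 'strict' | 'alternative' | 'unaffected'} for the target package.

    A package is 'strict' if any OR-group names the target without an alternative
    that OpenJDK 7 provides; 'alternative' if the target only ever appears next to
    such an alternative; 'unaffected' if Depends never mentions the target.
    """
    result = {}
    for st in stanzas:
        verdict = "unaffected"
        for group in parse_depends(st.get("Depends", "")):
            if target not in group:
                continue
            if any(alt in PROVIDED_BY_OPENJDK7 for alt in group):
                if verdict == "unaffected":
                    verdict = "alternative"
            else:
                verdict = "strict"  # no OpenJDK 7-provided fallback in this group
        result[st["Package"]] = verdict
    return result


if __name__ == "__main__":
    for pkg, verdict in sorted(classify(parse_stanzas(SAMPLE_PACKAGES)).items()):
        print(f"{pkg:20s} {verdict}")
```

Only the Depends field is examined; Recommends (as in example-app) does not block a switch, which is why that package is reported as unaffected. Running it against a real `Packages` file from the wheezy archive would need a proper parser (python-debian's `deb822`) for multi-line fields, but the classification logic is the same.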







Re: Wiki update LTS/Using and EOL announcement

2016-03-01 Thread Markus Koschany
On 2016-03-01 at 13:16, Bonno Bloksma (list account) wrote:
> Hi,
> 
> On 2016-02-29 20:27, Paul Gevers wrote:
>>> I know, but that is not what I meant. I meant (and wrote), upgrade via 
>>> wheezy.
>>
>> I think that (what you wrote earlier) would be a sensible recommendation to 
>> make.
>>
>> We're only keeping Wheezy around for system setups that were established 
>> while Wheezy was stable, we've tried to bring all Squeeze systems via Wheezy 
>> and then immediately to Jessie.
> 
> So the announcement should probably read something like:
> We recommend that you upgrade your systems to at least Debian 7 "Wheezy" and 
> then to the current Debian 8 stable release "Jessie" if you can.
> Instructions to upgrade from Squeeze to Wheezy can be found at
> 
>   https://wiki.debian.org/LTS/Using

Hi,

I have already sent the announcement to debian-lts-announce.

> Also the info at the above link is rather sparse. "Recommendations for 
> upgrading from Squeeze LTS to Wheezy LTS"
> Should there not also be a link to the old Squeeze to Wheezy upgrade 
> instructions?
> There were several gotchas if I remember.

I have just added the links to the official release notes for Wheezy and
the issues to be aware of. Please feel free to add more recommendations
to the Wiki, if you think they may be useful for others.

Regards,

Markus






RE: Wiki update LTS/Using and EOL announcement

2016-03-01 Thread Bonno Bloksma (list account)
Hi,

On 2016-02-29 20:27, Paul Gevers wrote:
>> I know, but that is not what I meant. I meant (and wrote), upgrade via 
>> wheezy.
>
> I think that (what you wrote earlier) would be a sensible recommendation to 
> make.
> 
> We're only keeping Wheezy around for system setups that were established 
> while Wheezy was stable, we've tried to bring all Squeeze systems via Wheezy 
> and then immediately to Jessie.

So the announcement should probably read something like:
We recommend that you upgrade your systems to at least Debian 7 "Wheezy" and 
then to the current Debian 8 stable release "Jessie" if you can.
Instructions to upgrade from Squeeze to Wheezy can be found at

https://wiki.debian.org/LTS/Using


Also the info at the above link is rather sparse. "Recommendations for 
upgrading from Squeeze LTS to Wheezy LTS"
Should there not also be a link to the old Squeeze to Wheezy upgrade 
instructions?
There were several gotchas if I remember.

Bonno Bloksma



[SECURITY] Debian 6 Squeeze has reached end-of-life

2016-03-01 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

The Debian Long Term Support (LTS) Team hereby announces that Debian 6
("Squeeze") support has reached its end-of-life on February 29, 2016,
five years after its initial release on February 6, 2011.

There will be no further security support for Debian 6.0.

The LTS Team will prepare the transition to Debian 7 ("wheezy"), which
is the current oldstable release. The LTS team will take over support
from the Security Team on April 26, 2016.

Debian 7 will also receive Long Term Support for five years after its
initial release with support ending on May 31, 2018.

We recommend that you upgrade your systems. Instructions can be found
at

https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users,
developers and sponsors who are making it possible to extend the life
of previous stable releases, and who have made this LTS a success.

If you rely on Debian LTS, please consider joining the team, providing
patches, testing or funding the efforts. More information can be found
at

https://wiki.debian.org/LTS/

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQJ8BAEBCgBmBQJW1X5gXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkSy0QALLH3SoYYSwzwIIfa1jfjcn5
pl4BPQBgEBBigf1srFDJFOoRBgVBVChXDLiQtej9z3HfHwAuQ/cRvGOYwmTcOFc4
02DtKOCSdgQyc3H4W4YdNoST/K/d8ERB/yQ6IYkHwAOKnDtIdHLn/L4mlsgGviL4
IH1XK2JbUAcqIcJJDDKi20by53WsDB9p8rPiEeSNC5SWSwlt+GRGVTDQSVq+Rhcb
9oFtt4iCYOl7K1kX+Z51aI3CtVBPuW6RposcVIj1xFzO0llfVhzcOQFck7qPdaA7
8/kAasnNuRLxF3Ay3oftU9jCKbi2ew1AXQhxuE0BAdYl9YfDnebAICvsQsgwW56d
/rmwRkwLlVs2D/DqeSgkCpcLPrBIvw68nWJKLWIS5nKDaFTNJ113AszILFbbzgfs
qtY0CkEl/8Ee2BipN5h0lQfLJrgdwNsDaSkgBCZ3jMHZa0fsH/6+qLz52fVM9P8u
4M1F4s8ZsY8pV1UStBBCIvOzCW98MlHmgRimfN8rOCgKXPkXYXutbEVy/HiflnCy
p3roY9xBNbeivQtVaH455FajuGtci+K5JspAL+BDIiiB1SK4h+lEJKE1UraS4+Ez
CggXHl3pa+tNaeg4/jWzm79J5NiGIfosvhfvLc7HusLONYtFWoDFI9Zx3MG2P57L
v9RNP641ExEj4j7oeG9A
=uka/
-END PGP SIGNATURE-



Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Mike Gabriel

On Tue, 01 Mar 2016 08:44:08 CET, Guido Günther wrote:


On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]

>>Issues that are unfixed in wheezy but fixed in squeeze:
>>* aptdaemon-> CVE-2015-1323
>>* cakephp  -> TEMP-000-698CF7
>>* dhcpcd   -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
>>* eglibc   -> CVE-2014-9761
>>* extplorer-> CVE-2015-0896
>>* fuseiso  -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
>>* gosa -> CVE-2014-9760 CVE-2015-8771
>>* gtk+2.0  -> CVE-2013-7447
>>* icu  -> CVE-2015-2632
>>* imagemagick  -> TEMP-0773834-5EB6CF
>>* imlib2   -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
>>* inspircd -> CVE-2015-8702
>>* libebml  -> CVE-2015-8790 CVE-2015-8791
>>* libidn   -> CVE-2015-2059 TEMP-000-54045E
>>* libmatroska  -> CVE-2015-8792
>>* libsndfile   -> CVE-2014-9756 CVE-2015-7805
>>* libstruts1.2-java-> CVE-2015-0899
>>* libtorrent-rasterbar -> CVE-2015-5685
>>* mono -> CVE-2009-0689
>>* nss  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
>>* optipng  -> CVE-2015-7801
>>* phpmyadmin   -> CVE-2016-2039 CVE-2016-2041
>>* pixman   -> CVE-2014-9766
>>* python-tornado   -> CVE-2014-9720
>>* roundcube-> CVE-2015-8770
>>* srtp -> CVE-2015-6360
>>* tomcat6  -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
>>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
>>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
>>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
>
>I'm focusing on these, picking older ones over newer ones to not stomp
>onto the security team's toes.

Do you announce anywhere that you will start working on a specific package?
Wouldn't it make sense to put all the packages listed below into
data/dsa-needed.txt (with approval from the Security Team) and then put our
names behind those package names?


In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

Cheers,
 -- Guido


Ack.

@Security Team: Shall we (LTS contributors) handle wheezy-security  
updates like described below until Debian wheezy LTS comes into play?


  o Pick a package that has open CVE issues in wheezy, e.g. from above list
  o Add the package to data/dsa-needed.txt, if not already there:
- packages with issues to be solved in wheezy only, should be suffixed
  with "/oldstable" (i.e., gosa/oldstable)
- packages with issues in jessie and wheezy, should probably just be added
  by the package name (without suffix), right?

From then on, the workflow can be the same workflow as used for  
normal security updates (as already described earlier in this thread):


  o Fix the issue in the package (grab the current package from  
oldstable's archive).

  o Test your fixes.
  o Provide a .debdiff to t...@security.debian.org and to the Debian bug,
if any related bug exists.
  o Wait for feedback from the release team on how to proceed.
  o As a courtesy, you could check the same package in jessie and see if
the fix for oldstable is easily forward-portable. Thus, maybe providing a
jessie-security .debdiff for the package can be an option.

The removal of the entry placed into data/dsa-needed.txt should then  
be handled by the Security Team, once the fixed package version has  
been uploaded.


More Feedback?
Mike
--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net


