Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>> 
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is
accepted.

A.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
> 
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE
fixed by the old DLA in the mail sent to debian-lts-announce. But when
you generate your template with bin/gen-DLA you only pass the newly fixed
CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you send an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>> 
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id? or
simply mention the old DLA id in the announcement? Or mention all the
CVEs fixed in the old DLA in the new DLA?

Not actually sure how to merge this. :)

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.
    - Aboriginal activists group, Queensland, 1970s



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you send an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
> 
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>> 
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
>> published it would cause confusion.
>
> Please send it again and add a small sentence explaining that you send an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that
announcement in?

> But not sending the announce is not a good option IMO. FWIW checking that the
> announce went through is part of my routine for each DLA.

Agreed. What I do is that I have the DLA template in my secure-testing
SVN checkout after I sent it, and leave it there until I have verified
it shows up in the archives.

(Or that I received it, but my email client (notmuch) strangely makes
that quite difficult, as it deduplicates multiple messages with the same
message ID, so I can't really tell if I actually received my own
messages! That will fortunately be fixed in the 0.26 release though... )

A.

-- 
There is no limit, sacred or not, to the action of man in the
universe. Since our origins we have had the choice: to be blinded by
the truth or to sew our eyelids shut.
- [no one is innocent]



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
> 
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
> published it would cause confusion.

Please send it again and add a small sentence explaining that you send an
old advisory that never made it to the list... IOW if you expect
confusion, add an explanation to clear it up.

But not sending the announce is not a good option IMO. FWIW checking that the
announce went through is part of my routine for each DLA.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Brian May
Antoine Beaupré writes:

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:

Yes, I commented on that in a recent email.

I didn't realize until after I uploaded the newer version associated
with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
DLA-1140-1.

Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
published it would cause confusion.
-- 
Brian May 



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Antoine Beaupré
On 2017-10-27 19:05:07, Hugo Lefeuvre wrote:
> Hi Antoine, Brian,
>
>> Somehow the DLA-1130-1 that was associated with this upload never made
>> it to the mailing list archive here:
>> 
>> https://lists.debian.org/debian-lts-announce/2017/10/
>> 
>> I also didn't receive a copy, so I suspect it was never sent.
>> 
>> A.
>> 
>> PS: I realized this while reviewing my own announcements - it seems I
>> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
>> catch those?
>
> Same for me, I had to send DLA 1133-1 three times before it reached the
> list. Like if the server would silently reject my emails. I wouldn't
> have noticed it without Ola's help.

My email finally got through today. According to #debian-lists, there
was an issue with the signature verification software, which was fixed
yesterday.

In my case, I also previously had issues because I added a new signing
subkey that took some time to propagate across Debian's infrastructure.

The main issue is we have currently no way of noticing when a number is
skipped. It would be nice to automate this stuff somehow, yet I can't
quite think of how... Maybe by adding (signed) DLA files themselves into
security tracker and have *that* send out the announcements?

A.
-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
- Calvin
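
The gap described in the message above (no way of noticing when a DLA number is skipped) can be checked by comparing the ids reserved in the tracker's list against the subjects that reached the debian-lts-announce archive. This is an added example, not part of the thread or of Debian's tooling; the line formats, the sample entries and the `examplepkg-*` names are constructed assumptions.

```python
import re

# Accept both "DLA-1130-1" and "DLA 1133-1"; both spellings occur in the thread.
DLA_RE = re.compile(r"\bDLA[- ](\d+)-(\d+)\b")


def dla_ids(lines):
    """Return the set of (number, revision) pairs mentioned in the lines."""
    found = set()
    for line in lines:
        for num, rev in DLA_RE.findall(line):
            found.add((int(num), int(rev)))
    return found


def missing_announcements(reserved_lines, archive_subjects):
    """Ids reserved in the tracker list that never appeared in the archive."""
    missing = dla_ids(reserved_lines) - dla_ids(archive_subjects)
    return [f"DLA-{n}-{r}" for n, r in sorted(missing)]


def skipped_numbers(archive_subjects):
    """Holes in the archive's own number sequence (no tracker list needed)."""
    nums = {n for n, _ in dla_ids(archive_subjects)}
    if not nums:
        return []
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


# Constructed sample input: entries in the style of a reserved-id list ...
RESERVED = [
    "DLA-1130-1 graphicsmagick - security update",
    "DLA-1133-1 examplepkg-a - security update",
    "DLA-1140-1 graphicsmagick - security update",
    "DLA-1144-1 examplepkg-b - security update",
]
# ... and subjects in the style of the announce list's monthly index.
ARCHIVE = [
    "[SECURITY] [DLA 1133-1] examplepkg-a security update",
    "[SECURITY] [DLA 1140-1] graphicsmagick security update",
]

if __name__ == "__main__":
    for dla in missing_announcements(RESERVED, ARCHIVE):
        print("reserved but not announced:", dla)
```

Running such a check some time after each upload catches a silently rejected mail without relying on the sender to re-read the archive by hand.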



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Hugo Lefeuvre
Hi Antoine, Brian,

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:
> 
> https://lists.debian.org/debian-lts-announce/2017/10/
> 
> I also didn't receive a copy, so I suspect it was never sent.
> 
> A.
> 
> PS: I realized this while reviewing my own announcements - it seems I
> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
> catch those?

Same for me, I had to send DLA 1133-1 three times before it reached the
list. Like if the server would silently reject my emails. I wouldn't
have noticed it without Ola's help.

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Antoine Beaupré
Somehow the DLA-1130-1 that was associated with this upload never made
it to the mailing list archive here:

https://lists.debian.org/debian-lts-announce/2017/10/

I also didn't receive a copy, so I suspect it was never sent.

A.

PS: I realized this while reviewing my own announcements - it seems I
failed to send DLA-1144-1 myself... maybe we need better mechanisms to
catch those?
-- 
All governments are run by liars and nothing they say should be
believed.
   - I. F. Stone



Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-11 Thread Brian May
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Oct 2017 17:57:27 +1100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1+deb7u10
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Kobras 
Changed-By: Brian May 
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Changes:
 graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
     coders/png.c did not properly manage image pointers after certain error
     conditions.
   * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon().
   * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
   * Fix CVE-2017-14733: Ensure we detect alpha images with too few colors.
   * Fix CVE-2017-14994: DCM_ReadNonNativeImages() can produce image list with
     no frames, resulting in null image pointer.
   * Fix CVE-2017-14997: unsigned underflow leading to astonishingly
     large allocation request.