Re: wheezy update of openafs
On Tue, Jan 23, 2018 at 06:52:52PM +0100, Emilio Pozuelo Monfort wrote:
> On 23/01/18 17:29, Benjamin Kaduk wrote:
> > Hi all,
> >
> > As recorded in #886799 (and the merged bugs), the recent linux
> > kernel updates including meltdown remediation also included a kernel
> > ABI change that breaks the openafs DKMS module (and non-DKMS module,
> > for what it's worth). The fix for openafs is pretty simple; just
> > cherry-pick a couple of upstream patches, but it's not entirely
> > clear that this update should be considered a "security issue", and
> > thus I am unclear on what process at
> > https://wiki.debian.org/LTS/Development really applies.
> > Should I just find a DD to sponsor the upload to wheezy-security and
> > get the new package available, or is there some additional (review?)
> > step as there would for a non-LTS security update or SRU?
>
> We could do some sort of a regression update. Or just a compatibility update.
> Call it what you want :)
>
> Can you point to those patches?

I just pushed my current state to the packaging git repo at
https://anonscm.debian.org/cgit/pkg-k5-afs/openafs.git/log/?id=refs/heads/wheezy ,
though I was planning to do a little more testing with a clean
build/etc. before requesting upload.

Note that the last several updates to openafs in wheezy were done by
the LTS team directly and not put into git, so I have some cleanup
commits to attempt to synchronize the state in git with the state in
the apt repo.

It seems that with the single-debian-patch scheme openafs uses in
wheezy, the debian-patch that is generated is not done reproducibly,
with files being changed appearing in different order. The extracted
source package does not differ other than the debian-changes file,
though, which is I think as good as we can get. (Starting with jessie
we switched to using separated patches for openafs.)

Thanks,

Ben
Re: wheezy update of openafs
On 23/01/18 17:29, Benjamin Kaduk wrote:
> Hi all,
>
> As recorded in #886799 (and the merged bugs), the recent linux
> kernel updates including meltdown remediation also included a kernel
> ABI change that breaks the openafs DKMS module (and non-DKMS module,
> for what it's worth). The fix for openafs is pretty simple; just
> cherry-pick a couple of upstream patches, but it's not entirely
> clear that this update should be considered a "security issue", and
> thus I am unclear on what process at
> https://wiki.debian.org/LTS/Development really applies.
> Should I just find a DD to sponsor the upload to wheezy-security and
> get the new package available, or is there some additional (review?)
> step as there would for a non-LTS security update or SRU?

We could do some sort of a regression update. Or just a compatibility update.
Call it what you want :)

Can you point to those patches?

Cheers,
Emilio
wheezy update of openafs
Hi all,

As recorded in #886799 (and the merged bugs), the recent linux
kernel updates including meltdown remediation also included a kernel
ABI change that breaks the openafs DKMS module (and non-DKMS module,
for what it's worth). The fix for openafs is pretty simple; just
cherry-pick a couple of upstream patches, but it's not entirely
clear that this update should be considered a "security issue", and
thus I am unclear on what process at
https://wiki.debian.org/LTS/Development really applies.
Should I just find a DD to sponsor the upload to wheezy-security and
get the new package available, or is there some additional (review?)
step as there would for a non-LTS security update or SRU?

Thanks,

Ben
Re: Wheezy update of openafs?
Hi Thorsten,

On Sun, Dec 10, 2017 at 07:49:33PM +0100, Thorsten Alteholz wrote:
> Hi Benjamin and Anders,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openafs:
> https://security-tracker.debian.org/tracker/source-package/openafs
>
> Would you like to take care of this yourself?

Thanks for checking in, but history and the size of my todo list
indicate that I will not be able to take care of this myself.
That said, the patch should cherry-pick/backport quite easily, as
the code in question should not have really changed between wheezy
and jessie. (I also think there are some non-security issues known
with the version in wheezy that probably make it unsuitable for use
in many sites, but I suppose that should not keep us from providing
updates.)

-Ben

> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of openafs updates
> for the LTS releases.
>
> Thank you very much.
>
> Thorsten Alteholz,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of openafs?
Hi Benjamin and Anders,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of openafs:
https://security-tracker.debian.org/tracker/source-package/openafs

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of openafs updates
for the LTS releases.

Thank you very much.

Thorsten Alteholz,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Re: Wheezy update of openafs?
On Sat, Dec 03, 2016 at 11:27:49PM +0100, Chris Lamb wrote:
> [Replying just to debian-lts]
>
> Guido Günther wrote:
>
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of openafs:
> > https://security-tracker.debian.org/tracker/CVE-2016-9772
>
> Don't forget to file a Debian bug next time. :)

Filed now. Thanks for the reminder.

Cheers,
 -- Guido
Re: Wheezy update of openafs?
Hi Ben,

On Sat, Dec 03, 2016 at 08:36:49PM -0600, Benjamin Kaduk wrote:
> On Sat, Dec 03, 2016 at 12:22:38PM +0100, Guido Günther wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of openafs:
> > https://security-tracker.debian.org/tracker/CVE-2016-9772
>
> Have you determined whether the regular Debian Security Team is interested
> in addressing these issues in jessie? Though carnil@ requested the
> CVE number assignment, I do not see a debian bug for the issue and have
> not (yet?) been in contact with the security team about it. It seems like
> it would be rather strange for a fix to go into wheezy but not jessie

I've just filed the bug (which I forgot to do before sending the mail) I
think the security team will follow up shortly.

> > Would you like to take care of this yourself?
> >
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with an URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> >
> > If you don't want to take care of this update, it's not a problem, we
> > will do our best with your package. Just let us know whether you would
> > like to review and/or test the updated package before it gets released.
>
> I will see if I can find time to prepare an update, though I think there are
> a few things at higher priority on my Debian todo list at the moment.
> If someone from the LTS team does get to it before I do, I'm happy to look
> at the debdiff and provide another sanity check.

Lamby already released an updated package yesterday so we're on the safe
side for wheezy already. Thanks for following up on this!

Cheers,
 -- Guido
Re: Wheezy update of openafs?
On Sat, Dec 03, 2016 at 12:22:38PM +0100, Guido Günther wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openafs:
> https://security-tracker.debian.org/tracker/CVE-2016-9772

Have you determined whether the regular Debian Security Team is interested
in addressing these issues in jessie? Though carnil@ requested the
CVE number assignment, I do not see a debian bug for the issue and have
not (yet?) been in contact with the security team about it. It seems like
it would be rather strange for a fix to go into wheezy but not jessie

> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

I will see if I can find time to prepare an update, though I think there are
a few things at higher priority on my Debian todo list at the moment.
If someone from the LTS team does get to it before I do, I'm happy to look
at the debdiff and provide another sanity check.

-Ben
Re: Wheezy update of openafs?
[Replying just to debian-lts]

Guido Günther wrote:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openafs:
> https://security-tracker.debian.org/tracker/CVE-2016-9772

Don't forget to file a Debian bug next time. :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Wheezy update of openafs?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of openafs:
https://security-tracker.debian.org/tracker/CVE-2016-9772

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of openafs updates
for the LTS releases.

Thank you very much.

Guido Günther,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup