Re: Wheezy update of firefox-esr?
Hi,

2016-09-25 2:40 GMT+02:00 Mike Hommey:
> On Sun, Sep 25, 2016 at 01:08:55AM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-24 15:34 GMT+02:00 Balint Reczey:
>> > Hi,
>> >
>> > On 09/24/2016 12:51 AM, Mike Hommey wrote:
>> >> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> >>> Hi,
>> >>>
>> >>> 2016-09-20 23:43 GMT+02:00 Chris Lamb:
...
>> ARM builds are failing for the package due to looking for gcc-5 . :-(
>>
>> I'm fixing that shortly.
>
> That was fixed in 45.4.0esr-1~deb8u2.

Thanks, I've cherry-picked the relevant change from git.

The build failed for armel while it did succeed in my armel chroot.
I have asked buildd admins to take a look at it. It seems to be an issue
in the chroot.

https://buildd.debian.org/status/package.php?p=firefox-esr=wheezy-security

I'll send out the regression update email when the armel build is
finished, too.

Cheers,
Balint
Re: Wheezy update of firefox-esr?
On Sun, Sep 25, 2016 at 01:08:55AM +0200, Bálint Réczey wrote:
> Hi,
>
> 2016-09-24 15:34 GMT+02:00 Balint Reczey:
> > Hi,
> >
> > On 09/24/2016 12:51 AM, Mike Hommey wrote:
> >> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
> >>> Hi,
> >>>
> >>> 2016-09-20 23:43 GMT+02:00 Chris Lamb:
> >>>> Hello dear maintainer(s),
> >>>>
> >>>> the Debian LTS team would like to fix the security issues which are
> >>>> currently open in the Wheezy version of firefox-esr:
> >>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
> >>>>
> >>>> Would you like to take care of this yourself?
> >>>>
> >>>> If yes, please follow the workflow we have defined here:
> >>>> https://wiki.debian.org/LTS/Development
> >>>>
> >>>> If that workflow is a burden to you, feel free to just prepare an
> >>>> updated source package and send it to debian-lts@lists.debian.org
> >>>> (via a debdiff, or with an URL pointing to the source package,
> >>>> or even with a pointer to your packaging repository), and the members
> >>>> of the LTS team will take care of the rest. Indicate clearly whether you
> >>>> have tested the updated package or not.
> >>>>
> >>>> If you don't want to take care of this update, it's not a problem, we
> >>>> will do our best with your package. Just let us know whether you would
> >>>> like to review and/or test the updated package before it gets released.
> >>>>
> >>>> You can also opt-out from receiving future similar emails in your
> >>>> answer and then the LTS Team will take care of firefox-esr updates
> >>>> for the LTS releases. (In case we don't get any answer for months,
> >>>> we may also take it as an opt-out, too.)
> >>>
> >>> I think Mike would like the LTS Team to prepare the future updates:
> >>>
> >>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> >>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> >>>> > Hello Mike,
> >>>> >
> >>>> > Thank you for preparing the security update of firefox-esr. I have just
> >>>> > sent a security announcement for your update in Wheezy to the
> >>>> > debian-lts-announce mailing list. If you want to take care of this next
> >>>> > time, please follow our guidelines which we have outlined at [1]. If
> >>>> > this is a burden for you, no problem, we will do our best and take care
> >>>> > of the rest. In this case we would like to ask you to send a short
> >>>> > reminder to debian-lts, so that we can prepare the announcement in a
> >>>> > timely manner.
> >>>>
> >>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> >>>> that. That these updates go through the same security-master doesn't
> >>>> help making it obvious they are different.
> >>>>
> >>>> Anyways, I'd rather not have more work to do, so if can send
> >>>> announcements, that works for me. Or you can deal with the backport
> >>>> from back to back.
> >>> ...
> >>>
> >>> I have added firefox-esr to lts-do-not-call and started preparing the
> >>> update.
> >>
> >> Thanks.
> >
> > I have prepared the update.
> >
> > Please see the diff to jessie-security's version attached.
> >
> > Changes:
> >
> > firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
> > .
> >   [ Mike Hommey ]
> >   * New upstream release.
> >   * Fixes for mfsa2016-86, also known as:
> >     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
> >     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
> >     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
> > .
> >   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
> >     on arm* because of crashes when building with GCC 6. (FTBFS)
> >   * debian/rules: Build with -fno-schedule-insns2 and
> >     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
> >     Firefox. Closes: #836533.
> > .
> >   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
> >     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
> >     bz#1259537.
> >     Closes: #822715.
> >   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
> >
> >
> > The binary packages for amd64 are also available for testing here:
> >
> > deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
> >
> > I ran browser benchmarks to stress test the package and also visited a
> > few sites manually.
> >
> > I plan uploading the package around 21:00 UTC.
>
> ARM builds are failing for the package due to looking for gcc-5 . :-(
>
> I'm fixing that shortly.

That was fixed in 45.4.0esr-1~deb8u2.

Mike
Re: Wheezy update of firefox-esr?
Hi,

2016-09-24 15:34 GMT+02:00 Balint Reczey:
> Hi,
>
> On 09/24/2016 12:51 AM, Mike Hommey wrote:
>> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>>> Hi,
>>>
>>> 2016-09-20 23:43 GMT+02:00 Chris Lamb:
>>>> Hello dear maintainer(s),
>>>>
>>>> the Debian LTS team would like to fix the security issues which are
>>>> currently open in the Wheezy version of firefox-esr:
>>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>>
>>>> Would you like to take care of this yourself?
>>>>
>>>> If yes, please follow the workflow we have defined here:
>>>> https://wiki.debian.org/LTS/Development
>>>>
>>>> If that workflow is a burden to you, feel free to just prepare an
>>>> updated source package and send it to debian-lts@lists.debian.org
>>>> (via a debdiff, or with an URL pointing to the source package,
>>>> or even with a pointer to your packaging repository), and the members
>>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>>> have tested the updated package or not.
>>>>
>>>> If you don't want to take care of this update, it's not a problem, we
>>>> will do our best with your package. Just let us know whether you would
>>>> like to review and/or test the updated package before it gets released.
>>>>
>>>> You can also opt-out from receiving future similar emails in your
>>>> answer and then the LTS Team will take care of firefox-esr updates
>>>> for the LTS releases. (In case we don't get any answer for months,
>>>> we may also take it as an opt-out, too.)
>>>
>>> I think Mike would like the LTS Team to prepare the future updates:
>>>
>>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> > Hello Mike,
>>>> >
>>>> > Thank you for preparing the security update of firefox-esr. I have just
>>>> > sent a security announcement for your update in Wheezy to the
>>>> > debian-lts-announce mailing list. If you want to take care of this next
>>>> > time, please follow our guidelines which we have outlined at [1]. If
>>>> > this is a burden for you, no problem, we will do our best and take care
>>>> > of the rest. In this case we would like to ask you to send a short
>>>> > reminder to debian-lts, so that we can prepare the announcement in a
>>>> > timely manner.
>>>>
>>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>>> that. That these updates go through the same security-master doesn't
>>>> help making it obvious they are different.
>>>>
>>>> Anyways, I'd rather not have more work to do, so if can send
>>>> announcements, that works for me. Or you can deal with the backport
>>>> from back to back.
>>> ...
>>>
>>> I have added firefox-esr to lts-do-not-call and started preparing the
>>> update.
>>
>> Thanks.
>
> I have prepared the update.
>
> Please see the diff to jessie-security's version attached.
>
> Changes:
>
> firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
> .
>   [ Mike Hommey ]
>   * New upstream release.
>   * Fixes for mfsa2016-86, also known as:
>     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
>     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
>     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
> .
>   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
>     on arm* because of crashes when building with GCC 6. (FTBFS)
>   * debian/rules: Build with -fno-schedule-insns2 and
>     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
>     Firefox. Closes: #836533.
> .
>   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
>     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
>     bz#1259537.
>     Closes: #822715.
>   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
>
>
> The binary packages for amd64 are also available for testing here:
>
> deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
>
> I ran browser benchmarks to stress test the package and also visited a
> few sites manually.
>
> I plan uploading the package around 21:00 UTC.

ARM builds are failing for the package due to looking for gcc-5 . :-(

I'm fixing that shortly.

Thanks,
Balint
Re: Wheezy update of firefox-esr?
Hi,

On 09/24/2016 12:51 AM, Mike Hommey wrote:
> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-20 23:43 GMT+02:00 Chris Lamb:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of firefox-esr:
>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>
>>> Would you like to take care of this yourself?
>>>
>>> If yes, please follow the workflow we have defined here:
>>> https://wiki.debian.org/LTS/Development
>>>
>>> If that workflow is a burden to you, feel free to just prepare an
>>> updated source package and send it to debian-lts@lists.debian.org
>>> (via a debdiff, or with an URL pointing to the source package,
>>> or even with a pointer to your packaging repository), and the members
>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>> have tested the updated package or not.
>>>
>>> If you don't want to take care of this update, it's not a problem, we
>>> will do our best with your package. Just let us know whether you would
>>> like to review and/or test the updated package before it gets released.
>>>
>>> You can also opt-out from receiving future similar emails in your
>>> answer and then the LTS Team will take care of firefox-esr updates
>>> for the LTS releases. (In case we don't get any answer for months,
>>> we may also take it as an opt-out, too.)
>>
>> I think Mike would like the LTS Team to prepare the future updates:
>>
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>> this is a burden for you, no problem, we will do our best and take care
>>>> of the rest. In this case we would like to ask you to send a short
>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>> timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>> ...
>>
>> I have added firefox-esr to lts-do-not-call and started preparing the update.
>
> Thanks.

I have prepared the update.

Please see the diff to jessie-security's version attached.

Changes:

 firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
 .
   [ Mike Hommey ]
   * New upstream release.
   * Fixes for mfsa2016-86, also known as:
     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
 .
   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
     on arm* because of crashes when building with GCC 6. (FTBFS)
   * debian/rules: Build with -fno-schedule-insns2 and
     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
     Firefox. Closes: #836533.
 .
   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
     bz#1259537.
     Closes: #822715.
   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)

The binary packages for amd64 are also available for testing here:

deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

I ran browser benchmarks to stress test the package and also visited a
few sites manually.

I plan uploading the package around 21:00 UTC.
Cheers, Balint diff -Nru firefox-esr-45.4.0esr/debian/changelog firefox-esr-45.4.0esr/debian/changelog --- firefox-esr-45.4.0esr/debian/changelog 2016-09-21 00:29:05.0 +0200 +++ firefox-esr-45.4.0esr/debian/changelog 2016-09-24 01:09:02.0 +0200 @@ -1,5 +1,6 @@ -firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium + [ Mike Hommey ] * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, @@ -17,9 +18,9 @@ Closes: #822715. * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) - -- Mike Hommey Wed, 21 Sep 2016 07:09:32 +0900 + -- Balint Reczey Sat, 24 Sep 2016 01:08:45 +0200 -firefox-esr (45.3.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.3.0esr-1~deb7u1) oldstable-security; urgency=medium * New upstream release. * Fixes
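Review bot: in the first hunk (@@ -1,5 +1,6 @@) the jessie entry is retargeted in place from 45.4.0esr-1~deb8u1 to 45.4.0esr-1~deb7u1, and the only line added beneath it is "[ Mike Hommey ]", so nothing in the entry records what the wheezy upload itself changed. A bracketed name header normally introduces one contributor's block among several; either add a "[ Balint Reczey ]" block with a bullet stating that this is a rebuild of the jessie-security version for wheezy-security (plus any wheezy-specific adjustments), or drop the header if no second block is intended.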
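Review bot: the distribution field ends up spelled two ways in adjacent entries, "wheezy-security" for 45.4.0esr-1~deb7u1 in the first hunk and "oldstable-security" for 45.3.0esr-1~deb7u1 in the second hunk (@@ -17,9 +18,9 @@). Both entries target the same suite, so a note in the new entry or a consistent spelling going forward would keep the changelog history easy to search.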
Re: Wheezy update of firefox-esr?
Hi,

2016-09-20 23:43 GMT+02:00 Chris Lamb:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firefox-esr:
> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of firefox-esr updates
> for the LTS releases. (In case we don't get any answer for months,
> we may also take it as an opt-out, too.)

I think Mike would like the LTS Team to prepare the future updates:

On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> > Hello Mike,
> >
> > Thank you for preparing the security update of firefox-esr. I have just
> > sent a security announcement for your update in Wheezy to the
> > debian-lts-announce mailing list. If you want to take care of this next
> > time, please follow our guidelines which we have outlined at [1]. If
> > this is a burden for you, no problem, we will do our best and take care
> > of the rest. In this case we would like to ask you to send a short
> > reminder to debian-lts, so that we can prepare the announcement in a
> > timely manner.
>
> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> that. That these updates go through the same security-master doesn't
> help making it obvious they are different.
>
> Anyways, I'd rather not have more work to do, so if can send
> announcements, that works for me. Or you can deal with the backport
> from back to back.
...

I have added firefox-esr to lts-do-not-call and started preparing the
update.

Cheers,
Balint
Wheezy update of firefox-esr?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firefox-esr:
https://security-tracker.debian.org/tracker/source-package/firefox-esr

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of firefox-esr updates
for the LTS releases. (In case we don't get any answer for months,
we may also take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-