Re: Wheezy update of firefox-esr?

2016-09-28 Thread Bálint Réczey
Hi,

2016-09-25 2:40 GMT+02:00 Mike Hommey :
> On Sun, Sep 25, 2016 at 01:08:55AM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-24 15:34 GMT+02:00 Balint Reczey :
>> > Hi,
>> >
>> > On 09/24/2016 12:51 AM, Mike Hommey wrote:
>> >> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> >>> Hi,
>> >>>
>> >>> 2016-09-20 23:43 GMT+02:00 Chris Lamb :
...
>> ARM builds are failing for the package due to looking for gcc-5 . :-(
>>
>> I'm fixing that shortly.
>
> That was fixed in 45.4.0esr-1~deb8u2.

Thanks, I've cherry-picked the relevant change from git.
The build failed for armel while it did succeed in my armel chroot.
I have asked buildd admins to take a look at it. It seems to be an issue
in the chroot.

https://buildd.debian.org/status/package.php?p=firefox-esr=wheezy-security

I'll send out the regression update email when the armel build is finished, too.

Cheers,
Balint



Re: Wheezy update of firefox-esr?

2016-09-24 Thread Mike Hommey
On Sun, Sep 25, 2016 at 01:08:55AM +0200, Bálint Réczey wrote:
> Hi,
> 
> 2016-09-24 15:34 GMT+02:00 Balint Reczey :
> > Hi,
> >
> > On 09/24/2016 12:51 AM, Mike Hommey wrote:
> >> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
> >>> Hi,
> >>>
> >>> 2016-09-20 23:43 GMT+02:00 Chris Lamb :
> >>>> Hello dear maintainer(s),
> >>>>
> >>>> the Debian LTS team would like to fix the security issues which are
> >>>> currently open in the Wheezy version of firefox-esr:
> >>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
> >>>>
> >>>> Would you like to take care of this yourself?
> >>>>
> >>>> If yes, please follow the workflow we have defined here:
> >>>> https://wiki.debian.org/LTS/Development
> >>>>
> >>>> If that workflow is a burden to you, feel free to just prepare an
> >>>> updated source package and send it to debian-lts@lists.debian.org
> >>>> (via a debdiff, or with an URL pointing to the source package,
> >>>> or even with a pointer to your packaging repository), and the members
> >>>> of the LTS team will take care of the rest. Indicate clearly whether you
> >>>> have tested the updated package or not.
> >>>>
> >>>> If you don't want to take care of this update, it's not a problem, we
> >>>> will do our best with your package. Just let us know whether you would
> >>>> like to review and/or test the updated package before it gets released.
> >>>>
> >>>> You can also opt-out from receiving future similar emails in your
> >>>> answer and then the LTS Team will take care of firefox-esr updates
> >>>> for the LTS releases. (In case we don't get any answer for months,
> >>>> we may also take it as an opt-out, too.)
> >>>
> >>> I think Mike would like the LTS Team to prepare the future updates:
> >>>
> >>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> >>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> >>>>> Hello Mike,
> >>>>>
> >>>>> Thank you for preparing the security update of firefox-esr. I have just
> >>>>> sent a security announcement for your update in Wheezy to the
> >>>>> debian-lts-announce mailing list. If you want to take care of this next
> >>>>> time, please follow our guidelines which we have outlined at [1]. If
> >>>>> this is a burden for you, no problem, we will do our best and take care
> >>>>> of the rest. In this case we would like to ask you to send a short
> >>>>> reminder to debian-lts, so that we can prepare the announcement in a
> >>>>> timely manner.
> >>>>
> >>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> >>>> that. That these updates go through the same security-master doesn't
> >>>> help making it obvious they are different.
> >>>>
> >>>> Anyways, I'd rather not have more work to do, so if can send
> >>>> announcements, that works for me. Or you can deal with the backport
> >>>> from back to back.
> >>> ...
> >>>
> >>> I have added firefox-esr to lts-do-not-call and started preparing the 
> >>> update.
> >>
> >> Thanks.
> >
> > I have prepared the update.
> >
> > Please see the diff to jessie-security's version attached.
> >
> > Changes:
> >
> >  firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
> >  .
> >    [ Mike Hommey ]
> >    * New upstream release.
> >    * Fixes for mfsa2016-86, also known as:
> >      CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
> >      CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
> >      CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
> >  .
> >    * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
> >      on arm* because of crashes when building with GCC 6. (FTBFS)
> >    * debian/rules: Build with -fno-schedule-insns2 and
> >      -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
> >      Firefox. Closes: #836533.
> >  .
> >    * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
> >      Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
> >      bz#1259537.
> >      Closes: #822715.
> >    * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
> >
> >
> > The binary packages for amd64 are also available for testing here:
> >
> >  deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
> >
> > I ran browser benchmarks to stress test the package and also visited a
> > few sites manually.
> >
> > I plan uploading the package around 21:00 UTC.
> 
> ARM builds are failing for the package due to looking for gcc-5 . :-(
> 
> I'm fixing that shortly.

That was fixed in 45.4.0esr-1~deb8u2.

Mike



Re: Wheezy update of firefox-esr?

2016-09-24 Thread Bálint Réczey
Hi,

2016-09-24 15:34 GMT+02:00 Balint Reczey :
> Hi,
>
> On 09/24/2016 12:51 AM, Mike Hommey wrote:
>> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>>> Hi,
>>>
>>> 2016-09-20 23:43 GMT+02:00 Chris Lamb :
>>>> Hello dear maintainer(s),
>>>>
>>>> the Debian LTS team would like to fix the security issues which are
>>>> currently open in the Wheezy version of firefox-esr:
>>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>>
>>>> Would you like to take care of this yourself?
>>>>
>>>> If yes, please follow the workflow we have defined here:
>>>> https://wiki.debian.org/LTS/Development
>>>>
>>>> If that workflow is a burden to you, feel free to just prepare an
>>>> updated source package and send it to debian-lts@lists.debian.org
>>>> (via a debdiff, or with an URL pointing to the source package,
>>>> or even with a pointer to your packaging repository), and the members
>>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>>> have tested the updated package or not.
>>>>
>>>> If you don't want to take care of this update, it's not a problem, we
>>>> will do our best with your package. Just let us know whether you would
>>>> like to review and/or test the updated package before it gets released.
>>>>
>>>> You can also opt-out from receiving future similar emails in your
>>>> answer and then the LTS Team will take care of firefox-esr updates
>>>> for the LTS releases. (In case we don't get any answer for months,
>>>> we may also take it as an opt-out, too.)
>>>
>>> I think Mike would like the LTS Team to prepare the future updates:
>>>
>>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>>> Hello Mike,
>>>>>
>>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>>> sent a security announcement for your update in Wheezy to the
>>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>>> this is a burden for you, no problem, we will do our best and take care
>>>>> of the rest. In this case we would like to ask you to send a short
>>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>>> timely manner.
>>>>
>>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>>> that. That these updates go through the same security-master doesn't
>>>> help making it obvious they are different.
>>>>
>>>> Anyways, I'd rather not have more work to do, so if can send
>>>> announcements, that works for me. Or you can deal with the backport
>>>> from back to back.
>>> ...
>>>
>>> I have added firefox-esr to lts-do-not-call and started preparing the 
>>> update.
>>
>> Thanks.
>
> I have prepared the update.
>
> Please see the diff to jessie-security's version attached.
>
> Changes:
>
>  firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
>  .
>    [ Mike Hommey ]
>    * New upstream release.
>    * Fixes for mfsa2016-86, also known as:
>      CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
>      CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
>      CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
>  .
>    * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
>      on arm* because of crashes when building with GCC 6. (FTBFS)
>    * debian/rules: Build with -fno-schedule-insns2 and
>      -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
>      Firefox. Closes: #836533.
>  .
>    * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
>      Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
>      bz#1259537.
>      Closes: #822715.
>    * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
>
>
> The binary packages for amd64 are also available for testing here:
>
>  deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
>
> I ran browser benchmarks to stress test the package and also visited a
> few sites manually.
>
> I plan uploading the package around 21:00 UTC.

ARM builds are failing for the package due to looking for gcc-5 . :-(

I'm fixing that shortly.

Thanks,
Balint



Re: Wheezy update of firefox-esr?

2016-09-24 Thread Balint Reczey
Hi,

On 09/24/2016 12:51 AM, Mike Hommey wrote:
> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-20 23:43 GMT+02:00 Chris Lamb :
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of firefox-esr:
>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>
>>> Would you like to take care of this yourself?
>>>
>>> If yes, please follow the workflow we have defined here:
>>> https://wiki.debian.org/LTS/Development
>>>
>>> If that workflow is a burden to you, feel free to just prepare an
>>> updated source package and send it to debian-lts@lists.debian.org
>>> (via a debdiff, or with an URL pointing to the source package,
>>> or even with a pointer to your packaging repository), and the members
>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>> have tested the updated package or not.
>>>
>>> If you don't want to take care of this update, it's not a problem, we
>>> will do our best with your package. Just let us know whether you would
>>> like to review and/or test the updated package before it gets released.
>>>
>>> You can also opt-out from receiving future similar emails in your
>>> answer and then the LTS Team will take care of firefox-esr updates
>>> for the LTS releases. (In case we don't get any answer for months,
>>> we may also take it as an opt-out, too.)
>>
>> I think Mike would like the LTS Team to prepare the future updates:
>>
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>> this is a burden for you, no problem, we will do our best and take care
>>>> of the rest. In this case we would like to ask you to send a short
>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>> timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>> ...
>>
>> I have added firefox-esr to lts-do-not-call and started preparing the update.
> 
> Thanks.

I have prepared the update.

Please see the diff to jessie-security's version attached.

Changes:

 firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
 .
   [ Mike Hommey ]
   * New upstream release.
   * Fixes for mfsa2016-86, also known as:
     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
 .
   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
     on arm* because of crashes when building with GCC 6. (FTBFS)
   * debian/rules: Build with -fno-schedule-insns2 and
     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
     Firefox. Closes: #836533.
 .
   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
     bz#1259537.
     Closes: #822715.
   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)


The binary packages for amd64 are also available for testing here:

 deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

I ran browser benchmarks to stress test the package and also visited a
few sites manually.

I plan uploading the package around 21:00 UTC.

Cheers,
Balint

diff -Nru firefox-esr-45.4.0esr/debian/changelog firefox-esr-45.4.0esr/debian/changelog
--- firefox-esr-45.4.0esr/debian/changelog	2016-09-21 00:29:05.0 +0200
+++ firefox-esr-45.4.0esr/debian/changelog	2016-09-24 01:09:02.0 +0200
@@ -1,5 +1,6 @@
-firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium
+firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
 
+  [ Mike Hommey ]
   * New upstream release.
   * Fixes for mfsa2016-86, also known as:
 CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
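Review bot: the top entry gains a `[ Mike Hommey ]` section header but no matching section for the person doing the backport, so the changelog for `45.4.0esr-1~deb7u1` does not record what, if anything, was changed for wheezy-security. Consider adding a `[ Balint Reczey ]` section below Mike's items with at least one line describing the wheezy rebuild, so that anyone auditing the security upload can tell the upstream fixes apart from the backport work.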
@@ -17,9 +18,9 @@
 Closes: #822715.
   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)
 
- -- Mike Hommey   Wed, 21 Sep 2016 07:09:32 +0900
+ -- Balint Reczey   Sat, 24 Sep 2016 01:08:45 +0200
 
-firefox-esr (45.3.0esr-1~deb8u1) stable-security; urgency=medium
+firefox-esr (45.3.0esr-1~deb7u1) oldstable-security; urgency=medium
 
   * New upstream release.
   * Fixes 
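Review bot: the last `+` line rewrites the header of the older 45.3.0esr entry to `45.3.0esr-1~deb7u1` with `oldstable-security`, while the new top entry uses `wheezy-security`. Because this diff is taken against jessie-security's version, please confirm that the rewritten line matches the changelog of what was actually uploaded to wheezy for 45.3.0esr, so that released history is not altered. The trailer change to Balint Reczey with the 24 Sep timestamp is consistent with the new version line.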

Re: Wheezy update of firefox-esr?

2016-09-23 Thread Bálint Réczey
Hi,

2016-09-20 23:43 GMT+02:00 Chris Lamb :
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firefox-esr:
> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of firefox-esr updates
> for the LTS releases. (In case we don't get any answer for months,
> we may also take it as an opt-out, too.)

I think Mike would like the LTS Team to prepare the future updates:

On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> > Hello Mike,
> >
> > Thank you for preparing the security update of firefox-esr. I have just
> > sent a security announcement for your update in Wheezy to the
> > debian-lts-announce mailing list. If you want to take care of this next
> > time, please follow our guidelines which we have outlined at [1]. If
> > this is a burden for you, no problem, we will do our best and take care
> > of the rest. In this case we would like to ask you to send a short
> > reminder to debian-lts, so that we can prepare the announcement in a
> > timely manner.
>
> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> that. That these updates go through the same security-master doesn't
> help making it obvious they are different.
>
> Anyways, I'd rather not have more work to do, so if can send
> announcements, that works for me. Or you can deal with the backport
> from back to back.
...

I have added firefox-esr to lts-do-not-call and started preparing the update.

Cheers,
Balint



Wheezy update of firefox-esr?

2016-09-20 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firefox-esr:
https://security-tracker.debian.org/tracker/source-package/firefox-esr

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of firefox-esr updates
for the LTS releases. (In case we don't get any answer for months,
we may also take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-