
Re: working for wheezy-security until wheezy-lts starts



On 2016-03-21 19:16:24, Brian May wrote:
> Brian May <bam@debian.org> writes:
>
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>>
>> Will have a look at this now.
>
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this, if not might be a good
> idea):

I am not aware of any such tool. How did you do the following comparison
- by hand?

> Not fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
>     - CVE-2014-5146 (marked No DSA)
>     - CVE-2014-5149 (marked No DSA)
>     - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
>     through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
>     - CVE-2014-8341 (marked No DSA)

2014-8104 is probably a typo, as it concerns OpenVPN according to the
security tracker. You probably mean CVE-2015-8104...

I'll look at what that one implies specifically.

> Fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
>     - CVE-2015-2152 / XSA-119
>     - CVE-2015-2752 / XSA-125
>     - CVE-2015-2756 / XSA-126
>     - CVE-2015-3259 / XSA-137
>     - CVE-2015-5165 / XSA-140
>     - CVE-2015-5307 / XSA-156
>     - CVE-2015-7504 / XSA-162 (not in Debian security tracker)
>     - CVE-2015-7969 / XSA-149
>     - CVE-2015-7970 / XSA-150
>     - CVE-2015-7971 / XSA-152
>     - CVE-2015-7972 / XSA-153
>     - CVE-2015-8339, CVE-2015-8340 / XSA-159
>     - CVE-2015-8550 / XSA-155
>     - CVE-2015-8554 / XSA-164
>     - CVE-2015-8555 / XSA-165
>     - TEMP-0000000-CE3B44 / XSA-166
>     - CVE-2016-1570 / XSA-167
>     - CVE-2016-1571 / XSA-168
>     - CVE-2016-2270 / XSA-154
>     - CVE-2016-2271 / XSA-170

That is an impressive list, and it does seem like we should merge our
efforts with Ubuntu here!

I was thinking that maybe there should be an announcement of the release
switch, but looking at the release notes of 4.1.5 and 4.1.6, it seems
just logical to follow those directly:

http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-4161.html
http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-415.html

... only bugfixes and CVEs there.

-- 
I've got to design so you can put it together out of garbage cans. In
part because that's what I started from, but mostly because I don’t
trust the industrial structure—they might decide to suppress us
weirdos and try to deny us the parts we need.
                       - Lee Felsenstein
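
The changelog-versus-tracker comparison Brian did by hand, as an added Python example that is not part of this thread or of any Debian tool. It assumes a tracker export shaped like the security tracker's JSON data (package -> CVE -> releases -> suite -> status, with a "nodsa" key for no-DSA issues); the changelog and tracker excerpts below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed changelog excerpt in Debian/Ubuntu changelog style (not the real one).
CHANGELOG = """\
xen (4.1.6.1-0ubuntu0.12.04.10) precise-security; urgency=medium

  * SECURITY UPDATE: multiple issues (constructed sample)
    - CVE-2015-2152 / XSA-119
    - CVE-2015-7504 / XSA-162
    - CVE-2014-8104
"""

# Constructed excerpt laid out like the tracker's JSON export
# (package -> CVE -> releases -> suite -> status); assumed format.
TRACKER = {
    "xen": {
        "CVE-2015-2152": {"releases": {"wheezy": {"status": "resolved"}}},
        "CVE-2014-5146": {"releases": {"wheezy": {"status": "open", "nodsa": "Minor issue"}}},
        "CVE-2015-8104": {"releases": {"wheezy": {"status": "open"}}},
    },
    "openvpn": {
        "CVE-2014-8104": {"releases": {"wheezy": {"status": "resolved"}}},
    },
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_in_changelog(text):
    """Return the distinct CVE ids named anywhere in a changelog."""
    return sorted(set(CVE_RE.findall(text)))


def compare(changelog, tracker, package, suite):
    """Bucket each changelog CVE by its tracker status for `package` in `suite`,
    and list the tracker's CVEs for that package the changelog never mentions."""
    buckets = defaultdict(list)
    entries = tracker.get(package, {})
    mentioned = cves_in_changelog(changelog)
    for cve in mentioned:
        if cve not in entries:
            # Filed under another package: likely a typo in the changelog
            elsewhere = sorted(p for p, e in tracker.items() if cve in e)
            buckets["other_package" if elsewhere else "not_in_tracker"].append(cve)
            continue
        rel = entries[cve].get("releases", {}).get(suite, {})
        if rel.get("status") == "resolved":
            buckets["fixed"].append(cve)
        elif "nodsa" in rel:
            buckets["open_no_dsa"].append(cve)
        else:
            buckets["open"].append(cve)
    buckets["missing_from_changelog"] = sorted(c for c in entries if c not in mentioned)
    return dict(buckets)
```

Running `compare(CHANGELOG, TRACKER, "xen", "wheezy")` on the samples files CVE-2014-8104 under "other_package" (it belongs to openvpn in the tracker, as noted above) and CVE-2015-7504 under "not_in_tracker".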
