Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 742386@bugs.debian.org, Gabriele Giacone <1o5g4r8o@gmail.com>
Subject: Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Sat, 19 Apr 2014 09:56:30 +0400
Message-id: <[🔎] 5352100E.1060902@msgid.tls.msk.ru>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 742386@bugs.debian.org
In-reply-to: <[🔎] c3e4991dd0f08f294bbd5463d9dc5d7f@mail.adsl.funky-badger.org>
References: <20140323013159.GA21045@phenomenon> <532EADF2.20908@msgid.tls.msk.ru> <20140323114518.GA7688@phenomenon> <[🔎] 1397410763.24647.36.camel@jacala.jungle.funky-badger.org> <[🔎] 534ACE24.60103@msgid.tls.msk.ru> <[🔎] 1397412279.24647.49.camel@jacala.jungle.funky-badger.org> <[🔎] 534AD200.9000505@msgid.tls.msk.ru> <[🔎] 3a4fe9c8a642b15e50b3b355f8da580e@mail.adsl.funky-badger.org> <[🔎] 53511284.7070604@msgid.tls.msk.ru> <[🔎] c3e4991dd0f08f294bbd5463d9dc5d7f@mail.adsl.funky-badger.org>

18.04.2014 16:27, Adam D. Barratt wrote:
> On 2014-04-18 12:54, Michael Tokarev wrote:
>> 18.04.2014 15:40, Adam D. Barratt wrote:
>>> Not wishing to chase, just a gentle reminder that the window for getting updates in to 7.5 closes over the weekend. (Although getting in to 7.6 instead is presumably not a huge problem.)
>>
>> I've another security bugfix for qemu+qemu-kvm, CVE-2014-2894,
>> assigned today, see
>> https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html
>> The fix is also one-liner.
>>
>> Maybe we can combine the two - this #742386 and CVE-2014-2894 - into single pu?
> 
> Looking at the source for the 2.0.0 packages uploaded to unstable yesterday, it looks like they contain the CVE fix? If so then the security-tracker needs updating, as https://security-tracker.debian.org/tracker/CVE-2014-2894 lists unstable as vulnerable. If the security team don't plan to issue a DSA for the issue (which I don't know if they've decided yet) then the patch looks sane enough to include in the p-u.

Yes, 2.0.0 contains the (last-minute) fix.

And no, this fix is definitely worth a DSA.

So I'm uploading +deb7u2 to wheezy-pu as has been already agreed before,
to catch the train to 7.5.  With intention to fix CVE-2014-2894 later.

Thanks,

/mjt

Reply to:

Follow-Ups:
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: NEW changes in stable-new
Next by Date: RE: Bug#745019: problems with 2.6.32 kernel (and wheezy libnl3)
Previous by thread: Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
Next by thread: Bug#742386: wheezy-pu: package qemu/1.1.2+dfsg-6a+deb7u1
Index(es):
- Date
- Thread