Re: Please unblock libvirt 0.4.6-9
On Fri, Dec 12, 2008 at 11:49:56PM +0100, Guido Günther wrote:
> On Thu, Nov 13, 2008 at 11:31:38AM +0100, Guido Günther wrote:
> > On Thu, Nov 06, 2008 at 09:40:12AM +0100, Guido Günther wrote:
> > > Dear release managers,
> > > Libvirt 0.4.6-4 fixes almost all of the bugs reported against 0.4.4
> > > currently in lenny:
> > > http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=libvirt;repeatmerged=0
> > > The differences between 0.4.4 and 0.4.6 are mostly bugfixes and minor
> > > improvements (at least in the drivers we currently build Xen, Kvm,
> > > Storage, Network):
> > > http://libvirt.org/news.html
> > > 0.4.5/0.4.6 got lots of testing in experimental and everybody reporting
> > > a bug against virtinst/virt-viewer/virt-manager/libvirt tried these
> > > version so I'm pretty confident this release is as solid as 0.4.4.
> > > The API is the unchanged so there is little chance for breackage.
> > >
> > > Should there be any problems we can easily pull back to 0.4.4 since
> > > there aren't many reverse dependencies and even less that arent
> > > maintained under pkg-libvirt. Can we have 0.6.4-4 in Lenny?
> > Any news on letting libvirt 0.4.6-4 into Lenny?
> Is there any chance to move 0.4.6-9 into Lenny? The changes can be
> browsed by commit here:
> The debdiff against the version in Lenny is attached. It looks larger
> than it is because the doc build got fixed to not include all the '.in'
> 0.4.4 currently has an (though easy to fix) RC bug, so if the changes
> for 0.4.6 are to intrusive please remove 0.4.4 from Lenny to get rid of
> this issue.
libvirt 0.4.4 in Lenny is susceptible to CVE-2008-5086 (#509106).
0.5.1-4 (experimental) and 0.4.6-10 (unstable) have this fixed.