
Re: Fwd: wheezy-backports: lxc security update: looking for sponsor + BSA requested



Hi,

On Wed, Jul 29, 2015 at 08:21:53PM +0200, Christian Seiler wrote:
> Hello,
> 
> I didn't get any response to my email to backports-team@debian.org. If
> this were just a normal package update I'd be a _lot_ more patient,
> but this is security-related (especially CVE-2015-1331 might really
> hurt) and I'd very much like to get the fixed package into
> wheezy-backports as soon as possible, hence I'm resending this email
> here.
> 
> I would really appreciate it if somebody could sponsor this upload.

I can sponsor your upload, but looking at the debdiff wrt the existing
package in wheezy-backports the changelog seems a little messed up:

diff -Nru lxc-1.0.6/debian/changelog lxc-1.0.6/debian/changelog
--- lxc-1.0.6/debian/changelog	2015-05-19 03:39:38.000000000 -0300
+++ lxc-1.0.6/debian/changelog	2015-07-25 18:57:08.000000000 -0300
@@ -1,14 +1,22 @@
-lxc (1:1.0.6-6~bpo70+2) wheezy-backports; urgency=medium
+lxc (1:1.0.6-6+deb8u1~bpo70+1) wheezy-backports; urgency=high
 
-  * Fix FTBFS on ia64
+  * Rebuild for wheezy-backports.
+  * Fix FTBFS on ia64.
 
- -- Christian Seiler <christian@iwakd.de>  Tue, 19 May 2015 08:38:44 +0200
+ -- Christian Seiler <christian@iwakd.de>  Sat, 25 Jul 2015 23:56:21 +0200
 
-lxc (1:1.0.6-6~bpo70+1) wheezy-backports; urgency=medium
+lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high
 
-  * Rebuild for wheezy-backports (no changes).
+  * Non-maintainer upload by the Security Team.
+  * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch.
+    CVE-2015-1331: Directory traversal flaw that allows arbitrary file
+    creation as the root user. (Closes: #793298)
+  * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch.
+    CVE-2015-1334: Processes intended to be run inside of confined LXC
+    containers could escape their AppArmor or SELinux confinement.
+    (Closes: #793298)
 
- -- Christian Seiler <christian@iwakd.de>  Sun, 03 May 2015 20:38:41 +0200
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 22 Jul 2015 18:12:27 +0200
 
 lxc (1:1.0.6-6) unstable; urgency=low
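Review bot: this hunk drops the two earlier wheezy-backports stanzas (1:1.0.6-6~bpo70+2 and 1:1.0.6-6~bpo70+1) instead of keeping them, and the new top stanza re-lists "Fix FTBFS on ia64." even though that change already shipped in ~bpo70+2. The usual layout is to leave the old backport entries in place above the 1:1.0.6-6 unstable stanza, insert the 1:1.0.6-6+deb8u1 jessie-security entry (keeping its CVE-2015-1331 and CVE-2015-1334 lines and the Closes: #793298 reference verbatim, since that is what anyone auditing the backport will look for) and put the 1:1.0.6-6+deb8u1~bpo70+1 entry on top with just "Rebuild for wheezy-backports." so the changelog shows the full history of the suite.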
 
I would expect the changelog to retain all previous entries that went in
the backports for a given suite and _add_ the ones since then.
