Hi, On Wed, Jul 29, 2015 at 08:21:53PM +0200, Christian Seiler wrote: > Hello, > > I didn't get any response to my email to firstname.lastname@example.org. If > this were just a normal package update I'd be a _lot_ more patient, > but this is security-related (especially CVE-2015-1331 might really > hurt) and I'd very much like to get the fixed package into > wheezy-backports as soon as possible, hence I'm resending this email > here. > > I would really appreciate it if somebody could sponsor this upload. I can sponsor your upload, but looking at the debdiff wrt the existing package in wheezy-backports the changelog seems a little messed up: diff -Nru lxc-1.0.6/debian/changelog lxc-1.0.6/debian/changelog --- lxc-1.0.6/debian/changelog 2015-05-19 03:39:38.000000000 -0300 +++ lxc-1.0.6/debian/changelog 2015-07-25 18:57:08.000000000 -0300 @@ -1,14 +1,22 @@ -lxc (1:1.0.6-6~bpo70+2) wheezy-backports; urgency=medium +lxc (1:1.0.6-6+deb8u1~bpo70+1) wheezy-backports; urgency=high - * Fix FTBFS on ia64 + * Rebuild for wheezy-backports. + * Fix FTBFS on ia64. - -- Christian Seiler <email@example.com> Tue, 19 May 2015 08:38:44 +0200 + -- Christian Seiler <firstname.lastname@example.org> Sat, 25 Jul 2015 23:56:21 +0200 -lxc (1:1.0.6-6~bpo70+1) wheezy-backports; urgency=medium +lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high - * Rebuild for wheezy-backports (no changes). + * Non-maintainer upload by the Security Team. + * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch. + CVE-2015-1331: Directory traversal flaw that allows arbitrary file + creation as the root user. (Closes: #793298) + * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch. + CVE-2015-1334: Processes intended to be run inside of confined LXC + containers could escape their AppArmor or SELinux confinement. + (Closes: #793298) - -- Christian Seiler <email@example.com> Sun, 03 May 2015 20:38:41 +0200 + -- Salvatore Bonaccorso <firstname.lastname@example.org> Wed, 22 Jul 2015 18:12:27 +0200 lxc (1:1.0.6-6) unstable; urgency=low I would expect the changelog to retain all previous entries that went in the backports for a given suite and _add_ the ones since them.
Description: Digital signature