Hello,

I didn't get any response to my email to backports-team@debian.org. If this were just a normal package update I'd be a _lot_ more patient, but this is security-related (especially CVE-2015-1331 might really hurt) and I'd very much like to get the fixed package into wheezy-backports as soon as possible, hence I'm resending this email here.

I would really appreciate it if somebody could sponsor this upload.

Thanks!

Regards,
Christian

-------- Forwarded Message --------
Subject: wheezy-backports: lxc security update: looking for sponsor + BSA requested
Date: Sun, 26 Jul 2015 00:47:32 +0200
From: Christian Seiler <christian@iwakd.de>
To: backports-team@debian.org

Hello,

(I'm sending this only to backports-team because it's security-related, otherwise I'd have used the backports list. If this is wrong, I apologize and please tell me what to do in the future in similar cases.)

I'm maintaining the backported version of LXC in wheezy-backports, and there was a recent security update for LXC in jessie.

DSA:  https://www.debian.org/security/2015/dsa-3317
CVEs: https://security-tracker.debian.org/tracker/CVE-2015-1331
      https://security-tracker.debian.org/tracker/CVE-2015-1334

I've backported it and uploaded the package to mentors.debian.net:
http://mentors.debian.net/debian/pool/main/l/lxc/lxc_1.0.6-6+deb8u1~bpo70+1.dsc

I've successfully built this in a clean wheezy VM and did some very simple functionality tests.

It would be great if someone could sponsor this upload, and there's also the need for a BSA (my guess is that since I'm not a DD, the sponsor will have to send the mail to debian-backports-announce@).

I've pre-written the announcement email (feel free to change anything you need to; I've copied the vulnerability descriptions from the DSA):

------------------------------------------------------------------------
Subject: [BSA-XXX] Security Update for lxc

<Uploader> uploaded new packages for lxc which fixed the following security problems:

CVE-2015-1331

    Roman Fiedler discovered a directory traversal flaw in LXC when creating
    lock files. A local attacker could exploit this flaw to create an
    arbitrary file as the root user.

CVE-2015-1334

    Roman Fiedler discovered that LXC incorrectly trusted the container's
    proc filesystem to set up AppArmor profile changes and SELinux domain
    transitions. A malicious container could create a fake proc filesystem
    and use this flaw to run programs inside the container that are not
    confined by AppArmor or SELinux.

For the wheezy-backports distribution the problems have been fixed in version 1.0.6-6+deb8u1~bpo70+1.
------------------------------------------------------------------------

Thanks!

Regards,
Christian