
Re: squeeze update of virtualbox-ose?



Hello Ben,

While I won't have the time to take this up, the other VBox maintainer,
Gianfranco (CCed), may have some time in the coming weeks to help out.

But meanwhile, we have other issues with VBox. Oracle is not prompt in
disclosing fixes for the vulnerabilities.

Take https://security-tracker.debian.org/tracker/CVE-2015-2594 as an
example.

The only fixed version is 4.3.30, because we don't have the patches for
older versions. We are still waiting on Oracle to provide the necessary
details.


On Friday 17 July 2015 12:10 AM, Ben Hutchings wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of virtualbox-ose:
> https://security-tracker.debian.org/tracker/CVE-2012-3221
> https://security-tracker.debian.org/tracker/CVE-2013-3792
> https://security-tracker.debian.org/tracker/CVE-2013-5892
> https://security-tracker.debian.org/tracker/CVE-2014-0404
> https://security-tracker.debian.org/tracker/CVE-2014-0406
> https://security-tracker.debian.org/tracker/CVE-2014-0407
> https://security-tracker.debian.org/tracker/CVE-2014-0981
> https://security-tracker.debian.org/tracker/CVE-2014-0983
> https://security-tracker.debian.org/tracker/CVE-2014-2486
> https://security-tracker.debian.org/tracker/CVE-2014-2488
> https://security-tracker.debian.org/tracker/CVE-2014-2489
> https://security-tracker.debian.org/tracker/CVE-2015-2594
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
>
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Ben Hutchings,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
>


-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System


Attachment: signature.asc
Description: OpenPGP digital signature

