
working for wheezy-security until wheezy-lts starts



Hi all,

as of today, the Debian squeeze LTS support will cease and squeeze will finally enter the archived archives of Debian.

.oO( /me gets out his handkerchief ...)

As (paid) LTS contributor you may wonder what to do next, esp. until the official Debian wheezy LTS support period starts on 26th April 2016. At least I did wonder about that, today...

One thing we can do, I guess, is help out the Debian Security Team with package updates in Debian wheezy.

For this, we can run bin/lts-needs-forward-port.py from the secure-testing repo and see what issues we fixed in squeeze and port those fixes to the package version in wheezy-security. Package updates must be coordinated with the Debian Security Team, not within the LTS team, though:

  * prepare a fixed package
  * test the package
  * send a .debdiff to team@security.debian.org
  * wait for feedback and ideally permission to upload to wheezy-security

(Is the above correct? Please elaborate if not.)

Currently, we have these candidates of potentially easy-to-fix-in-wheezy packages:

"""
Issues that are unfixed in wheezy but fixed in squeeze:
* aptdaemon            -> CVE-2015-1323
* cakephp              -> TEMP-0000000-698CF7
* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* eglibc               -> CVE-2014-9761
* extplorer            -> CVE-2015-0896
* fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
* gosa                 -> CVE-2014-9760 CVE-2015-8771
* gtk+2.0              -> CVE-2013-7447
* icu                  -> CVE-2015-2632
* imagemagick          -> TEMP-0773834-5EB6CF
* imlib2               -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
* inspircd             -> CVE-2015-8702
* libebml              -> CVE-2015-8790 CVE-2015-8791
* libidn               -> CVE-2015-2059 TEMP-0000000-54045E
* libmatroska          -> CVE-2015-8792
* libsndfile           -> CVE-2014-9756 CVE-2015-7805
* libstruts1.2-java    -> CVE-2015-0899
* libtorrent-rasterbar -> CVE-2015-5685
* mono                 -> CVE-2009-0689
* nss                  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
* optipng              -> CVE-2015-7801
* phpmyadmin           -> CVE-2016-2039 CVE-2016-2041
* pixman               -> CVE-2014-9766
* python-tornado       -> CVE-2014-9720
* roundcube            -> CVE-2015-8770
* srtp                 -> CVE-2015-6360
* tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Issues that are no-dsa in wheezy but fixed in squeeze:
* augeas               -> CVE-2012-0786 CVE-2012-0787
* binutils             -> TEMP-0000000-A2945B
* busybox              -> TEMP-0803097-A74121
* chrony               -> CVE-2016-1567
* dbconfig-common      -> TEMP-0805638-5AC56F
* dwarfutils           -> CVE-2015-8750
* foomatic-filters     -> TEMP-0000000-ACBC4C
* imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
* libemail-address-perl -> TEMP-0000000-F41FA7
* libfcgi-perl         -> CVE-2012-6687
* librsvg              -> CVE-2015-7557
* libsndfile           -> CVE-2014-9496
* libunwind            -> CVE-2015-3239
* openslp-dfsg         -> CVE-2012-4428
* openssh              -> CVE-2015-5352 CVE-2015-5600
* php5                 -> CVE-2011-0420 CVE-2011-1657
* postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 CVE-2015-5288
* python-scipy         -> CVE-2013-4251
* python2.6            -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
* qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 CVE-2015-1860
* remind               -> CVE-2015-5957
* ruby1.8              -> CVE-2009-5147
* ruby1.9.1            -> CVE-2009-5147
* t1utils              -> CVE-2015-3905
* texlive-extra        -> CVE-2012-2120
* tomcat6              -> CVE-2013-4590
* vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 CVE-2015-6749
"""

I am posting this CVE/package list here on purpose, because the script mentioned above may stop working once the squeeze section of the Debian package repo has been moved to archive.debian.org.

Furthermore, it seems we need to modify some bits and pieces in the secure-testing repo to get our workflow up and running for Debian wheezy LTS. Is anyone already working on that? What is the current status?

Has there already been a discussion that I am not aware of about how the LTS team can work on wheezy-security updates in a coordinated fashion until the 26th of April? If there has not been a discussion yet, we should sort this out during this week. My proposal would be to prepare the Debian wheezy LTS workflow in the secure-testing SVN repo, so that our upcoming workflow can be very similar to what we are used to. For the interim phase until the 26th of April 2016, however, we need to run a modified approach.


Request for feedback and comments... (I have some concrete proposals in mind, but I first want to check whether these issues have already been solved.)

light+love
Mike




--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
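The report format the script prints, parsed into a per-package map so the two lists above can be triaged mechanically (an added example, not the mail's or the secure-testing repo's own code; the section headings and the CVE/TEMP id patterns are assumed from the lines quoted in the mail):

```python
# Added example (not from the mail or the secure-testing repo): parse the
# lts-needs-forward-port style report quoted above and separate CVE ids
# from the tracker's TEMP-* ids (formats assumed from the lines shown).
import re
from collections import defaultdict
# Constructed sample in the same shape as the quoted report.
SAMPLE = """\
Issues that are unfixed in wheezy but fixed in squeeze:
* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* libidn               -> CVE-2015-2059 TEMP-0000000-54045E

Issues that are no-dsa in wheezy but fixed in squeeze:
* busybox              -> TEMP-0803097-A74121
* openssh              -> CVE-2015-5352 CVE-2015-5600
"""
SECTION_RE = re.compile(r"^Issues that are (?P<state>[\w-]+) in wheezy but fixed in squeeze:$")
ENTRY_RE = re.compile(r"^\*\s+(?P<pkg>\S+)\s+->\s+(?P<ids>.+)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_report(text):
    """Return {state: {package: [ids, ...]}} for the report text."""
    report = defaultdict(dict)
    state = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            state = m.group("state")  # "unfixed" or "no-dsa"
            continue
        m = ENTRY_RE.match(line)
        if m and state:
            report[state][m.group("pkg")] = m.group("ids").split()
    return dict(report)

def split_ids(ids):
    """Separate CVE ids from tracker-internal TEMP ids (no CVE yet)."""
    cves = [i for i in ids if CVE_RE.match(i)]
    temps = [i for i in ids if i.startswith("TEMP-")]
    return cves, temps
def summarize(text):
    """Per state: package count plus total CVE and TEMP id counts."""
    out = {}
    for state, pkgs in parse_report(text).items():
        cves = sum(len(split_ids(ids)[0]) for ids in pkgs.values())
        temps = sum(len(split_ids(ids)[1]) for ids in pkgs.values())
        out[state] = {"packages": len(pkgs), "cves": cves, "temp": temps}
    return out
```

Feeding it the full list from the mail (between the `"""` markers) gives the per-package map for the unfixed and no-dsa sections separately, which is the split that decides whether a debdiff for wheezy-security is worth preparing.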
