
Re: working for wheezy-security until wheezy-lts starts



Hi Guido,

On Mon, 29 Feb 2016 21:54:11 CET, Guido Günther wrote:

  * prepare a fixed package
  * test the package
  * send a .debdiff to team@security.debian.org
  * wait for feedback and ideally permission to upload to wheezy-security

That's what I'm doing at the moment (sending the debdiff to the bug
report in case there is one as well) for issues that are unfixed (not
no-dsa, see below).

Ok.


[..snip..]

Issues that are unfixed in wheezy but fixed in squeeze:
* aptdaemon            -> CVE-2015-1323
* cakephp              -> TEMP-0000000-698CF7
* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* eglibc               -> CVE-2014-9761
* extplorer            -> CVE-2015-0896
* fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
* gosa                 -> CVE-2014-9760 CVE-2015-8771
* gtk+2.0              -> CVE-2013-7447
* icu                  -> CVE-2015-2632
* imagemagick          -> TEMP-0773834-5EB6CF
* imlib2               -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
* inspircd             -> CVE-2015-8702
* libebml              -> CVE-2015-8790 CVE-2015-8791
* libidn               -> CVE-2015-2059 TEMP-0000000-54045E
* libmatroska          -> CVE-2015-8792
* libsndfile           -> CVE-2014-9756 CVE-2015-7805
* libstruts1.2-java    -> CVE-2015-0899
* libtorrent-rasterbar -> CVE-2015-5685
* mono                 -> CVE-2009-0689
* nss                  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
* optipng              -> CVE-2015-7801
* phpmyadmin           -> CVE-2016-2039 CVE-2016-2041
* pixman               -> CVE-2014-9766
* python-tornado       -> CVE-2014-9720
* roundcube            -> CVE-2015-8770
* srtp                 -> CVE-2015-6360
* tomcat6              -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

I'm focusing on these, picking older ones over newer ones, to not stomp
onto the security team's toes.

Do you announce anywhere that you will start working on a specific package? Wouldn't it make sense to put all the packages listed below into data/dsa-needed.txt (with approval from the Security Team) and then put our names behind those package names?

@Security Team: Please guide the LTS contributors to a good way of supporting you. Would it make sense to add the above packages to data/dsa-needed.txt so that LTS contributors can then grab packages from the dsa-needed.txt file and work on fixing the listed issues?


Issues that are no-dsa in wheezy but fixed in squeeze:
* augeas               -> CVE-2012-0786 CVE-2012-0787
* binutils             -> TEMP-0000000-A2945B
* busybox              -> TEMP-0803097-A74121
* chrony               -> CVE-2016-1567
* dbconfig-common      -> TEMP-0805638-5AC56F
* dwarfutils           -> CVE-2015-8750
* foomatic-filters     -> TEMP-0000000-ACBC4C
* imagemagick          -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
* libemail-address-perl -> TEMP-0000000-F41FA7
* libfcgi-perl         -> CVE-2012-6687
* librsvg              -> CVE-2015-7557
* libsndfile           -> CVE-2014-9496
* libunwind            -> CVE-2015-3239
* openslp-dfsg         -> CVE-2012-4428
* openssh              -> CVE-2015-5352 CVE-2015-5600
* php5                 -> CVE-2011-0420 CVE-2011-1657
* postgresql-8.4       -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
CVE-2015-5288
* python-scipy         -> CVE-2013-4251
* python2.6            -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
* qt4-x11              -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
CVE-2015-1860
* remind               -> CVE-2015-5957
* ruby1.8              -> CVE-2009-5147
* ruby1.9.1            -> CVE-2009-5147
* t1utils              -> CVE-2015-3905
* texlive-extra        -> CVE-2012-2120
* tomcat6              -> CVE-2013-4590
* vorbis-tools         -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
CVE-2015-6749
"""

I think these would be addressed via stable point release updates in
wheezy/jessie rather than going via the security team.

Yeah, if at all. I just listed them for completeness' sake.

Mike

--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
