[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: working for wheezy-security until wheezy-lts starts

On  Di 01 Mär 2016 08:44:08 CET, Guido Günther wrote:

On Tue, Mar 01, 2016 at 07:15:28AM +0000, Mike Gabriel wrote:
>>Issues that are unfixed in wheezy but fixed in squeeze:
>>* aptdaemon            -> CVE-2015-1323
>>* cakephp              -> TEMP-0000000-698CF7
>>* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
>>* eglibc               -> CVE-2014-9761
>>* extplorer            -> CVE-2015-0896
>>* fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
>>* gosa                 -> CVE-2014-9760 CVE-2015-8771
>>* gtk+2.0              -> CVE-2013-7447
>>* icu                  -> CVE-2015-2632
>>* imagemagick          -> TEMP-0773834-5EB6CF
>>* imlib2               -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
>>* inspircd             -> CVE-2015-8702
>>* libebml              -> CVE-2015-8790 CVE-2015-8791
>>* libidn               -> CVE-2015-2059 TEMP-0000000-54045E
>>* libmatroska          -> CVE-2015-8792
>>* libsndfile           -> CVE-2014-9756 CVE-2015-7805
>>* libstruts1.2-java    -> CVE-2015-0899
>>* libtorrent-rasterbar -> CVE-2015-5685
>>* mono                 -> CVE-2009-0689
>>* nss                  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
>>* optipng              -> CVE-2015-7801
>>* phpmyadmin           -> CVE-2016-2039 CVE-2016-2041
>>* pixman               -> CVE-2014-9766
>>* python-tornado       -> CVE-2014-9720
>>* roundcube            -> CVE-2015-8770
>>* srtp                 -> CVE-2015-6360
>>* tomcat6              -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
>>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
>>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
>>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
>I'm focusing on these picking older ones over newer ones to not stomp
>onto the security teams toes.

Do you announce anywhere, that you will start working on a specific package?
Wouldn't it make sense to put all the packages listed below into
data/dsa-needed.txt (with approval from the Security Team) and then put our
names behind those package names?

In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

 -- Guido


@Security Team: Shall we (LTS contributors) handle wheezy-security updates like described below until Debian wheezy LTS comes into play?

  o Pick a package that has open CVE issues in wheezy, e.g. from above list
  o Add the package to data/dsa-needed.txt, if not already there:
    - packages with issues to be solved in wheezy only, should be suffixed
      with "/oldstable" (i.e., gosa/oldstable)
    - packages with issues in jessie and wheezy, should probably just be added
      by the package name (without suffix), right?

From then on, the workflow can be the same workflow as used for normal security updates (as already described earlier in this thread):

o Fix the issue in the package (grab the current package from oldstable's archive).
  o Test your fixes.
  o Provide a .debdiff to team@security.debian.org and to the Debian bug,
    if any related bug exists.
  o Wait for feedback from the release team on how to proceed.
  o As a courtesy, you could check the same package in jessie and see if
    the fix for oldstable is easily forward-portable. Thus, maybe providing a
    jessie-security .debdiff for the package can be an option.

The removal of the entry placed into data/dsa-needed.txt should then be handled by the Security Team, once the fixed package version has been uploaded.

More Feedback?

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgp8XJyUUztms.pgp
Description: Digitale PGP-Signatur

Reply to: