On Di 01 Mär 2016 08:44:08 CET, Guido Günther wrote:
On Tue, Mar 01, 2016 at 07:15:28AM +0000, Mike Gabriel wrote: [..snip..]>>Issues that are unfixed in wheezy but fixed in squeeze: >>* aptdaemon -> CVE-2015-1323 >>* cakephp -> TEMP-0000000-698CF7 >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700 >>* eglibc -> CVE-2014-9761 >>* extplorer -> CVE-2015-0896 >>* fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E >>* gosa -> CVE-2014-9760 CVE-2015-8771 >>* gtk+2.0 -> CVE-2013-7447 >>* icu -> CVE-2015-2632 >>* imagemagick -> TEMP-0773834-5EB6CF >>* imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764 >>* inspircd -> CVE-2015-8702 >>* libebml -> CVE-2015-8790 CVE-2015-8791 >>* libidn -> CVE-2015-2059 TEMP-0000000-54045E >>* libmatroska -> CVE-2015-8792 >>* libsndfile -> CVE-2014-9756 CVE-2015-7805 >>* libstruts1.2-java -> CVE-2015-0899 >>* libtorrent-rasterbar -> CVE-2015-5685 >>* mono -> CVE-2009-0689 >>* nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938 >>* optipng -> CVE-2015-7801 >>* phpmyadmin -> CVE-2016-2039 CVE-2016-2041 >>* pixman -> CVE-2014-9766 >>* python-tornado -> CVE-2014-9720 >>* roundcube -> CVE-2015-8770 >>* srtp -> CVE-2015-6360 >>* tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 >>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 >>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 >>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 > >I'm focusing on these picking older ones over newer ones to not stomp >onto the security teams toes. Do you announce anywhere, that you will start working on a specific package? Wouldn't it make sense to put all the packages listed below into data/dsa-needed.txt (with approval from the Security Team) and then put our names behind those package names?In order to avoid double work I added these to dsa-needed.txt and put my name on the line. Cheers, -- Guido
Ack.@Security Team: Shall we (LTS contributors) handle wheezy-security updates like described below until Debian wheezy LTS comes into play?
o Pick a package that has open CVE issues in wheezy, e.g. from above list o Add the package to data/dsa-needed.txt, if not already there: - packages with issues to be solved in wheezy only, should be suffixed with "/oldstable" (i.e., gosa/oldstable) - packages with issues in jessie and wheezy, should probably just be added by the package name (without suffix), right?From then on, the workflow can be the same workflow as used for normal security updates (as already described earlier in this thread):
o Fix the issue in the package (grab the current package from oldstable's archive).
o Test your fixes. o Provide a .debdiff to firstname.lastname@example.org and to the Debian bug, if any related bug exists. o Wait for feedback from the release team on how to proceed. o As a courtesy, you could check the same package in jessie and see if the fix for oldstable is easily forward-portable. Thus, maybe providing a jessie-security .debdiff for the package can be an option.The removal of the entry placed into data/dsa-needed.txt should then be handled by the Security Team, once the fixed package version has been uploaded.
More Feedback? Mike -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: email@example.com, http://sunweavers.net
Description: Digitale PGP-Signatur