Re: working for wheezy-security until wheezy-lts starts
On 2016-03-21 19:16:24, Brian May wrote:
> Brian May <email@example.com> writes:
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>> Will have a look at this now.
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this, if not might be a good
I am not aware of any such tool. How did you do the following comparison
- by hand?
> Not fixed in backported Ubuntu precise version 188.8.131.52-0ubuntu0.12.04.10:
> - CVE-2014-5146 (marked No DSA)
> - CVE-2014-5149 (marked No DSA)
> - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
> through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
> - CVE-2014-8341 (marked No DSA)
2014-8104 is probably a typo, as it concerns OpenVPN according to the
security tracker. You probably mean CVE-2015-8104...
I'll look at what that one implies specifically.
> Fixed in backported Ubuntu precise version 184.108.40.206-0ubuntu0.12.04.10:
> - CVE-2015-2152 / XSA-119
> - CVE-2015-2752 / XSA-125
> - CVE-2015-2756 / XSA-126
> - CVE-2015-3259 / XSA-137
> - CVE-2015-5165 / XSA-140
> - CVE-2015-5307 / XSA-156
> - CVE-2015-7504 / XSA-162 (not in Debian security tracker)
> - CVE-2015-7969 / XSA-149
> - CVE-2015-7970 / XSA-150
> - CVE-2015-7971 / XSA-152
> - CVE-2015-7972 / XSA-153
> - CVE-2015-8339, CVE-2015-8340 / XSA-159
> - CVE-2015-8550 / XSA-155
> - CVE-2015-8554 / XSA-164
> - CVE-2015-8555 / XSA-165
> - TEMP-0000000-CE3B44 / XSA-166
> - CVE-2016-1570 / XSA-167
> - CVE-2016-1571 / XSA-168
> - CVE-2016-2270 / XSA-154
> - CVE-2016-2271 / XSA-170
That is an impressive list, and it does seem like we should merge our
efforts with Ubuntu here!
I was thinking that maybe there should be an announcement of the release
switch, but looking at the release notes of 4.1.5 and 4.1.6, it seems
just logical to follow those directly:
... only bugfixes and CVEs there.
I've got to design so you can put it together out of garbage cans. In
part because that's what I started from, but mostly because I don’t
trust the industrial structure—they might decide to suppress us
weirdos and try to deny us the parts we need.
- Lee Felsenstein