Re: Drop support for libqb?
On 14/11/2019 19:51, Roberto C. Sánchez wrote:
> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
>> On Thu, Nov 14, 2019 at 05:19:03PM +0000, Holger Levsen wrote:
>>> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
>>>>> We usually mark the affected CVE as <end-of-life> in data/CVE/list and just
>>>>> add the package to security-support-ended.deb8 in
>>>>> debian-security-support. We then upload new versions of the package
>>>>> periodically and announce it via DLA. I believe now is a good time to do it.
>>>> Thanks for the information. I will start working on it today.
>>> As any DD can commit to debian-security-support.git and also can upload
>>> that package, just make sure to call it a team upload in d/changelog to
>>> appease lintian and possibly other tools.
>> I had not yet seen this message so I already submitted a MR. Should I
>> close that and make a direct commit?
>>> And then it would be ideal to upload the package to unstable and then
>>> file a SRM bug to update the package in stretch, in addition to
>>> uploading to jessie. (Probably this should also result in a DLA, not
>>> 100% sure though. Thoughts & comments definitely welcome.)
>> Looking at the previous updates, a DLA seems appropriate. I am in the
>> process of drafting the text.
>>> I believe it's fine if the version constraints (package version in
>>> unstable higher than testing higher than stable higher than oldstable)
>>> are temporarily not met, but I also believe it's important that they are
>>> in the long run & most of the time.
>>> If doing all this work is too much or tedious to you, please shout and I
>>> will be happy to finish this. Please just do at least the initial
>>> change in git to security-support-ended.deb8.
>> If I close the MR and commit directly, is it then a simple matter of
>> build and upload to unstable? That is, no other special steps are
> Some additional follow-up:
> - Can I go ahead and mark the CVE in question as <end-of-life> in
> data/CVE/list even before the update to debian-security-support is
Yeah that should be alright.
> - Any feedback on this proposed DLA text?
> Package : debian-security-support
> Version : 2019.11.15~deb8u1
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
> This marks the end of life of the libqb package in jessie. A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie. Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.
> We recommend that if your systems or applications depend upon the libqb
> package provided from the Debian archive that you upgrade your systems
> to a more recent Debian release or find an alternate and up to date
> source of libqb packages.
Looks fine to me. I have also noticed that we didn't get a
debian-security-support update for the mysql-5.5 EOL, so if you can add a
paragraph about it in the announcement (the changes to debian-security-support
were already there) that'd be great. Something such as:
In addition to that, MySQL 5.5 is no longer supported as upstream ended its
support and we are unable to backport fixes from newer versions due to the lack
of patch details. Options are to switch to MariaDB 10.0 in jessie or to a newer
version in more recent Debian releases.