
Bug#827397: RFS: vlc/2.0.3-5+deb7u3
Hi Adam,
(answering in general, not in this particular situation)
>I've reviewed the upload, but I'm not sure if you coordinated it
>with the LTS team.  I find a contradiction:
>  https://lists.debian.org/debian-lts/2016/06/msg00031.html
>says vlc is no longer supported in wheezy, yet in
>  https://lists.debian.org/debian-lts/2016/06/msg00035.html
>the quoted mail sounds as if the upload is expected.
>
>Should I proceed?


I guess not

>As I haven't ever made a security upload before, mine nor sponsored, let me
>recap: I make a source-only upload targeted at wheezy-security to
>security-master, right?
>

>Tested on amd64, the patch indeed fixes the exploit posted in the CVE.

In general, for the security pocket, you need to do:
- check/test the patch
- wait for an ack from the security team
- upload (binary upload, not sure if source-only is allowed, but I think not IIRC) on security-master
e.g.

"dput security-master virtualbox_4.3.36-dfsg-1+deb8u1_amd64.changes"

you can see the accept email here
https://packages.qa.debian.org/v/virtualbox/news/20160129T103406Z.html

but I never pushed (and I think they really don't like it) without having an explicit ack
from the security team (and it should even be mentioned in the security policy)

BTW according to the security tracker wheezy is EOL for that CVE, no DSA has been released, so I guess you won't
have the ack
https://security-tracker.debian.org/tracker/CVE-2016-5108

(well, since there is a patch and an upload ready they might give an exception, but I think
asking before is the right way to deal with this bug)

(as usual, not authoritative at all, I just did some CVE/virtualbox uploads in jessie, wheezy, squeeze-lts some time ago)


G.
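The mail above lists the steps for a security-pocket upload and gives a `dput security-master ...changes` example. As an added illustration that is not part of the mail or of any Debian tooling, the script below performs the two mechanical pre-upload checks implied by that list: that the `.changes` file targets the expected security distribution, and that it is a binary upload (at least one `.deb` under `Files:`) rather than source-only. The `.changes` content it creates is constructed for this example; the package name, version and checksums are placeholders, not a real VLC or VirtualBox upload, and `check_changes` is an assumed helper name.

```shell
#!/bin/sh
# Added example, not from the original mail. Sanity-check a .changes file
# before running "dput security-master <file>.changes".

# check_changes FILE DIST
#   returns 0 when FILE's Distribution equals DIST and at least one .deb is
#   listed under Files:, otherwise prints the reason to stderr and returns 1.
check_changes() {
    changes="$1"
    want_dist="$2"

    # First Distribution: header in the file (the control part of a .changes)
    dist=$(sed -n 's/^Distribution: *//p' "$changes" | head -n 1)
    if [ "$dist" != "$want_dist" ]; then
        echo "Distribution is '$dist', expected '$want_dist'" >&2
        return 1
    fi

    # Everything from the Files: header onwards; a binary upload lists a .deb.
    if ! sed -n '/^Files:/,$p' "$changes" | grep -q '\.deb$'; then
        echo "no .deb listed under Files: (source-only upload)" >&2
        return 1
    fi
    return 0
}

# Constructed sample (placeholder package, version and md5sums): a binary
# upload aimed at the security pocket.
make_binary_sample() {
    cat > "$1" <<'EOF'
Format: 1.8
Source: example
Binary: example
Version: 1.0-1+deb7u1
Distribution: wheezy-security
Files:
 d41d8cd98f00b204e9800998ecf8427e 1000 video optional example_1.0-1+deb7u1.dsc
 d41d8cd98f00b204e9800998ecf8427e 2000 video optional example_1.0-1+deb7u1_amd64.deb
EOF
}

# Constructed sample: same upload without any binary package.
make_source_only_sample() {
    cat > "$1" <<'EOF'
Format: 1.8
Source: example
Version: 1.0-1+deb7u1
Distribution: wheezy-security
Files:
 d41d8cd98f00b204e9800998ecf8427e 1000 video optional example_1.0-1+deb7u1.dsc
EOF
}

# Stand-alone demo: build the binary sample and check it.
demo_dir=$(mktemp -d)
make_binary_sample "$demo_dir/example_1.0-1+deb7u1_amd64.changes"
if check_changes "$demo_dir/example_1.0-1+deb7u1_amd64.changes" wheezy-security; then
    echo "ok: ready for dput security-master"
fi
```

The `Distribution:` check catches the common mistake of leaving `unstable` or `wheezy` in `debian/changelog`, and the `.deb` check reflects the mail's understanding that security-master expects binary uploads; neither replaces waiting for the security team's ack, which the script cannot verify.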