Re: Please unblock libvirt 0.4.6-9
Guido Günther wrote:
> On Fri, Dec 12, 2008 at 11:49:56PM +0100, Guido Günther wrote:
>> On Thu, Nov 13, 2008 at 11:31:38AM +0100, Guido Günther wrote:
>>> On Thu, Nov 06, 2008 at 09:40:12AM +0100, Guido Günther wrote:
>>>> Dear release managers,
>>>> Libvirt 0.4.6-4 fixes almost all of the bugs reported against 0.4.4
>>>> currently in lenny:
>>>> The differences between 0.4.4 and 0.4.6 are mostly bugfixes and minor
>>>> improvements (at least in the drivers we currently build Xen, Kvm,
>>>> Storage, Network):
>>>> 0.4.5/0.4.6 got lots of testing in experimental and everybody reporting
>>>> a bug against virtinst/virt-viewer/virt-manager/libvirt tried these
>>>> versions, so I'm pretty confident this release is as solid as 0.4.4.
>>>> The API is unchanged so there is little chance for breakage.
>>>> Should there be any problems we can easily pull back to 0.4.4 since
>>>> there aren't many reverse dependencies and even fewer that aren't
>>>> maintained under pkg-libvirt. Can we have 0.6.4-4 in Lenny?
>>> Any news on letting libvirt 0.4.6-4 into Lenny?
>> Is there any chance to move 0.4.6-9 into Lenny? The changes can be
>> browsed by commit here:
>> The debdiff against the version in Lenny is attached. It looks larger
>> than it is because the doc build got fixed to not include all the '.in'
>> 0.4.4 currently has an (though easy to fix) RC bug, so if the changes
>> for 0.4.6 are too intrusive please remove 0.4.4 from Lenny to get rid of
>> this issue.
> libvirt 0.4.4 in Lenny is susceptible to CVE-2008-5086 (#509106).
> 0.5.1-4 (experimental) and 0.4.6-10 (unstable) have this fixed.
585 files changed, 262442 insertions(+), 186066 deletions(-)
So including the one in unstable is probably not going to happen.
Removing 0.4.4 because you're too lame to fix an easy RC bug is also not
an option to me... so feel free to propose a tpu upload that would fix
the RC bug as well as this security issue.