Re: Status of some open security issues in Wheezy

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On Wed, 2012-12-12 at 19:21 +0100, Moritz Muehlenhoff wrote:
> I made a systematic trackdown of open security issues in Wheezy and would like
> to summarise some issues in this mail. Some security blocks might be lost in
> the backlog, it would be nice if someone go through this list:

Thanks for the list. Cherry-picking a little:

> icecast2 / CVE-2011-4612
> I prepared a tpu backport a month ago. Can I go ahead and upload?
> (691186)

Replied.

> weechat / CVE-2012-5534 / CVE-2012-5854
> There's a tpu request in #693702

Replied.

> cityhash / CVE-2012-6051
> Given the circumstances (694999) I think removal from Wheezy is the way to go
> forward.

Removal hint added.

> gimp / CVE-2012-5576
> Blocked by missing s390x build. I've contacted the buildd maints, but got 
> no reponse. Can anyone of you trigger a giveback?

dpkg-shlibdeps: error: dpkg-query --control-path libc6:s390x shlibs died
from signal 6

That doesn't look too healthy. :-/ Given back; let's see what happens.

> qt4-x11 / CVE-2012-4929
> The transition of the fix is blocked by the ia64 build failure. No idea where
> that is coming from?

It often happens, we generally end up with a pile of give-backs which
eventually work. The maintainers have raised it at
https://lists.debian.org/debian-ia64/2012/12/msg00008.html

Regards,

Adam