Bug#725968: pu: package libvirt/0.9.12.2-1

To: Guido Günther <agx@sigxcpu.org>, 725968@bugs.debian.org
Cc: security@debian.org
Subject: Bug#725968: pu: package libvirt/0.9.12.2-1
From: Michael Biebl <biebl@debian.org>
Date: Tue, 15 Oct 2013 18:52:57 +0200
Message-id: <[🔎] 525D72E9.9050803@debian.org>
Reply-to: Michael Biebl <biebl@debian.org>, 725968@bugs.debian.org
In-reply-to: <[🔎] 20131010152245.GA816@bogon.sigxcpu.org>
References: <[🔎] 20131010130512.GA30902@bogon.sigxcpu.org> <[🔎] 20131010133833.GC3512@mraw.org> <[🔎] 20131010152245.GA816@bogon.sigxcpu.org>

Hi,

Am 10.10.2013 17:22, schrieb Guido Günther:
> On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> [..snip..] 
>> For the record, we tend to prefer having debdiff (or at least debian
>> changelogs) posted to the BTS. Right now I have absolutely no idea which
>> bugs you're trying to get fixed, and whether fixes landed in testing or
>> unstable.
> 
> libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
> 
>   * [77a7135] Adjust gbp.conf for Wheezy point releases
>   * [b457e3f] New upstream version 0.9.12.1
>   * [ae6e265] New upstream version 0.9.12.2
>   * [2d07b5c] Drop patches fixed upstream.
>         Include-stdint.h-for-uint32_t.patch
>         Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
>         fix-leak-virStorageBackendLogicalMakeVol.patch
>         qemu-Add-support-for-no-user-config.patch
>         qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
>         rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
>         security/CVE-2012-3445.patch
>         security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
>         security/security-Fix-libvirtd-crash-possibility.patch
>         upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
>         upstream/Fix-race-condition-when-destroying-guests.patch
> 
>  -- Guido Günther <agx@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200
> 
> This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.

I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today.
The result wasn't quite conclusive yet. I think jmm doesn't consider the
issue in policykit-1 important enough for a stable-security upload but I
forgot to ask him if he nonetheless wants a stable upload for this issue.

So I'd like a clear advice from the security what to do about
CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
a/ Fix via stable-security
b/ Fix via stabe
c/ Ignore (not important enough).

I'm happy to do either a/ or b/ if the security team wants me to.

If c/, this means libvirt would have to remove that patch for its stable
upload
If we are going to fix policykit-1 in stable, libvirt should have a
versioned dep on policykit-1, to ensure it gets the correct version of
pkcheck.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Guido Günther <agx@sigxcpu.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Guido Günther <agx@sigxcpu.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Cyril Brulebois <kibi@debian.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: First autoremovals happen in about 8 days
Next by Date: old stable support due date
Previous by thread: Bug#725968: pu: package libvirt/0.9.12.2-1
Next by thread: Bug#725968: pu: package libvirt/0.9.12.2-1
Index(es):
- Date
- Thread