Hi, Am 10.10.2013 17:22, schrieb Guido Günther: > On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote: > [..snip..] >> For the record, we tend to prefer having debdiff (or at least debian >> changelogs) posted to the BTS. Right now I have absolutely no idea which >> bugs you're trying to get fixed, and whether fixes landed in testing or >> unstable. > > libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low > > * [77a7135] Adjust gbp.conf for Wheezy point releases > * [b457e3f] New upstream version 0.9.12.1 > * [ae6e265] New upstream version 0.9.12.2 > * [2d07b5c] Drop patches fixed upstream. > Include-stdint.h-for-uint32_t.patch > Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch > fix-leak-virStorageBackendLogicalMakeVol.patch > qemu-Add-support-for-no-user-config.patch > qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch > rpc-Fix-crash-on-error-paths-of-message-dispatching.patch > security/CVE-2012-3445.patch > security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch > security/security-Fix-libvirtd-crash-possibility.patch > upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch > upstream/Fix-race-condition-when-destroying-guests.patch > > -- Guido Günther <agx@sigxcpu.org> Tue, 01 Oct 2013 21:45:08 +0200 > > This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy. I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today. The result wasn't quite conclusive yet. I think jmm doesn't consider the issue in policykit-1 important enough for a stable-security upload but I forgot to ask him if he nonetheless wants a stable upload for this issue. So I'd like a clear advice from the security what to do about CVE-2013-4288 (Bug: #723717) in policykit-1/stable: a/ Fix via stable-security b/ Fix via stabe c/ Ignore (not important enough). I'm happy to do either a/ or b/ if the security team wants me to. If c/, this means libvirt would have to remove that patch for its stable upload If we are going to fix policykit-1 in stable, libvirt should have a versioned dep on policykit-1, to ensure it gets the correct version of pkcheck. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Attachment:
signature.asc
Description: OpenPGP digital signature