Bug#725968: pu: package libvirt/0.9.12.2-1
On Tue, Oct 15, 2013 at 06:52:57PM +0200, Michael Biebl wrote:
> Hi,
>
> Am 10.10.2013 17:22, schrieb Guido Günther:
> > On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> > [..snip..]
> >> For the record, we tend to prefer having debdiff (or at least debian
> >> changelogs) posted to the BTS. Right now I have absolutely no idea which
> >> bugs you're trying to get fixed, and whether fixes landed in testing or
> >> unstable.
> >
> > libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
> >
> > * [77a7135] Adjust gbp.conf for Wheezy point releases
> > * [b457e3f] New upstream version 0.9.12.1
> > * [ae6e265] New upstream version 0.9.12.2
> > * [2d07b5c] Drop patches fixed upstream.
> > Include-stdint.h-for-uint32_t.patch
> > Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
> > fix-leak-virStorageBackendLogicalMakeVol.patch
> > qemu-Add-support-for-no-user-config.patch
> > qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
> > rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
> > security/CVE-2012-3445.patch
> > security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
> > security/security-Fix-libvirtd-crash-possibility.patch
> > upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
> > upstream/Fix-race-condition-when-destroying-guests.patch
> >
> > -- Guido Günther <agx@sigxcpu.org> Tue, 01 Oct 2013 21:45:08 +0200
> >
> > This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.
>
> I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today.
> The result wasn't quite conclusive yet. I think jmm doesn't consider the
> issue in policykit-1 important enough for a stable-security upload but I
> forgot to ask him if he nonetheless wants a stable upload for this issue.
>
> So I'd like a clear advice from the security what to do about
> CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
> a/ Fix via stable-security
> b/ Fix via stabe
> c/ Ignore (not important enough).
>
> I'm happy to do either a/ or b/ if the security team wants me to.
>
> If c/, this means libvirt would have to remove that patch for its stable
> upload
> If we are going to fix policykit-1 in stable, libvirt should have a
> versioned dep on policykit-1, to ensure it gets the correct version of
> pkcheck.
I suggest we go ahead with b.
Cheers,
Moritz
Reply to: