Bug#725968: pu: package libvirt/0.9.12.2-1

To: Michael Biebl <biebl@debian.org>
Cc: Guido Günther <agx@sigxcpu.org>, 725968@bugs.debian.org, security@debian.org
Subject: Bug#725968: pu: package libvirt/0.9.12.2-1
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 16 Oct 2013 17:19:47 +0200
Message-id: <[🔎] 20131016151947.GB25454@inutil.org>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 725968@bugs.debian.org
In-reply-to: <[🔎] 525D72E9.9050803@debian.org>
References: <[🔎] 20131010130512.GA30902@bogon.sigxcpu.org> <[🔎] 20131010133833.GC3512@mraw.org> <[🔎] 20131010152245.GA816@bogon.sigxcpu.org> <[🔎] 525D72E9.9050803@debian.org>

On Tue, Oct 15, 2013 at 06:52:57PM +0200, Michael Biebl wrote:
> Hi,
> 
> Am 10.10.2013 17:22, schrieb Guido Günther:
> > On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> > [..snip..] 
> >> For the record, we tend to prefer having debdiff (or at least debian
> >> changelogs) posted to the BTS. Right now I have absolutely no idea which
> >> bugs you're trying to get fixed, and whether fixes landed in testing or
> >> unstable.
> > 
> > libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
> > 
> >   * [77a7135] Adjust gbp.conf for Wheezy point releases
> >   * [b457e3f] New upstream version 0.9.12.1
> >   * [ae6e265] New upstream version 0.9.12.2
> >   * [2d07b5c] Drop patches fixed upstream.
> >         Include-stdint.h-for-uint32_t.patch
> >         Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
> >         fix-leak-virStorageBackendLogicalMakeVol.patch
> >         qemu-Add-support-for-no-user-config.patch
> >         qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
> >         rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
> >         security/CVE-2012-3445.patch
> >         security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
> >         security/security-Fix-libvirtd-crash-possibility.patch
> >         upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
> >         upstream/Fix-race-condition-when-destroying-guests.patch
> > 
> >  -- Guido Günther <agx@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200
> > 
> > This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.
> 
> I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today.
> The result wasn't quite conclusive yet. I think jmm doesn't consider the
> issue in policykit-1 important enough for a stable-security upload but I
> forgot to ask him if he nonetheless wants a stable upload for this issue.
> 
> So I'd like a clear advice from the security what to do about
> CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
> a/ Fix via stable-security
> b/ Fix via stabe
> c/ Ignore (not important enough).
> 
> I'm happy to do either a/ or b/ if the security team wants me to.
> 
> If c/, this means libvirt would have to remove that patch for its stable
> upload
> If we are going to fix policykit-1 in stable, libvirt should have a
> versioned dep on policykit-1, to ensure it gets the correct version of
> pkcheck.

I suggest we go ahead with b.

Cheers,
        Moritz

Reply to:

References:
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Guido Günther <agx@sigxcpu.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Cyril Brulebois <kibi@debian.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Guido Günther <agx@sigxcpu.org>
- Bug#725968: pu: package libvirt/0.9.12.2-1
  - From: Michael Biebl <biebl@debian.org>

Prev by Date: Bug#725864: Bug#726433: Unknown option on the command line
Next by Date: Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Previous by thread: Bug#725968: pu: package libvirt/0.9.12.2-1
Next by thread: Processed: Re: Bug#725968: pu: package libvirt/0.9.12.2-1
Index(es):
- Date
- Thread