Your message dated Sat, 23 Jun 2018 12:32:13 +0100 with message-id <1529753533.11744.69.camel@adam-barratt.org.uk> and subject line Closing bugs for requests included in the EoL jessie point release has caused the Debian Bug report #831459, regarding jessie-pu: package virtualbox-guest-additions-iso to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 831459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831459 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package virtualbox-guest-additions-iso
- From: Gianfranco Costamagna <locutusofborg@debian.org>
- Date: Sat, 16 Jul 2016 11:20:57 +0000 (UTC)
- Message-id: <1177709623.208073.1468668057398.JavaMail.yahoo@mail.yahoo.com>
- Reply-to: Gianfranco Costamagna <locutusofborg@debian.org>
- In-reply-to: <20160715182455.GA8314@eldamar.local>
- References: <1468126484.128989066@f299.i.mail.ru> <1468582462.5939.10.camel@debian.org> <21690786.5859062.1468599038625.JavaMail.yahoo@mail.yahoo.com> <20160715182455.GA8314@eldamar.local>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Forwarding the email from security team. the debdiff is the new iso file and a new changelog entry, nothing more. you can grab the file from here http://debomatic-amd64.debian.net/distribution#stable/virtualbox-guest-additions-iso/4.3.36-1+deb8u1/buildlog this is the changelog entry diff -Nru virtualbox-guest-additions-iso-4.3.18/debian/changelog virtualbox-guest-additions-iso-4.3.36/debian/changelog --- virtualbox-guest-additions-iso-4.3.18/debian/changelog 2015-03-26 11:39:19.000000000 +0100 +++ virtualbox-guest-additions-iso-4.3.36/debian/changelog 2016-07-16 13:19:14.000000000 +0200 @@ -1,3 +1,14 @@ +virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium + + * New upstream bugfix release. + - Addressed CVE-2016-0592, + CVE-2016-0495, CVE-2015-8104, + CVE-2015-7183, CVE-2015-5307, + CVE-2015-7183, CVE-2015-4813, + CVE-2015-4896, CVE-2015-3456 + + -- Gianfranco Costamagna <locutusofborg@debian.org> Fri, 15 Jul 2016 18:11:50 +0200 + virtualbox-guest-additions-iso (4.3.18-3) unstable; urgency=high * Reuploading the previous package, the -2 got removed because of Binary files /tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.18.iso and /tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.18.iso differ Binary files /tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.36.iso and /tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.36.iso differ cheers, Gianfranco Il Venerdì 15 Luglio 2016 20:25, Salvatore Bonaccorso <carnil@debian.org> ha scritto: Hi Gianfranco, On Fri, Jul 15, 2016 at 04:10:38PM +0000, Gianfranco Costamagna wrote: > Hi Security Team, a while ago we got virtualbox updated from 4.3.18 > to 4.3.36 as security > upload. > > This was a complete success, but now we have two "issues" 1) there > is a mismatch between virtualbox and virtualbox-guest-additions-iso > packages (this isn't a big issue, since it is just a warning) > > > 2) the guest-additions-iso package is an iso file that contains some > source code (from virtualbox) and builds kernel modules and some > tools used in the guest machines. > > I don't know, but it might be affected by some/many of the same CVEs > that we fixed in virtualbox, so I think it is a sane idea to have a > security upload also for this package. > > What is your opinion? I can upload a 4.3.36 in a few minutes if > needed, it is just a matter of packing an iso and creating a > changelog entry. The package beeing non-free in all supported suites is not really supported via security.d.o. Could you contact the stable release managers to have an update sheduled via a point release? Cf. https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable Regards, SalvatoreAttachment: debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
- To: 831459-done@bugs.debian.org, 837458-done@bugs.debian.org, 862030-done@bugs.debian.org, 876944-done@bugs.debian.org, 879161-done@bugs.debian.org, 885533-done@bugs.debian.org, 885584-done@bugs.debian.org, 885619-done@bugs.debian.org, 887047-done@bugs.debian.org, 887138-done@bugs.debian.org, 887559-done@bugs.debian.org, 887857-done@bugs.debian.org, 888019-done@bugs.debian.org, 888553-done@bugs.debian.org, 888767-done@bugs.debian.org, 891611-done@bugs.debian.org, 891974-done@bugs.debian.org, 893507-done@bugs.debian.org, 893804-done@bugs.debian.org, 893970-done@bugs.debian.org, 895144-done@bugs.debian.org, 895887-done@bugs.debian.org, 895935-done@bugs.debian.org, 896841-done@bugs.debian.org, 896919-done@bugs.debian.org, 896942-done@bugs.debian.org, 897369-done@bugs.debian.org, 897447-done@bugs.debian.org, 897911-done@bugs.debian.org, 899018-done@bugs.debian.org, 899030-done@bugs.debian.org, 901194-done@bugs.debian.org, 901276-done@bugs.debian.org, 901425-done@bugs.debian.org, 901613-done@bugs.debian.org, 901645-done@bugs.debian.org
- Subject: Closing bugs for requests included in the EoL jessie point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jun 2018 12:32:13 +0100
- Message-id: <1529753533.11744.69.camel@adam-barratt.org.uk>
Version: 8.11 Hi, The updates referenced by these bugs were included in today's EoL point release for jessie (8.11). Regards, Adam
--- End Message ---