
Re: working for wheezy-security until wheezy-lts starts



Hi,
On Mon, Feb 29, 2016 at 03:25:46PM +0000, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
> the Debian Security Team, not within the LTS team, though:
> 
>   * prepare a fixed package
>   * test the package
>   * send a .debdiff to team@security.debian.org
>   * wait for feedback and ideally permission to upload to wheezy-security

That's what I'm doing at the moment (sending the debdiff to the bug
report in case there is one as well) for issues that are unfixed (not
no-dsa, see below).

[..snip..]

> Issues that are unfixed in wheezy but fixed in squeeze:
> * aptdaemon            -> CVE-2015-1323
> * cakephp              -> TEMP-0000000-698CF7
> * dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> * eglibc               -> CVE-2014-9761
> * extplorer            -> CVE-2015-0896
> * fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> * gosa                 -> CVE-2014-9760 CVE-2015-8771
> * gtk+2.0              -> CVE-2013-7447
> * icu                  -> CVE-2015-2632
> * imagemagick          -> TEMP-0773834-5EB6CF
> * imlib2               -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> * inspircd             -> CVE-2015-8702
> * libebml              -> CVE-2015-8790 CVE-2015-8791
> * libidn               -> CVE-2015-2059 TEMP-0000000-54045E
> * libmatroska          -> CVE-2015-8792
> * libsndfile           -> CVE-2014-9756 CVE-2015-7805
> * libstruts1.2-java    -> CVE-2015-0899
> * libtorrent-rasterbar -> CVE-2015-5685
> * mono                 -> CVE-2009-0689
> * nss                  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> * optipng              -> CVE-2015-7801
> * phpmyadmin           -> CVE-2016-2039 CVE-2016-2041
> * pixman               -> CVE-2014-9766
> * python-tornado       -> CVE-2014-9720
> * roundcube            -> CVE-2015-8770
> * srtp                 -> CVE-2015-6360
> * tomcat6              -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

I'm focusing on these, picking older ones over newer ones, so as not to stomp
on the security team's toes.

> 
> Issues that are no-dsa in wheezy but fixed in squeeze:
> * augeas               -> CVE-2012-0786 CVE-2012-0787
> * binutils             -> TEMP-0000000-A2945B
> * busybox              -> TEMP-0803097-A74121
> * chrony               -> CVE-2016-1567
> * dbconfig-common      -> TEMP-0805638-5AC56F
> * dwarfutils           -> CVE-2015-8750
> * foomatic-filters     -> TEMP-0000000-ACBC4C
> * imagemagick          -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
> CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
> * libemail-address-perl -> TEMP-0000000-F41FA7
> * libfcgi-perl         -> CVE-2012-6687
> * librsvg              -> CVE-2015-7557
> * libsndfile           -> CVE-2014-9496
> * libunwind            -> CVE-2015-3239
> * openslp-dfsg         -> CVE-2012-4428
> * openssh              -> CVE-2015-5352 CVE-2015-5600
> * php5                 -> CVE-2011-0420 CVE-2011-1657
> * postgresql-8.4       -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
> CVE-2015-5288
> * python-scipy         -> CVE-2013-4251
> * python2.6            -> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
> * qt4-x11              -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
> CVE-2015-1860
> * remind               -> CVE-2015-5957
> * ruby1.8              -> CVE-2009-5147
> * ruby1.9.1            -> CVE-2009-5147
> * t1utils              -> CVE-2015-3905
> * texlive-extra        -> CVE-2012-2120
> * tomcat6              -> CVE-2013-4590
> * vorbis-tools         -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
> CVE-2015-6749
> """

I think these would be addressed via stable point release updates in
wheezy/jessie rather than going via the security team.

Cheers,
 -- Guido
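As an added example (not part of the thread and not the secure-testing repo's own bin/lts-needs-forward-port.py), here is a small parser for the report format quoted above: it joins the id lists that the mail client wrapped onto continuation lines and orders packages the way described in the reply, oldest CVE year first with TEMP-only entries last. The SAMPLE text is a constructed excerpt in that format.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the quoted report; the line starting
# with "CVE-2014-0075" is a continuation of the wrapped tomcat6 entry.
SAMPLE = """\
Issues that are unfixed in wheezy but fixed in squeeze:
* dhcpcd               -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* fuseiso              -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
* tomcat6              -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
CVE-2014-0075 CVE-2016-0763
* nss                  -> CVE-2015-7181 CVE-2016-1938

Issues that are no-dsa in wheezy but fixed in squeeze:
* chrony               -> CVE-2016-1567
"""

ISSUE_RE = re.compile(r"^\* (\S+)\s+->\s*(.*)$")
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def parse_report(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map section heading -> {package: [issue ids]}, joining wrapped lines."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    section, package = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section heading
            section, package = line[:-1], ""
            sections.setdefault(section, {})
            continue
        m = ISSUE_RE.match(line)
        if m:                           # "* package -> ids"
            package = m.group(1)
            sections.setdefault(section, {})[package] = m.group(2).split()
        elif package:                   # continuation of a wrapped id list
            sections[section][package].extend(line.split())
    return sections


def oldest_first(packages: Dict[str, List[str]]) -> List[str]:
    """Order packages by the oldest CVE year they carry; TEMP-only ones last."""
    def key(item):
        years = [int(CVE_RE.match(i).group(1)) for i in item[1] if CVE_RE.match(i)]
        return (min(years) if years else 9999, item[0])
    return [pkg for pkg, _ in sorted(packages.items(), key=key)]


if __name__ == "__main__":
    report = parse_report(SAMPLE)
    unfixed = report["Issues that are unfixed in wheezy but fixed in squeeze"]
    for pkg in oldest_first(unfixed):
        print(pkg, " ".join(unfixed[pkg]))
```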