Re: Security fixes for libXaw derivatives still not in potato-updates
Ben Collins <bcollins@debian.org> writes:
> On Fri, Mar 16, 2001 at 11:33:38AM -0500, Branden Robinson wrote:
> > On Fri, Mar 16, 2001 at 11:22:08AM -0500, Ben Collins wrote:
> > > On Fri, Mar 16, 2001 at 12:02:28AM -0800, Philippe Troin wrote:
> > > > I found out that the libXaw derivatives still have not been fixed for
> > > > the sparc arch (insecure /tmp handling, DSA037).
> > > >
> > > > Is that because nobody has stepped forward (in which case I would
> > > > volunteer to do it) or because of something else ?
> > >
> > > Is this from the xfree86 3.3.6 update? If so, it should already be
> > > there. If not, I don't show it on my build list.
> >
> > He's referring to xaw3d, nextaw, and xaw95.
>
> Oh yeah, those failed to compile on sparc because they assumed libc5
> packages. So I summarily ignored them on the buildd.

I got them to build and they're on
ftp-master.d.o:/home/phil/athena-security-update .

I will move them to incoming tonight so that they will be picked by
Saturday's dinstall/katie run, unless somebody objects.

Only nextaw had problems building.

I've noted that in potato 2.2r2, nextaw is actually linked to xlib6g
and thus is equivalent to nextawg:

  Package: nextaw
  Architecture: sparc
  Version: 0.5.1-29
  Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), libc6 (>= 2.0.99),
   xlib6g (>= 3.3.2.3a-2)

  Package: nextawg
  Architecture: sparc
  Version: 0.5.1-34
  Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), xlib6g (>= 3.3.5)

Ideally, nextaw should be dropped. However since people might have
installed it, I built both nextaw and nextawg.

I had to *slightly* modify debian/rules to add "sparc" to the list of
architectures that need to build nextaw. Without this change, the
package does not build on sparc anyways.

What I'll do:

  1. Open a grave bug against nextaw (not building on sparc/potato,
     and add sparc to the list of arches needing to build nextaw). We
     shouldn't have packages that cannot be rebuilt in the archive.

  2. Since these packages fix a security risk, and despite 1, these
     packages will be moved to incoming tonight.

  3. Draft an updated security advisory, and forward it to the powers
     that be.

Phil.