On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> These security issues have been fixed in the just-released Condor 7.8.4.
> 
> Michael, here are the commit hashes in the Condor git repo for the fixes:
> CVE-2012-3491: 1fff5d40
> CVE-2012-3493: d2f33972

These two do not apply cleanly against 7.8.2:

Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
patching file src/condor_schedd.V6/schedd.cpp
Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
Hunk #2 FAILED at 10251.
1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
patching file src/condor_schedd.V6/scheduler.h
Hunk #1 FAILED at 291.
1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply 
(enforce with -f)


Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
patching file src/condor_startd.V6/command.cpp
Hunk #1 succeeded at 624 (offset 79 lines).
patching file src/condor_startd.V6/command.h
Hunk #1 FAILED at 83.
1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
patching file src/condor_startd.V6/startd_main.cpp
Hunk #1 succeeded at 267 (offset -6 lines).
Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply 
(enforce with -f)


Before I dig deeper, could you please confirm that cherry-picking the
four commits alone will fully address the security vulnerabilities? If
that is the case, it seems that at least one more commit is missing.

Looking into the 7.8 branch in the condor repo, it seems that quite a
bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
stable maintenance branch) whether it wouldn't be a better idea to aim
for an upload of 7.8.4 as a whole. Is there something in it that is not
a bugfix of some kind?

Cheers,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de

