Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-03-15 Thread Paul Slootman
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

There are a couple of CVEs that have been fixed by 3.1.2-1+deb9u2.
After discussing this with a member of the security team it was not
considered important enough to warrant a DSA, but it would be good if it
could be included in a point release for stretch.

The changelog is:

  * Apply CVEs from 2016 to the zlib code.
closes:#924509

The only change was the addition of 4 patches to the zlib code.

The uploaded version was compiled on a stretch system.

Thanks!
Paul

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.6-wurtel-ws (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-04-03 Thread Adam D. Barratt

On 2019-03-31 19:57, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Fri, 2019-03-15 at 11:23 +0100, Paul Slootman wrote:
> > There are a couple of CVEs that have been fixed by 3.1.2-1+deb9u2.
> > After discussing this with a member of the security team it was not
> > considered important enough to warrant a DSA, but it would be good if
> > it could be included in a point release for stretch.
> >
> > The changelog is:
> >
> >   * Apply CVEs from 2016 to the zlib code.
> > closes:#924509
> >
> > The only change was the addition of 4 patches to the zlib code.
> >
> > The uploaded version was compiled on a stretch system.
>
> There doesn't appear to be an uploaded version anywhere that I can see.

This now happened, but

> Please attach a source debdiff to this report.

this hasn't. If it had, I'd have asked you to rebuild the package so the 
changelog didn't claim it was uploaded to stretch-security (I'm still 
debating whether to do so anyway, as it'll be less confusing for users).


Regards,

Adam



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-04-03 Thread Paul Slootman
On Wed 03 Apr 2019, Adam D. Barratt wrote:
> > 
> > There doesn't appear to be an uploaded version anywhere that I can see.
> 
> This now happened, but
> 
> > Please attach a source debdiff to this report.
> 
> this hasn't. If it had, I'd have asked you to rebuild the package so the
> changelog didn't claim it was uploaded to stretch-security (I'm still
> debating whether to do so anyway, as it'll be less confusing for users).

I'm willing to do whatever you think is best, please feel free to tell
me what to do :-)


Thanks and sorry for the bother,
Paul



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-04-14 Thread Adam D. Barratt
On Wed, 2019-04-03 at 14:58 +0200, Paul Slootman wrote:
> On Wed 03 Apr 2019, Adam D. Barratt wrote:
> > > 
> > > There doesn't appear to be an uploaded version anywhere that I
> > > can see.
> > 
> > This now happened, but
> > 
> > > Please attach a source debdiff to this report.
> > 
> > this hasn't. If it had, I'd have asked you to rebuild the package
> > so the
> > changelog didn't claim it was uploaded to stretch-security (I'm
> > still
> > debating whether to do so anyway, as it'll be less confusing for
> > users).
> 
> I'm willing to do whatever you think is best, please feel free to
> tell
> me what to do :-)

Apologies for having let this slip off the radar a little.

I just flagged the current upload to be rejected. Please re-build the
package with "stretch" in the changelog rather than "stretch-security", 
and feel free to go ahead with the re-upload once dak confirms that the
reject has been actioned.

Regards,

Adam
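
The rebuild requested in the message above comes down to the distribution field in the header of the top debian/changelog entry. As an added example (not part of the thread and not Debian's own tooling), this pre-upload check reads that field and refuses a suite other than the intended one; the function names and the sample's urgency value, trailer name and date are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check which suite the top debian/changelog entry targets.
# Header format: "package (version) distribution; urgency=level"

# Print "package version distribution" for the top changelog entry.
changelog_top() {
    sed -n -E '/^[a-z0-9][a-z0-9+.-]* \(/{
        s/^([a-z0-9][a-z0-9+.-]*) \(([^)]+)\) ([^;]+);.*$/\1 \2 \3/p
        q
    }' "$1"
}

# Return 0 only if the top entry targets exactly the expected suite.
check_upload_target() {
    expected=$1
    top=$(changelog_top "$2")
    if [ -z "$top" ]; then
        echo "no changelog header found in $2" >&2
        return 2
    fi
    set -- $top            # split: package, version, distribution field
    pkg=$1 ver=$2
    shift 2
    if [ "$*" != "$expected" ]; then
        echo "REJECT: $pkg $ver targets '$*', expected '$expected'" >&2
        return 1
    fi
    echo "OK: $pkg $ver targets $*"
}

# Constructed sample changelog (urgency, trailer name and date are made up).
write_sample() {
    cat > "$2" <<EOF
rsync (3.1.2-1+deb9u2) $1; urgency=medium

  * Apply CVEs from 2016 to the zlib code.
    closes:#924509

 -- Example Maintainer <maintainer@example.org>  Tue, 01 Jan 2019 00:00:00 +0000
EOF
}

tmp=$(mktemp -d)
write_sample stretch-security "$tmp/before"
write_sample stretch "$tmp/after"
check_upload_target stretch "$tmp/before" || echo "rebuild needed"
check_upload_target stretch "$tmp/after"
rm -rf "$tmp"
```

The same check applies to the Distribution field of the generated .changes file, which is what the archive software acts on.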



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-04-15 Thread Paul Slootman
On Sun 14 Apr 2019, Adam D. Barratt wrote:
> 
> Apologies for having let this slip off the radar a little.

NP

> I just flagged the current upload to be rejected. Please re-build the
> package with "stretch" in the changelog rather than "stretch-security", 
> and feel free to go ahead with the re-upload once dak confirms that the
> reject has been actioned.

I've just uploaded it.


Thanks,
Paul



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-03-31 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Fri, 2019-03-15 at 11:23 +0100, Paul Slootman wrote:
> There are a couple of CVEs that have been fixed by 3.1.2-1+deb9u2.
> After discussing this with a member of the security team it was not
> considered important enough to warrant a DSA, but it would be good if
> it
> could be included in a point release for stretch.
> 
> The changelog is:
> 
>   * Apply CVEs from 2016 to the zlib code.
> closes:#924509
> 
> The only change was the addition of 4 patches to the zlib code.
> 
> The uploaded version was compiled on a stretch system.
> 

There doesn't appear to be an uploaded version anywhere that I can see.

Please attach a source debdiff to this report.

Regards,

Adam



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-03-31 Thread Adam D. Barratt
On Sun, 2019-03-31 at 19:57 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Fri, 2019-03-15 at 11:23 +0100, Paul Slootman wrote:
> > There are a couple of CVEs that have been fixed by 3.1.2-1+deb9u2.
> > After discussing this with a member of the security team it was not
> > considered important enough to warrant a DSA, but it would be good
> > if
> > it
> > could be included in a point release for stretch.
> > 
> > The changelog is:
> > 
> >   * Apply CVEs from 2016 to the zlib code.
> > closes:#924509
> > 
> > The only change was the addition of 4 patches to the zlib code.
> > 
> > The uploaded version was compiled on a stretch system.
> > 
> 
> There doesn't appear to be an uploaded version anywhere that I can
> see.

Because:

Mar 15 10:54:14 /rsync_3.1.2-1+deb9u2_amd64.changes has bad PGP/GnuPG
signature!

> Please attach a source debdiff to this report.

Regards,

Adam



Bug#924642: stretch-pu: package rsync/3.1.2-1+deb9u1

2019-04-01 Thread Paul Slootman
On Sun 31 Mar 2019, Adam D. Barratt wrote:
> 
> Because:
> 
> Mar 15 10:54:14 /rsync_3.1.2-1+deb9u2_amd64.changes has bad PGP/GnuPG
> signature!

Damn, as this had to be built on a stretch system I had my old key on there :(

Re-signed, and re-uploaded.


Paul