Re: fixing links for DLAs in the security tracker
Hi,

On Wed, Mar 29, 2017 at 06:28:49AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote:
> > On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> > > Well, you don't have a web site comparable to
> > > https://www.debian.org/security/2017/dsa-3796, so where should
> > > it possibly link to?
> >
> > I guess it's time to create this "web site" then :)
>
> See as well https://bugs.debian.org/761945 (and respective clones for
> debian-).

The security-tracker side of this has been implemented now, Paul Wise
did the corresponding work. But around 400 DLA's are not yet imported
so many links will show a page not found.

A working example:

https://security-tracker.debian.org/tracker/DLA-55-1

or

https://security-tracker.debian.org/tracker/DLA-400-1

Regards,
Salvatore

p.s.: generally: for changes to the security-tracker, please do not use
debian-lts but rather the security-tracker list (or even
better/depending on case via bugreports).
Re: fixing links for DLAs in the security tracker
On Wed, Mar 29, 2017 at 12:28 PM, Salvatore Bonaccorso wrote:

> See as well https://bugs.debian.org/761945 (and respective clones for
> debian-).

Committed a patch for this, carnil deployed it.

One downside to this is that committing DLAs to the Debian website
hasn't happened since 2016 DLA-445-2:

https://security-tracker.debian.org/tracker/DLA-445-2
https://www.debian.org/security/2016/dla-445
https://security-tracker.debian.org/tracker/DLA-446-1
https://www.debian.org/security/2016/dla-446 (404)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: fixing links for DLAs in the security tracker
Hi,

On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote:
> On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> > Well, you don't have a web site comparable to
> > https://www.debian.org/security/2017/dsa-3796, so where should
> > it possibly link to?
>
> I guess it's time to create this "web site" then :)

See as well https://bugs.debian.org/761945 (and respective clones for
debian-).

Regards,
Salvatore
Re: fixing links for DLAs in the security tracker
On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> Well, you don't have a web site comparable to
> https://www.debian.org/security/2017/dsa-3796, so where should
> it possibly link to?

I guess it's time to create this "web site" then :)

-- 
cheers,
	Holger
Re: fixing links for DLAs in the security tracker
On Tue, Mar 28, 2017 at 04:08:19PM -0400, Antoine Beaupré wrote:
> I constantly find myself struggling to find the actual DLA announcements
> when I browse the security tracker. Take for example:
>
> https://security-tracker.debian.org/tracker/CVE-2016-8743
>
> If you click on the DSA there:
>
> https://security-tracker.debian.org/tracker/DSA-3796-1
>
> You have a nice "Source" link that brings you to:
>
> https://www.debian.org/security/2017/dsa-3796
>
> Yet the DLA page doesn't have that feature:
>
> https://security-tracker.debian.org/tracker/DLA-841-1

Well, you don't have a web site comparable to
https://www.debian.org/security/2017/dsa-3796, so where should
it possibly link to?

Cheers,
        Moritz
Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
2017-03-28 21:07 GMT+02:00 Ola Lundqvist :
> Hi Mathieu and Roberto

Hi,

> Mathieu, do you mean that the patches should apply cleanly and if they do
> not, then we have missed some other important patch, or do you just mean
> that they should generally apply cleanly?

I don't know for sure, but I think that if a hunk doesn't apply it is
an indication of a change that may be a requirement.

Roberto's question on the patch not applying can be explained by:
https://git.samba.org/?p=samba.git;a=commitdiff;h=8234c6a3c7

This doesn't look to be a requirement (not related to path traversal).

> I'm asking as it is rather expected that patches do not apply cleanly when
> we are dealing with these old versions in wheezy. I do not want to give a
> precise estimate but something between 20 and 60% of the patches that I have
> applied to the packages I have done updates to in wheezy have not applied
> cleanly. Usually it is just minor things, but in some cases quite a lot of
> work has to be put in understanding the problem and finding out a new fix.
>
> We should not be afraid to do that kind of work.
>
> We do have the possibility to update to the latest software also in wheezy
> but that should really be done as a last resort, or only for packages that
> have a very good reputation on backwards compatibility. At least that is how
> I have understood the current practices. I mean we do not want to introduce
> unnecessary regressions.

The 3.6 branch was in maintenance mode since 2012-12-11, i.e. after
3.6.10. So it is probably better to only cherry-pick the fixes and
continue like Roberto did.

I can help the testing.

> Best regards

Regards

-- 
Mathieu
fixing links for DLAs in the security tracker
I constantly find myself struggling to find the actual DLA announcements
when I browse the security tracker. Take for example:

https://security-tracker.debian.org/tracker/CVE-2016-8743

If you click on the DSA there:

https://security-tracker.debian.org/tracker/DSA-3796-1

You have a nice "Source" link that brings you to:

https://www.debian.org/security/2017/dsa-3796

Yet the DLA page doesn't have that feature:

https://security-tracker.debian.org/tracker/DLA-841-1

It's rather frustrating because then you need to dig around the mailing
list archives - at this point I usually give up and punch the DLA string
into my search engine or notmuch. But for our users and other security
researchers, this must be even more confusing.

Our Development instructions explicitly say this, but *why* don't we
save the DLA template into SVN? It would be a nice way for the security
tracker to have access to it.

Alternatively, should we patch the security tracker to point to a search
engine for the DLA ID? What's a canonical link for DLA announcements
anyways?

Thanks for any feedback,

A.

-- 
Nothing incites to money-crimes like great poverty or great wealth.
                        - Mark Twain
Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
Hi Mathieu and Roberto

Mathieu, do you mean that the patches should apply cleanly and if they do
not, then we have missed some other important patch, or do you just mean
that they should generally apply cleanly?

I'm asking as it is rather expected that patches do not apply cleanly when
we are dealing with these old versions in wheezy. I do not want to give a
precise estimate but something between 20 and 60% of the patches that I
have applied to the packages I have done updates to in wheezy have not
applied cleanly. Usually it is just minor things, but in some cases quite
a lot of work has to be put in understanding the problem and finding out
a new fix.

We should not be afraid to do that kind of work.

We do have the possibility to update to the latest software also in wheezy
but that should really be done as a last resort, or only for packages that
have a very good reputation on backwards compatibility. At least that is
how I have understood the current practices. I mean we do not want to
introduce unnecessary regressions.

Best regards

// Ola

On 28 March 2017 at 12:55, Roberto C. Sánchez wrote:

> On Tue, Mar 28, 2017 at 11:34:44AM +0200, Mathieu Parent wrote:
> > Hi,
> >
> > 2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez :
> > > On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
> > >>
> > >> See attached the backported patches for 3.6 (those are from the samba
> > >> bugzilla which is still embargoed).
> > >>
> > >> Please take care of it.
> > >>
> > >
> > > Hi Mathieu,
> > >
> > > I wanted to let you know that I had to make a minor tweak to patch 08/15
> > > in order to get the build to succeed on wheezy. I wanted to let everyone
> > > know in the event that I have missed something important and for general
> > > awareness.
> >
> > Again, don't upload yet. We have 2 regressions (maybe 3) in jessie.
> >
> Yes, of course. I am still waiting for the resolution of at least
> #858564 and #858590.
>
> > > I had to change this hunk:
> > [...]
> >
> > Me too, I'm not a samba developer. If a patch doesn't apply, it's
> > because of one in debian/patches, or
> > maybe a requirement from 3.6.
> >
> > debian wheezy is based on 3.6.6, while latest 3.6 is 3.6.25. Maybe the
> > first thing to do is to update to 3.6.25.
> >
> OK. I did wonder at first why jessie was updated to the latest 4.2 but
> wheezy was not updated to the latest 3.6.
>
> > >
> > > The resolution for this one is not obvious to me. I intend to dig into
> > > it, but if anyone has a suggestion, I welcome it.
> >
> > Don't change the patches. They should apply cleanly.
> >
> OK. That is good to know.
>
> > Hope this helps.
> >
> It does help. I certainly don't want to cause a problem with a package
> so widely used as Samba.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                  Folkebogatan 26              \
|  o...@debian.org                  654 68 KARLSTAD               |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551    |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---
Re: Update wheezy samba to 3.6.25?
Hi Roberto

When you write that the latest patches do not apply cleanly, do you mean
that the code is substantially different so even a manual apply is
difficult or do you just mean that the patches do not apply cleanly when
running the patch command?

Best regards

// Ola

On 28 March 2017 at 16:29, Roberto C. Sánchez wrote:

> LTS folks,
>
> Based on Mathieu's comment related to the most recent samba patches not
> applying cleanly to the version in wheezy, it seems that an update to
> the latest upstream 3.6 release might be necessary. That said, I have
> looked at the diffstat between the version in wheezy (3.6.6) and 3.6.25,
> the latest upstream release in that series.
>
> The changes are rather substantial. The diffstat finishes with this:
>
> 258 files changed, 8344 insertions(+), 3246 deletions(-)
>
> Note that 1460 of the insertions are new lines in WHATSNEW.txt.
>
> That said, I have some questions:
>
> - Is this something that is feasible?
> - What sort of testing would be required?
> - Does it make sense to go ahead and start updating to 3.6.25?
>
> If the patch provided by upstream is to apply cleanly, then Mathieu's
> comment makes me think that updating to 3.6.25 is a necessary
> precondition of utilizing that patch. If that is the path to take, I
> think it makes sense to package 3.6.25 and begin testing it, then once
> the current regressions (#858564, #858590, and possibly another) are
> resolved apply the final patch from upstream.
>
> Another possibility would be to stick with 3.6.6. and attempt to
> backport the patch. I am not a samba developer and while I think I am
> sufficiently capable to backport the patch, I am also concerned that I
> may miss something. Samba is sufficiently complex to make me prefer the
> clean application of a patch from upstream.
>
> Given that samba is a very widely used and rather important package, I
> feel it prudent to solicit comments and suggestions on this.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                  Folkebogatan 26              \
|  o...@debian.org                  654 68 KARLSTAD               |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551    |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---
Re: Wheezy update of ca-certificates?
Hi

Let us in the LTS team know if you need assistance on this.

Best regards

// Ola

On 28 March 2017 at 18:05, Michael Shuler wrote:

> On 03/27/2017 09:06 PM, Paul Wise wrote:
> > On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote:
> >
> >> I need to fix up the jessie PU I have filed (and update to 2.11), and
> >> I'll do a wheezy PU at the same time. Thanks!
>
> s/wheezy PU/wheezy LTS/
>
> > Debian wheezy is no longer managed by the release team, so you will
> > need to do an LTS upload instead:
> >
> > https://wiki.debian.org/LTS/Development
>
> Right :) Thanks for the link!
>
> --
> Kind regards,
> Michael
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                  Folkebogatan 26              \
|  o...@debian.org                  654 68 KARLSTAD               |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551    |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---
Re: Wheezy update of binutils?
Hi

That should be fine.

// Ola

On 27 March 2017 at 22:16, Antoine Beaupré wrote:

> FWIW, the security team just marked all the currently pending security
> issues of binutils in jessie as "no-dsa (minor issue)" which means they
> consider the issues are not serious enough to warrant a security upload.
>
> after a quick review of the issues, i have also followed suit and marked
> the issues as "no-dsa" in wheezy, and removed the item from
> dla-needed.txt.
>
> this means it is unlikely we will make an upload to wheezy to fix those
> issues unless someone believes those issues are important enough to be
> fixed. from my perspective, the most serious issue is probably
> CVE-2017-7227, where GNU ld can be crashed with an arbitrary input
> script. this was marked as "low" severity by Red Hat as well...
>
> the other issues are all regarding debugging tools like addr2line which
> are unlikely to be used on a wheezy system, as they are more aimed at
> developing software...
>
> i hope that's alright with everyone!
>
> a.
>
> On 2017-03-22 08:10:11, Ola Lundqvist wrote:
> > Hi
> >
> > This was interesting information. Do you know the background why they
> > were not accepted?
> > I mean if this has been a known problem and the release team rejected it
> > maybe we should not do an update. Are there backwards compatibility
> > problems?
> >
> > Best regards
> >
> > // Ola
> >
> > On 21 March 2017 at 23:18, Matthias Klose wrote:
> >
> >> On 21.03.2017 21:01, Ola Lundqvist wrote:
> >> > Hello dear maintainer(s),
> >> >
> >> > the Debian LTS team would like to fix the security issues which are
> >> > currently open in the Wheezy version of binutils:
> >> > https://security-tracker.debian.org/tracker/source-package/binutils
> >> >
> >> > Would you like to take care of this yourself?
> >>
> >> please go ahead. afaicr these patches were proposed during the wheezy
> >> freeze to be taken from the binutils branch, but not accepted.
> >>
> >>
> >
> >
> > --
> >  --- Inguza Technology AB --- MSc in Information Technology ---
> > /  o...@inguza.com                  Folkebogatan 26              \
> > |  o...@debian.org                  654 68 KARLSTAD               |
> > |  http://inguza.com/               Mobile: +46 (0)70-332 1551    |
> >  \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
> >   ---
>
> --
> Isn't man but a blossom taken by the wind, and only the mountains and
> the sea and the stars and this Land of the Gods real and everlasting?
>                         - James Clavell, Shōgun
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                  Folkebogatan 26              \
|  o...@debian.org                  654 68 KARLSTAD               |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551    |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---
skipping clean on host when building in a chroot
On 2017-01-31 21:36:02, Guido Günther wrote:
> On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote:
>> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
>> > I'd say it makes sense to release a regression update.
>> >
>> > BTW I'm not sure about this change, which is not mentioned in your
>> > changelog entry:
>> >
>> > --- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200
>> > +++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.0 +0100
>> > @@ -36,7 +36,7 @@
>> > CFLAGS = -Wall -g -fno-strict-aliasing
>> > LDFLAGS =
>> >
>> > -include /usr/share/hardening-includes/hardening.make
>> > +-include /usr/share/hardening-includes/hardening.make
>> > CFLAGS += $(HARDENING_CFLAGS)
>> > LDFLAGS += $(HARDENING_LDFLAGS)
>>
>> This is to silence failure to include the file in later versions of
>> hardening-includes (from stretch and later) that would prevent pdebuild,
>> git-buildpackage and other tools from firing the build from sid or
>> stretch.
>>
>> I still build the package inside a woody chroot, of course, this is just
>> to trigger the build.
>>
>> But maybe there's another way to fix this that I don't know?
>>
>> Are you people all still running wheezy or jessie? ;)
>
> You can run with '-nc' to avoid pbuilder invoking clean outside of the
> chroot.

For future reference, this is actually:

DIST=wheezy ARCH=amd64 pdebuild --debbuildopts -nc --pbuilder cowbuilder

... with pdebuild, in my case.

a.

-- 
To understand how any society functions you must understand the
relationship between the men and the women
                        - Angela Davis
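Review bot: the debian/rules hunk in the quoted diff turns a hard `include /usr/share/hardening-includes/hardening.make` into `-include`, so when the file is missing (the stretch-and-later case given as the reason) make continues silently, `$(HARDENING_CFLAGS)` and `$(HARDENING_LDFLAGS)` expand to nothing, and the package builds without hardening flags instead of failing; that is a silent downgrade of the build, and Emilio already notes the change is absent from the changelog entry. Since the stated purpose is only to let the clean target run on the host before the chroot build, the `--debbuildopts -nc` invocation given later in the thread achieves that without touching debian/rules; if the `-include` is kept anyway, it should be documented in the changelog and paired with a check in the build recipe (for example `test -n "$(HARDENING_CFLAGS)"` before configure) so the real build inside the wheezy chroot still fails loudly when hardening.make is absent.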
Re: Wheezy update of ca-certificates?
On 03/27/2017 09:06 PM, Paul Wise wrote:
> On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote:
>
>> I need to fix up the jessie PU I have filed (and update to 2.11), and
>> I'll do a wheezy PU at the same time. Thanks!

s/wheezy PU/wheezy LTS/

> Debian wheezy is no longer managed by the release team, so you will
> need to do an LTS upload instead:
>
> https://wiki.debian.org/LTS/Development

Right :) Thanks for the link!

-- 
Kind regards,
Michael
Update wheezy samba to 3.6.25?
LTS folks,

Based on Mathieu's comment related to the most recent samba patches not
applying cleanly to the version in wheezy, it seems that an update to
the latest upstream 3.6 release might be necessary. That said, I have
looked at the diffstat between the version in wheezy (3.6.6) and 3.6.25,
the latest upstream release in that series.

The changes are rather substantial. The diffstat finishes with this:

258 files changed, 8344 insertions(+), 3246 deletions(-)

Note that 1460 of the insertions are new lines in WHATSNEW.txt.

That said, I have some questions:

- Is this something that is feasible?
- What sort of testing would be required?
- Does it make sense to go ahead and start updating to 3.6.25?

If the patch provided by upstream is to apply cleanly, then Mathieu's
comment makes me think that updating to 3.6.25 is a necessary
precondition of utilizing that patch. If that is the path to take, I
think it makes sense to package 3.6.25 and begin testing it, then once
the current regressions (#858564, #858590, and possibly another) are
resolved apply the final patch from upstream.

Another possibility would be to stick with 3.6.6. and attempt to
backport the patch. I am not a samba developer and while I think I am
sufficiently capable to backport the patch, I am also concerned that I
may miss something. Samba is sufficiently complex to make me prefer the
clean application of a patch from upstream.

Given that samba is a very widely used and rather important package, I
feel it prudent to solicit comments and suggestions on this.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Dealing with renamed source packages during CVE triaging
On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote:
> On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> > I'd suggest a cron job running once or twice per day, which keeps
> > a table of (current source package name / old source package name(s))
> > and adds SOURCEPACKAGE for the older source package.
> > These can then be set to or after manual
> > triage.
>
> Why this and not the usual "SOURCEPACKAGE " tag followed by
> a codename-specific tag added after triaging: "[wheezy] SOURCEPACKAGE
> " if needed?

That's also fine, since usually the older versions happen to be affected
in most cases.

Cheers,
        Moritz
Re: Dealing with renamed source packages during CVE triaging
On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> I'd suggest a cron job running once or twice per day, which keeps
> a table of (current source package name / old source package name(s))
> and adds SOURCEPACKAGE for the older source package.
> These can then be set to or after manual
> triage.

Why this and not the usual "SOURCEPACKAGE " tag followed by
a codename-specific tag added after triaging: "[wheezy] SOURCEPACKAGE
" if needed?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Dealing with renamed source packages during CVE triaging
On Tue, Mar 28, 2017 at 03:11:41PM +0200, Raphael Hertzog wrote:
> Hello,
>
> So it looks like we have to tweak our workflow and/or build something
> to make sure that we do not miss to handle issues in such packages.
> What do you think ? What would be the proper approach ?

I'd suggest a cron job running once or twice per day, which keeps
a table of (current source package name / old source package name(s))
and adds SOURCEPACKAGE for the older source package.
These can then be set to or after manual
triage.

Cheers,
        Moritz
Dealing with renamed source packages during CVE triaging
Hello,

I recently assigned myself "tiff" and noticed that the CVE were not
properly tracked against "tiff3" (older version of the same codebase,
available only in wheezy).

I asked the security team if there was a reason to this and got this
answer (on IRC):

  we don't actively triage versions only found in LTS, often that's
  added along, but not necessarily. I suggest for LTS to setup a script,
  which annotates older source package versions found in foo-lts, but
  not in stable
  e.g. it seems you also missed src:gnutls26 for some of the gnutls28
  issues currently tracked in the tracker
  that stuff really calls for automation

So it looks like we have to tweak our workflow and/or build something
to make sure that we do not miss to handle issues in such packages.
What do you think ? What would be the proper approach ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
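The annotation script suggested in this thread (the IRC advice quoted above and Moritz's cron-job table of current/old source package names), sketched as an added example in Python; it is not the security-tracker's own code. It assumes the layout of the tracker's data/CVE/list file (a CVE header at column 0, tab-indented package lines, a `[codename]` prefix for suite-specific overrides), uses `<unfixed>` only as a placeholder state that a human still has to triage, and the rename table and sample entries are constructed, with placeholder CVE ids that are not real CVEs.

```python
"""Annotate security-tracker CVE entries for renamed source packages.

Added example, not the security-tracker's own code.  Assumed layout of the
tracker's data/CVE/list file: a CVE header line at column 0, followed by
tab-indented lines such as
    <TAB>- srcpkg <unfixed> (bug #NNN)
    <TAB>[wheezy] - oldsrcpkg <not-affected> (code not present)
    <TAB>NOTE: free text
The rename table and the sample entries below are constructed.
"""
import re

HEADER = re.compile(r"^CVE-\d{4}-\d+")
PKG_LINE = re.compile(r"^\t(?:\[(?P<dist>[a-z]+)\] )?- (?P<pkg>\S+)(?P<rest>.*)$")

# Constructed table: current source package -> older names found only in the
# LTS suite (tiff3 and gnutls26 are the two cases named in the thread).
RENAMES = {"tiff": ("tiff3",), "gnutls28": ("gnutls26",)}


def annotate_entry(lines, renames):
    """Return (lines, added) for one CVE entry (header line first).

    For every current package mentioned in the entry, add a '- oldpkg <unfixed>'
    line for each older name not yet present.  <unfixed> is only a placeholder:
    the TODO note flags the line for manual triage, after which a human sets the
    real state or adds a [codename] override line."""
    pkgs = {m.group("pkg") for m in map(PKG_LINE.match, lines) if m}
    new = [f"\t- {old} <unfixed> (TODO: LTS triage, renamed from {cur})"
           for cur, olds in renames.items() if cur in pkgs
           for old in olds if old not in pkgs]
    if not new:
        return lines, []
    # Insert right after the last package line so NOTE lines keep their place.
    last = max(i for i, line in enumerate(lines) if PKG_LINE.match(line))
    return lines[:last + 1] + new + lines[last + 1:], [n.split()[1] for n in new]


def annotate(text, renames=RENAMES):
    """Run annotate_entry over a whole list file.

    Returns (new_text, added) where added maps CVE id -> list of package names
    that were annotated.  Running it on its own output adds nothing."""
    out, added, entry = [], {}, []

    def flush():
        if entry:
            lines, new = annotate_entry(entry, renames)
            out.extend(lines)
            if new:
                added[entry[0].split()[0]] = new

    for line in text.split("\n"):
        if HEADER.match(line):
            flush()
            entry = [line]
        elif entry:
            entry.append(line)
        else:
            out.append(line)          # preamble before the first CVE, if any
    flush()
    return "\n".join(out), added


# Constructed sample with placeholder CVE ids (not real CVEs).
SAMPLE = (
    "CVE-0000-0001 (constructed: overflow in a tiff tool)\n"
    "\t- tiff <unfixed> (bug #000001)\n"
    "\tNOTE: constructed sample entry\n"
    "CVE-0000-0002 (constructed: gnutls handshake issue)\n"
    "\t- gnutls28 <unfixed>\n"
    "\t[wheezy] - gnutls26 <not-affected> (code not present)\n"
    "CVE-0000-0003 (constructed: unrelated package)\n"
    "\t- openssl <unfixed>\n"
)

if __name__ == "__main__":
    new_text, annotated = annotate(SAMPLE)
    print(new_text)
    print("annotated:", annotated)
```

Only the first entry gains a line, because the second already carries a `[wheezy]` override for gnutls26 (the codename-specific tag Raphaël describes) and the third mentions no renamed package.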
Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
On Tue, Mar 28, 2017 at 11:34:44AM +0200, Mathieu Parent wrote:
> Hi,
>
> 2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez :
> > On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
> >>
> >> See attached the backported patches for 3.6 (those are from the samba
> >> bugzilla which is still embargoed).
> >>
> >> Please take care of it.
> >>
> >
> > Hi Mathieu,
> >
> > I wanted to let you know that I had to make a minor tweak to patch 08/15
> > in order to get the build to succeed on wheezy. I wanted to let everyone
> > know in the event that I have missed something important and for general
> > awareness.
>
> Again, don't upload yet. We have 2 regressions (maybe 3) in jessie.
>
Yes, of course. I am still waiting for the resolution of at least
#858564 and #858590.

> > I had to change this hunk:
> [...]
>
> Me too, I'm not a samba developer. If a patch doesn't apply, it's
> because of one in debian/patches, or
> maybe a requirement from 3.6.
>
> debian wheezy is based on 3.6.6, while latest 3.6 is 3.6.25. Maybe the
> first thing to do is to update to 3.6.25.
>
OK. I did wonder at first why jessie was updated to the latest 4.2 but
wheezy was not updated to the latest 3.6.

> >
> > The resolution for this one is not obvious to me. I intend to dig into
> > it, but if anyone has a suggestion, I welcome it.
>
> Don't change the patches. They should apply cleanly.
>
OK. That is good to know.

> Hope this helps.
>
It does help. I certainly don't want to cause a problem with a package
so widely used as Samba.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
Hi,

2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez :
> On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
>>
>> See attached the backported patches for 3.6 (those are from the samba
>> bugzilla which is still embargoed).
>>
>> Please take care of it.
>>
>
> Hi Mathieu,
>
> I wanted to let you know that I had to make a minor tweak to patch 08/15
> in order to get the build to succeed on wheezy. I wanted to let everyone
> know in the event that I have missed something important and for general
> awareness.

Again, don't upload yet. We have 2 regressions (maybe 3) in jessie.

> I had to change this hunk:
[...]

Me too, I'm not a samba developer. If a patch doesn't apply, it's
because of one in debian/patches, or
maybe a requirement from 3.6.

debian wheezy is based on 3.6.6, while latest 3.6 is 3.6.25. Maybe the
first thing to do is to update to 3.6.25.

>
> The resolution for this one is not obvious to me. I intend to dig into
> it, but if anyone has a suggestion, I welcome it.

Don't change the patches. They should apply cleanly.

Hope this helps.

-- 
Mathieu