Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Valentin Vidic
On Wed, Sep 14, 2022 at 10:55:29PM +0200, Sylvain Beucler wrote:
> You can certainly give it a try if you have the time.
> The description adapted from the DSA sounds good.
> 
> Feel free to ask here or at #debian-lts if you have further questions.

Ok, mail sent to debian-lts-announce, will check the website next...

-- 
Valentin



Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Valentin Vidic
On Wed, Sep 14, 2022 at 06:46:47PM +0200, Sylvain Beucler wrote:
> Hello Valentin,
> 
> Thank you for claiming 'pcs' in dla-needed.txt and uploading a fixed
> version.
> 
> LTS uploads follow a procedure which notably involves reserving a DLA in the
> security tracker and sending announcements to the mailing list and website,
> see:
> https://lts-team.pages.debian.net/wiki/LTS-Development.html
> 
> Note that uploads are not validated (provided you're DD) and are immediately
> available to the end users.
> 
> I can handle this administrative part of the upload (announcement text would
> be appreciated), but first I'm coordinating with you: do you have further
> work to do, are you waiting for us to check/review something?

Hi and sorry about that. I was planning to follow the DLA procedure but
ran out of time lately. The description from stable can probably be
reused here:

A security issue was discovered in pcs, a corosync and pacemaker
configuration tool:

 * CVE-2022-1049
 
   It was discovered that expired accounts were still able to login via
   PAM.

For Debian 10 "Buster", the problem has been fixed in version
0.10.1-2+deb10u1.

Let me know if you will send this out or I should give it a try?

-- 
Valentin



Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Sylvain Beucler

Hello,

On 14/09/2022 22:43, Valentin Vidic wrote:
> On Wed, Sep 14, 2022 at 06:46:47PM +0200, Sylvain Beucler wrote:
> > Thank you for claiming 'pcs' in dla-needed.txt and uploading a fixed
> > version.
> >
> > LTS uploads follow a procedure which notably involves reserving a DLA in the
> > security tracker and sending announcements to the mailing list and website,
> > see:
> > https://lts-team.pages.debian.net/wiki/LTS-Development.html
> >
> > Note that uploads are not validated (provided you're DD) and are immediately
> > available to the end users.
> >
> > I can handle this administrative part of the upload (announcement text would
> > be appreciated), but first I'm coordinating with you: do you have further
> > work to do, are you waiting for us to check/review something?
>
> Hi and sorry about that. I was planning to follow the DLA procedure but
> ran out of time lately. The description from stable can probably be
> reused here:
>
> A security issue was discovered in pcs, a corosync and pacemaker
> configuration tool:
>
>  * CVE-2022-1049
>
>    It was discovered that expired accounts were still able to login via
>    PAM.
>
> For Debian 10 "Buster", the problem has been fixed in version
> 0.10.1-2+deb10u1.
>
> Let me know if you will send this out or I should give it a try?


You can certainly give it a try if you have the time.
The description adapted from the DSA sounds good.

Feel free to ask here or at #debian-lts if you have further questions.

Cheers!
Sylvain Beucler
Debian LTS Team



Re: Updating OpenStack compute (aka src:nova) in Buster

2022-09-14 Thread Thomas Goirand

On 9/14/22 13:37, Emilio Pozuelo Monfort wrote:
> Hi Thomas,
>
> On 11/09/2022 12:50, Thomas Goirand wrote:
> > Hi,
> >
> > In the OpenStack team git, there are updates for nova
> > 2:18.1.0-6+deb10u1 (CVE-2019-14433/ OSSA-2019-003). Can someone pick
> > it up and upload it to Buster? It was never accepted in Buster due to
> > the difficulties communicating with the Stable release team (too slow
> > response, etc. that leads to /me giving up...). Though IMO, it'd be a
> > very good candidate for buster LTS.
> >
> > The latest Buster version is in the debian/rocky branch at:
> > https://salsa.debian.org/openstack-team/services/nova/
> >
> > How to proceed? Can I simply upload the normal way? Is there a 3rd
> > party peer reviewing accepting / rejecting uploads for LTS?
>
> I have taken a look at the package, and am a bit uneasy at the debconf
> changes, as I'm not particularly well versed in that front. I have done
> some piuparts testing, and at least that works well, though that's
> non-interactive so perhaps it's not fully testing that part. However
> given that you have tested that change (as well as the others) and that
> the changes are in bullseye, I think we can go ahead with it. Please
> upload a _source.changes to security-master targeting buster-security,
> and I can help or take care of the paperwork.
>
> Cheers,
> Emilio


Uploaded, thanks.

Cheers,

Thomas Goirand (zigo)



Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Sylvain Beucler

Hello Valentin,

Thank you for claiming 'pcs' in dla-needed.txt and uploading a fixed 
version.


LTS uploads follow a procedure which notably involves reserving a DLA in 
the security tracker and sending announcements to the mailing list and 
website, see:

https://lts-team.pages.debian.net/wiki/LTS-Development.html

Note that uploads are not validated (provided you're DD) and are 
immediately available to the end users.


I can handle this administrative part of the upload (announcement text 
would be appreciated), but first I'm coordinating with you: do you have 
further work to do, are you waiting for us to check/review something?


Cheers!
Sylvain Beucler
Debian LTS Team

On 12/09/2022 00:50, Debian FTP Masters wrote:

Format: 1.8
Date: Sun, 04 Sep 2022 21:55:16 +0200
Source: pcs
Architecture: source
Version: 0.10.1-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian HA Maintainers 

Changed-By: Valentin Vidic 
Changes:
  pcs (0.10.1-2+deb10u1) buster-security; urgency=high
  .
* d/patches: add fix for CVE-2022-1049




Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Chris Lamb
Hi Moritz,

> In the case of DLA uploads you should rather even wait a little longer;
> since there's no queue and if you've made a source upload for a large
> package it might take some time until it's built.

Ah, that makes sense. Because of that, I'll actually block
announcements until the package appears in the archive as you suggest;
previously I was merely waiting an arbitrary amount of time.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Santiago R.R.
On 14/09/22 at 13:58, Emilio Pozuelo Monfort wrote:
> On 13/09/2022 16:46, Sylvain Beucler wrote:
> > Hi,
> > 
> > IIUC this is about fixing 2 non-security bugs, that were introduced
> > prior to buster's initial release.
> > 
> > I personally don't think this fits the LTS project scope.
> > Maybe other LTS members will have a different opinion.
> 
> We've had bugfix updates from time to time. They are rare, but not
> forbidden. This should go in a buster suite rather than buster-security, but
> since there's no such suite for LTS, having it in buster-security is the
> lesser evil. Of course we shouldn't flood -security with bug fixes, if that
> was necessary we should consider keeping $stable open and handled by the LTS
> team (but that doesn't seem necessary at this point).
> 
> In this case, since the update has been prepared and looks sensible, I'll go
> ahead with the upload if nobody objects.
> 

Thanks, Emilio. Also consider
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961654#15

Haven't tested yet myself. But I suppose I should apply it in unstable.

Cheers,

 -- S




Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Chris Frey
On Wed, Sep 14, 2022 at 01:54:40PM +0200, Emilio Pozuelo Monfort wrote:
> Your top-commit looks very similar to the one from Santiago on [1]. I'd
> rather use that to give him credit as he proposed the fix first (plus using
> CPPFLAGS seems more correct for this flag). In addition to that, the commit
> misses his follow-up fix in [2]. I'm going to consider that last debdiff
> from him for an upload to buster. Thanks in any case for looking at it (and
> coming up with a similar fix) and for testing the update.

No problem, thank you!

- Chris



Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Emilio Pozuelo Monfort

On 13/09/2022 16:46, Sylvain Beucler wrote:
> Hi,
>
> IIUC this is about fixing 2 non-security bugs, that were introduced prior to
> buster's initial release.
>
> I personally don't think this fits the LTS project scope.
> Maybe other LTS members will have a different opinion.


We've had bugfix updates from time to time. They are rare, but not forbidden. 
This should go in a buster suite rather than buster-security, but since there's 
no such suite for LTS, having it in buster-security is the lesser evil. Of 
course we shouldn't flood -security with bug fixes, if that was necessary we 
should consider keeping $stable open and handled by the LTS team (but that 
doesn't seem necessary at this point).


In this case, since the update has been prepared and looks sensible, I'll go 
ahead with the upload if nobody objects.


Cheers,
Emilio



Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Emilio Pozuelo Monfort

Hi Chris,

On 14/09/2022 05:48, Chris Frey wrote:
> On the other hand, the fix has been known since 2019 and looks like a
> prime problem for an LTS newbie volunteer like me.
>
> I have created the fix based on the Debian/bzip2 repo, the fix is in
> the debian/buster branch.
>
> git clone http://digon.foursquare.net/debian-buster-bzip2/.git

Your top-commit looks very similar to the one from Santiago on [1]. I'd rather
use that to give him credit as he proposed the fix first (plus using CPPFLAGS
seems more correct for this flag). In addition to that, the commit misses his
follow-up fix in [2]. I'm going to consider that last debdiff from him for an
upload to buster. Thanks in any case for looking at it (and coming up with a
similar fix) and for testing the update.

Cheers,
Emilio

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=961654;filename=bzip2_1.0.6-9.2~deb10u2.debdiff;msg=5
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=961654;filename=bzip2_1.0.6-9.2~deb10u2.debdiff;msg=10

> I have tested it on a 32-bit buster, and it works on +2g files.
>
> I do not have privileges to push this to any server yet, so feel free to
> tweak the changelog and claim it as your own, whoever wishes to upload it.
>
> - Chris
>
> On Tue, Sep 13, 2022 at 04:46:14PM +0200, Sylvain Beucler wrote:
> > Hi,
> >
> > IIUC this is about fixing 2 non-security bugs, that were introduced prior to
> > buster's initial release.
> >
> > I personally don't think this fits the LTS project scope.
> > Maybe other LTS members will have a different opinion.
> >
> > Cheers!
> > Sylvain Beucler
> > Debian LTS Team
> >
> > On 13/09/2022 15:27, Santiago R.R. wrote:
> > > On 10/09/22 at 19:11, Adam D. Barratt wrote:
> > > > On Wed, 2020-05-27 at 11:56 +0200, Santiago R.R. wrote:
> > > > > Since 1.0.6-9, bzip2 was built without the -D_FILE_OFFSET_BITS=64
> > > > > CPPFLAG, and so it's not able to handle > 2GB files in 32-bit archs.
> > > > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944557
> > > > >
> > > > > I've uploaded a fixed version to unstable yesterday. It would be
> > > > > great to fix it also in buster. Please, consider the attached debdiff.
> > > > > Would it be OK for you to upload it?
> > > >
> > > > Apologies for apparently letting this sit unanswered. (FTR there was a
> > > > reply from a non-SRM member 18 months ago.)
> > >
> > > And I am sorry I missed that answer.
> > >
> > > > The final point release for buster has now happened, so any further
> > > > updates to packages in buster will need to be handled via LTS. I'm
> > > > therefore going to close this request now.
> > >
> > > [snip]
> > >
> > > I am forwarding this to the LTS folks, so they can decide about this
> > > change.





Re: Updating OpenStack compute (aka src:nova) in Buster

2022-09-14 Thread Emilio Pozuelo Monfort

Hi Thomas,

On 11/09/2022 12:50, Thomas Goirand wrote:
> Hi,
>
> In the OpenStack team git, there are updates for nova 2:18.1.0-6+deb10u1
> (CVE-2019-14433/ OSSA-2019-003). Can someone pick it up and upload it to Buster?
> It was never accepted in Buster due to the difficulties communicating with the
> Stable release team (too slow response, etc. that leads to /me giving up...).
> Though IMO, it'd be a very good candidate for buster LTS.
>
> The latest Buster version is in the debian/rocky branch at:
> https://salsa.debian.org/openstack-team/services/nova/
>
> How to proceed? Can I simply upload the normal way? Is there a 3rd party peer
> reviewing accepting / rejecting uploads for LTS?


I have taken a look at the package, and am a bit uneasy at the debconf changes,
as I'm not particularly well versed in that front. I have done some piuparts 
testing, and at least that works well, though that's non-interactive so perhaps 
it's not fully testing that part. However given that you have tested that change 
(as well as the others) and that the changes are in bullseye, I think we can go 
ahead with it. Please upload a _source.changes to security-master targeting 
buster-security, and I can help or take care of the paperwork.


Cheers,
Emilio



Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Moritz Muehlenhoff
On Wed, Sep 14, 2022 at 11:34:57AM +0200, Santiago Ruano Rincón wrote:
> If I am not wrong, DLAs should be claimed/announced once the upload has
> been completed and accepted. I think this is documented here:
> 
> https://wiki.debian.org/LTS/Development#Announce_the_update
> 
> "Only when you have confirmed that the package was processed after
> upload (once you get the accept email) should you send the DLA to the
> mailing list. "

In the case of DLA uploads you should rather even wait a little longer;
since there's no queue and if you've made a source upload for a large
package it might take some time until it's built.

If you send the DLA mail too early (at least wait until amd64 is uploaded
by the buildds for an arch:any package), people will get confused that
no update is available.

Cheers,
Moritz



Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Holger Levsen
On Tue, Sep 13, 2022 at 04:46:14PM +0200, Sylvain Beucler wrote:
> IIUC this is about fixing 2 non-security bugs, that were introduced prior to
> buster's initial release.
> 
> I personally don't think this fits the LTS project scope.
> Maybe other LTS members will have a different opinion.

I do think it can be sensible to fix important, non security related
bugs in LTS. Not being able to deal with files >2gb certainly is a bug
of important severity.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If nothing saves us from death, may love at least save us from life.




Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Santiago Ruano Rincón
On 14/09/22 at 08:04, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> >> Did you forget to upload this? I don't see any sqlite3 update in 
> >> buster-security (or maybe it was rejected or something).
> >
> > I didn't forget. Rather, it was REJECTED late last night and I re-
> > uploaded first thing this morning.
> 
> ... and I just got the ACCEPTED. :)
> 

Sorry for chiming in here…

If I am not wrong, DLAs should be claimed/announced once the upload has
been completed and accepted. I think this is documented here:

https://wiki.debian.org/LTS/Development#Announce_the_update

"Only when you have confirmed that the package was processed after
upload (once you get the accept email) should you send the DLA to the
mailing list. "

HTH,

Cheers,

 -- S




Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Chris Lamb
Chris Lamb wrote:

>> Did you forget to upload this? I don't see any sqlite3 update in 
>> buster-security (or maybe it was rejected or something).
>
> I didn't forget. Rather, it was REJECTED late last night and I re-
> uploaded first thing this morning.

... and I just got the ACCEPTED. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-