Re: Companies contact team@security?

2014-05-20 Thread Holger Levsen
Hi Korte,

On Saturday, 17 May 2014, ko...@free.de wrote:
> https://wiki.debian.org/LTS/Development mentions
> 
> "Companies using Debian who are interested in aiding this effort should
> contact t...@security.debian.org"
> 
> Is this still up to date or should it be replaced with debian-lts?

it should be updated, yes.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: Draft announce of Debian 6 LTS, please review quickly

2014-06-13 Thread Holger Levsen
Hi,

On Friday, 13 June 2014, Raphael Hertzog wrote:
> Please review the attached draft, share your comments and let me know if I
> missed your company.

I don't like the focus / expressed view that LTS is made possible by 
sponsoring organisations rather than volunteers. I think it sets a bad 
precedent.

Not only does the existing text emphasize this company support, it also 
completely lacks mentioning volunteers and thanking them for their work.

And this despite the fact that, as far as I know, all LTS work has been voluntary so far.


cheers,
Holger, who also wants to offer his work for hire for LTS but so far
failed to introduce himself on this list properly ;) Probably cause
I've been too busy with volunteer work - I guess I should stop that
and focus on making money instead.




Re: Draft announce of Debian 6 LTS, please review quickly

2014-06-13 Thread Holger Levsen
Hi Raphael,

On Friday, 13 June 2014, Raphael Hertzog wrote:
> Here's my suggestion. Replace the 2nd paragraph with this:
[...]
> Holger, does that sound ok to you?

sounds a lot better to me! thanks!


cheers,
Holger




Re: LTS / DebConf

2014-07-02 Thread Holger Levsen
Hi,

On Tuesday, 1 July 2014, j...@debian.org wrote:
> Is anyone of the people working on LTS going to DebConf in August? (I
> won't)

I'll be there.
 
> It would be good to submit a talk to spread the word how to contribute
> and where to go from here.

I can certainly contribute to it and possibly (co-)give the talk.

Shall we start with some slides in our git repo?


cheers,
Holger






Re: LTS / DebConf

2014-07-07 Thread Holger Levsen
Hi,

On Wednesday, 2 July 2014, Moritz Mühlenhoff wrote:
> I can prepare preliminary slides as a basis.

Cool.

I've submitted an event now, so far boringly titled "Debian Long Term Support" 
with the description "What is the Debian LTS, what are the experiences so far, 
what are the plans and expectations?" and https://wiki.debian.org/LTS as URL.

Anything else/better?


cheers,
Holger






Re: LTS / DebConf

2014-07-07 Thread Holger Levsen
Hi,

I forgot the URL for adding yourself to the event, should you want to 
participate and be there:

https://summit.debconf.org/debconf14/meeting/92/debian-long-term-support/


cheers,
Holger




Re: squeeze-lts and the security tracker

2014-07-08 Thread Holger Levsen
Hi Florian, 

On Wednesday, 2 July 2014, Moritz Mühlenhoff wrote:
> > You need the following in addition to the existing source entries for
> > squeeze (as long as squeeze-lts is active, squeeze won't be moved
> > to archive.debian.org)
> > 
> > deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
> > deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
> 
> Did you have a chance to look into it?
> Currently tracking issues for squeeze-lts is slightly complicated.

ping, what Moritz said is still true, fixing it would be much appreciated!


cheers,
Holger




LTS-ID : LTS6A-2014-015

2014-07-12 Thread Holger Levsen
Hi,

I've refrained from adding "LTS6A-2014-015" to the subject of the linux-2.6 
announcement, as well as from including it in the body. But I think we should 
have some ID there, and I propose to use "Long Term Support for Debian 6 
Announcement", or short, LTS6A for this.

What do you think?


cheers,
Holger




Re: LTS-ID : LTS6A-2014-015

2014-07-13 Thread Holger Levsen
Hi,

On Saturday, 12 July 2014, Holger Levsen wrote:
> I've refrained from adding "LTS6A-2014-015" to the subject of the linux-2.6
> announcement, as well as from including it in the body. But I think we
> should have some ID there, and I propose to use "Long Term Support for
> Debian 6 Announcement", or short, LTS6A for this.

possible variations would be "LTS6" or "ALTS6" or just "LTS", but considering 
that we might see LTS for two versions at once and/or that some people will 
only be interested in a certain LTS flavor, I'd suggest to include the major 
release number in the prefix. Besides that I don't really care much which 
prefix we choose, just that we use an id system at all.


cheers,
Holger




Re: LTS-ID : LTS6A-2014-015

2014-07-13 Thread Holger Levsen
Hi,

On Sunday, 13 July 2014, Thorsten Alteholz wrote:
> > Why not simply LTS-0008 (or whatever number this one is)?
> How do you sync two people working on different packages?

I'd suggest to pre-allocate them via a file in git.
 
> As all (most?) LTS updates have a corresponding DSA number why not simply
> replace DSA by LTS?

the linux-2.6 update is my first counterexample, I'm sure there will be more.


cheers,
Holger






Re: LTS-ID : LTS6A-2014-015

2014-07-13 Thread Holger Levsen
Hi,

On Sunday, 13 July 2014, Thorsten Alteholz wrote:
> Hmm, according to your announce this upload fixes CVE-2014-4699 which has
> DSA-2972-1.
> Or DSA-2949-1 for CVE-2014-3145.

so let's roll the dice? IMO there is no problem / much overhead in keeping 
track of some IDs and there are some issues with the idea of reusing DSA IDs.

> In this case maybe the latest one would be the best.

what about cases where stable ain't affected?


cheers,
Holger






Re: LTS-ID : LTS6A-2014-015

2014-07-14 Thread Holger Levsen
Hi,

On Monday, 14 July 2014, Michael Gilbert wrote:
> I just committed an initial list of the existing LTS announcements to
> data/DLA/list, using the same style as data/DSA/list in
> secure-testing. I chose DLA based on the name of the
> Debian-Lts-Announce mailing list.

ok, let's settle on that then. I've just committed reservations for libxml2 
and tor, thus bcc:ing Thorsten and Petter to be double-sure they get the news: 
 
secure-testing$ svn diff
Index: data/DLA/list
===
--- data/DLA/list   (revision 27711)
+++ data/DLA/list   (working copy)
@@ -1,3 +1,5 @@
+reserved DLA-0017-1 tor - new upstream version
+reserved DLA-0016-1 libxml2 - security update
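Review bot: the two `+reserved DLA-00NN-1` lines introduce a `reserved` keyword in place of the leading field the rest of data/DLA/list carries (Michael's commit copied the data/DSA/list style), so any syntax check or loader run over the file has to accept a header line that starts with that word, otherwise the first reservation breaks the check for everyone who updates. The hunk header `@@ -1,3 +1,5 @@` also announces three context lines that are not shown, so the hunk as pasted here is not applicable on its own; the committed diff is presumably complete.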

Please use those IDs when mailing debian-lts-annou...@lists.debian.org

> You can now pre-declare an LTS number there while you're preparing it,
> and whoever commits first gets the number. It would be nice to refactor
> bin/gen-DSA to make updating the DLA data more automated, but I'm not
> planning to do that.

That would indeed be nice, maybe we can have a LTS work session at dc14?


cheers,
Holger




DLA documented

2014-07-14 Thread Holger Levsen
Hi,

I went ahead and explained LTS and DLA in https://wiki.debian.org/Glossary#LTS 
and https://wiki.debian.org/Glossary#DLA (and redefined DLA to mean "Debian 
LTS Advisory") and also explained DLA ID handling at 
https://wiki.debian.org/LTS/Development 


cheers,
Holger




Re: DLA documented

2014-07-14 Thread Holger Levsen
Hi,

Alexander Wirt just offered/suggested to reject mails not conforming to a 
certain subject format (eg including a DLA ID) as well as unsigned mails. (I'd 
suggest to only allow mails signed by keys able to upload.)

If we want this, we should file a wishlist bug against lists.d.o - do we?
IMO yes.


cheers,
Holger




Re: DLA documented

2014-07-14 Thread Holger Levsen
Hi,

On Monday, 14 July 2014, Moritz Mühlenhoff wrote:
> I thought "signed by a DD" is already a requirement for the LTS announce
> list?

yes, it is (as Alexander already privately confirmed).


cheers,
Holger





Re: DLA documented

2014-07-15 Thread Holger Levsen
Hi,

On Tuesday, 15 July 2014, Moritz Muehlenhoff wrote:
> I don't think we should impose restrictions on the format of the mails.

I think we absolutely should. We want consistent announcements, don't we?

> If
> we want to welcome maintainers not part of the LTS team to take care of
> packages in Debian LTS, we should not make this needlessly difficult.

Sure! But I think we can do both.

> Let's not mimic the existing security.debian.org infrastructure too much,
> but rather have a look at how we can create cleaner solutions from scratch
> (and retrofit them into security.debian.org once they've proven
> themselves):

I also agree with this.

> If IDs are important to people to have a specific identifier, we should
> rather solve this technically: The script which checks the PGP signature
> could simply increment the ID internally and rewrite the subject with [DLA
> $ID]. This saves people from all hassle with allocating IDs and it's free
> of race conditions in assigning IDs.

listmasters, how feasible do you think it is? I'm all for automating the 
generation of proper announcements! (But I also think that we should use other 
means to achieve consistent announcements until we get there.)


cheers,
Holger




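The id handling argued over in this thread and in the LTS-ID thread above, in working form: numbers are pre-allocated in a list file under version control, the first committer owns the number, a duplicate check catches the loser of the race Moritz describes, and the announcement subject is derived from the allocated id. This is an added example, not code from the security tracker or from bin/gen-DLA. The header-line format is an assumption modelled on the `reserved DLA-0017-1 tor - ...` lines quoted earlier and on the data/DSA/list style; the sample list, its dates and its numbers are constructed.

```python
import re
from collections import Counter

# Header line of one advisory. Two forms are assumed here: the placeholder
# "reserved DLA-NNNN-R pkg - desc" quoted in the thread, and a released entry
# "[DD Mon YYYY] DLA-NNNN-R pkg - desc" modelled on data/DSA/list (the date
# form is an assumption). Indented continuation lines ({CVE-...},
# [squeeze] - ...) belong to the entry above them and are skipped here.
HEADER_RE = re.compile(
    r"^(?:(?P<reserved>reserved)|\[(?P<date>[^\]]+)\])\s+"
    r"DLA-(?P<num>\d+)-(?P<rev>\d+)\s+(?P<pkg>\S+)\s+-\s+(?P<desc>.+)$"
)

# Constructed sample in that format; only the package names come from the
# thread, the numbers and the date are made up.
SAMPLE_LIST = """\
reserved DLA-0017-1 tor - new upstream version
reserved DLA-0016-1 libxml2 - security update
[12 Jul 2014] DLA-0015-1 linux-2.6 - security update
\t{CVE-2014-4699}
"""


def parse_dla_list(text):
    """Return one dict per advisory header, in file order (newest first)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in " \t":
            continue  # blank line or continuation line of the previous entry
        m = HEADER_RE.match(line)
        if m is None:
            raise ValueError("line %d: unrecognised DLA entry: %r" % (lineno, line))
        entries.append({
            "num": int(m.group("num")),
            "rev": int(m.group("rev")),
            "pkg": m.group("pkg"),
            "desc": m.group("desc"),
            "reserved": m.group("reserved") is not None,
        })
    return entries


def find_duplicate_ids(entries):
    """(num, rev) pairs used more than once: what a merge of two concurrent
    reservations of the same id looks like, the race the thread worries about."""
    counts = Counter((e["num"], e["rev"]) for e in entries)
    return sorted(key for key, n in counts.items() if n > 1)


def next_dla_number(entries):
    """One above the highest number in use, released or reserved."""
    return max((e["num"] for e in entries), default=0) + 1


def reserve(text, pkg, desc):
    """Prepend a reservation line and return (new_text, dla_id).

    Whoever commits the result first owns the number; a later committer whose
    copy reserved the same number is caught by find_duplicate_ids once the
    merged file is parsed again."""
    entries = parse_dla_list(text)
    dups = find_duplicate_ids(entries)
    if dups:
        raise ValueError("duplicate ids already in file: %r" % dups)
    dla_id = "DLA-%04d-1" % next_dla_number(entries)
    return "reserved %s %s - %s\n%s" % (dla_id, pkg, desc, text), dla_id


def announce_subject(dla_id, pkg, desc):
    """Subject in the style later used on the list ("[DLA 20-1] munin security
    update"): the file's zero padding is dropped in the subject."""
    m = re.fullmatch(r"DLA-(\d+)-(\d+)", dla_id)
    if m is None:
        raise ValueError("not a DLA id: %r" % dla_id)
    return "[DLA %d-%s] %s %s" % (int(m.group(1)), m.group(2), pkg, desc)


if __name__ == "__main__":
    text, dla_id = reserve(SAMPLE_LIST, "file", "security update")
    print(text)
    print(announce_subject(dla_id, "file", "security update"))
```

The duplicate check is the part worth keeping whichever allocation scheme wins: after a merge it turns two people picking the same number into a failed syntax check instead of two advisories sharing an id.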


Re: User Q: Lenny -> Squeeze ; unverified packages reported by apt

2014-07-21 Thread Holger Levsen
Hi Ron,

On Monday, 21 July 2014, Ron Leach wrote:
> List, good evening, I am a user, not a developer, and let me apologise
> if this is the wrong list to ask a question.
> 
> We've been running a Lenny server for some years, which we've now
> taken offline to upgrade to Wheezy, a process which Debian strongly
> recommends is done in 2 stages, 1st stage an upgrade to Squeeze.

if you plan to upgrade to wheezy anyway and just use squeeze as an 
intermediate step in between, I'd suggest not to bother with squeeze-lts at 
all. Just upgrade to squeeze and then to wheezy.


cheers,
Holger




Re: DLA documented

2014-07-22 Thread Holger Levsen
Hi,

(adding listmasters@ to cc: again...)

On Friday, 18 July 2014, Moritz Mühlenhoff wrote:
> > > I don't think we should impose restrictions on the format of the mails.
> > I think we absolutely should. We want consistent announcements, don't we?
> Not at the price of scaring away occasional LTS contributors, no.

well, we'll pay the price of looking incompetent in exchange (as mails with 
"broken subjects" or context will happen). I hate(d) to see those on the DSA 
list (as it makes Debian security look bad, IMO) and I won't like to see these 
mistakes with DLAs. 

Also I'm not convinced a bouncing mail will scare away contributors for real.
 
> Since the moderation scripts don't send error bounces, every misformatted
> mail ends up in a black hole.

This doesn't sound like an unfixable problem. (?)


All this said, I won't insist now, getting work done is definitely more 
important than endless arguing.


cheers,
Holger






Re: gen-DLA (was: Re: LTS-ID : LTS6A-2014-015)

2014-07-22 Thread Holger Levsen
Hi,

On Tuesday, 22 July 2014, Raphael Geissert wrote:
> > +reserved DLA-0017-1 tor - new upstream version
> > +reserved DLA-0016-1 libxml2 - security update
> Could we please not have those "reserved" ids? just add the entry and use
> it.

sure. I think the distinction / meaning of "reserved" is just "unreleased"...
 
> I've just made a copy of gen-DSA, s/DSA/DLA;s/dsa/dla/ and removed some
> bits. It works as it is, so please use it - will have a look another day to
> merge the two into a single script to avoid code duplication.

very cool!
 
> As for having a work session during DC14... why not, but please let's cut
> the blabla down, as e.g. it took me more time to find and read all of this
> thread and the other, related, one than to get a working gen-DLA.

sure! :) how/when shall we schedule it?


cheers,
Holger






DLA27/file, delayed upload due to network outage

2014-07-31 Thread Holger Levsen
Hi,

so I sent out the announcement for DLA27/file and then I wanted to upload the 
ready package and my network connection broke :-/

I now realize that wiki.d.o/LTS/Development suggests to first upload, then 
send mail... mea culpa, I'm sorry.


cheers,
Holger




python2.6 update

2014-08-01 Thread Holger Levsen
Hi,

as Raphael Geissert who did the python2.6 update is not on irc, some quotes 
from #debian-lts:

[16:40] < Pepper>  Hi! Is there a regression in python2.6?
[16:40] < Pepper>  I'm getting  File "/usr/lib/python2.6/random.py", line 47, 
in 
[16:40] < Pepper>  from os import urandom as _urandom
[16:40] < Pepper>  ImportError: cannot import name urandom
[16:40] < Pepper> Happens on lts version: python2.6_2.6.6-8+deb6u1
[16:43] <  h01ger> | Pepper: hi. i've no idea about your specific problem 
but i forwarded it to the person who did the update and told him 
  to join here
[16:44] < Pepper> | h01ger: thx.
[16:46] <  h01ger> | Pepper: if nothing happens in 30-60m i suggest to 
mail debian-lts@lists.debian.org about that problem
[16:46] <  h01ger> | (that list is publically archived)
[16:46] < Pepper> is reporting a bug about a lts package ok too?
[16:48] <  h01ger> | sure
[16:48] < Pepper> will do some tests an report a bug if it doesn't clear 
things up... thx for help
[22:47] < weasel> 20:09:35> so
[22:47] < weasel> 20:09:39> the python update really broke stuff
[22:47] < weasel> 20:09:44> snapshot-sibelius for instance

Raphael told me privately that he couldn't reproduce Pepper's problem, so 
hints on how to reproduce the problem(s) are welcome!


cheers,
Holger




Re: squeeze-lts and the security tracker

2014-08-05 Thread Holger Levsen
Hi Florian,

On Tuesday, 8 July 2014, Holger Levsen wrote:
> On Wednesday, 2 July 2014, Moritz Mühlenhoff wrote:
> > > You need the following in addition to the existing source entries for
> > > squeeze (as long as squeeze-lts is active, squeeze won't be moved
> > > to archive.debian.org)
> > > 
> > > deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
> > > deb-src http://http.debian.net/debian/ squeeze-lts main contrib
> > > non-free
> > 
> > Did you have a chance to look into it?
> > Currently tracking issues for squeeze-lts is slightly complicated.
> 
> ping, what Moritz said is still true, fixing it would be much appreciated!

ping, almost a month later... :/

Having the oldstable tracker working would be really useful to pick packages 
to work on...

Isn't it just 5m work for you to enable it?


cheers,
Holger






Re: squeeze-lts and the security tracker

2014-08-06 Thread Holger Levsen
Hi Florian,

On Tuesday, 5 August 2014, Florian Weimer wrote:
> > Having the oldstable tracker working would be really useful to pick
> > packages to work on...
> There's some code that assumes that oldstable has a security archive,
> which is not quite true for LTS. The LTS archive has to be configured
> in addition to the existing archives, so it's not just a matter of
> swapping out some URLs.

where's the repo for that code?

would creating an (empty) lts security archive be easier?


cheers,
Holger






Re: [DLA 20-1] munin security update

2014-08-08 Thread Holger Levsen
Hi Vincent,

thanks for your feedback!

On Friday, 8 August 2014, Vincent Bernat wrote:
> >>plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now
> >>- please report plugins that are still using
> >>/var/lib/munin/plugin-state/ - as those  might pose a security risk!
> This change broke the crontab for /etc/munin/plugins/apt_all. Can we
> use the BTS to report that?

Yes, you could, but there is one already:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720275

This has been finally fixed by git commit b80f5f72 and previously papered 
over with f356fb30 - I'll probably release a fix for squeeze-lts using 
b80f5f72 later today.


cheers,
Holger




Re: squeeze-lts and the security tracker

2014-08-08 Thread Holger Levsen
Hi,

On Wednesday, 6 August 2014, Michael Gilbert wrote:
> > svn://anonscm.debian.org/svn/secure-testing
> > (as listed on the bottom of the security-tracker pages)
> 
> In particular the Makefile, which fetches and parses the package archive
> data.

$ svn diff
Index: Makefile
===
--- Makefile(revision 28144)
+++ Makefile(working copy)
@@ -150,6 +150,20 @@
  done ; \
done
 
+LTS_MIRROR = http://ftp.de.debian.org/debian/dists
+update-lts: update-lts-$(OLDSTABLE)
+
+update-lts-$(OLDSTABLE):
+   set -e && archive=$(shell echo $@ | cut -d- -f3) ; \
+ for arch in $($(shell echo $@ | cut -d- -f3)_ARCHS) ; do \
+   $(PYTHON) bin/apt-update-file \
+ $(LTS_MIRROR)/$${archive}-lts/main/binary-$$arch/Packages \
+ data/packages/$${archive}-lts__main_$${arch}_Packages ; \
+ done ; \
+ $(PYTHON) bin/apt-update-file \
+ $(LTS_MIRROR)/$${archive}-lts/main/source/Sources \
+ data/packages/$${archive}-lts__main_Sources ; \
+
 BACKPORTS_MIRROR = http://ftp.de.debian.org/debian-backports/dists
 update-backports: update-backports-$(STABLE) update-backports-$(OLDSTABLE)
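Review bot: `update-lts-$(OLDSTABLE)` iterates over `$(squeeze_ARCHS)` (through `$($(shell echo $@ | cut -d- -f3)_ARCHS)`), the full squeeze architecture list, but squeeze-lts is only built for a subset (the later patch in this thread introduces `squeeze_LTS_ARCHS = amd64 i386` for exactly that reason), so the loop requests Packages files for architectures the suite does not have and `set -e` aborts the recipe on the first failure; give LTS its own arch list. The recipe also fetches only `main`, while the sources.list lines quoted earlier in the thread (`squeeze-lts main contrib non-free`) and the existing `update-old-security` target cover contrib and non-free as well, so LTS updates in those sections would stay invisible to the tracker. The Sources line ends in `; \` followed by an empty `+` line, a dangling continuation; drop the trailing `; \` and the blank line. And, as the text below the diff already says, nothing depends on `update-lts`, so the target never runs.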


But then, this target (copied from update-backports(-*)) is never called, just 
like update-backports. doc/security-team.d.o/security_tracker only mentions 
the update-stable target...

So there must be something missing here.


cheers,
Holger





Re: squeeze-lts and the security tracker

2014-08-09 Thread Holger Levsen
Hi,

On Saturday, 9 August 2014, Salvatore Bonaccorso wrote:
> http://security-team.debian.org/security_tracker.html#setting-up-a-local-t
> esting-instance

ah, thanks. Though I managed to set it up already and partly have support for 
lts locally already :)

Will post patches soon.


cheers,
Holger






Debian LTS - impressions and thoughts from my first month involvement

2014-08-19 Thread Holger Levsen
# Debian LTS - impressions and thoughts from my first month involvement

originally posted at 
http://layer-acht.org/thinking/blog/20140819-lts-july-2014/

## About LTS - we want feedback and more companies supporting it financially

Squeeze LTS, and even more [Debian LTS](https://wiki.debian.org/LTS), is a 
pretty young project, started in May 2014, so it's still a bit unclear where 
exactly we'll be going :) One purpose of this post is to spread some 
information about the initiative and invite you to tell us what you think 
about it or what your needs are. 

LTS stands for "Long Term Support" and the goal of the project is to extend 
the security support for Squeeze (aka the current oldstable distribution) by 
two years. If it weren't for Squeeze LTS, the security support for it would 
have been stopped in May 2014 (=one year after the release of the current 
stable distribution), which for many is too short a timespan after its 
release in February 2011. It's an experiment, we hope that there will be a 
similar Wheezy LTS initiative in future, but the future is unwritten and 
things will change based on our experiences and your needs. 

If you have feedback on the direction LTS should take (or anything else LTS 
related), please comment on the [lts mailing list](https://lists.debian.org/debian-lts/). 
For immediate feedback there is also the #debian-lts IRC channel.

Another quite pragmatic way to express your needs is to [read more about how 
to financially contribute to LTS](http://www.freexian.com/services/debian-lts.html) 
and then do exactly that - and unsurprisingly we are prioritizing 
the updates based on the needs expressed by our paying customers.

## My LTS work in July 2014

So, "somehow" I started working for money on Debian LTS in July, which means 
there were 10h I got paid, and probably another 10h where I did LTS related 
work unpaid. I used those to release four updates for squeeze-lts 
([linux-2.6](https://lists.debian.org/debian-lts-announce/2014/07/msg2.html), 
[file](https://lists.debian.org/debian-lts-announce/2014/07/msg00013.html), 
[munin](https://lists.debian.org/debian-lts-announce/2014/08/msg4.html) and 
[reportbug](https://lists.debian.org/debian-lts-announce/2014/08/msg5.html)) 
fixing 22 CVEs in total. 

The unpaid work was mostly spent on unsuccessfully working on security updates 
and on adding support for LTS to the 
[security team tracker](https://security-tracker.debian.org/tracker/), 
which I improved but couldn't fully address and 
which I haven't properly shared / committed yet... but at least I have a local 
instance of the tracker now, which - for LTS - is more useful than the 
.debian.org one. Hopefully during DebConf14 we'll manage to fix the tracker 
for good.

Without success I've looked at libtasn1-3 (where the first fixes applied 
easily but then the code had changed too much from what was in squeeze 
compared to the available patches, so I gave up) and libxstream-java (which 
is at version 1.3, while patches exist for upstream branches 1.4 and 2.x, but 
those need newer java to build, and maybe if I spend two more hours I can 
get it to build, and then I'll have to find a useful test case, which looked 
quite difficult on a brief look.. so maybe I give up on libxstream-java too). 
OTOH, if you use it and can do some testing, please do tell me.

Working on all these updates turned out to be more team work than expected and 
a lot of work involving code (which I did expect), and often code which I'd 
normally not look at... similarly with tools: one has to deal with tools one 
doesn't like, eg I had to install cdbs... :-) And as I usually like challenges, 
this has actually been a lot of fun! Though it's also pretty cool to use 
common best practices, easy and understandable workflows. I love README.Source 
(or better yet, when it's not needed). And while git is of course really 
really great, it's still very desirable if your package builds twice (=many 
times) in a row, without resetting it via git.

## Some more observations

The first 16 updates (until July 19th) didn't have a DLA ID, until I suggested 
to introduce them and insisted until we agreed. So now we agreed to put the 
DLA ID in the subject of the announcement mails and there is also some tool 
support for generating the templates/mails, but enforcing proper subjects is 
not done, as silent bounces are useless (and non silent ones can be abused too 
easily). I'm not really happy about this, but who is happy with the way email 
works today? And I agree, it's not the end of the world if an LTS announcement 
is done without a proper ID, but it looks unprofessional and could be avoided, 
but we have more important work to do. But one day we should automate this 
better.

Another detail I'm not entirely happy with is the policy/current decision that 
"almost everything is fine to upload if deemed sensible by the uploader" 
(which is everyone in the Debian upload keyring(s)). In d

Re: proposed wireshark_1.2.11-6+squeeze15 fixing multiple vulnerabilities

2014-08-20 Thread Holger Levsen
Hi Balint,

On Wednesday, 20 August 2014, Balint Reczey wrote:
> I have prepared a security update for the wireshark source package.

great.

> Please see the diffs attached.

and then, what do you want us to do? Review the patch? Test the package? 
Upload? All of that? Just some?

:)


cheers,
Holger




Re: Please add me to the secure-testing project

2014-08-20 Thread Holger Levsen
Hi,

On Wednesday, 20 August 2014, Salvatore Bonaccorso wrote:
> Could you check you can commit and ping again if it does not work?

he already commited stuff :) [Secure-testing-commits] r28376 -


cheers,
Holger






Bug#759727: patches for including LTS into security-tracker.d.o

2014-08-29 Thread Holger Levsen
package: security-tracker
severity: wishlist
tags: patch
x-debbugs-cc: debian-lts@lists.debian.org

Hi,

attached are my patches making the security-tracker aware of squeeze-lts. I've 
tested that in a local instance of the tracker and they work nicely.

I think they should be submitted as they are, and as Raphael suggested I send 
them here for review, I did that. Let me know if I shall commit :)

A few comments:

$ svn diff|diffstat
 Makefile |   23 -

fine, I think, I slightly dislike the variables squeeze_LTS_ARCHS and 
LTS_MIRROR as well as the update-lts* targets, but it does the trick. 

 bin/check-syntax |6 ++-
 bin/tracker_service.py   |2 +
 bin/update   |2 -
 bin/updatelist   |2 +
 lib/python/sectracker/parsers.py |   17 +

stupid codecopy, but hey, the loader for DTSAs was already a copy of the one 
for DSAs, so I figured adding one more wasn't too painful ;)

 lib/python/bugs.py   |   47 +--

stupid codecopy, similar to the one in parsers.py... ;)

 lib/python/sectracker_test/test_analyzers.py |1 
 lib/python/sectracker_test/test_parsers.py   |5 ++
 lib/python/security_db.py|   35 +---

here I use a trick to make the whole code easier: the release is changed from 
"squeeze-lts" to "squeeze" and subrelease is set to "lts", so that this 
matches the "security" suites. the other changes are then straightforward.

 10 files changed, 121 insertions(+), 19 deletions(-)

That's it.


cheers,
Holger
Index: Makefile
===
--- Makefile	(Revision 28502)
+++ Makefile	(Arbeitskopie)
@@ -7,6 +7,7 @@
 
 MIRROR = http://cdn.debian.net/debian/
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc kfreebsd-i386 kfreebsd-amd64
+squeeze_LTS_ARCHS = amd64 i386
 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x sparc kfreebsd-i386 kfreebsd-amd64
 jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x kfreebsd-i386 kfreebsd-amd64
 sid_ARCHS = amd64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips mipsel powerpc s390x sparc
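Review bot: `squeeze_LTS_ARCHS` is consumed only indirectly, through `$($(shell echo $@ | cut -d- -f3)_LTS_ARCHS)` in the `update-lts-$(OLDSTABLE)` recipe further down, so the `<release>_LTS_ARCHS` naming is load-bearing; a one-line comment next to the definition saying so would stop the next person from renaming it or adding a wheezy LTS list under a different pattern. Hardcoding `amd64 i386` is fine as long as the squeeze-lts suite really carries only those two.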
@@ -27,7 +28,7 @@
 test check: check-syntax
 
 check-syntax: stamps/CVE-syntax \
-	stamps/DSA-syntax stamps/DTSA-syntax
+	stamps/DSA-syntax stamps/DTSA-syntax stamps/DLA-syntax
 
 stamps/CVE-syntax: data/CVE/list bin/check-syntax $(PYTHON_MODULES)
 	$(PYTHON) bin/check-syntax CVE data/CVE/list
@@ -41,6 +42,10 @@
 	$(PYTHON) bin/check-syntax DTSA data/DTSA/list
 	touch $@
 
+stamps/DLA-syntax: data/DLA/list bin/check-syntax $(PYTHON_MODULES)
+	$(PYTHON) bin/check-syntax DLA data/DLA/list
+	touch $@
+
 .PHONY: serve
 serve:
 	@bash bin/test-web-server
@@ -136,7 +141,7 @@
 	  done ; \
 	done
 
-update-old-security:
+update-old-security: update-lts
 	for archive in $(OLDSTABLE); do \
 for section in main contrib non-free ; do \
 	$(PYTHON) bin/apt-update-file \
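Review bot: making `update-lts` a prerequisite of `update-old-security` ties the LTS fetch to whatever `$(OLDSTABLE)` currently is; once oldstable moves to a release without an `-lts` suite the fetch fails, and with `set -e` in that recipe it takes `update-old-security` down with it. Consider guarding the prerequisite on the LTS arch list being non-empty (the `$(OLDSTABLE)_LTS_ARCHS` variable this patch introduces is a natural switch) so releases without LTS simply skip it.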
@@ -150,6 +155,20 @@
 	  done ; \
 	done
 
+LTS_MIRROR = http://ftp.de.debian.org/debian/dists
+update-lts: update-lts-$(OLDSTABLE)
+
+update-lts-$(OLDSTABLE):
+	set -e && archive=$(shell echo $@ | cut -d- -f3) ; \
+	  for arch in $($(shell echo $@ | cut -d- -f3)_LTS_ARCHS) ; do \
+	$(PYTHON) bin/apt-update-file \
+	  $(LTS_MIRROR)/$${archive}-lts/main/binary-$$arch/Packages \
+	  data/packages/$${archive}-lts__main_$${arch}_Packages ; \
+	  done ; \
+	  $(PYTHON) bin/apt-update-file \
+	  $(LTS_MIRROR)/$${archive}-lts/main/source/Sources \
+	  data/packages/$${archive}-lts__main_Sources ; \
+
 BACKPORTS_MIRROR = http://ftp.de.debian.org/debian-backports/dists
 update-backports: update-backports-$(STABLE) update-backports-$(OLDSTABLE)
 
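Review bot: the `update-lts-$(OLDSTABLE)` recipe still fetches only `main`, although `update-old-security` just above it loops over `main contrib non-free` and the squeeze-lts sources.list lines quoted earlier in the thread list all three sections; contrib and non-free LTS updates would therefore never reach the tracker. The Sources line ends in `; \` followed by an empty `+` line, a dangling continuation that should go. `$(shell echo $@ | cut -d- -f3)` is evaluated twice to recover what is, given the target name, simply `$(OLDSTABLE)`; using the variable directly is clearer and avoids the subshell.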
Index: lib/python/security_db.py
===
--- lib/python/security_db.py	(Revision 28502)
+++ lib/python/security_db.py	(Arbeitskopie)
@@ -1,4 +1,4 @@
-# security_db.py -- simple, CVE-driven Debian security bugs database
+# lts_db.py -- simple, CVE-driven Debian security bugs database
 # Copyright (C) 2005 Florian Weimer 
 #
 # This program is free software; you can redistribute it and/or modify
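Review bot: the header comment change from `security_db.py` to `lts_db.py` looks like a leftover from a copied working file: the module is still lib/python/security_db.py, so the renamed comment is wrong and this hunk should be dropped from the patch.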
@@ -385,7 +385,7 @@
 AND NOT COALESCE((SELECT NOT vulnerable
 FROM source_packages AS secp, source_package_status AS secst
 WHERE secp.name = sp.name
-AND secp.release = '%s' AND secp.subrelease = 'security'
+AND secp.release = '%s' AND ( secp.subrelease = 'security' OR secp.subrelease = 'lts' )
 AND secp.archive = sp.archive
 AND secst.bug_name = st.bug_name
 AND secst.package = secp.rowid), 0)
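Review bot: `( secp.subrelease = 'security' OR secp.subrelease = 'lts' )` reads better as `secp.subrelease IN ('security', 'lts')`, but the real issue is that the scalar subquery `SELECT NOT vulnerable ...` can now match two rows for the same release (a security and an lts row) and returns whichever comes first, so a package fixed in one subrelease and still vulnerable in the other is reported inconsistently. Aggregate it (for instance `SELECT MAX(NOT vulnerable)`) so that "fixed in any subrelease" is what the query actually computes.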
@@ -555,6 +555,9 @@
 if unchanged:
 continue
 
+if release == '
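Review bot: this hunk is cut off in the archive after `+if release == '`, so the release/subrelease rewrite the mail describes (`squeeze-lts` stored as release `squeeze` with subrelease `lts`) cannot be reviewed here; the thing to check in the full version is that the rewrite happens before any code that keys on the release string, otherwise `squeeze-lts` rows land under a release name the rest of security_db.py does not know.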

Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Holger Levsen
package: security-tracker
severity: important
x-debbugs-cc: debian-lts@lists.debian.org

Hi,

the tracker doesn't show issues which are "only" closed in the security or lts 
subreleases as closed, as for example can be seen on 
https://security-tracker.debian.org/tracker/source-package/file

eg https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both 
wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file 
lists it as open.

(Pages like https://security-tracker.debian.org/tracker/CVE-2014-3478 
are also less clean, but at least they contain the right info visibly, just a 
bit scrambled.)

I believe the bug is in getBugsForSourcePackage() in lib/python/security_db.py 
but I couldn't yet wrap my head around it properly to fix it. 

There seem to be several functions (in security_db.py) which only deal with 
the releases (sid, jessie, wheezy, squeeze) but not the subreleases (security, 
lts).

I'd be happy to discuss this issue and possible strategies to fix it in either 
#debian-security or #debian-lts


cheers,
Holger


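A small model of what this bug report and the Bug#759727 patch before it describe, as an added example that is not the tracker's code: the suite name is split into release and subrelease the way the patch does it (squeeze-lts becomes release squeeze with subrelease lts, next to the existing security subreleases), and the "is this issue still open" query is run once counting only the security subrelease as a fix, which reproduces the bug, and once with lts included, which resolves it. The schema is a simplified assumption, the rows and versions are constructed, and only the CVE number and the package name come from the report.

```python
import sqlite3

# Simplified model of the two tracker tables the query in the patch touches.
# Assumption: the real schema in lib/python/security_db.py has more columns.
SCHEMA = """
CREATE TABLE source_packages (
    id INTEGER PRIMARY KEY, name TEXT, release TEXT, subrelease TEXT, version TEXT);
CREATE TABLE source_package_status (
    bug_name TEXT, package INTEGER REFERENCES source_packages(id), vulnerable INTEGER);
"""


def normalize_suite(suite):
    """Split an apt suite name into (release, subrelease) as the patch does:
    'squeeze-lts' -> ('squeeze', 'lts'), 'wheezy-security' ->
    ('wheezy', 'security'), a plain release -> (release, '')."""
    for sub in ("security", "lts"):
        if suite.endswith("-" + sub):
            return suite[: -len(sub) - 1], sub
    return suite, ""


# Constructed sample: CVE-2014-3478 in 'file' (the case from the report),
# vulnerable in the base suites, fixed in wheezy-security and squeeze-lts,
# never vulnerable in jessie. Versions are placeholders.
SAMPLE_ROWS = [
    ("file", "squeeze", "CVE-2014-3478", 1),
    ("file", "squeeze-lts", "CVE-2014-3478", 0),
    ("file", "wheezy", "CVE-2014-3478", 1),
    ("file", "wheezy-security", "CVE-2014-3478", 0),
    ("file", "jessie", "CVE-2014-3478", 0),
]


def load_sample():
    """In-memory database filled with SAMPLE_ROWS after suite normalisation."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, suite, cve, vulnerable in SAMPLE_ROWS:
        release, sub = normalize_suite(suite)
        cur = conn.execute(
            "INSERT INTO source_packages (name, release, subrelease, version) "
            "VALUES (?, ?, ?, ?)", (name, release, sub, "version-placeholder"))
        conn.execute("INSERT INTO source_package_status VALUES (?, ?, ?)",
                     (cve, cur.lastrowid, vulnerable))
    return conn


def open_issues(conn, package, fixing_subreleases):
    """(bug, release) pairs still open: vulnerable in the base release and not
    fixed in any of the given subreleases. Passing only ('security',) is the
    behaviour the report complains about; ('security', 'lts') is the fix.
    MAX() over the subrelease rows makes 'fixed in any of them' explicit even
    when both a security and an lts row exist for one release."""
    placeholders = ",".join("?" * len(fixing_subreleases))
    sql = """
        SELECT st.bug_name, sp.release
        FROM source_packages AS sp
        JOIN source_package_status AS st ON st.package = sp.id
        WHERE sp.name = ? AND sp.subrelease = '' AND st.vulnerable
          AND NOT COALESCE((SELECT MAX(secst.vulnerable = 0)
                            FROM source_packages AS secp
                            JOIN source_package_status AS secst
                              ON secst.package = secp.id
                            WHERE secp.name = sp.name
                              AND secp.release = sp.release
                              AND secp.subrelease IN (%s)
                              AND secst.bug_name = st.bug_name), 0)
        ORDER BY sp.release""" % placeholders
    return conn.execute(sql, (package,) + tuple(fixing_subreleases)).fetchall()


if __name__ == "__main__":
    db = load_sample()
    print("security only:", open_issues(db, "file", ("security",)))
    print("security+lts: ", open_issues(db, "file", ("security", "lts")))
```

The COALESCE(..., 0) wrapper is what makes a release with no security or lts row at all count as "still open", which is the intended reading for a release whose fix has not been uploaded anywhere.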


packages-to-support vs rails EOL

2014-09-17 Thread Holger Levsen
Hi,

debian-lts.git/packages-to-support lists rails with 1h/month, while the 
debian-security-support package (and the security-tracker) express that rails 
is unsupported in squeeze(-lts), because it's end-of-life.

So should rails be removed from debian-lts.git/packages-to-support?

If not, I don't think 1h/month is realistic...


cheers,
Holger




Re: packages-to-support vs rails EOL

2014-09-17 Thread Holger Levsen
Hi Raphael,

On Wednesday, 17 September 2014, Raphael Hertzog wrote:
> you're referring here to a non-public file that lists the packages that
> (some) sponsors of http://www.freexian.com/services/debian-lts.html have
> installed.
> 
> Thus I don't believe that this list is the proper place to discuss this.

I agree, apologies. LTS is very new in many regards...
 
> That said, the file is auto-generated from list of installed packages and
> I don't see the harm of having it listed in that file. As long as the
> security support status of that packages is clear, it will never appear in
> dla-needed.txt and nobody will spend work time on an unsupported package.

ok, so the contents of the debian-security-support package define what we 
support or not. Good. Thanks for clarifying. (That wasn't clear to me, as is 
evident from this thread.)

Thanks!


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: Security support of axis2c

2014-09-22 Thread Holger Levsen
Hi,

adding the security team to the loop :)

On Montag, 22. September 2014, Raphael Hertzog wrote:
> while going through the list of open CVE in oldstable I stumbled upon two
> issues concerning axis2c:
> https://security-tracker.debian.org/tracker/source-package/axis2c
> 
> None of those issues are fixed upstream and they are also not fixed
> in unstable. It looks like the software is mostly dead upstream with
> no new releases for years.
> 
> Shall we declare that axis2c is no longer supportable on squeeze?
> 
> If yes, what's the way to do that, opening a bug report against
> debian-security-support? (IIRC we used to drop the package
> from the release entirely during point releases but this
> is not possible here).

 
cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Bug#762715: dch: please add --lts option

2014-09-24 Thread Holger Levsen
package: devscripts
x-debbugs-cc: debian-lts@lists.debian.org
severity: wishlist

Hi,

please add a --lts option to dch.

This should 

- set the release to "debian-lts"
- insert "Non-maintainer upload by the Squeeze LTS Team." as the first
  changelog entry and 
- increment the version like this:
  - if a package already e.g. had a +squeeze1 update, use +squeeze2 for the
next update,
  - if a package hasn't seen an update, use +deb6u1 for the next update.

Thanks for maintaining devscripts!


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: [SECURITY] [DLA 62-1] nss security update

2014-09-25 Thread Holger Levsen
Hi,

to answer the original posters question (bcc:ed), iceape ain't supported
anymore, see 
https://lists.debian.org/debian-security-announce/2013/msg00233.html

On Donnerstag, 25. September 2014, Raphael Geissert wrote:
> Is this even accurate? squeeze's iceweasel should be using the system
> version of nss.

I concluded that from the fact that wheezy had an iceweasel update for this 
issue.
 
> So in spite of being EOL, insecure and rather useless on the internet...
> that old version of iceweasel should get "fixed" by the nss update.

hm, I should have probably left out that last sentence...


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: LTS for Debian 6.0.7

2014-09-29 Thread Holger Levsen
Hi Björn,

On Montag, 29. September 2014, Björn Daunfeldt wrote:
> I'm running Debian 6.0.7 on two servers, for me to use the latest
> updates(security for bash and future ones) for my system i need to get the
> lts repository if i understand it correct.
> 
> I'm wondering if what I wrote above is correct?

yes, see https://wiki.debian.org/LTS/Using


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Bug#763339: lintian: please recognize "squeeze-lts" as suite

2014-09-29 Thread Holger Levsen
package: lintian
severity: wishlist
x-debbugs-cc: debian-lts@lists.debian.org

Hi,

it would be great if lintian could recognize squeeze-lts as a valid suite.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


My LTS September

2014-10-01 Thread Holger Levsen
Hi,
In the beginning of September I spent quite some time fixing bugs in the 
[Debian Security Tracker](https://security-tracker.debian.org), which now, 
thanks to the awesome CSS from [Ulrike](https://qa.debian.org/developer.php?login=u...@451f.org) 
looks really good and 
professional! There are still some bugs to fix and features I'd like to add, 
e.g. the ability to in- and exclude (old)oldstable/lts/backports/nodsa/EOL 
everywhere. It was fun to squash #742382 #642987 #742855 #762214 #479727 
#610220 #611163 and #755800!

And then I also discovered dgit, as in "I've used it for the first time". It 
was so great, I immediately did a backport of it and uploaded it to 
wheezy-backports.

So during the last month these uploads I made to squeeze-lts:

 * [DLA 56-1] for wordpress, fixing CVE-2014-2053 CVE-2014-5204 CVE-2014-5205 
CVE-2014-5240 CVE-2014-5265 CVE-2014-5266
 * [DLA 57-1] for libstruts1.2-java, fixing CVE-2014-0114
 * [DLA 60-1] for icinga, fixing CVE-2013-7108 and CVE-2014-1878
 * [DLA 61-1] for libplack-perl, fixing CVE-2014-5269
 * [DLA 62-1] for nss, fixing CVE-2014-1568
 * [DLA 66-1] for apache2, fixing CVE-2013-6438 CVE-2014-0118 CVE-2014-0226 
CVE-2014-0231

Plus I filed #762715, asking the devscripts maintainers to 'add an --lts 
option to dch' and #763339 against lintian: please 'recognize "squeeze-lts" as 
suite'.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-03 Thread Holger Levsen
Hi,

On Dienstag, 17. Juni 2014, Evgeni Golov wrote:
> No, please *extend* the list. Not replace it.
> https://wiki.debian.org/LTS/Using
> 
> If you remove squeeze and/or squeeze security, dependencies will become
> unresolvable.

squeeze-security isn't needed, the last point release has happened and all 
packages have been moved from there to squeeze proper.

So only squeeze and squeeze-lts are needed.

I'm updating https://wiki.debian.org/LTS/Using to reflect this again.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-03 Thread Holger Levsen
Hi,

On Freitag, 3. Oktober 2014, Matus UHLAR - fantomas wrote:
> there are still packages that seem to be part of security updates, like
> bugzilla3 and openswan

I don't see these source packages in squeeze at all, where do you see them?


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-03 Thread Holger Levsen
Hi,

On Freitag, 3. Oktober 2014, Matus UHLAR - fantomas wrote:
> >On Freitag, 3. Oktober 2014, Matus UHLAR - fantomas wrote:
> >> there are still packages that seem to be part of security updates, like
> >> bugzilla3 and openswan
> https://packages.debian.org/search?keywords=openswan

oh, you found a bug in the archive: openswan was removed from squeeze on 
2014-07-19 as you can see https://packages.qa.debian.org/o/openswan.html and 
the same is true for https://packages.qa.debian.org/b/bugzilla.html

but/so these packages should also have been removed from oldstable-security, 
thus cc:ing the ftpmaster team, to make them aware. Shall I file a bug so that 
this doesn't get forgotten?

btw, installing the debian-security-support package would also have told you 
that these packages are not supported anymore. :-)


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-04 Thread Holger Levsen
Hi,

On Samstag, 4. Oktober 2014, Matus UHLAR - fantomas wrote:
> >btw, installing the debian-security-support package would also have told
> >you that these packages are not supported anymore. :-)
> I do have that one. well unfortunately it's not in wheezy yet.

there is a backport in wheezy-backports.


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-04 Thread Holger Levsen
Hi,

On Samstag, 4. Oktober 2014, Matus UHLAR - fantomas wrote:
> What about squeeze-updates (formerly volatile)?
> Are they still needed?

No.

> Are security fixes applied to packages in squeeze or squeeze-updates?

No.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: security.debian.org vs debian-lts repository

2014-10-08 Thread Holger Levsen
Hi Adam,

On Mittwoch, 8. Oktober 2014, Adam D. Barratt wrote:
> The real question is "if there are different packages in squeeze and
> squeeze-proposed-updates, to which one are security patches applied" and
> the obvious answer is squeeze-proposed-updates, as that's what will
> become squeeze at the next point release. (If the package in -updates is
> newer than squeeze, then it is either the same as or older than the
> package in proposed-updates; if the package in -updates is the same or
> older than squeeze then it's irrelevant).

do you think there will be another squeeze point release? I thought it was 
final, but you might know better ;)

> Updating openjdk-6 in LTS to a version > 6b27-1.12.5-1 will still cause
> the same problem, yes. I haven't checked the archive constraints for
> -lts, but certainly having it contain more recent packages than wheezy
> would at the very least break the principle of least surprise.

be surprised:

$ ssh coccia.debian.org dak ls debian-security-support
debian-security-support | 2014.09.07~bpo70+1 | wheezy-backports | source, all
debian-security-support | 2014.09.07 |  testing | source, all
debian-security-support | 2014.09.07 | unstable | source, all
debian-security-support |  2014.09.11~deb6u1 |  squeeze-lts | source, all
$ dpkg --compare-versions 2014.09.11~deb6u1 gt 2014.09.07 ; echo $?
0


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


testers wanted: tomcat6 packages

2014-11-21 Thread Holger Levsen
Hi,

http://layer-acht.org/tomcat6/ has updated tomcat6 6.0.41-2+squeeze5 packages 
for amd64, I'd be glad to see more testing. I'll add i386 .debs shortly.

Closes: 299635 608286 654136 659748 664072 665393 666256 668761 671373 677912 
682955 687818 692440 695250 713796 717279

 tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium
 .
   * Security upload by the Debian LTS team.
   * The full list of changes between 6.0.35 (the version previously available
 in squeeze) and 6.0.41 can be seen in the upstream changelog, which is
 available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
   * This update fixes the following security issues:
 - CVE-2014-0033: prevent remote attackers from conducting session
   fixation attacks via crafted URLs.
 - CVE-2013-4590: prevent "Tomcat internals" information leaks.
 - CVE-2013-4322: prevent remote attackers from doing denial of service
   attacks.
 - CVE-2013-4286: reject requests with multiple content-length headers or
   with a content-length header when chunked encoding is being used.
 - Avoid CVE-2013-1571 when generating Javadoc.
 - CVE-2012-3439: various improvements to the DIGEST authenticator.
   * Thanks to Tony Mancill for doing the vast amount of the work for this
 update!
   * Downgrade debian/compat to 8 and reduce build-dependency to debhelper 8
 to match the squeeze version


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: testers wanted: tomcat6 packages

2014-11-21 Thread Holger Levsen
doh, it's java... :) (so only all_debs :)




signature.asc
Description: This is a digitally signed message part.


tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi,

On Sonntag, 23. November 2014, Debian FTP Masters wrote:
> Version check failed:
> Your upload included the source package tomcat6, version 6.0.41-2+squeeze5,
> however stable already has version 6.0.35-6+deb7u1.
> Uploads to squeeze-lts must have a lower version than present in stable.

so this is due to the changes to dak implemented by Mark Hymers during the 
MiniDebConf in Cambridge early November. (Mark, can you please explain what 
other changes (relevant to LTS) you did?!)

Sadly I already sent the DLA for the tomcat6 squeeze update and will go out 
for brunch with a fellow DD now, so I cannot work on this in the next few 
hours, but later today I could prepare an upload containing the same changes 
for wheezy.

May/should I?

If so, what's the procedure? Build with the proper changelog in the proper 
env, test and upload and write the DSA and send the signed mail to the 
DSA-list or will someone of the security team need to sign the upload+mail?

Or should we do something else?


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
On Sonntag, 23. November 2014, Holger Levsen wrote:
> If so, what's the procedure? Build with the proper changelog in the proper
> env, test and upload and write the DSA and send the signed mail to the DSA-
> list or will someone of the security team need to sign the upload+mail?

and is this proper:

tomcat6 (6.0.41-2~deb7u1) wheezy-security; urgency=medium

? (the version number I mean...)


signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
On Sonntag, 23. November 2014, Mark Hymers wrote:
> This probably means that in some cases (especially those involving new
> upstream versions), stable security updates will need to hit p-u before
> the LTS uploads happen.  If this is a problem, we should just revoke
> those parts of the version constraints and leave only the oldstable
> ones.

I still think this makes sense, it was just inconvenient today...




signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi ftpmasters,

On Sonntag, 23. November 2014, Ansgar Burchardt wrote:
> > squeeze-lts MustBeNewerThan oldstable
> > squeeze-lts Enhances oldstable
> > squeeze-lts MustBeOlderThan stable
> > squeeze-lts MustBeOlderThan proposed-updates
> It even has to be in stable itself, not just in proposed-updates. Which
> means one has to wait until the next point release...

*that* I think is undesirable, we want to be able to do updates more often. 
Adding stable-security as a constraint won't work (as security is using a 
different dak install), so I guess those two constraints newer than 
stable+proposed-updates should go for now - until we move LTS to the security 
archive (if we do so - but I do think that's desirable.)

Anyway, could you please remove those two constraints for now again?


Holger




signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi Mark,

On Sonntag, 23. November 2014, Mark Hymers wrote:
> > Anyway, could you please remove those two constraints for now again?
> Done.

thank you! 

(+didn't we already discuss in Cambridge and conclude not to change this? I'm a 
bit surprised now.)


Anyway, cheers!
Holger




signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi,

security-team, please comment...

On Sonntag, 23. November 2014, tony mancill wrote:
> Synopsis:  Updating tomcat6 for squeeze-lts put us in the awkward
> position of having a newer tomcat in old-stable than in stable; Holger
> is helping to get this resolved.  I am recommending that tomcat-native
> 1.1.31 accompany any updates to tomcat6 6.0.41.

I'm happy to prepare the tomcat-native uploads tomorrow, as well as tomcat6 
for wheezy. What version number should I use for wheezy?

6.0.41-2~deb7u1

or

6.0.41-2+deb7u1

or something else?

oh, "btw": jessie has -2, sid -3, with changes unsuitable for wheezy and 
targeted at jessie. this needs an unblock request to let -3 migrate to jessie 
and have the binaries removed from sid first... anybody doing this?


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi Adam,

On Sonntag, 23. November 2014, Adam D. Barratt wrote:
> On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:
> > oh, "btw": jessie has -2, sid -3, with changes unsuitable for wheezy and
> > targeted at jessie. this needs an unblock request to let -3 migrate to
> > jessie and have the binaries removed from sid first... anybody doing
> > this?
> 
> It needs more than that; from the cruft-report:

that's the cruft report for which distro?

> * package libtomcat6-java in version 6.0.41-2 is no longer built from
> source [...]
>   - broken Depends:
> tomcat-maven-plugin: libtomcat-maven-plugin-java

both are in wheezy

> * package tomcat6 in version 6.0.41-2 is no longer built from source
> [...]
>   - broken Depends:
> biomaj-watcher/contrib: biomaj-watcher
> guacamole-client: guacamole-tomcat

both are in wheezy

> jspwiki/contrib: jspwiki

jspwiki I can only find in unstable...

>   - broken Build-Depends:
> jspwiki/contrib: tomcat6

 
> * package tomcat6-common in version 6.0.41-2 is no longer built from source
> [...
>   - broken Build-Depends:
> tomcat-maven-plugin: tomcat6-common

see above, in wheezy

/me cannot believe adsb might have done a mistake - have we been hacked? ;-)


cheers,
Holger



signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi Adam,

On Sonntag, 23. November 2014, Adam D. Barratt wrote:
> > > It needs more than that; from the cruft-report:
> > that's the cruft report for which distro?
> For unstable, to go with your "needs ... 

ah, doh, rather obviously you're (already) looking at this from the jessie 
angle (too) :)

/me just was thinking about blockers for the wheezy upload (yet) :)

> the binaries removed from sid".
> Those are the things blocking ftp-master from semi-automagically
> removing them.

right. somebody needs to do more somethings ;)


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-23 Thread Holger Levsen
Hi Tony,

On Sonntag, 23. November 2014, tony mancill wrote:
> The cruft report for unstable will look *very* different due to 6.0.41-3
> being a *radically* different package.

no, the report exactly looks like this *because* of this:
 
> >   * Build only the libservlet2.5-java and libservlet2.5-java-doc
> >   packages.
[..]

> The decision/requirement to remove tomcat6 from jessie has been
> requested by the Security team for quite a while, and the 6.0.41-3
> source upload effectively does this by just building libservlet2.5-java
> (without which we would have many packages with missing r-deps).

what's missing now is a bug against ftp.debian.org asking for the removal of 
the binaries from sid, which are not built by the -3 anymore. 

*then*, -3 can migrate to jessie and those binaries will vanish 
"automagically".

and the stuff in the cruft report breaks because of this.

> I'm not sure I understand all of the ramifications of the statement I'm
> about to make, but for the purposes of squeeze and wheezy, we need to
> consider 6.0.41-2 as the last version of a "complete" tomcat6 source
> package.

yup, I will base the wheezy upload on this.


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: [SECURITY] [DLA 91-1] tomcat6 security update

2014-11-24 Thread Holger Levsen
Hi,

full context for the benefit of the Debian Java maintainers and team 
security...

On Montag, 24. November 2014, H B wrote:
> thx to Tony for the huge effort!
> 
> I installed the update on 2 machines this morning, and i received an error
> message:
> 
> Setting up tomcat6 (6.0.41-2+squeeze5) ...
> sed: -e expression #1, char 396: unknown option to `s'
> dpkg: error processing tomcat6 (--configure):
>  subprocess installed post-installation script returned error exit status 1
> configured to not write apport reports
>   Errors were encountered while
> processing:
>  tomcat6
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> A package failed to install.  Trying to recover:
> Setting up tomcat6 (6.0.41-2+squeeze5) ...
> sed: -e expression #1, char 396: unknown option to `s'
> dpkg: error processing tomcat6 (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  tomcat6
> 
> Does anyone have the same problem?

together with Hubert we tracked this down to (most likely) him having 
JAVA_OPTS include "ErrorFile=/var/lib/tomcat6/hs_err_pid%p.log" and the % sign 
is causing this error as tomcat6.postinst has this:

cat $TEMPLATE \
| sed "s%^TOMCAT6_USER=.*$%TOMCAT6_USER=$TOMCAT6_USER%" \
| sed "s%^TOMCAT6_GROUP=.*$%TOMCAT6_GROUP=$TOMCAT6_GROUP%" \
| sed "s%^JAVA_OPTS=.*$%JAVA_OPTS=\"$JAVA_OPTS\"%" \
>> $tmpfile

IOW, it's using % as separator.

I believe this is a rather rare case, else postinst wouldn't look like it 
looks like (and rather use § or # as separator) and there is nothing I/we 
should do for this DLA - and the upcoming DSA. 

(I didn't hit this bug in my testing...)

Do you agree?


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.
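To make the failure reported above reproducible and show the escaping the postinst would need, here is an added example (not code from the tomcat6 package or from this thread). It builds the same `s%...%...%` expression the postinst builds, feeds it to the real `sed` once with the raw `JAVA_OPTS` value and once with the delimiter, `&` and backslash escaped, and returns sed's exit status and output. The template and the `JAVA_OPTS` values are constructed; `%p` is the JVM's placeholder for the PID, which is exactly what collides with the delimiter.

```python
"""Reproduce and fix the tomcat6.postinst sed failure discussed above.

Added example, not code from the package: the postinst builds a sed
substitution with '%' as delimiter and splices $JAVA_OPTS in unescaped,
so a '%' inside JAVA_OPTS ends the replacement early and sed rejects the
leftover text as flags ("unknown option to `s'" with GNU sed).
"""
import subprocess

SED_DELIM = "%"

# constructed stand-in for the /etc/default/tomcat6 template
TEMPLATE = 'TOMCAT6_USER=tomcat6\nJAVA_OPTS="-Djava.awt.headless=true"\n'

# constructed value of the kind reported in this thread
BAD_JAVA_OPTS = (
    "-Djava.awt.headless=true "
    "-XX:ErrorFile=/var/lib/tomcat6/hs_err_pid%p.log"
)


def sed_escape_replacement(text, delim=SED_DELIM):
    """Escape TEXT for the replacement part of an s### command.

    The delimiter, '&' (stands for the whole match) and backslash are
    special there; a raw newline would terminate the command.
    """
    out = []
    for ch in text:
        if ch in ("\\", "&", delim):
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        else:
            out.append(ch)
    return "".join(out)


def build_java_opts_expr(java_opts, escape=True):
    """The expression the postinst builds; escape=False reproduces the bug."""
    value = sed_escape_replacement(java_opts) if escape else java_opts
    return 's%^JAVA_OPTS=.*$%JAVA_OPTS="' + value + '"%'


def render_defaults(template, java_opts, escape=True):
    """Run sed the way the postinst does.

    Returns (exit_status, stdout, stderr) so callers can see both the
    failure mode and the correctly rewritten defaults file.
    """
    proc = subprocess.run(
        ["sed", "-e", build_java_opts_expr(java_opts, escape)],
        input=template, capture_output=True, text=True, check=False,
    )
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    rc, out, err = render_defaults(TEMPLATE, BAD_JAVA_OPTS, escape=False)
    print("unescaped: rc=%d stderr=%s" % (rc, err.strip()))
    rc, out, err = render_defaults(TEMPLATE, BAD_JAVA_OPTS, escape=True)
    print("escaped:   rc=%d" % rc)
    print(out, end="")
```

The same escaping can be done in the maintainer script itself with a small `sed 's/[\\&%]/\\&/g'` pass over `$JAVA_OPTS` before it is spliced into the expression; switching the delimiter to `#` or `§` only moves the problem to values containing that character.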


Re: [SECURITY] [DLA 91-1] tomcat6 security update

2014-11-24 Thread Holger Levsen
Hi Hubert,

On Montag, 24. November 2014, H B wrote:
> After removing the % in the $JAVA_OPTS the upgrade process finishes
> correctly. Mea culpa :-/

I don't think it's your fault at all, rather a bug in the package. Just not a 
bug which should be fixed in this security update ;)

Thanks again for your feedback!


cheers,
Holger




signature.asc
Description: This is a digitally signed message part.


Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

2014-11-24 Thread Holger Levsen
Hi,

On Sonntag, 23. November 2014, Mark Hymers wrote:
> Anyways, it's now just
> based on oldstable - I expect this to bite us at some point, but
> probably better this way than not being able to get security fixes in.

...and it just bit us. Gah.

So when I was about to kick off pbuilder for the wheezy tomcat6 update I looked 
at the .dsc files and saw this:

tomcat6_6.0.41-2+squeeze5.dsc
tomcat6_6.0.41-2~deb7u1.dsc

And realized, this is bad, squeeze-lts would have a higher version than 
wheezy-security.

So tomcat6_6.0.41-2+deb7u1, no, that won't work, still lower version than 
squeeze-lts.

So tomcat6_6.0.41-3~deb7u1 and "praying" that -3 will go into jessie. (Which 
is actually the right thing (I think), but still needs some work. (#770769))

And while tomcat6_6.0.41-3~deb7u1 would work regarding squeeze-lts, it will 
not work for wheezy-security now (AIUI), as jessie has a lower version atm.

Did I miss something?

I'll now proceed with uploading tomcat-native to squeeze-lts and leave the 
tomcat6|tomcat-native uploads for now... grumble.


cheers,
Holger, who "takes credits" for choosing 6.0.41-2+squeeze5 and not 
6.0.41-2~deb6u1... hindsight and all that.

https://wiki.debian.org/LTS/Development misses instructions for this use case 
(updating to a new upstream version which is the same as in wheezy) but should 
probably get some (as soon as we figured out what's proper), so we don't repeat 
this mistake. For now I'd wish to file a bug so we don't forget but against 
which package?


signature.asc
Description: This is a digitally signed message part.


Please test linux-2.6 (2.6.32-48squeeze9)

2014-11-30 Thread Holger Levsen
with AF_INET
  pending data
- dm snapshot: fix data corruption
- crypto: ansi_cprng - Fix off by one error in non-block size request
- uml: check length in exitcode_proc_write()
- KVM: Improve create VCPU parameter (CVE-2013-4587)
- KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
- qeth: avoid buffer overflow in snmp ioctl
- xfs: underflow bug in xfs_attrlist_by_handle()
- aacraid: missing capable() check in compat ioctl
- SELinux: Fix kernel BUG on empty security contexts.
- s390: fix kernel crash due to linkage stack instructions
- netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
- floppy: ignore kernel-only members in FDRAWCMD ioctl input
- floppy: don't write kernel-only members to FDRAWCMD ioctl output
  * Add stable release 2.6.32.63:
- ethtool: Report link-down while interface is down
- futex: Add another early deadlock detection check
- futex: Prevent attaching to kernel threads
- futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == 
uaddr2
  in futex_requeue(..., requeue_pi=1)
- futex: Validate atomic acquisition in futex_lock_pi_atomic()
- futex: Always cleanup owner tid in unlock_pi
- futex: Make lookup_pi_state more robust
- auditsc: audit_krule mask accesses need bounds checking
- net: fix regression introduced in 2.6.32.62 by sysctl fixes
  * Add stable release 2.6.32.64:
- x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
- x86_32, entry: Store badsys error code in %eax
- x86_32, entry: Clean up sysenter_badsys declaration
- MIPS: Cleanup flags in syscall flags handlers.
- MIPS: asm: thread_info: Add _TIF_SECCOMP flag
- fix autofs/afs/etc. magic mountpoint breakage
- ALSA: control: Make sure that id->index does not overflow
- ALSA: control: Handle numid overflow
- sctp: Fix sk_ack_backlog wrap-around problem
- mm: try_to_unmap_cluster() should lock_page() before mlocking
- filter: prevent nla extensions to peek beyond the end of the message
- ALSA: control: Protect user controls against concurrent access
- ptrace,x86: force IRET path after a ptrace_stop()
- sym53c8xx_2: Set DID_REQUEUE return code when aborting squeue
- tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb
- igmp: fix the problem when mc leave group
- appletalk: Fix socket referencing in skb
- net: sctp: fix information leaks in ulpevent layer
- sunvnet: clean up objects created in vnet_new() on vnet_exit()
- ipv4: fix buffer overflow in ip_options_compile()
- net: sctp: inherit auth_capable on INIT collisions
  Fixes CVE-2014-5077
- net: sendmsg: fix NULL pointer dereference
- tcp: Fix integer-overflows in TCP veno
- tcp: Fix integer-overflow in TCP vegas
- macvlan: Initialize vlan_features to turn on offload support.
- net: Correctly set segment mac_len in skb_segment().
- iovec: make sure the caller actually wants anything in 
memcpy_fromiovecend
- sctp: fix possible seqlock seadlock in sctp_packet_transmit()
- Revert "nfsd: correctly handle return value from nfsd_map_name_to_*"
- dm crypt: fix access beyond the end of allocated space
- gianfar: disable vlan tag insertion by default
- USB: kobil_sct: fix non-atomic allocation in write path
- fix misuses of f_count() in ppp and netlink
- net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
- tty: Fix high cpu load if tty is unreleaseable
- netfilter: nf_log: account for size of NLMSG_DONE attribute
- netfilter: nfnetlink_log: fix maximum packet length logged to userspace
- ring-buffer: Always reset iterator to reader page
- md/raid6: avoid data corruption during recovery of double-degraded RAID6
- net: pppoe: use correct channel MTU when using Multilink PPP
- ARM: 7668/1: fix memset-related crashes caused by recent GCC (4.7.2)
  optimizations
- ARM: 7670/1: fix the memset fix
- lib/lzo: Update LZO compression to current upstream version
- Documentation: lzo: document part of the encoding
- lzo: check for length overrun in variable length encoding.
- USB: add new zte 3g-dongle's pid to option.c
- futex: Unlock hb->lock in futex_wait_requeue_pi() error path
- isofs: Fix unbounded recursion when processing relocated directories
  Fixes CVE-2014-5471 CVE-2014-5472
- sctp: not send SCTP_PEER_ADDR_CHANGE notifications with failed probe
  * Update the OpenVZ patch to apply on top of 2.6.32.64. Non-trivial changes
in net/ipv4/tcp_output.c.

  [ Holger Levsen ]
  * CVE-2014-4653: ALSA: control: Ensure possession of a read/write lock.
  * CVE-2014-4654: ALSA: control: Check authorization for commands.
  * CVE-2014-4655: ALSA: control: Maintain the user_ctl_count value properly.
  * Ignore ABI change of  module:drivers/scsi/osd/libosd by listing it in
debian/config/defines

  

My LTS November

2014-12-03 Thread Holger Levsen
originally posted at
http://layer-acht.org/thinking/blog/20141201-lts-november-2014/

In November I resumed work on Debian LTS and worked on the following packages:

 * [DLA 88-1](https://lists.debian.org/debian-lts-announce/2014/11/msg7.html) 
for ruby1.8 fixing several CVEs as described in the announcement.
 * [DLA 91-1](https://lists.debian.org/debian-lts-announce/2014/11/msg00010.html) 
for tomcat6, mostly prepared by one of its maintainers, Tony Mancill, also 
fixing several issues by upgrading to a new upstream version. I just did 
review, testing, release and announcement, and then figured out the proper 
versioning for Wheezy, which turned out to be problematic because using the 
recommended versioning breaks the upgrade paths when new upstream versions are 
introduced to squeeze-lts which basically have the same version as will be (or 
is) in wheezy-security. One cause (besides the wrong recommendation which 
still needs fixing in [our wiki page](https://wiki.debian.org/LTS/Development)) 
is non-enforceable version constraints: the suites wheezy and squeeze-lts 
reside on ftp-master.debian.org (and wheezy is only updated on point 
releases), while wheezy-security resides on security.debian.org. Most probably 
we will still leave things as they are for squeeze-lts and do changes for 
wheezy-lts only. Oh, and the release of the tomcat6 update for wheezy is 
currently stalled by [#770769](https://bugs.debian.org/770769).
 * [DLA 92-1](https://lists.debian.org/debian-lts-announce/2014/11/msg00011.html) 
for tomcat-native was also done in cooperation with Tony and is also a new 
upstream release, which is needed as the old version of tomcat-native doesn't 
function with the new tomcat6 version.
 * The 2.6.32.64 update of linux-2.6 has not happened yet, but is planned for 
the coming weekend. So far it has been done in collaboration of Moritz 
Mühlenhoff from the security team, Ben Hutchings from the kernel team, and 
Raphaël Hertzog and myself from the LTS team, which I consider to be quite 
nice. As [Raphaël had already explained](http://raphaelhertzog.com/2014/12/02/my-free-software-activities-in-november-2014/), 
Ben has joined the LTS team and so far his contribution was 
to identify a problem in the patch related to openvz, so I haven't published this 
kernel update yet. Also, there was zero feedback from testers for the openvz 
flavor packages - so if you are using openvz and squeeze kernels, please 
contact us. For all the other flavors there was positive feedback [to the call 
for testing](https://lists.debian.org/debian-lts/2014/11/msg00038.html) 
(thanks!) - so you might want to give these kernels a try too!

Thanks to everyone who is supporting Squeeze LTS in whatever form, according 
to the wide feedback there are quite many people appreciating the work!


signature.asc
Description: This is a digitally signed message part.


Re: My LTS November

2014-12-03 Thread Holger Levsen
I've just added this to the blog post:

As this was asked on IRC: if you are a maintainer preparing something for 
squeeze-lts, that's totally great, thanks!, just 
[please tell us about it](https://lists.debian.org/debian-lts/) as this is the 
assumption we are working under: if no one tells the LTS team, we think we 
need to prepare upgrades for squeeze-lts.


signature.asc
Description: This is a digitally signed message part.


mark textpattern unsupported for LTS?

2014-12-04 Thread Holger Levsen
Hi,

Raphael commented about textpattern: "NOTE: Has been dropped from newer 
releases. Should we instead mark it unsupported?" and looking at 
https://qa.debian.org/popcon.php?package=textpattern (installed: 6, vote: 1) 
and CVE-2014-4737 (XSS vulnerability) I tend to agree. 

If no one disagrees in the next 24h I will file a wishlist bug against the 
debian-security-support package, so that this gets implemented.


cheers,
Holger




Re: Accepted debian-security-support 2014.12.08~bpo60+1 (source all) into squeeze-lts

2014-12-10 Thread Holger Levsen
Hi Christoph,

thanks for taking care of the debian-security-support package!

On Mittwoch, 10. Dezember 2014, Christoph Biedl wrote:
> Changes:
>  debian-security-support (2014.12.08~bpo60+1) squeeze-lts; urgency=low
>  .
>* Rebuild for squeeze-lts

it would be nice if you could build with "debuild -v$previous_version" so that 
we get meaningful changelogs on the list.

I think this would have been this:

debian-security-support (2014.12.08) unstable; urgency=high

  * Remove remaining bashism. Closes: #772268
  * limited support: mozjs* and libv8-3.14
  * postinst: Have an (empty) triggered target
  * Add list of packages not supported in jessie, empty for the
    time being

 -- Christoph Biedl   Mon, 08 Dec 2014 22:24:37 +0100

debian-security-support (2014.11.07) unstable; urgency=high

  * Check hook for existence before running it. Closes: #768391

 -- Christoph Biedl   Fri, 07 Nov 2014 07:12:24 +0100

debian-security-support (2014.11.04) unstable; urgency=high

  * Closes an RC bug, urgency set to high
  * Add src:axis2c to list of packages not supported in squeeze-lts.
    Closes: #765374
  * Use dpkg invoke hook instead of triggers. Thanks Guillem Jover
    for the detailed explanations. Closes: #762031

 -- Christoph Biedl   Tue, 04 Nov 2014 22:01:42 +0100

debian-security-support (2014.10.26) unstable; urgency=low

  * Features and Bugfixes
    - Add VCS information
    - Move manpage to man/ directory
    - Declare the trigger "-noawait". See: #762031
    - Use dpkg-query to retrieve the dpkg version number
    - Override TMPDIR unless it has relaxed permissions. Closes: #763277
  * limited support list
    - Alter text for kde4libs, change webkit to webkitgtk
    - Remove wireshark from list of packages with limited support
  * l10n
    - Prepare support for localized manpage, leave a note for
      translators
    - Swedish debconf template translation [Martin Bagge].
      Closes: #762794
    - Dutch debconf template translation [Paul Gevers]. Closes: #762927

 -- Christoph Biedl   Sun, 26 Oct 2014 19:28:08 +0100

debian-security-support (2014.09.11) UNRELEASED; urgency=low

  * Add iceweasel to list of packages not supported in squeeze-lts

 -- Christoph Biedl   Thu, 11 Sep 2014 23:30:20 +0200


(which I copied from 
http://metadata.ftp-master.debian.org/changelogs/main/d/debian-security-support/unstable_changelog. 
This UNRELEASED entry there is also hmmm.)


cheers,
Holger




Re: [SECURITY] [DLA 103-1] linux-2.6 security update

2014-12-10 Thread Holger Levsen
Hi Manuel,

On Mittwoch, 10. Dezember 2014, Manuel Gualda Caballero wrote:
> 3 openvz updated without problems.

thanks for the feedback! Much appreciated! :)


cheers,
Holger






Bug#773048: please mark textpattern as "not supported" in Squeeze LTS

2014-12-13 Thread Holger Levsen
package: debian-security-support
x-debbugs-cc: debian-lts@lists.debian.org, Vincent Bernat 

Hi,

Please mark the "textpattern" packages as "not supported" in Squeeze LTS.

On Donnerstag, 4. Dezember 2014, Holger Levsen wrote:
> Raphael commented about textpattern: "NOTE: Has been dropped from newer
> releases. Should we instead mark it unsupported?" and looking at
> https://qa.debian.org/popcon.php?package=textpattern (installed: 6, vote:
> 1) and CVE-2014-4737 (XSS vulnerability) I tend to agree.
> 
> If no one disagrees in the next 24h I will file a wishlist bug against the
> debian-security-support package, so that this gets implemented.


thanks & cheers,
Holger







Re: Accepted debian-security-support 2014.12.08~bpo60+1 (source all) into squeeze-lts

2014-12-17 Thread Holger Levsen
On Mittwoch, 17. Dezember 2014, Christoph Biedl wrote:
> [...] the debuild manpage doesn't know anything about that option.

indeed, I know about it from "man dpkg-buildpackage", but that's also very 
sparse on it. "man dpkg-genchanges" has slightly more info.




my LTS December

2015-01-06 Thread Holger Levsen
repost from http://layer-acht.org/thinking/blog/20150106-lts-december-2014/
(it's better formatted there)

# My LTS December

In December 2014 I spent 11h on Debian LTS work and managed to get six DLAs 
released and another one almost done... I did:

 * Release [DLA 103-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00020.html) 
which was previously prepared by [Ben](http://womble.decadent.org.uk/blog/debian-lts-work-december-2014.html), 
[Raphael](http://raphaelhertzog.com/2014/12/02/my-free-software-activities-in-november-2014/) 
and [myself](http://layer-acht.org/thinking/blog/20141201-lts-november-2014/). 
So while for this release in December I only had to review one patch, I also 
had to build the package, provide preliminary .debs, ask for feedback, do some 
final smoke tests, write the announcement and do the upload. In total this 
still took 2.5h to "just release it"...
 * Doing [DLA 114-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00015.html) 
for bind9 was rather straightforward,
 * As was [DLA 116-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00018.html) 
for ntp, which I managed to release within one hour after the DSA for wheezy, 
despite me having to make the patch apply cleanly due to some openssl 
differences... ;-)
 * I mentioned the bit about openssl because no one ever made a mistake with 
such patches. Seriously, I mean: I would welcome a public review system for 
security fixes. We are all humans and we all make mistakes. I do think my ntp 
patching was safe, but... mistakes happen.
 * [DLA 118-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00020.html) 
was basically "just" a new 2.6.32.65 kernel update, which I almost released on 
my own, until (thankfully) Ben helped me with one patch from .65 not applying 
(a fix for a wrong fix which Debian had already fixed correctly), which was due 
to a patch not being correctly removed due to line number changes. And while I 
was still wrapping my head around applying and de-applying these very similar 
looking patches, Ben had already committed the fix. I'm quite happy with this 
sharing of the work, due to the following benefits: a.) Ben can spend more 
time on important tasks and b.) LTS users get more kernel security fixes 
faster.
 * [DLA 119-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00021.html) 
for subversion was a rather straightforward take from the wheezy DSAs again, I 
just had to make sure to also include the 2nd regression-fixing DSA.
 * And then, I failed to finish my work on a jqueryui update before [31c3](http://media.ccc.de/browse/congress/2014/) 
started. And 31c3 really only ended yesterday when I helped putting stuff on 
trucks and cleaned the big hall... So that's also why I'm only writing this 
blog post now, and not two weeks ago, as I probably should have. Anyway, 
according to the security-tracker jqueryui is affected by two CVEs and that's 
wrong: [CVE-2012-6662](https://security-tracker.debian.org/tracker/CVE-2012-6662) 
does not affect the squeeze version. [CVE-2010-5312](https://security-tracker.debian.org/tracker/CVE-2010-5312) 
on the other hand affects the squeeze version, I know how to fix it, I just 
lacked a quiet moment to prepare my fix properly and test it, and so I've 
rather postponed doing so during 31c3... so, expect a DLA for jqueryui very 
soon now!

Thanks to everyone who is supporting Squeeze LTS in whatever form! Even just 
expressing that you or the company or project you're working with is using 
LTS, is useful, as it's always nice to hear once work is used and appreciated. 
If you can contribute more, please do so. If you can't, that's also fine. It's 
free software after all :-)




Re: Upgrade from squeeze-lts to wheezy

2015-01-17 Thread Holger Levsen
Hi Lucas,

On Samstag, 17. Januar 2015, Lucas van Braam van Vloten wrote:
> I am planning the upgrade according to the standard instructions
> (https://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.html).
> Since I am using squeeze-lts, are there any additional considerations
> for this upgrade?

No.

Just take the usual measures for such (distro) upgrades... :-)


cheers,
Holger




Re: Accepted tomcat6 6.0.41-2+squeeze6 (source all) into squeeze-lts

2015-01-20 Thread Holger Levsen
Hi Mathieu,

On Montag, 19. Januar 2015, Mathieu Parent wrote:
> Date: Fri, 16 Jan 2015 21:34:40 +0100
> Source: tomcat6
[...]
> Changes:
>  tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium
>  .
>* Security upload by the Debian LTS team.
>* This update fixes a regression:
>  - Fix for "NoSuchElementException when an attribute has empty string
> as value." Reported upstream as
>https://issues.apache.org/bugzilla/show_bug.cgi?id=56561

thanks for doing this LTS update, but I'm a bit surprised as there was nothing 
in the Debian BTS about this bug and also because you didn't contact myself as 
previous LTS uploader of tomcat6 - did you at least contact the package 
maintainers before uploading?

(e.g. for preventing duplication of work.)


cheers,
Holger




Re: Accepted tomcat6 6.0.41-2+squeeze6 (source all) into squeeze-lts

2015-01-20 Thread Holger Levsen
Hi Mathieu,

On Dienstag, 20. Januar 2015, Mathieu Parent (Debian) wrote:
> No, but I posted to debian-lts mailing list [1] and updated the SVN.

sigh to/about myself, I should have noticed the mails to the lts lists (but 
friday was a (too) busy day it seems :/ )

> I
> didn't intend to hijack the package. I didn't think about sending a
> mail to you and package maintainer.
>
> This is my first LTS update, and it took me some time to figure out
> how it works. I focused too much on the process and didn't contact the
> proper persons.
> 
> I'm sorry. I'll do better next time.

No need to be sorry, you improved Debian LTS, helped users and notified the 
LTS list. That's at least three good things against a small mistake :-)

Thanks for your work!


cheers,
Holger





Re: eglibc update for GHOST CVE-2015-0235

2015-01-28 Thread Holger Levsen
Hi,

On Mittwoch, 28. Januar 2015, Raphael Hertzog wrote:
> Of course we do! That said the current LTS team doesn't have access
> to embargoed information and thus nobody prepared the update in advance.

Lucas now contacted me about this and he said he would try to start with some 
informal discussions at FOSDEM about how to solve this. To accelerate this a 
bit I've put him and the security team in cc: - as we both agreed an email 
discussion first is also good. "Whatever works."

Please keep in mind that Debian LTS is not even a year young.

> The announce has not yet been sent to debian-lts-announce however.
> Holger will probably do it once he wakes up.

actually I did send it last night already but there was+is a problem with the 
lists, which the listmasters are currently sorting out.


cheers,
Holger, still at his first coffee…






Re: eglibc update for GHOST CVE-2015-0235

2015-01-28 Thread Holger Levsen
Hi,

On Mittwoch, 28. Januar 2015, Thijs Kinkhorst wrote:
> It seems at least from my perspective that the LTS team is a loosely
> defined consortium of individuals which makes sharing the embargoed
> information problematic. If I have an embargoed issue I think there's
> usually no problem sharing that information privately with LTS'ers, but
> right now there's no clear contact point for that.

agreed
 
> Nor do I have a good understanding of who is working on LTS. People are
> hired by the hour, so if I send something to someone personally now it may
> just be that they're not working on LTS this week.

I do understand how you come to think this, but at least for me this is not 
true: while I do work some paid hours per month on LTS, I also spend "my free 
time" on LTS and (to a lesser degree) I'm also willing to do security work (in 
"my free time") for wheezy (esp. for issues I fix in LTS first...)

So in summary: I'm available (at least for coordination) for LTS things all 
the time.

But I don't want to be the single LTS person in that role...

> There's not really a
> defined "team" that I could find.

we should still fix this.

> I would start with creating such a contact point, and make it clear who's
> behind it. That makes sharing this information much more straightforward.

agreed.

> Subscription to distros list is per individual and we can certainly
> nominate people for that, but I think it also depends on a clear
> definition of which DD('s) that would be.

agreed.


cheers,
Holger




my LTS january

2015-02-05 Thread Holger Levsen
repost from http://layer-acht.org/thinking/blog/20150205-lts-january-2015/
(it's better formatted there)

# My LTS January

It was very nice to hear many appreciations for our work on [Squeeze LTS](https://wiki.debian.org/LTS) 
during the last weekend at FOSDEM. People really seem to like and use LTS a 
lot - and start to rely on it. I was approached more than once about Wheezy 
LTS already...

(Most of my FOSDEM time I spent with [reproducible builds](https://fosdem.org/2015/schedule/event/stretching_out_for_trustworthy_reproducible_builds/) 
however, though this shall be the topic of another report, coming hopefully 
soon.)

So, about LTS. First I'd like to describe some current practices clearly:

 * the Squeeze LTS team might fix your package without telling the maintainers 
in advance nor directly: dak will send a mail as usual, but that might be the 
only notification you'll get. (Plus the DLA sent out to the 
[debian-lts-announce](https://lists.debian.org/debian-lts-announce/) mailing list.)
 * when we fix a package we will likely *not* push these changes into whatever 
VCS is used for packaging. So when you start working on an update (which is 
great), please check whether there has been an update before. (We don't do 
this because we are mean, but because we normally don't have commit access to 
your VCS...)
 * we totally appreciate help from maintainers and everybody else too. We just 
don't expect it, so we don't go and ask each time there is a DLA to be made. 
Please do support us & please do talk to us! :-)

I hope this clarifies things. And as usual, things are open for discussion and 
best practices will change over time.


In January 2014 I spent 12h on Debian LTS work and managed to get four DLAs 
released, plus I've marked some CVEs as not affecting squeeze. The DLAs I 
released were:

 * [DLA 139-1 for eglibc](https://lists.debian.org/debian-lts-announce/2015/01/msg00012.html) 
fixing CVE-2015-0235 also known as the "Ghost" vulnerability. The update 
itself was simple, testing needed some more attention but then there were also 
many many user requests asking about the update, and some were providing fixes 
too. And then many people were happy, though one person seriously complained 
at FOSDEM that the squeeze update was released full six hours after the wheezy 
update. I think I didn't really reply to that complaint, though obviously this 
person was right ;)
 * [DLA 140-1 for rpm](https://lists.debian.org/debian-lts-announce/2015/01/msg00013.html) 
was quite straightforward to do, thanks to RedHat unsurprisingly providing 
patches for many rpm releases. There was just a lot of unfuzzying to do...
 * [DLA 141-1 for libksba](https://lists.debian.org/debian-lts-announce/2015/01/msg00015.html) 
had an easy to pick git commit in upstream's repo too, except that I had to 
disable the testsuite, but given the patch is 100% trivial I decided that was 
a safe thing to do.
 * [DLA 142-1 for privoxy](https://lists.debian.org/debian-lts-announce/2015/01/msg00016.html) 
was a bit more annoying, despite clearly available patches from the 
maintainer's upload to sid: first, I had to convert them from quilt to dpatch 
format, then I found that 2 out of 6 CVEs were not affecting the squeeze 
version as the code ain't present and then I spent almost an hour in total to 
find+fix 10 whitespace differences in 3 patches. At least there was one patch 
which needed some more serious changes ;-)

Thanks to everyone who is supporting Squeeze LTS in whatever form! We like to 
hear from you, we love your contributions, but it's also totally ok to 
silently enjoy a good old quality distribution :-) 

Finally, something for the future: checking for previous DLAs is currently 
best done via said mailing list archive, as DLAs are not yet integrated into 
the website due to a dependency loop of blocking bugs... see 
[#761945](https://bugs.debian.org/761945) for a starting point.




Re: [debian-lts] file package

2015-02-19 Thread Holger Levsen
Hi,

On Donnerstag, 19. Februar 2015, Raphael Hertzog wrote:
> Yeah, that's the kind of feature that I envisioned within the new
> package tracker. Each contributor would express what they are willing
> to work on:
[...]
> But I have too many plans for the package tracker and not enough time to
> dedicate to it. :-(

we could start with a wiki page like the lowNMU one?!? This technology exists 
today and would allow us to gather data until tracker is ready for this.


cheers,
Holger




Re: [debian-lts] file package

2015-02-19 Thread Holger Levsen
Hi Christoph,

On Donnerstag, 19. Februar 2015, Christoph Biedl wrote:
> Thanks for that, given the past experiences with regressions
> introduced in file updates I'd really like to keep an eye on it.

Thanks for that! And your other work on file too :)

> I
> have a huge collection of test files that help me to identify
> unexpected side effects, total run time is several hours - but cannot
> disclose it for legal reasons.

Just that I'm slightly uncomfortable with this. IMO uploads of free software 
should not depend on access to a non-free data collection.

Can you maybe share this collection with others, so there could be team 
maintenance of the file package? Could Debian somehow help to make this 
collection free, gather a free collection or do something else?

Should we track this as a bug in the file package for the time being?


cheers,
Holger






Re: [debian-lts] file package

2015-02-19 Thread Holger Levsen
On Donnerstag, 19. Februar 2015, Holger Levsen wrote:
> Just that I'm slightly uncomfortable with this. IMO uploads of free
> software should not depend on access to a non-free data collection.
> 
> Can you maybe share this collection with others, so there could 

_at least_

> be team maintenance of the file package?




Bug#780201: new codename needed for oldstable (due to squeeze-lts) when stable becomes oldstable

2015-03-10 Thread Holger Levsen
package: ftp.debian.org
x-debbugs-cc: debian-lts@lists.debian.org, debian-rele...@lists.debian.org

Hi,

when jessie will be released, wheezy will become oldstable and we'll need a 
new alias for squeeze, as various tools internally work with aliases. (The 
security tracker comes to my mind, but also the Release files it seems. And 
probably more.)

I believe it's the ftp team's duty / joy to decide this name and would like to 
ask you to do so soon, so that various places can be prepared for the joyful 
day we release jessie.

Current suggestions I've heard (and liked) are "oldoldstable" and 
"veryoldstable".

I *dislike* "obsoletestable" and "stalestable" as they are either wrong 
(squeeze is not obsolete) or carry a bad connotation.


cheers,
Holger




Re: About the security issues affecting tcllib in Squeeze

2015-03-10 Thread Holger Levsen
Hi Sergei,

On Dienstag, 10. März 2015, Sergei Golovan wrote:
> I've prepared an updated package. I can upload it to squeeze-lts. What
> else should I do?

please follow the procedure as described on 
https://wiki.debian.org/LTS/Development & thanks for your contributions to 
LTS!


cheers,
Holger




Re: squeeze update of axis?

2015-03-10 Thread Holger Levsen
Hi Markus,

On Mittwoch, 18. Februar 2015, Markus Koschany wrote:
> > I think this is a trivial update, the version of Axis hasn't changed
> > since Squeeze and it should be as simple as dropping the CVE-2014-3596
> > patch from axis/1.4-22 into the version 1.4-12 currently in Squeeze (it
> > also addresses CVE-2012-5784).
> I agree with Emmanuel. I have successfully built axis in Squeeze with
> the CVE patch. Please find attached the debdiff against the version in
> Squeeze.

Thanks! I've just uploaded a fixed axis package to squeeze-lts and will send 
out the announcement shortly!


cheers,
Holger




Re: Debian LTS talk/BoF/sprint during Debconf?

2015-03-16 Thread Holger Levsen
Hi Raphael,

On Montag, 16. März 2015, Raphael Hertzog wrote:
> In particular, it would be nice if we could get face to face with
> the stable security team to see how we can get closer in terms of workflow
> so that wheezy lts keeps using security.debian.org instead of
> a supplementary repository that everybody must add. 

I totally agree, thanks for bringing this up!

> Shall we schedule something else during Debconf?

a roundtable / workshop maybe?
 
> Who will be there? (I'm there for the whole conference, but not for
> Debcamp)

I'll be at DebConf too, except for the cccamp days (august 12-17th)


cheers,
Holger




Re: Any ideas on whether or not a Wheezy LTS will happen or not

2015-03-30 Thread Holger Levsen
Hi,

On Montag, 30. März 2015, Michael Banck wrote:
> Please keep in mind that wheezy will get regular maintenance for one
> year after the jessie release, so the question whether there will be a
> wheezy-lts or not is not imminent.

while I agree that the question is not imminent, I do think this question 
should be answered sooner, e.g. it would be good to decide on _jessie_ LTS 
_now_, as it's an important factor when deciding whether to deploy jessie 
soon, whether it will have 2 or 5 years security support. 

That said, I don't know how to "properly" decide this now and I also have no 
idea how to guarantee that we'll keep this promise unless by proving we'll do 
so, by doing so. Basically just like we have released a new Debian version 
roughly every 22 months for 10 years, even though this is also not guaranteed.

So my current answer to the question about Wheezy or Jessie LTS is: "I have no 
idea, but given Squeeze's LTS success, I think it's very likely we'll have 
Wheezy + Jessie LTS. Please support Squeeze LTS and/or express your 
appreciation / usage to make it happen."


cheers,
Holger






Re: Any ideas on whether or not a Wheezy LTS will happen or not

2015-03-30 Thread Holger Levsen
On Montag, 30. März 2015, Holger Levsen wrote:
> _now_, as it's an important factor when deciding whether to deploy jessie
> soon, whether it will have 2 or 5 years security support.

3 or 5




Re: About the security issues affecting openldap in Squeeze

2015-04-13 Thread Holger Levsen
Hi debian-edu,

is anyone of you using Squeeze and able to test Ryan's updated packages?

If you are interested, please reply to Ryan directly.

On Mittwoch, 8. April 2015, Ryan Tandy wrote:
> >>We currently have a few patches pending or under discussion for
> >>wheezy. After the changes for stable are finalized, I hope to
> >>backport them to squeeze as well, when time permits.
> >is there anything I can do for the Squeeze upload?
> I have a squeeze branch in progress. Do you use openldap on squeeze? I'd
> be really happy to have someone besides myself test the package before
> uploading.

Ryan, I believe you might find some testers among the Debian Edu users, who 
use openldap by default. Best if you could provide binary packages 
(amd64/i386) for download somewhere...


cheers,
Holger




Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Holger Levsen
Hi Balint,

On Dienstag, 14. April 2015, Bálint Réczey wrote:
> I have prepared the DLA and uploaded the fixed package but it ended up in
> NEW. Dear FTP Masters, please accept it.

what distribution did you use in debian/changelog?
 

cheers,
Holger




Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Holger Levsen
On Dienstag, 14. April 2015, Bálint Réczey wrote:
> squeeze-lts, both in *.changes and *.changelog.
> The binary package names changed quite a lot so I think entering NEW
> was reasonable.

ah. makes sense :)




Re: About the security issues affecting openldap in Squeeze

2015-04-18 Thread Holger Levsen
Hi Ryan,

On Samstag, 18. April 2015, Ryan Tandy wrote:
> Uploaded openldap for squeeze-lts to mentors:
[...]
> Would a member of the LTS team be willing to sponsor it and announce the
> update? The issues fixed are the same as DSA-3209-1, plus CVE-2012-1164.

ok, cool! I'll upload and announce it (now).

> I didn't receive any responses to my call for tests. I think it should
> be safe to go ahead, but I don't mind waiting longer if you think it's
> appropriate.

I think it's fine. You prepared the update carefully and asked for testers... 

> Thanks for your work on LTS,

likewise! :)


cheers,
Holger




Re: Debian LTS talk/BoF/sprint during Debconf?

2015-04-19 Thread Holger Levsen
Hi Raphael,

On Dienstag, 31. März 2015, Raphael Hertzog wrote:
> I proposed this event:
> https://summit.debconf.org/debconf15/meeting/189/preparing-for-wheezy-lts/

awesome!

Feel free to add me as a speaker...


cheers,
Holger






Re: Debian LTS talk/BoF/sprint during Debconf?

2015-04-20 Thread Holger Levsen
Hi Raphael,

On Montag, 20. April 2015, Raphael Hertzog wrote:
> > > I proposed this event:
> > > https://summit.debconf.org/debconf15/meeting/189/preparing-for-wheezy-l
> > > ts/
> > Feel free to add me as a speaker...
> I don't know how to do this. It doesn't appear to be an option under "Edit
> event".

that's a known missing feature in summit, cc:ing the talks team.


cheers,
Holger






Re: Debian LTS talk/BoF/sprint during Debconf?

2015-04-20 Thread Holger Levsen
Servus Maxy!

On Montag, 20. April 2015, Maximiliano Curia wrote:
> Added. In the edit event that I see the speakers are selected from a select
> box, that lists all the users without any order, which is not ideal.
> Anyway, done.

merci!


cheers,
Holger






Re: Updating dpkg in squeeze-lts

2015-04-22 Thread Holger Levsen
Hi Ben,

thanks for preparing the LTS dpkg update!

On Mittwoch, 22. April 2015, Ben Hutchings wrote:
> - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1?

I think you should use 1.15.11+deb6u1 as per 
https://wiki.debian.org/LTS/Development :-)

The dpkg maintainers can comment better on the remaining questions than me.


cheers,
Holger




Re: Bug#773834: Preparing a release for stable and lts

2015-05-01 Thread Holger Levsen
Hi Vincent,

On Donnerstag, 30. April 2015, Vincent Fourmond wrote:
>   I'm in no position to upload tonight. I'm posting a debdiff with
> respect to the previous LTS version. 

seems you forgot to attach the diff, can you please do so?


enjoy your vacation!

cheers,
Holger




Re: squeeze update of mercurial?

2015-05-11 Thread Holger Levsen
Hi,

On Montag, 11. Mai 2015, PICCORO McKAY Lenz wrote:
> the mercurial version of squeeze has those issues open? in which version of
> debian mercurial packages are resolved?

check the links you quoted:
 
> > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > tagged no-dsa)


cheers,
Holger




Re: Bug#773834: Preparing a release for stable and lts

2015-05-12 Thread Holger Levsen
Hi Vincent,

On Dienstag, 12. Mai 2015, Vincent Fourmond wrote:
>   Looks like I've started enjoying my vacation before attaching the
> file... Sorry about that.

I hope you had a good one! :) And thanks for coming back to this issue...
 
>   Bastien has worked more on the patches. I'm attaching the debdiff
> between 8:6.6.0.4-3+squeeze5 and the proposed new version. Please note
> that, for internal (gitpkg-related) reasons, some patches have changed
> names between the squeeze5 and squeeze6 version, which is not easy to
> detect because of the huge number of new patches in the squeeze6
> version. 

sigh. I'm not sure this is the right thing to do...

> However, I've checked manually that the patches are still
> applied to the final code (one of them has further changed), so I
> don't expect any regression on that point.
> 
>   I haven't tried to build yet, but that's what I'm going to do right
> now, if I can get my squeeze chroot up again.
>
>   If I get it to build, would it be OK to upload as is ?

once you have built it, you should *test* that package. once that has been 
done, we can think about uploading ;-)
 

cheers,
Holger




Re: Virtualbox 3.2 update due to CVE-2015-3456 (VENOM)

2015-05-18 Thread Holger Levsen
Hi,

adding the virtualbox maintainers to cc: :)

On Montag, 18. Mai 2015, Marcin Szewczyk wrote:
> is there going to be a security update to the squeeze-lts Virtualbox?

from IRC:

 the debian-security-support package will tell you if a package is 
end-of-life in a distro
 virtualbox wasn't part of squeeze
 virtualbox is only in squeeze-backports, for that you need to ask the 
maintainer, but backports are generally asked to be security supported
 so, yes, virtualbox-ose should be supported
 (i have no idea atm if this is practical...)
 https://www.virtualbox.org/wiki/Download_Old_Builds_3_2 doesn't have 
an update for venom yet, but 
https://www.virtualbox.org/wiki/Download_Old_Builds says 3.2 is still 
supported...

Please reply if there are patches "somewhere".


cheers,
Holger




Re: Accepted fuse 2.8.4-1.1+deb6u1 (source amd64) into squeeze-lts

2015-06-03 Thread Holger Levsen
Hi Laszlo,

On Dienstag, 2. Juni 2015, Laszlo Boszormenyi wrote:
> Source: fuse
> Version: 2.8.4-1.1+deb6u1

there was no DLA for this upload, could you please prepare one and send it to 
the list?! Thanks already.


cheers,
Holger




Re: Accepted mercurial 1.6.4-1+deb6u1 (source all amd64) into squeeze-lts

2015-06-03 Thread Holger Levsen
Hi Javi,

On Mittwoch, 3. Juni 2015, Javi Merino wrote:
> Source: mercurial
> Version: 1.6.4-1+deb6u1

there was no DLA for this upload, could you please prepare one and send it to 
the list?! Thanks already.


cheers,
Holger




Re: Accepted imagemagick 8:6.6.0.4-3+squeeze6 (source amd64 all) into squeeze-lts

2015-06-03 Thread Holger Levsen
Hi Bastien,

On Freitag, 29. Mai 2015, Bastien Roucariès wrote:
> Source: imagemagick
> Version: 8:6.6.0.4-3+squeeze6

there was no DLA for this upload, could you please prepare one and send it to 
the list?! Thanks already.


cheers,
Holger




Re: About the security issues affecting dcraw/ufraw/libraw/rawtherapee/rawstudio/exactimage/freeimage in Squeeze

2015-06-03 Thread Holger Levsen
Hi David,

(mostly using darkstar as an example. I don't even know that package - but I 
noticed that I decided not to care much about my squeeze-backports anymore (eg 
not to backport piuparts) while realizing I'd still do security fixes.)

On Mittwoch, 3. Juni 2015, David Bremner wrote:
> Sven Eckelmann  writes:
> > [...] dcraw, darktable,
> > freeimage, rawstudio and xbmc most likely still need a patch. 
> Darktable is not in squeeze.  There is a version in squeeze backports,
> but I don't plan any further support for that. Of course, someone else
> is welcome to...

I'm not sure this is what the backports project is expecting, cc:ing them to 
get their input.

A possible solution would be to remove the backport if it's not supported 
security-wise anymore, or to express this via the debian-security-support 
package (which doesn't support backports yet), or to cease 
oldoldstable-backports altogether, which I think would be unfortunate.

And finally, if the issue is not worth fixing, this can also be documented in 
the security tracker...


cheers,
Holger




Re: Accepted linux-2.6 2.6.32-48squeeze12 (all source) into squeeze-lts

2015-06-17 Thread Holger Levsen
Hi Patrick,

On Mittwoch, 17. Juni 2015, Patrick Matthäi wrote:
> We have got problems with the new version on all of our vSphere 5.1/5.5
> VMs and dedicated hosts.
> It looks like our xen VMs are not affected. Here some snips of dmesg:

to confirm #789037 - you've only seen this on 32bit archs (i386/powerpc) but 
not on amd64?!


cheers,
Holger



