Re: freeze exception -- bugzilla3 3.6.3.0-1
Dear Christian,

Debian has used a different directory structure than upstream for years. The CVE-2010-3764 patch cannot be applied as a drop-in because it affects Debian's directory structure; you would have to change Debian's patches to achieve this too. Instead of losing time changing something that is already done, accept the 3.6.3.0 series. In the end it is also clearer that Debian fixed those vulnerabilities if the package version is 3.6.3.0 anyway.

/Raphael

2010/12/6 Christian PERRIER bubu...@debian.org:

Quoting Julien Cristau (jcris...@debian.org):

On Thu, Nov 25, 2010 at 22:05:47 +, Adam D. Barratt wrote:

On Thu, 2010-11-25 at 21:07 +, Adam D. Barratt wrote:

$ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 2>/dev/null | diffstat | tail -n1
1645 files changed, 80807 insertions(+), 94494 deletions(-)

A lot of that is probably ignorable as it relates to changes in CVS and .svn{,-base} files and directories (why are those even in the diff?), but at this stage of the freeze we shouldn't be having to spend significant amounts of time reviewing diffs where the patches for the required fixes amount to less than two hundred lines of nett changes.

As a follow-up note, if you can identify any significant parts of the above which are likely not to be relevant to the Debian package, that would be helpful in persuading us that the unstable package should be accepted, rather than requesting a t-p-u upload with the extracted fixes.

Ping. Can this be addressed, or the security and RC fixes uploaded to tpu?

I made an attempt yesterday after being pointed at this by Julien (I was trying to get debconf l10n fixed and uploaded a package to tpu with these fixes... sorry, I should have asked before). However, the build system of that package is not well known to me (upstream tarballs in the source package) and I don't know how to properly patch the sources with the two security fixes.
Just naively dropping them into a newly-created debian/patches and creating debian/patches/series didn't work as expected. So, I gave up.

If anyone is working on this, I would deeply appreciate it if the two debconf translations that are fixed in unstable would be fixed in the tpu upload.

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/aanlktinprwcifvmjkxpmuwynysdpgzoezbdges-rh...@mail.gmail.com
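The triage Adam describes above (debdiff piped through diffstat, with CVS and .svn files inflating the count) can be reproduced without patchutils. The script below is an added example, not code from the thread, from Debian's devscripts or from the bugzilla package: it counts a unified diff the way diffstat's summary line does, but skips files under CVS/ or .svn/ so the remaining total is what a reviewer actually has to read. The diff in sample_diff() is constructed, and its file names (Bugzilla/Example.pm and so on) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the bugzilla package: reproduce
# "debdiff ... | diffstat | tail -n1" with plain awk, but leave out paths that
# are version-control residue (CVS/, .svn/) so the summary only counts the
# changes worth reviewing. The diff in sample_diff() is constructed and its
# file names are hypothetical.

# Summarise a unified diff read from stdin as
# "N files changed, I insertions(+), D deletions(-)", ignoring every file
# whose path (after the a/ or b/ prefix) matches the extended regex in $1.
# Pass an empty pattern to count everything. The path is matched with a
# leading "/" prepended so a pattern like "/(CVS|[.]svn)/" also hits a
# CVS/ or .svn/ directory at the top level.
diff_stat_filtered() {
    awk -v exclude="$1" '
        # "+++ b/path" starts a new file; decide whether to skip its lines.
        /^[+][+][+] / {
            path = $2
            sub(/^[ab]\//, "", path)
            skip = (exclude != "" && ("/" path) ~ exclude)
            if (!skip) files++
            next
        }
        # "--- a/path" is the old-file header; nothing to count.
        # (A removed content line that itself begins with "--- " would be
        # misread here; diffstat avoids that by tracking hunk lengths.)
        /^--- / { next }
        skip    { next }
        /^[+]/  { ins++ }
        /^-/    { del++ }
        END {
            printf "%d files changed, %d insertions(+), %d deletions(-)\n",
                   files, ins, del
        }
    '
}

# Constructed sample: one real source change plus two files of the
# version-control residue the release team complained about.
sample_diff() {
    cat <<'EOF'
--- a/Bugzilla/Example.pm
+++ b/Bugzilla/Example.pm
@@ -1,3 +1,4 @@
 use strict;
-my $old = 1;
+my $new = 1;
+my $extra = 2;
 1;
--- a/.svn/entries
+++ b/.svn/entries
@@ -1,2 +1,2 @@
-10
-dir
+12
+dir
--- a/template/CVS/Entries
+++ b/template/CVS/Entries
@@ -1 +1 @@
-/foo.tmpl/1.1/Mon Nov 15 2010//
+/foo.tmpl/1.2/Mon Nov 22 2010//
EOF
}

# CVS/ and .svn/ directories anywhere in the path. "[.]" is used instead of
# "\." because awk -v processes backslash escapes in the value.
VCS_NOISE='/(CVS|[.]svn)/'

# Stand-alone run: the raw count first, then the count without VCS noise.
sample_diff | diff_stat_filtered ''
sample_diff | diff_stat_filtered "$VCS_NOISE"
```

On a real debdiff, replace sample_diff with `debdiff old.dsc new.dsc 2>/dev/null` and compare the two summaries: the gap between them is the part of the diff that needs no review at all.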
Re: freeze exception -- bugzilla3 3.6.3.0-1
Hi Moritz,

thank you for your support. Sorry, but I missed your response. If 3.6.3 is not accepted for testing, where these security vulnerabilities (http://bugs.debian.org/602420) are solved upstream, applying patches to 3.6.2 could be put into consideration. By the way, 3.6.3.0-2 solved some further issues with noninteractive installation (piuparts) and missing package dependencies; both issues exist in the 3.6.2 series of Debian packages. I would prefer 3.6.3 because it is simpler to read the CVE and compare the version of the package than to read the changelog for solved security vulnerabilities.

Greetings,
Raphael

PS: Here is the missing diff between the uploaded and testing version of bugzilla.

diff -r eb3bbeed652d debian/changelog --- a/debian/changelog Wed Oct 27 16:59:27 2010 +0200 +++ b/debian/changelog Mon Nov 22 10:30:02 2010 +0100 
@@ -1,3 +1,40 @@ +bugzilla (3.6.3.0-2) unstable; urgency=medium + + * Support for noninteractive mode in Debconf. Closes: #602738 + * Added missing package dependency against liburi-perl. Removed non exsiting +package option libgd-noxpm-perl. + * Urgency set to medium because previous version is not accepted for +testing. + * Parallel build for Makefiles is working now. + * Surrpress error messages for non existing template directories if +checksetup fails (in noninteractive mode). + * Extensions are not installed by default. They exist as documentation. + + -- Raphael Bossek boss...@debian.org Sat, 20 Nov 2010 05:51:25 +0100 + +bugzilla (3.6.3.0-1) unstable; urgency=medium + + * New upstream release. Closes: #602420 + * Fixed vulnerability CVE-2010-3172: +By inserting a certain string into a URL, it was possible +to inject both headers and content to any browser that +supported Server Push (mostly only Gecko-based browsers +like Firefox). This could lead to Cross-Site Scripting +vulnerabilities, and possibly other more dangerous security +issues as well. + * Fixed vulnerability CVE-2010-3764: +The Old Charts system generated graphs with +predictable names into the graphs/ directory, +which also could be browsed to see its contents. +This allowed unauthorized users to see product +names and charted information about those +products over time. + * Fixed references to YUI components used by language templates. + * Fixed missing images. + * Surrpress error messages at installation stage. + + -- Raphael Bossek boss...@debian.org Mon, 15 Nov 2010 10:09:20 +0100 + bugzilla (3.6.2.0-4) unstable; urgency=low * Upgrade from Lenny to Squeeze fixed. Closes: #600170 --- a/debian/Makefile Wed Oct 27 16:59:27 2010 +0200 +++ b/debian/Makefile Mon Nov 22 10:30:02 2010 +0100 
@@ -22,8 +22,9 @@ # For a better maintenance, we'll create by hand each # bugzilla's sub directories. BUGZILLA_PERLDIR= $(BUGZILLA_PKGDIR)/usr/share/perl5 +BUGZILLA_DOCDIR = $(BUGZILLA_PKGDIR)/usr/share/doc/bugzilla3 BUGZILLA_WWW = $(BUGZILLA_SHAREDIR)/web -BUGZILLA_CGIDIR = $(BUGZILLA_WWW) +BUGZILLA_CGIDIR = $(BUGZILLA_WWW) BUGZILLA_CONTRIB= $(BUGZILLA_SHAREDIR)/contrib PKGVER := $(shell dpkg-parsechangelog |grep Version: |sed -e 's,Version: \([^-]\+\).*,\1,g') @@ -46,8 +47,8 @@ $(CURDIR)/debian/create-bugzilla-srcdir -install: install_static_dirs install_static_files install_lib_files \ -install_cgi install_template install_contrib install_extensions +install: install_static_files install_images install_js install_lib_files \ +install_cgi install_template install_skins install_contrib install_extensions install_contrib: extractsrc 
@@ -58,23 +59,25 @@ install_extensions:extractsrc $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_EXTENSIONSDIR) + : # Install extensions as documentation until we have a real extensions support + $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_DOCDIR) cd $(BUGZILLA_SRCDIR) for this_dir in `find extensions -type d` ; do \ - $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_VARDIR)/$$this_dir ;\ + $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_DOCDIR)/$$this_dir ;\ done - cd $(BUGZILLA_SRCDIR) for this_file in `find extensions -type f` ; do \ - $(INSTALL) -m 0644 -o root -g root $$this_file $(BUGZILLA_VARDIR)/`dirname $$this_file` ;\ + cd $(BUGZILLA_SRCDIR) for this_file in `find extensions -type f -not -name create.pl` ; do \ + $(INSTALL) -m 0644 -o root -g root $$this_file $(BUGZILLA_DOCDIR)/`dirname $$this_file` ;\ done + : # Create an archive for these extensions + tar -C $(BUGZILLA_DOCDIR) -czf $(BUGZILLA_DOCDIR)/extensions.tgz extensions + rm -rf $(BUGZILLA_DOCDIR)/extensions -install_static_dirs: extractsrc +install_skins: extractsrc cd $(BUGZILLA_SRCDIR) for this_dir in `find skins -type d` ; do \ $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_WWW)/$$this_dir
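Review bot: the two new changelog stanzas (@@ -1,3 +1,40 @@ in debian/changelog) carry spelling mistakes that end up in changelog.Debian.gz and in what the security tracker shows: "Surrpress error messages" appears in both the 3.6.3.0-2 and 3.6.3.0-1 entries and "non exsiting package option" once; change them to "Suppress" and "non-existing". Since the CVE bullets directly follow "New upstream release", it would also help the security team to state that CVE-2010-3172 and CVE-2010-3764 are fixed by the upstream 3.6.3 release rather than by Debian patches, for example "New upstream release fixing CVE-2010-3172 and CVE-2010-3764 (Closes: #602420)".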
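Review bot: in the first debian/Makefile hunk (@@ -22,8 +22,9 @@) the BUGZILLA_CGIDIR line is removed and re-added with identical content, so besides the BUGZILLA_DOCDIR addition the hunk is a whitespace-only change; drop it. The release team is already objecting to the size of this debdiff, and every noise hunk makes the review harder.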
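Review bot: in the second debian/Makefile hunk (@@ -46,8 +47,8 @@) the install target gains the prerequisites install_images, install_js and install_skins, but only install_skins (the renamed install_static_dirs) is visible in this diff; make sure install_images and install_js are defined in debian/Makefile, otherwise the build stops with "No rule to make target". If they are added in a part of the diff not shown here, say so in the changelog so a reviewer does not have to search for them.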
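Review bot: in the third debian/Makefile hunk (@@ -58,23 +59,25 @@) install_extensions still runs `$(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_EXTENSIONSDIR)` although nothing is installed there any more, so the package ships an empty directory; either remove that line or add a comment saying why checksetup needs the directory to exist. The install-then-tar-then-rm round trip through $(BUGZILLA_DOCDIR)/extensions could become a single `tar -C $(BUGZILLA_SRCDIR) --exclude=create.pl -czf $(BUGZILLA_DOCDIR)/extensions.tgz extensions`, at the cost of no longer normalising ownership and modes to root:root 0644, so keep the loop only if that normalisation is intended. Also, in the text as shown here `cd $(BUGZILLA_SRCDIR) for this_dir in ...` has no visible `&&` or `;` between the cd and the for; if that is not a rendering loss, the find runs from the wrong directory.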
Re: freeze exception -- bugzilla3 3.6.3.0-1
Bugzilla 3.6.3.0-1 with security fixes is pending for unfreeze in unstable since today.

Greetings,
Raphael

Format: 1.8
Date: Mon, 15 Nov 2010 10:09:20 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.6.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Raphael Bossek boss...@debian.org
Changed-By: Raphael Bossek boss...@debian.org
Description:
 bugzilla3  - web-based bug tracking system
 bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 602420
Changes:
 bugzilla (3.6.3.0-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #602420
   * Fixed vulnerability CVE-2010-3172:
     By inserting a certain string into a URL, it was possible
     to inject both headers and content to any browser that
     supported Server Push (mostly only Gecko-based browsers
     like Firefox). This could lead to Cross-Site Scripting
     vulnerabilities, and possibly other more dangerous security
     issues as well.
   * Fixed vulnerability CVE-2010-3764:
     The Old Charts system generated graphs with
     predictable names into the graphs/ directory,
     which also could be browsed to see its contents.
     This allowed unauthorized users to see product
     names and charted information about those
     products over time.
   * Fixed references to YUI components used by language templates.
   * Fixed missing images.
   * Suppress error messages at installation stage.
Checksums-Sha1:
 d77d70e1ec20b7ac80eabf26d4bf133ced458fba 1162 bugzilla_3.6.3.0-1.dsc
 0b4fa7cff9dd5ce5aaf644bf73c4bd2946e79dd1 4438817 bugzilla_3.6.3.0.orig.tar.gz
 3856d2b2a7e63979adce26453caece156b9ec8d0 99404 bugzilla_3.6.3.0-1.debian.tar.gz
 2db2cfe7e85e0885c3f9affd41738a14524520ff 3043686 bugzilla3_3.6.3.0-1_all.deb
 481a345d3ae43971148f35d7dcd8fea6b294d853 1418858 bugzilla3-doc_3.6.3.0-1_all.deb
Checksums-Sha256:
 d7f068cc9dceba80d42a71c13ef6de8414678aa690c1055d5a07c3908c5dbd62 1162 bugzilla_3.6.3.0-1.dsc
 85bf47de333b51e08223ac4a09529abd11e4a649c06ab9a10b5b02edc60817c4 4438817 bugzilla_3.6.3.0.orig.tar.gz
 b3b921a2c05c3393fc5a766262c89dc206754429dd1e0d6a24e5f5d3cc269e56 99404 bugzilla_3.6.3.0-1.debian.tar.gz
 d796eb7086de85ae42a20898c4799d376cc86dc4bffe27d5a9b6164114c9330e 3043686 bugzilla3_3.6.3.0-1_all.deb
 cb75ad3bd91333590fcda13e9e09cfc4ae0b8ba0145bbaca1b80d0e92434700a 1418858 bugzilla3-doc_3.6.3.0-1_all.deb
Files:
 bf631a0414a165adc549bce46b96cd39 1162 web optional bugzilla_3.6.3.0-1.dsc
 f40946783c7ba2eeef36f1e3ab6c67ae 4438817 web optional bugzilla_3.6.3.0.orig.tar.gz
 47b5112962d0cc5ce1246946d0ad395b 99404 web optional bugzilla_3.6.3.0-1.debian.tar.gz
 580d2c90c93cfbbf3ed1881cd1ab4f0f 3043686 web optional bugzilla3_3.6.3.0-1_all.deb
 7e1905f851cb72a2a7a95680f103d068 1418858 doc optional bugzilla3-doc_3.6.3.0-1_all.deb

Archive: http://lists.debian.org/aanlktin=h2efsm7x8kahzietz2974q8ir3byvgztf...@mail.gmail.com
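The .changes file above records a size and SHA-256 digest for every file in the upload, which is what lets anyone who fetches the .dsc, the tarballs and the .deb check that they are the ones the maintainer signed off on. The script below is an added example, not code from the thread or from Debian's dpkg-dev/devscripts tooling: it parses the Checksums-Sha256 stanza and verifies each listed file's size and digest. The fixture it builds (sample_1.0-1.dsc and its .changes) is constructed, and the names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian tooling: verify the
# files named in a .changes file against its Checksums-Sha256 stanza before
# trusting the upload. The .changes and the file it describes are constructed
# in make_fixture(); their names are hypothetical.

# Print "sha256 size filename" for every entry of the Checksums-Sha256 stanza.
# Entries are indented by one space; the stanza ends at the next unindented
# field such as "Files:".
changes_sha256_entries() {
    awk '
        /^Checksums-Sha256:/ { inside = 1; next }
        /^[^ ]/              { inside = 0 }
        inside && NF == 3    { print $1, $2, $3 }
    ' "$1"
}

# SHA-256 hex digest of a file (sha256sum on GNU systems, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_changes CHANGES DIR: every listed file must exist in DIR with the
# recorded size and digest. Prints one line per file and returns 0 only if
# all of them verify.
verify_changes() {
    changes=$1
    dir=$2
    bad=0
    entries=$(mktemp)
    changes_sha256_entries "$changes" > "$entries"
    # Read from a file rather than a pipe so "bad" survives the loop in POSIX sh.
    while read -r want_sum want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            bad=1
            continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_sum=$(sha256_of "$path")
        if [ "$got_size" != "$want_size" ] || [ "$got_sum" != "$want_sum" ]; then
            echo "MISMATCH $name (size $got_size, sha256 $got_sum)"
            bad=1
        else
            echo "OK       $name"
        fi
    done < "$entries"
    rm -f "$entries"
    return "$bad"
}

# Constructed fixture: a directory holding one "uploaded" file (the six bytes
# "hello\n") and a .changes whose Checksums-Sha256 entry matches it.
make_fixture() {
    fixture=$(mktemp -d)
    printf 'hello\n' > "$fixture/sample_1.0-1.dsc"
    cat > "$fixture/sample_1.0-1_source.changes" <<'EOF'
Format: 1.8
Source: sample
Version: 1.0-1
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 sample_1.0-1.dsc
Files:
 b1946ac92492d2347c6235b4d2611184 6 web optional sample_1.0-1.dsc
EOF
    echo "$fixture"
}

# Stand-alone run: verify the fixture, then show a tampered file failing.
FIXTURE=$(make_fixture)
verify_changes "$FIXTURE/sample_1.0-1_source.changes" "$FIXTURE"
printf 'hellO\n' > "$FIXTURE/sample_1.0-1.dsc"
verify_changes "$FIXTURE/sample_1.0-1_source.changes" "$FIXTURE" \
    || echo "verification failed as expected after tampering"
```

Checking the digests only tells you the files match the .changes; that the .changes itself is the maintainer's is established by its OpenPGP signature, which is checked separately (dscverify from devscripts does both steps together for a real upload).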
Re: freeze exception -- bugzilla3 3.6.2.0-1
Hi Mehdi,

these vulnerabilities are fixed in 3.6.2! If this freeze exception would be accepted they go into testing-stable.

Greetings,
Raphael

2010/10/12 Mehdi Dogguy me...@dogguy.org:

On 10/12/2010 06:43 AM, Raphael Bossek wrote:

Hi release team, it would be nice if bugzilla 3.6.2.0-3 could be accepted for stable; http://release.debian.org/migration/testing.pl?package=bugzilla

What about #595015?

Regards,
-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/

Archive: http://lists.debian.org/aanlktimrq0udmb9t00yi6=ucob=xmjr2j-coepuq-...@mail.gmail.com
Re: freeze exception -- bugzilla3 3.6.2.0-1
Hi release team,

it would be nice if bugzilla 3.6.2.0-3 could be accepted for stable; http://release.debian.org/migration/testing.pl?package=bugzilla

Greetings,
Raphael

2010/8/12 Mehdi Dogguy me...@dogguy.org:

On 0, Raphael Bossek boss...@debian.org wrote:

Dear Release-Team, Could you please grant a freeze exception for bugzilla3 3.6.2.0-1

The diff is quite huge:

5136 files changed, 391657 insertions(+), 428387 deletions(-)

Most of the changes are in .{tmpl,pl,pm} files and your package is quite fresh. Let's wait at least two or three weeks before considering a freeze exception for this package.

Regards,
-- 
Mehdi Dogguy

Archive: http://lists.debian.org/aanlkti=s+vsxtnsdhdy5ihp6rzjybvoqyr-w2dssm...@mail.gmail.com
freeze exception -- bugzilla3 3.6.2.0-1
Dear Release-Team,

Could you please grant a freeze exception for bugzilla3 3.6.2.0-1, because

1) Security issues were solved with this new version, http://www.bugzilla.org/security/3.2.7/ ; this would also be the case for 3.4.8, but
2) Security support for 3.4 will end in 2011 but not for 3.6, so we are able to make Debian (and Ubuntu) more secure with less effort by applying default upstream patches.

Greetings,
Raphael

Archive: http://lists.debian.org/aanlktim47trqy1rrzdr_6m8dumwojzxbye+ffvx=p...@mail.gmail.com