Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-28 Thread Mehdi Dogguy
On 12/26/2010 01:22 PM, Mehdi Dogguy wrote:
 
 I'll wait for your comments before uploading.
 

FTR, I've uploaded Bugzilla to testing-proposed-updates.
(debdiff is attached, fixed an issue found by Julien).

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
diff -Nru bugzilla-3.6.2.0/debian/bugzilla3.config bugzilla-3.6.2.0/debian/bugzilla3.config
--- bugzilla-3.6.2.0/debian/bugzilla3.config	2010-08-27 09:51:13.0 +0200
+++ bugzilla-3.6.2.0/debian/bugzilla3.config	2010-12-25 21:25:38.0 +0100
@@ -138,6 +138,11 @@
 ask_again bugzilla3/bugzilla_admin_pwd bugzilla3/pwd_check
 fi
 db_endblock
+
+# Do not repeat if we are in non-interactive mode.
+if [ $DEBIAN_FRONTEND = noninteractive ]; then
+break
+fi
 done
 
 # vim:ts=4 et sw=4
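Review bot: $DEBIAN_FRONTEND is expanded unquoted in the new test, so when the variable is not set in the config script's environment the test degrades to '[ = noninteractive ]', which makes sh print an operator error on every pass through the loop and fall through to the interactive branch; write it as '[ "$DEBIAN_FRONTEND" = noninteractive ]'. Checking the frontend name is also only a partial fix if the loop re-asks whenever the questions are not shown, since that also happens at a debconf priority below the questions' priority; a sturdier stop condition is the return code of the db_input calls for bugzilla3/bugzilla_admin_pwd and bugzilla3/pwd_check (30 means the question was skipped and will not be shown), which covers both cases without depending on the environment variable.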
diff -Nru bugzilla-3.6.2.0/debian/bugzilla3.postinst bugzilla-3.6.2.0/debian/bugzilla3.postinst
--- bugzilla-3.6.2.0/debian/bugzilla3.postinst	2010-10-27 13:46:06.0 +0200
+++ bugzilla-3.6.2.0/debian/bugzilla3.postinst	2010-12-25 21:29:28.0 +0100
@@ -137,9 +137,9 @@
 
 if [ $mode = configure ]; then
 # Fix file/directory permissions.
-run_script $BUGZILLA_ETCDIR/post-checksetup.d/10setdefaultdpkgstatoverride 21 /dev/null \
+run_script $BUGZILLA_ETCDIR/post-checksetup.d/10setdefaultdpkgstatoverride /dev/null 21 \
 || true
-run_script $BUGZILLA_ETCDIR/post-checksetup.d/15restoredpkgstatoverride 21 /dev/null \
+run_script $BUGZILLA_ETCDIR/post-checksetup.d/15restoredpkgstatoverride /dev/null 21 \
 || true
 
 # Setup a preleminary /etc/bugzilla3/params file.
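Review bot: the archive has dropped the redirection characters, but read with them restored the change is '2>&1 >/dev/null' becoming '>/dev/null 2>&1' on both run_script lines, which now discards stderr as well as stdout; together with the existing '|| true' a failure of the 10setdefaultdpkgstatoverride or 15restoredpkgstatoverride step becomes completely silent. As these scripts set the file and directory permissions under the Bugzilla tree, a silent failure leaves the installation with wrong permissions and nobody told; consider leaving stderr alone (drop the '2>&1') or printing a warning on failure instead of swallowing it with '|| true'.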
diff -Nru bugzilla-3.6.2.0/debian/changelog bugzilla-3.6.2.0/debian/changelog
--- bugzilla-3.6.2.0/debian/changelog	2010-12-05 18:55:32.0 +0100
+++ bugzilla-3.6.2.0/debian/changelog	2010-12-26 01:06:06.0 +0100
@@ -1,3 +1,13 @@
+bugzilla (3.6.2.0-4.2) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Support for noninteractive mode in Debconf (Closes: #602738)
+  * Add security patches (Closes: #602420):
+- 50_cve-2010-3172.sh fixes CVE-2010-3172
+- 70_cve-2010-3764.sh fixes CVE-2010-3764 (and remove 50_graphdir.sh)
+
+ -- Mehdi Dogguy me...@debian.org  Sat, 25 Dec 2010 22:25:55 +0100
+
 bugzilla (3.6.2.0-4.1) testing-proposed-updates; urgency=low
 
   * Non-maintainer upload.
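Review bot: the entry names two new maintenance scripts, 50_cve-2010-3172.sh and 70_cve-2010-3764.sh, but the debdiff as shown only contains bugzilla3.config, bugzilla3.postinst, the changelog and the removal of 50_graphdir.sh; since the copy here is cut off inside the 50_graphdir.sh hunk, confirm the two added files are really part of the upload (diff -Nru would list them as new files) before approving. Minor: the two '-' sub-items under "Add security patches" appear without the usual indentation under their bullet (possibly the archive collapsing whitespace), and "(and remove 50_graphdir.sh)" reads better as "(replaces 50_graphdir.sh)" since the next hunk deletes that file.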
diff -Nru bugzilla-3.6.2.0/debian/maintenance/50_graphdir.sh bugzilla-3.6.2.0/debian/maintenance/50_graphdir.sh
--- bugzilla-3.6.2.0/debian/maintenance/50_graphdir.sh	2010-08-08 18:49:32.0 +0200
+++ bugzilla-3.6.2.0/debian/maintenance/50_graphdir.sh	1970-01-01 01:00:00.0 +0100
@@ -1,69 +0,0 @@
-#!/bin/sh
-# https://bugs.launchpad.net/ubuntu/+source/bugzilla/+bug/419335
-set -e
-
-echo  $0 $*
-
-cd $1  patch -p1  $0
-
-exit 0
-
-diff -Naur a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
 a/Bugzilla/Install/Filesystem.pm	2010-07-14 01:09:27.0 +0200
-+++ b/Bugzilla/Install/Filesystem.pm	2010-08-08 18:13:35.534125065 +0200
-@@ -176,7 +176,7 @@
-   dirs = $ws_dir_writeable },
-  $webdotdir = { files = $ws_writeable,
-   dirs = $ws_dir_writeable },
-- graphs = { files = $ws_writeable,
-+ $datadir/graphs  = { files = $ws_writeable,
-   dirs = $ws_dir_writeable },
- 
-  # Readable directories
-@@ -228,7 +228,7 @@
- $datadir/extensions   = $ws_dir_readable,
- $attachdir  = $ws_dir_writeable,
- $extensionsdir  = $ws_dir_readable,
--graphs  = $ws_dir_writeable,
-+$datadir/graphs   = $ws_dir_writeable,
- $webdotdir  = $ws_dir_writeable,
- $skinsdir/custom  = $ws_dir_readable,
- $skinsdir/contrib = $ws_dir_readable,
-@@ -358,10 +358,10 @@
- my %files = %{$fs-{create_files}};
- 
- my $datadir = bz_locations-{'datadir'};
--# If the graphs/ directory doesn't exist, we're upgrading from
-+# If the $datadir/graphs/ directory doesn't exist, we're upgrading from
- # a version old enough that we need to update the $datadir/mining 
- # format.
--if (-d $datadir/mining  !-d 'graphs') {
-+if (-d $datadir/mining  !-d $datadir/graphs) {
- _update_old_charts($datadir);
- }
- 
-diff -Naur a/collectstats.pl b/collectstats.pl
 a/collectstats.pl	2010-07-06 20:20:12.0 +0200
-+++ b/collectstats.pl	2010-08-08 18:17:23.746133772 +0200
-@@ -49,9 +49,11 @@
- # in the regenerate mode).
- $| = 1;
- 
-+my $datadir = bz_locations()-{'datadir'};
-+
- # Tidy up after graphing module
- my $cwd = Cwd::getcwd();
--if (chdir(graphs)) {
-+if (chdir($datadir/graphs)) {
- unlink ./*.gif;
- unlink ./*.png;
- # chdir(..) doesn't work if graphs is a symlink, see bug 429378
-@@ -68,8 +70,6 @@
- $regenerate = 1;
- }
- 
--my $datadir = bz_locations()-{'datadir'};
--
- my @myproducts = 
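Review bot: this deletion drops the Launchpad bug 419335 change that moves the old-charts 'graphs' directory to $datadir/graphs in Bugzilla/Install/Filesystem.pm and collectstats.pl, and the changelog says 70_cve-2010-3764.sh replaces it; because the replacement is not in the diff shown, a reviewer cannot see that it carries the same relocation in addition to the upstream CVE-2010-3764 fix, and if it does not, the graphs path would fall back to the pre-419335 layout on Debian's directory structure. Also note that the deleted script applied itself with 'cd $1 && patch -p1 < $0' (the '&&' and '<' are lost in the archive) and that the hunk header announces 69 removed lines of which fewer are shown, so the copy in the archive is truncated.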

Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-26 Thread Mehdi Dogguy
On 12/18/2010 02:39 PM, Julien Cristau wrote:
 On Wed, Dec  8, 2010 at 16:03:58 +0100, Raphael Bossek wrote:
 
 Dear Christian,
 
 Debian uses a different directory structure than upstream, and has for
 years. The CVE-2010-3764 patch cannot be applied as a drop-in
 because it affects the directory structure of Debian. You have to
 change Debian's patches to achieve this too.
 
 Instead of losing time changing something that is done already,
 accept the 3.6.3.0 series. In the end it's clearer that Debian
 fixed those vulnerabilities if the package version is 3.6.3.0 anyway.
 
 That's not going to happen at this stage.  Please backport the
 necessary fixes for squeeze and upload to tpu.
 

I've approved Christian's NMU and it migrated. (So, one thing less to
care about). Now, I've prepared an NMU based on Squeeze's version.

One remark before you read the diff: 50_graphdir.sh was removed in
favour of 70_cve-2010-3764.sh which contains the whole patch to fix the
security issue.

I'll wait for your comments before uploading.

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/

Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-26 Thread Holger Levsen
Hi Mehdi,

On Sonntag, 26. Dezember 2010, Mehdi Dogguy wrote:
 I'll wait for your comments before uploading.

did you include the fix for 604230/602738? (which is in the sid version)


cheers,
Holger




Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-26 Thread Mehdi Dogguy
On 12/26/2010 02:02 PM, Holger Levsen wrote:
 Hi Mehdi,
 
 On Sonntag, 26. Dezember 2010, Mehdi Dogguy wrote:
 I'll wait for your comments before uploading.
 
 did you include the fix for 604230/602738? (which is in the sid version)
 

Yes. (first hunk in the diff, fwiw)

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d173f36.4090...@debian.org



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-18 Thread Julien Cristau
On Wed, Dec  8, 2010 at 16:03:58 +0100, Raphael Bossek wrote:

 Dear Christian,
 
 Debian uses a different directory structure than upstream, and has for years.
 The CVE-2010-3764 patch cannot be applied as a drop-in because it
 affects the directory structure of Debian. You have to change Debian's
 patches to achieve this too.
 
 Instead of losing time changing something that is done already, accept
 the 3.6.3.0 series. In the end it's clearer that Debian fixed those
 vulnerabilities if the package version is 3.6.3.0 anyway.
 
That's not going to happen at this stage.  Please backport the necessary
fixes for squeeze and upload to tpu.

Cheers,
Julien




Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-08 Thread Raphael Bossek
Dear Christian,

Debian uses a different directory structure than upstream, and has for years.
The CVE-2010-3764 patch cannot be applied as a drop-in because it
affects the directory structure of Debian. You have to change Debian's
patches to achieve this too.

Instead of losing time changing something that is done already, accept
the 3.6.3.0 series. In the end it's clearer that Debian fixed those
vulnerabilities if the package version is 3.6.3.0 anyway.

/Raphael

2010/12/6 Christian PERRIER bubu...@debian.org:
 Quoting Julien Cristau (jcris...@debian.org):
 On Thu, Nov 25, 2010 at 22:05:47 +, Adam D. Barratt wrote:

  On Thu, 2010-11-25 at 21:07 +, Adam D. Barratt wrote:
   $ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 
   2>/dev/null | diffstat | tail -n1
    1645 files changed, 80807 insertions(+), 94494 deletions(-)
  
   A lot of that is probably ignorable as it relates to changes in CVS
   and .svn{,-base} files and directories (why are those even in the diff?)
   but at this stage of the freeze we shouldn't be having to spend
   significant amounts of time reviewing diffs where the patches for the
   required fixes amount to less than two hundred lines of nett changes.
 
  As a follow-up note, if you can identify any significant parts of the
  above which are likely not to be relevant to the Debian package, that
  would be helpful in persuading us that the unstable package should be
  accepted, rather than requesting a t-p-u upload with the extracted
  fixes.
 
 Ping.  Can this be addressed or the security and RC fixes uploaded to
 tpu?


 I made an attempt yesterday after being pointed at this by Julien (I
 was trying to get debconf l10n fixed and uploaded a package to tpu
 with these fixes... sorry, I should have asked before).

 However, the build system of that package is not well known to me
 (upstream tarballs in the source package) and I don't know how to
 properly patch the sources with the two security fixes. Just naively
 dropping them to a newly-created debian/patches and creating
 debian/patches/series didn't work as expected.

 So, I gave up.

 If anyone is working on this, I would deeply appreciate if the two
 debconf translations that are fixed in unstable  would be fixed in the
 tpu upload.







Archive: http://lists.debian.org/aanlktinprwcifvmjkxpmuwynysdpgzoezbdges-rh...@mail.gmail.com



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-08 Thread Christian PERRIER
Quoting Raphael Bossek (boss...@debian.org):
 Dear Christian,
 
 Debian uses a different directory structure than upstream, and has for years.
 The CVE-2010-3764 patch cannot be applied as a drop-in because it
 affects the directory structure of Debian. You have to change Debian's
 patches to achieve this too.
 
 Instead of losing time changing something that is done already, accept
 the 3.6.3.0 series. In the end it's clearer that Debian fixed those
 vulnerabilities if the package version is 3.6.3.0 anyway.


Maybe. But we're in a release freeze and, imagine that everybody
follows the same reasoning: we will always end up with new upstream
releases and we'll never release.

It's not very good news to hear that a simple security patch isn't
easy to apply to bugzilla. If that's true, how will later security
updates be handled?

In that specific case, anyway, the decision is in the release team
hands. But not seeing signs of attempts to apply the sec fix to the
existing package in testing can't make them very optimistic about
further maintenance.








Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-05 Thread Julien Cristau
On Thu, Nov 25, 2010 at 22:05:47 +, Adam D. Barratt wrote:

 On Thu, 2010-11-25 at 21:07 +, Adam D. Barratt wrote:
  $ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 
  2>/dev/null | diffstat | tail -n1
   1645 files changed, 80807 insertions(+), 94494 deletions(-)
  
  A lot of that is probably ignorable as it relates to changes in CVS
  and .svn{,-base} files and directories (why are those even in the diff?)
  but at this stage of the freeze we shouldn't be having to spend
  significant amounts of time reviewing diffs where the patches for the
  required fixes amount to less than two hundred lines of nett changes.
 
 As a follow-up note, if you can identify any significant parts of the
 above which are likely not to be relevant to the Debian package, that
 would be helpful in persuading us that the unstable package should be
 accepted, rather than requesting a t-p-u upload with the extracted
 fixes.
 
Ping.  Can this be addressed or the security and RC fixes uploaded to
tpu?

Cheers,
Julien




Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-12-05 Thread Christian PERRIER
Quoting Julien Cristau (jcris...@debian.org):
 On Thu, Nov 25, 2010 at 22:05:47 +, Adam D. Barratt wrote:
 
  On Thu, 2010-11-25 at 21:07 +, Adam D. Barratt wrote:
   $ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 
   2>/dev/null | diffstat | tail -n1
1645 files changed, 80807 insertions(+), 94494 deletions(-)
   
   A lot of that is probably ignorable as it relates to changes in CVS
   and .svn{,-base} files and directories (why are those even in the diff?)
   but at this stage of the freeze we shouldn't be having to spend
   significant amounts of time reviewing diffs where the patches for the
   required fixes amount to less than two hundred lines of nett changes.
  
  As a follow-up note, if you can identify any significant parts of the
  above which are likely not to be relevant to the Debian package, that
  would be helpful in persuading us that the unstable package should be
  accepted, rather than requesting a t-p-u upload with the extracted
  fixes.
  
 Ping.  Can this be addressed or the security and RC fixes uploaded to
 tpu?


I made an attempt yesterday after being pointed at this by Julien (I
was trying to get debconf l10n fixed and uploaded a package to tpu
with these fixes... sorry, I should have asked before).

However, the build system of that package is not well known to me
(upstream tarballs in the source package) and I don't know how to
properly patch the sources with the two security fixes. Just naively
dropping them to a newly-created debian/patches and creating
debian/patches/series didn't work as expected.

So, I gave up.

If anyone is working on this, I would deeply appreciate if the two
debconf translations that are fixed in unstable would be fixed in the
tpu upload.






Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-25 Thread Adam D. Barratt
On Mon, 2010-11-22 at 10:34 +0100, Raphael Bossek wrote:
 thank you for your support. Sorry, but I missed your response.
 If 3.6.3 is not accepted for testing -- where these security
 vulnerabilities (http://bugs.debian.org/602420) are solved upstream --
 applying patches to 3.6.2 could be put into consideration. By the way,
 3.6.3.0-2 solved some further issues with noninteractive installation
 (piuparts) and missing package dependencies; both issues exist in the
 3.6.2 series of Debian packages.

Every release update since the freeze was announced has mentioned that
uploads to unstable should not include extraneous changes or fixes; a
new upstream release which includes changes which do not fix RC bugs is
fairly clearly likely to end up being viewed as extraneous at this
point.

 I would prefer the 3.6.3 because it's simpler to read the CVE and
 compare the version of the package instead of reading the changelog
 for solved security vulnerabilities.

That approach generally won't work in Debian anyway, as the version
numbers in a stable release won't correspond to those in which upstream
have fixed vulnerabilities in many cases.

 PS: Here is the missing diff between the uploaded and testing version of 
 bugzilla.

That's nowhere *near* the diff between the two versions.  The patch you
provided only appears to cover parts of debian/ and is:

 13 files changed, 82 insertions(+), 85 deletions(-)

whereas

$ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 2>/dev/null | 
diffstat | tail -n1
 1645 files changed, 80807 insertions(+), 94494 deletions(-)

A lot of that is probably ignorable as it relates to changes in CVS
and .svn{,-base} files and directories (why are those even in the diff?)
but at this stage of the freeze we shouldn't be having to spend
significant amounts of time reviewing diffs where the patches for the
required fixes amount to less than two hundred lines of nett changes.

Regards,

Adam


Archive: http://lists.debian.org/1290719250.2914.655.ca...@hathi.jungle.funky-badger.org



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-25 Thread Adam D. Barratt
On Thu, 2010-11-25 at 21:07 +, Adam D. Barratt wrote:
 $ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 2>/dev/null 
 | diffstat | tail -n1
  1645 files changed, 80807 insertions(+), 94494 deletions(-)
 
 A lot of that is probably ignorable as it relates to changes in CVS
 and .svn{,-base} files and directories (why are those even in the diff?)
 but at this stage of the freeze we shouldn't be having to spend
 significant amounts of time reviewing diffs where the patches for the
 required fixes amount to less than two hundred lines of nett changes.

As a follow-up note, if you can identify any significant parts of the
above which are likely not to be relevant to the Debian package, that
would be helpful in persuading us that the unstable package should be
accepted, rather than requesting a t-p-u upload with the extracted
fixes.

Regards,

Adam


Archive: http://lists.debian.org/1290722747.2914.918.ca...@hathi.jungle.funky-badger.org



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-24 Thread Moritz Muehlenhoff
On Mon, Nov 22, 2010 at 10:34:11AM +0100, Raphael Bossek wrote:
 Hi Moritz,
 
 thank you for your support. Sorry, but I missed your response.
 If 3.6.3 is not accepted for testing -- where these security
 vulnerabilities (http://bugs.debian.org/602420) are solved upstream --
 applying patches to 3.6.2 could be put into consideration. By the way,
 3.6.3.0-2 solved some further issues with noninteractive installation
 (piuparts) and missing package dependencies; both issues exist in the
 3.6.2 series of Debian packages.
 I would prefer 3.6.3 because it's simpler to read the CVE and
 compare the version of the package instead of reading the changelog
 for solved security vulnerabilities.

That is up to release managers to review/decide.

Cheers,
Moritz


Archive: http://lists.debian.org/20101124210407.gb6...@galadriel.inutil.org



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-22 Thread Raphael Bossek
Hi Moritz,

thank you for your support. Sorry, but I missed your response.
If 3.6.3 is not accepted for testing -- where these security
vulnerabilities (http://bugs.debian.org/602420) are solved upstream --
applying patches to 3.6.2 could be put into consideration. By the way,
3.6.3.0-2 solved some further issues with noninteractive installation
(piuparts) and missing package dependencies; both issues exist in the
3.6.2 series of Debian packages.
I would prefer 3.6.3 because it's simpler to read the CVE and
compare the version of the package instead of reading the changelog
for solved security vulnerabilities.

Greetings,
Raphael

PS: Here is the missing diff between the uploaded and testing version of bugzilla.

diff -r eb3bbeed652d debian/changelog
--- a/debian/changelog  Wed Oct 27 16:59:27 2010 +0200
+++ b/debian/changelog  Mon Nov 22 10:30:02 2010 +0100
@@ -1,3 +1,40 @@
+bugzilla (3.6.3.0-2) unstable; urgency=medium
+
+  * Support for noninteractive mode in Debconf. Closes: #602738
+  * Added missing package dependency against liburi-perl. Removed non exsiting
+package option libgd-noxpm-perl.
+  * Urgency set to medium because previous version is not accepted for
+testing.
+  * Parallel build for Makefiles is working now.
+  * Surrpress error messages for non existing template directories if
+checksetup fails (in noninteractive mode).
+  * Extensions are not installed by default. They exist as documentation.
+
+ -- Raphael Bossek boss...@debian.org  Sat, 20 Nov 2010 05:51:25 +0100
+
+bugzilla (3.6.3.0-1) unstable; urgency=medium
+
+  * New upstream release. Closes: #602420
+  * Fixed vulnerability CVE-2010-3172:
+By inserting a certain string into a URL, it was possible
+to inject both headers and content to any browser that
+supported Server Push (mostly only Gecko-based browsers
+like Firefox). This could lead to Cross-Site Scripting
+vulnerabilities, and possibly other more dangerous security
+issues as well.
+  * Fixed vulnerability CVE-2010-3764:
+The Old Charts system generated graphs with
+predictable names into the graphs/ directory,
+which also could be browsed to see its contents.
+This allowed unauthorized users to see product
+names and charted information about those
+products over time.
+  * Fixed references to YUI components used by language templates.
+  * Fixed missing images.
+  * Surrpress error messages at installation stage.
+
+ -- Raphael Bossek boss...@debian.org  Mon, 15 Nov 2010 10:09:20 +0100
+
 bugzilla (3.6.2.0-4) unstable; urgency=low

   * Upgrade from Lenny to Squeeze fixed. Closes: #600170
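Review bot: the 3.6.3.0-2 entry justifies urgency=medium with "previous version is not accepted for testing", which is not what urgency is for (it shortens the migration delay, it does not override a freeze review) and should be low unless the security fixes themselves motivate it; the same applies to the 3.6.3.0-1 entry. The two CVE entries describe the upstream issues but not which files in the Debian package carry the fixes, which is exactly what a freeze reviewer needs in order to isolate them from the rest of the new upstream release. Spelling in the entries: "non exsiting", "Surrpress" (twice).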
--- a/debian/Makefile   Wed Oct 27 16:59:27 2010 +0200
+++ b/debian/Makefile   Mon Nov 22 10:30:02 2010 +0100
@@ -22,8 +22,9 @@
 # For a better maintenance, we'll create by hand each
 # bugzilla's sub directories.
 BUGZILLA_PERLDIR= $(BUGZILLA_PKGDIR)/usr/share/perl5
+BUGZILLA_DOCDIR = $(BUGZILLA_PKGDIR)/usr/share/doc/bugzilla3
 BUGZILLA_WWW   = $(BUGZILLA_SHAREDIR)/web
-BUGZILLA_CGIDIR  = $(BUGZILLA_WWW)
+BUGZILLA_CGIDIR = $(BUGZILLA_WWW)
 BUGZILLA_CONTRIB= $(BUGZILLA_SHAREDIR)/contrib

 PKGVER := $(shell dpkg-parsechangelog |grep Version: |sed -e
's,Version: \([^-]\+\).*,\1,g')
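Review bot: the BUGZILLA_CGIDIR line changes only whitespace, which adds noise to a diff the release team has asked to keep minimal; drop it. The patch has also been line-wrapped by the mail client (the PKGVER sed expression is split across two lines here, and the later hunks are wrapped the same way), so patch cannot apply it as posted; send the debdiff as an attachment instead of pasting it into the body.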
@@ -46,8 +47,8 @@
$(CURDIR)/debian/create-bugzilla-srcdir


-install: install_static_dirs install_static_files install_lib_files \
-install_cgi install_template install_contrib install_extensions
+install: install_static_files install_images install_js install_lib_files \
+install_cgi install_template install_skins install_contrib 
install_extensions


 install_contrib:   extractsrc
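Review bot: the install target now depends on install_images, install_js and install_skins, but only install_skins (the renamed install_static_dirs) appears in this diff; confirm the other two targets exist in the full Makefile, otherwise the build fails with "No rule to make target". install_extensions also stays in the dependency list even though, per the next hunk, the extensions are no longer installed into the package, so the target name is now misleading.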
@@ -58,23 +59,25 @@

 install_extensions:extractsrc
$(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_EXTENSIONSDIR)
+   : # Install extensions as documentation until we have a real
extensions support
+   $(INSTALL) -d -m 0755 -o root -g root $(BUGZILLA_DOCDIR)
cd $(BUGZILLA_SRCDIR)  for this_dir in `find extensions -type d` ; do 
\
-   $(INSTALL) -d -m 0755 -o root -g root 
$(BUGZILLA_VARDIR)/$$this_dir ;\
+   $(INSTALL) -d -m 0755 -o root -g root 
$(BUGZILLA_DOCDIR)/$$this_dir ;\
done
-   cd $(BUGZILLA_SRCDIR)  for this_file in `find extensions -type f` ; 
do \
-   $(INSTALL) -m 0644 -o root -g root $$this_file
$(BUGZILLA_VARDIR)/`dirname $$this_file` ;\
+   cd $(BUGZILLA_SRCDIR)  for this_file in `find extensions -type f
-not -name create.pl` ; do \
+   $(INSTALL) -m 0644 -o root -g root $$this_file
$(BUGZILLA_DOCDIR)/`dirname $$this_file` ;\
done
+   : # Create an archive for these extensions
+   tar -C $(BUGZILLA_DOCDIR) -czf $(BUGZILLA_DOCDIR)/extensions.tgz 
extensions
+   rm -rf $(BUGZILLA_DOCDIR)/extensions


-install_static_dirs:   extractsrc
+install_skins: extractsrc
cd $(BUGZILLA_SRCDIR)  for this_dir in `find skins -type d` ; do \
$(INSTALL) -d -m 0755 -o root -g root 
$(BUGZILLA_WWW)/$$this_dir ;\
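Review bot: install_extensions still creates $(BUGZILLA_EXTENSIONSDIR) in the package even though the extension code now only goes to $(BUGZILLA_DOCDIR) as extensions.tgz; either drop that $(INSTALL) -d or state in the changelog that the empty directory is kept on purpose. The '-not -name create.pl' exclusion silently drops one file from the archive; add a comment saying why. Shipping the extensions as documentation rather than under the served tree is a reasonable way to keep unreviewed code out of the web application, but the hunk is cut off in the archive after the install_skins lines, so the end of this target cannot be reviewed here.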
   

Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-21 Thread Julien Cristau
Raphael,

On Thu, Nov 18, 2010 at 21:40:31 +0100, Moritz Muehlenhoff wrote:

 In gmane.linux.debian.devel.release, you wrote:
  Bugzilla 3.6.3.0-1 with security fixes pending for unfreeze in
  unstable since today.
 
 Why did you upload a new upstream version? We're in freeze and
 new upstream releases should be avoided, as outlined on debian-
 devel-announce several times. I even attached the isolated 
 security patches to my bugreport.
 
I see bugzilla has been reuploaded today with, in the changelog entry:

   * Urgency set to medium because previous version is not accepted for
 testing.

Setting urgency to medium is not going to help if you're not replying to
queries about the uploads...

Cheers,
Julien




Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-18 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.release, you wrote:
 Bugzilla 3.6.3.0-1 with security fixes pending for unfreeze in
 unstable since today.

Why did you upload a new upstream version? We're in freeze and
new upstream releases should be avoided, as outlined on debian-
devel-announce several times. I even attached the isolated 
security patches to my bugreport.

Cheers,
Moritz


Archive: http://lists.debian.org/20101118204031.ga8...@galadriel.inutil.org



Re: freeze exception -- bugzilla3 3.6.3.0-1

2010-11-15 Thread Raphael Bossek
Bugzilla 3.6.3.0-1 with security fixes pending for unfreeze in
unstable since today.

Greetings,
Raphael

Format: 1.8
Date: Mon, 15 Nov 2010 10:09:20 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.6.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Raphael Bossek boss...@debian.org
Changed-By: Raphael Bossek boss...@debian.org
Description:
 bugzilla3  - web-based bug tracking system
 bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 602420
Changes:
 bugzilla (3.6.3.0-1) unstable; urgency=medium
 .
  * New upstream release. Closes: #602420
  * Fixed vulnerability CVE-2010-3172:
By inserting a certain string into a URL, it was possible
to inject both headers and content to any browser that
supported Server Push (mostly only Gecko-based browsers
like Firefox). This could lead to Cross-Site Scripting
vulnerabilities, and possibly other more dangerous security
issues as well.
  * Fixed vulnerability CVE-2010-3764:
The Old Charts system generated graphs with
predictable names into the graphs/ directory,
which also could be browsed to see its contents.
This allowed unauthorized users to see product
names and charted information about those
products over time.
  * Fixed references to YUI components used by language templates.
  * Fixed missing images.
  * Surrpress error messages at installation stage.
Checksums-Sha1:
 d77d70e1ec20b7ac80eabf26d4bf133ced458fba 1162 bugzilla_3.6.3.0-1.dsc
 0b4fa7cff9dd5ce5aaf644bf73c4bd2946e79dd1 4438817 bugzilla_3.6.3.0.orig.tar.gz
 3856d2b2a7e63979adce26453caece156b9ec8d0 99404 bugzilla_3.6.3.0-1.debian.tar.gz
 2db2cfe7e85e0885c3f9affd41738a14524520ff 3043686 bugzilla3_3.6.3.0-1_all.deb
 481a345d3ae43971148f35d7dcd8fea6b294d853 1418858 bugzilla3-doc_3.6.3.0-1_all.deb
Checksums-Sha256:
 d7f068cc9dceba80d42a71c13ef6de8414678aa690c1055d5a07c3908c5dbd62 1162 bugzilla_3.6.3.0-1.dsc
 85bf47de333b51e08223ac4a09529abd11e4a649c06ab9a10b5b02edc60817c4 4438817 bugzilla_3.6.3.0.orig.tar.gz
 b3b921a2c05c3393fc5a766262c89dc206754429dd1e0d6a24e5f5d3cc269e56 99404 bugzilla_3.6.3.0-1.debian.tar.gz
 d796eb7086de85ae42a20898c4799d376cc86dc4bffe27d5a9b6164114c9330e 3043686 bugzilla3_3.6.3.0-1_all.deb
 cb75ad3bd91333590fcda13e9e09cfc4ae0b8ba0145bbaca1b80d0e92434700a 1418858 bugzilla3-doc_3.6.3.0-1_all.deb
Files:
 bf631a0414a165adc549bce46b96cd39 1162 web optional bugzilla_3.6.3.0-1.dsc
 f40946783c7ba2eeef36f1e3ab6c67ae 4438817 web optional bugzilla_3.6.3.0.orig.tar.gz
 47b5112962d0cc5ce1246946d0ad395b 99404 web optional bugzilla_3.6.3.0-1.debian.tar.gz
 580d2c90c93cfbbf3ed1881cd1ab4f0f 3043686 web optional bugzilla3_3.6.3.0-1_all.deb
 7e1905f851cb72a2a7a95680f103d068 1418858 doc optional bugzilla3-doc_3.6.3.0-1_all.deb



Archive: http://lists.debian.org/aanlktin=h2efsm7x8kahzietz2974q8ir3byvgztf...@mail.gmail.com