Re: [SECURITY] [DSA 3355-2] libvdpau regression update
On 11/03/2015 08:30 AM, Ansgar Burchardt wrote:
> dak needs to forget that it has seen the file. Which means either
> resigning it or ftp-master telling dak to do so. I just did the latter
> and moved the upload back to the processing queue.

Just tried the update and it worked fine. Thanks for the quick fix!

Daniel
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi Ansgar,

On Tue, Nov 03, 2015 at 08:30:56AM +0100, Ansgar Burchardt wrote:
> Hi,
>
> Salvatore Bonaccorso writes:
> > On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> >> Daniel Reichelt (2015-11-03):
> >> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> >> >
> >> > Is this an error or am I missing something?
> >
> > The problem seems to be the following: the upload was done only
> > including the arch:all packages, but the changes file was named
> > _amd64.changes.
>
> That was indeed the problem. For uploads to policy queues, we keep the
> .changes around and, as dak uses the uploader-provided name and doesn't
> rename them, uploads are rejected if they reuse an already used name.
>
> > I guess reuploading the amd64 builds with a renamed changes file
> > might work in this case?
>
> dak needs to forget that it has seen the file. Which means either
> resigning it or ftp-master telling dak to do so. I just did the latter
> and moved the upload back to the processing queue.

Thanks!

Regards,
Salvatore
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi,

Salvatore Bonaccorso writes:
> On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
>> Daniel Reichelt (2015-11-03):
>> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
>> >
>> > Is this an error or am I missing something?
>
> The problem seems to be the following: the upload was done only
> including the arch:all packages, but the changes file was named
> _amd64.changes.

That was indeed the problem. For uploads to policy queues, we keep the
.changes around and, as dak uses the uploader-provided name and doesn't
rename them, uploads are rejected if they reuse an already used name.

> I guess reuploading the amd64 builds with a renamed changes file
> might work in this case?

dak needs to forget that it has seen the file. Which means either
resigning it or ftp-master telling dak to do so. I just did the latter
and moved the upload back to the processing queue.

Ansgar
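
The naming mismatch and the name-reuse rejection described in the message above, as an added example (not dak's code and not part of the original thread): a pre-upload check in Python. The function names and the `seen` set are hypothetical, and the second upload's file name is constructed for illustration.

```python
import re

# Debian binary packages are named <package>_<version>_<arch>.deb (or .udeb).
BINARY_RE = re.compile(r"^[^_]+_[^_]+_(?P<arch>[^_.]+)\.u?deb$")
# A .changes file is conventionally named <source>_<version>_<arch>.changes.
CHANGES_RE = re.compile(r"^[^_]+_[^_]+_(?P<arch>[^_.]+)\.changes$")


def archs_in_upload(files):
    """Return the architectures actually carried by the listed files."""
    archs = set()
    for name in files:
        m = BINARY_RE.match(name)
        if m:
            archs.add(m.group("arch"))
        elif name.endswith(".dsc"):
            archs.add("source")
    return archs


def check_upload(changes_name, files, seen):
    """Return a list of problems; `seen` holds .changes names already uploaded."""
    problems = []
    m = CHANGES_RE.match(changes_name)
    if not m:
        return ["not a <source>_<version>_<arch>.changes name"]
    claimed, present = m.group("arch"), archs_in_upload(files)
    if claimed not in present:
        problems.append(f"name claims {claimed}, upload carries {sorted(present)}")
    if changes_name in seen:
        # Assumption taken from the thread: a reused .changes name is rejected.
        problems.append("name already used by an earlier upload")
    return problems


# Upload from the thread: arch:all and source files under an _amd64 name.
NAME = "libvdpau_0.8-3+deb8u2_amd64.changes"
FIRST = ["libvdpau_0.8-3+deb8u2.dsc",
         "libvdpau_0.8-3+deb8u2.debian.tar.xz",
         "libvdpau-doc_0.8-3+deb8u2_all.deb"]
# Constructed follow-up: an amd64 build that would reuse the same name.
SECOND = ["libvdpau1_0.8-3+deb8u2_amd64.deb"]

if __name__ == "__main__":
    print(check_upload(NAME, FIRST, seen=set()))
    print(check_upload(NAME, SECOND, seen={NAME}))
```
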
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi,

Adding FTP masters to the loop, since they might help best in this
case.

On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> Hi,
>
> Daniel Reichelt (2015-11-03):
> > Hi *
> >
> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> >
> > Is this an error or am I missing something?

The problem seems to be the following: the upload was done only
including the arch:all packages, but the changes file was named
_amd64.changes.

At least from the processing of the _amd64.changes I have:

libvdpau_0.8-3+deb8u2_amd64.changes uploaded successfully to ftp.upload.debian.org
along with the files:
  libvdpau_0.8-3+deb8u2.dsc
  libvdpau_0.8-3+deb8u2.debian.tar.xz
  libvdpau-doc_0.8-3+deb8u2_all.deb

I guess reuploading the amd64 builds with a renamed changes file
might work in this case?

Regards,
Salvatore
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi,

Daniel Reichelt (2015-11-03):
> Hi *
>
> the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
>
> Is this an error or am I missing something?
>
>
> Thanks
> Daniel
>
>
> [1] http://security.debian.org/pool/updates/main/libv/libvdpau/

If I'm reading wanna-build right, it's Uploaded (as opposed to
Installed), since 2015-11-02 17:25:03.079505

So far as I can check, queued and dak on ftp-master seem rather happy:
| Nov 2 19:31:19 processing /libvdpau_0.8-3+deb8u2_amd64.changes
| Nov 2 19:31:19 libvdpau_0.8-3+deb8u2_amd64.changes processed successfully (uploader pkg-nvidia-de...@lists.alioth.debian.org)

and:
| 20151102193529|process-upload|dak|Processing changes file|libvdpau_0.8-3+deb8u2_amd64.changes
| 20151102193532|process-upload|dak|ACCEPT|libvdpau_0.8-3+deb8u2_amd64.changes

so it doesn't seem obvious to me what's happening here.

Adding team@ to the loop since I don't think I can check anything on the
security.d.o side.

Mraw,
KiBi.
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi *

the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].

Is this an error or am I missing something?


Thanks
Daniel


[1] http://security.debian.org/pool/updates/main/libv/libvdpau/

On 11/02/2015 08:27 PM, Alessandro Ghedini wrote:
> -
> Debian Security Advisory DSA-3355-2                   secur...@debian.org
> https://www.debian.org/security/                       Alessandro Ghedini
> November 02, 2015                     https://www.debian.org/security/faq
> -
>
> Package        : libvdpau
> Debian Bug     : 802625
>
> The previous update for libvdpau, DSA-3355-1, introduced a regression in
> the stable distribution (jessie) causing a segmentation fault when the
> DRI_PRIME environment variable is set. For reference, the original
> advisory text follows.
>
> Florian Weimer of Red Hat Product Security discovered that libvdpau, the
> VDPAU wrapper library, did not properly validate environment variables,
> allowing local attackers to gain additional privileges.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 0.8-3+deb8u2.
>
> We recommend that you upgrade your libvdpau packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org