On Sun, 2016-03-13 at 12:52 +0100, Guido Günther wrote:
> Hi Brian,
> On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
[...]
> > If so I imagine this would require:
> >
> > - identifying which CVEs are fixed in 4.1.6.1
> > - updating xen package
> > - updating the kernel packages (if thi
On Wed, 2016-04-13 at 21:51 +1000, Brian May wrote:
[...]
> (dvswitch)
[...]
This is known to be broken with newer libav and has not been fixed
upstream. (I think I was able to make it build, but it then crashed at
run-time.) Definitely a candidate for removal.
Ben.
--
Ben Hutchings
Larkinson
Brian May writes:
> So guessing the solution might be to backport the stretch version to
> wheezy?
Backporting ffmpeg could prove challenging, this is the version from
jessie-backports:
The following packages have unmet dependencies:
sbuild-build-depends-ffmpeg-dummy : Depends: debhelper (>= 9
Brian May writes:
> Whoops. Just noticed that libpostproc-dev is provided by the old libav,
> however not provided by the new libav. I had thought it was another
> source package.
What do I do with ffmpeg?
Looks like this used to be provided by libav.
Jessie doesn't have ffmpeg (except in backp
Moritz Muehlenhoff writes:
> In general, all the libav transitions have been handled via the BTS, so
> patches should be found there. Some packages also ended up being
> incompatible/abandoned and were eventually removed, so please also check
> whether any of the failing packages are actuall
Brian May writes:
> libpostproc-dev will be uninstallable - does this matter?
Whoops. Just noticed that libpostproc-dev is provided by the old libav,
however not provided by the new libav. I had thought it was another
source package.
So any packages that depend on it will need to be fixed not t
Holger Levsen writes:
> yes, if you break packages like this you cannot fix them if other more
> severe problems show up in those packages.
Good point.
My current plan will be to fix all non-EOLed packages in my
staging repository, and then find out what I need to do next.
--
Brian May
On Thu, Apr 21, 2016 at 11:19:18AM +1000, Brian May wrote:
> Are any binary packages going to break if we just upload the new libav
> without changing anything else? Does it matter if this causes FTBFS in
> supported packages before if/we fix them too?
yes, if you break packages like this you canno
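The question quoted above (which binaries break if the new libav is uploaded without touching anything else) can be answered mechanically from Sources and Packages data rather than by a full rebuild. The script below is an added example, not a tool written by anyone in this thread or from the secure-testing repository. It reads Sources/Packages-style stanzas and reports, first, source packages whose Build-Depends name a binary that the new libav no longer builds (no surviving alternative, so they cannot even start to build) or that merely need a rebuild check, and second, binaries left in the archive whose Depends pin a libav binary to exactly the old version, which is the libpostproc-dev case seen later in the thread. The package names, versions, binary lists and stanzas are constructed for illustration; only the relation syntax is Debian's. Only the `=` operator is checked, since the other operators need dpkg's full version ordering.

```python
#!/usr/bin/env python3
"""Which packages break if a new libav is uploaded unchanged?  Added example,
not a Debian or LTS-team tool.  Input fragments below are constructed."""
import re

# Constructed Sources fragment (names and fields are illustrative).
SOURCES = """\
Package: dvswitch
Binary: dvswitch
Build-Depends: debhelper (>= 9), libavcodec-dev, libavutil-dev, libpostproc-dev

Package: mplayer
Binary: mplayer
Build-Depends: debhelper (>= 9), libavcodec-dev | libavcodec-extra-dev, libpostproc-dev

Package: gstreamer-ffmpeg
Binary: gstreamer0.10-ffmpeg
Build-Depends: debhelper (>= 9), libavcodec-dev, libavformat-dev, libswscale-dev

Package: hello
Binary: hello
Build-Depends: debhelper (>= 9)
"""

# Constructed Packages fragment with a strict '(= version)' relation.
PACKAGES = """\
Package: libpostproc-dev
Source: libav
Version: 6:0.8.17-2
Depends: libavutil-dev (= 6:0.8.17-2), libpostproc52 (= 6:0.8.17-2)

Package: libavutil-dev
Source: libav
Version: 6:0.8.17-2
Depends: libavutil51 (= 6:0.8.17-2)
"""

# Constructed binary lists: what the old and the new libav source build.
OLD_LIBAV_BINARIES = {"libavcodec-dev", "libavcodec-extra-dev", "libavformat-dev",
                      "libavutil-dev", "libswscale-dev", "libpostproc-dev",
                      "libavutil51", "libpostproc52"}
NEW_LIBAV_BINARIES = {"libavcodec-dev", "libavformat-dev", "libavutil-dev",
                      "libswscale-dev", "libavutil54"}
NEW_LIBAV_VERSION = "6:11.6-1~deb7u1"

REL_RE = re.compile(r"^([a-z0-9][a-z0-9+.-]*)(?::\w+)?\s*"
                    r"(?:\(\s*(<<|<=|=|>=|>>)\s*([^)]+?)\s*\))?")


def parse_stanzas(text):
    """Split RFC822-style control data into dicts; joins continuation lines."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:
            cur[last] += " " + line.strip()
        else:
            key, _, val = line.partition(":")
            cur[key] = val.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_relations(field):
    """'a (>= 1), b | c' -> [[('a','>=','1')], [('b',None,None),('c',None,None)]].
    Architecture and build-profile qualifiers after the name are ignored."""
    rels = []
    for group in field.split(","):
        alts = [m.groups() for m in
                (REL_RE.match(a.strip()) for a in group.split("|")) if m]
        if alts:
            rels.append(alts)
    return rels


def build_dep_impact(sources_text, old_bins, new_bins):
    """Source -> ('vanished', deps) if a build-dep group has no alternative that
    survives the upload, ('rebuild', deps) if it only uses surviving -dev
    packages (FTBFS still possible: API changes), else ('unaffected', [])."""
    result = {}
    for st in parse_stanzas(sources_text):
        vanished, touched = [], []
        for alts in parse_relations(st.get("Build-Depends", "")):
            names = [a[0] for a in alts]
            if not any(n in old_bins for n in names):
                continue  # this dependency group does not involve the library
            touched.extend(n for n in names if n in old_bins)
            # An alternative survives if the new source still builds it or it
            # was never a libav binary in the first place.
            if not any(n in new_bins or n not in old_bins for n in names):
                vanished.append(" | ".join(names))
        if vanished:
            result[st["Package"]] = ("vanished", vanished)
        elif touched:
            result[st["Package"]] = ("rebuild", sorted(set(touched)))
        else:
            result[st["Package"]] = ("unaffected", [])
    return result


def strict_version_breakage(packages_text, source, new_version, replaced):
    """Binaries not replaced by the upload whose Depends pin a binary of SOURCE
    to exactly its old version become uninstallable once the upload lands."""
    stanzas = parse_stanzas(packages_text)
    bins_of_source = {s["Package"] for s in stanzas
                      if s.get("Source", s["Package"]) == source}
    broken = {}
    for st in stanzas:
        if st["Package"] in replaced:
            continue  # the new source ships its own copy of this binary
        for alts in parse_relations(st.get("Depends", "")):
            for name, op, ver in alts:
                if name in bins_of_source and op == "=" and ver != new_version:
                    broken.setdefault(st["Package"], []).append(f"{name} (= {ver})")
    return broken


if __name__ == "__main__":
    for pkg, (state, deps) in build_dep_impact(SOURCES, OLD_LIBAV_BINARIES,
                                                NEW_LIBAV_BINARIES).items():
        print(f"{pkg:18} {state:10} {', '.join(deps)}")
    print(strict_version_breakage(PACKAGES, "libav", NEW_LIBAV_VERSION,
                                  NEW_LIBAV_BINARIES))
```

On real data the two text constants would be the suite's Sources and Packages indices; the "vanished" list is the set that must be patched (or dropped) before the upload, the "rebuild" list is what to feed to sbuild afterwards.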
Hi,
On Thu, 21 Apr 2016, Brian May wrote:
> Are any binary packages going to break if we just upload the new libav
> without changing anything else? Does it matter if this causes FTBFS in
> supported packages before if/we fix them too?
> It looks like the soname is different, that is good.
> libpos
Brian May writes:
> For now, I am going to look at creating a simple staging area with
> reprepro on people.debian.org
Ok, mostly done. I think. Has xen and libav packages.
Find instructions at:
https://people.debian.org/~bam/debian/README.txt
I appear to be having random problems trying to a
Moritz Muehlenhoff writes:
> That would work for some of the changes, but there are also other API changes.
>
> In general, all the libav transitions have been handled via the BTS, so
> patches should be found there. Some packages also ended up being
> incompatible/abandoned and were eventual
On Wed, Apr 20, 2016 at 09:35:31AM +0200, Raphael Hertzog wrote:
> On Wed, 20 Apr 2016, Brian May wrote:
> > Looks like a total of 85 packages failed to build and 46 packages
> > succeeded. So me thinks this strategy of using the Jessie version in
> > wheezy may not be a feasible option.
>
On Wed, 20 Apr 2016, Brian May wrote:
> Looks like a total of 85 packages failed to build and 46 packages
> succeeded. So me thinks this strategy of using the Jessie version in
> wheezy may not be a feasible option.
Unless you can revert some of the problematic change or add some
compatibility cod
Brian May writes:
> The current list of packages that fail to build against the new libav is
> (the building is still ongoing):
All build logs in
https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/
Looks like a total of 85 packages failed to build and 46 packages
succeeded. So me thinks
Brian May writes:
> The following packages have unmet dependencies:
> libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1
> is to be installed
> E: Unable to correct problems, you have held broken packages.
Ok, so looks like we would need a new version of libpostproc-de
Brian May writes:
> I intended to rebuild all packages that depend on libav, however during
> the process suddenly noticed that the --extra-packages argument to
> sbuild (used by ratt) doesn't appear to be working for me, so I actually
> was testing against the libav already in wheezy :-(
Ok, go
I thought I had sent the following information to
debian-lts@lists.debian.org and t...@security.debian.org; but looking at
my archives I hadn't :-(
I have a version of libav available for testing:
https://people.debian.org/~bam/wheezy/libav/
I intended to rebuild all packages that depend on lib
Hi Guido,
On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> >
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing CVE-2015
Hi Salvatore,
On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
>
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
>
> Honestly I tend to actually mark this as no-dsa. My argument
Hi,
On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> > On 2016-03-01, Mike Gabriel wrote:
> > > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > > updates like described below until D
Antoine Beaupré writes:
> I am not aware of any such tool. How did you do the following comparison
> - by hand?
Yes, I did.
What I imagine is having same tool that will look at an input file
(e.g. debian/changelog) and find everything that looks like a CVE, and
then compare against distribution
On 2016-03-24 10:48:14, Antoine Beaupré wrote:
> 2014-8104 is probably a typo, as it concerns OpenVPN according to the
> security tracker. You probably mean CVE-2015-8104...
>
> I'll look at what that one implies specifically.
Oh, I see that you already ported those patches in
<87d1qvvzhi@prun
On 2016-03-21 19:16:24, Brian May wrote:
> Brian May writes:
>
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>>
>> Will have a look at this now.
>
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this, if not might be a
Brian May writes:
>> Wonder how many of the CVEs the Ubuntu version fixes.
>
> Will have a look at this now.
Comparing the changelog with our security tracker (by hand; not sure if
anybody has written a tool to automate this, if not might be a good
idea):
Not fixed in backported Ubuntu precise
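The by-hand comparison described above, and the tool imagined in the later reply (read an input file such as debian/changelog, find everything that looks like a CVE, compare it against the security tracker), can be scripted. The block below is an added example and is not a tool from the secure-testing repository or from anyone in this thread. It extracts CVE ids from a changelog, also catching bare "YYYY-NNNN" mentions with the prefix dropped, parses a fragment in the layout of the tracker's data/CVE/list file, and reports for one package and suite whether each id is fixed, tagged (no-dsa and friends), has no suite entry, names a different package, or is unknown. When an id maps to a different package but the same number in an adjacent year is tracked for the package at hand, it suggests the likely typo, which is the 2014-8104 versus CVE-2015-8104 case discussed in the thread. The changelog, tracker lines, versions and descriptions are all constructed; the CVE ids are used only as identifiers and nothing here describes the real issues behind them.

```python
#!/usr/bin/env python3
"""Compare CVE ids found in a changelog with a security-tracker CVE list.
Added example; not a tool from the secure-testing repository."""
import re

# Constructed changelog fragment (package, versions and entries illustrative).
CHANGELOG = """\
xen (4.1.6.1-0ubuntu0.12.04.9) precise-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-2015-5307
    - CVE-2015-8104
  * SECURITY UPDATE: constructed entry
    - CVE-2015-2752
  * SECURITY UPDATE: id with its prefix dropped: 2014-8104
  * SECURITY UPDATE: CVE-2015-9999 (constructed, absent from the sample list)

 -- Example Maintainer <maint@example.com>  Mon, 07 Mar 2016 10:00:00 +0000
"""

# Constructed fragment in the layout of data/CVE/list: a header line per CVE,
# then indented state lines (the real file indents with a tab; either works).
TRACKER = """\
CVE-2015-8104 (constructed description)
    - xen 4.4.1-9+deb8u3 (bug #999999)
    [wheezy] - xen <no-dsa> (Minor issue)
CVE-2015-5307 (constructed description)
    - xen 4.4.1-9+deb8u3
    [wheezy] - xen 4.1.4-3+deb7u9
CVE-2015-2752 (constructed description)
    - xen 4.4.1-9+deb8u1
CVE-2014-8104 (constructed description)
    - openvpn 2.3.6-1
    [wheezy] - openvpn 2.2.1-8+deb7u3
"""

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
# A bare "2014-8104" not preceded by "CVE-" is an id with the prefix dropped.
BARE_RE = re.compile(r"(?<![\w-])(\d{4})-(\d{4,})\b")
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d+)")
STATE_RE = re.compile(r"^\s+(?:\[(\w+)\] )?- (\S+) (\S+)")


def extract_cve_ids(text):
    """Return (full_ids, bare_ids) in order of first appearance, both in
    CVE-YYYY-NNNN form; bare ids are the prefix-less mentions."""
    full, bare = [], []
    for year, num in CVE_RE.findall(text):
        cid = f"CVE-{year}-{num}"
        if cid not in full:
            full.append(cid)
    for year, num in BARE_RE.findall(text):
        cid = f"CVE-{year}-{num}"
        if cid not in full and cid not in bare:
            bare.append(cid)
    return full, bare


def parse_tracker(text):
    """CVE id -> {package: {suite: version-or-<tag>}}; untagged lines are the
    unstable entry."""
    tracker, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = tracker.setdefault(m.group(1), {})
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            suite = m.group(1) or "unstable"
            current.setdefault(m.group(2), {})[suite] = m.group(3)
    return tracker


def classify(cid, tracker, package, suite):
    """'not-in-tracker', 'other-package', 'no-suite-entry', 'fixed', or the
    tracker tag without brackets (no-dsa, not-affected, unfixed, ...)."""
    entry = tracker.get(cid)
    if entry is None:
        return "not-in-tracker"
    if package not in entry:
        return "other-package"
    state = entry[package].get(suite)
    if state is None:
        return "no-suite-entry"
    if state.startswith("<") and state.endswith(">"):
        return state[1:-1]
    return "fixed"


def suggest_typo_fix(cid, tracker, package):
    """Same number in an adjacent year tracked for PACKAGE, or None."""
    year, num = cid.split("-")[1:]
    for y in (int(year) - 1, int(year) + 1):
        cand = f"CVE-{y}-{num}"
        if package in tracker.get(cand, {}):
            return cand
    return None


def compare(changelog, tracker_text, package, suite):
    """CVE id -> (status, prefix_missing, suggested_id_or_None)."""
    tracker = parse_tracker(tracker_text)
    full, bare = extract_cve_ids(changelog)
    report = {}
    for cid in full + bare:
        status = classify(cid, tracker, package, suite)
        suggestion = None
        if status in ("other-package", "not-in-tracker"):
            suggestion = suggest_typo_fix(cid, tracker, package)
        report[cid] = (status, cid in bare, suggestion)
    return report


if __name__ == "__main__":
    for cid, (status, bare, hint) in compare(CHANGELOG, TRACKER, "xen", "wheezy").items():
        extra = (" [prefix missing]" if bare else "") + (f" probably {hint}" if hint else "")
        print(f"{cid}: {status}{extra}")
```

For real use the two constants become the changelog of the package being compared and the checked-out data/CVE/list; anything reported as no-suite-entry or unfixed is what still needs a patch, and other-package hits are worth a second look before they end up in a changelog.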
Brian May writes:
> So one possible strategy might be to take Ubuntu's package as is and
> port it to Debian wheezy.
Have rebuilt Ubuntu's xen package for wheezy.
The results are available for testing.
https://people.debian.org/~bam/wheezy/xen/
The most significant change I had to remove the
t
Moritz Muehlenhoff writes:
> It was pointed out on IRC that Ubuntu precise has a Xen 4.1 package, so
> you might want to compare fixes with their package.
Thanks for this. I will check this out later when I have more time.
Just a very quick glance for now:
Debian wheezy has 4.1.4, Ubuntu preci
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to look at the Wheezy pac
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote:
> Guido Günther writes:
>
> > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> > don't seem to be applied so the tracker looks correct, there's plenty of
> > work left.
> >
> > Are you going to look at the Wheezy pac
Have attached patches for two security issues in the wheezy version.
CVE-2015-2752.diff
CVE-2015-8104+CVE-2015-5307.patch
Not tested in anyway, except they apply ok.
Am currently looking at CVE-2015-7969; I am beginning to think wheezy is
not vulnerable. Still need to double check this.
Out of
Guido Günther writes:
> Sid has Xen 4.6 and looking at the CVEs that affect sid the patches
> don't seem to be applied so the tracker looks correct, there's plenty of
> work left.
>
> Are you going to look at the Wheezy packages?
Looking now.
Just looking at CVE-2015-2756 - this appears to be
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote:
> Looking at
>
>
> http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog
>
> and the source package the current practice is to pull in the individual
> patches.
Ack.
> I wonder if somebody ca
Hi Brian,
On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
> Moritz Mühlenhoff writes:
>
> > 1. We're already one wheezy update behind for xen (since some of
> > the changes were invasive and complex). It would be great if
> > someone from the Freexian sponsor pool would work on a wheez
On 13.03.2016 at 04:32, Brian May wrote:
> Brian May writes:
>
>>> 2. Spend some time on investigating what it takes to backport
>>> libav from jessie to wheezy. 11.x is still supported by
>>> libav upstream and we could share triage work for jessie/wheezy
>>> going forwards. 0.8 has simply too
Brian May writes:
>> 2. Spend some time on investigating what it takes to backport
>> libav from jessie to wheezy. 11.x is still supported by
>> libav upstream and we could share triage work for jessie/wheezy
>> going forwards. 0.8 has simply too much missing.
>> There will be a few applications
Moritz Mühlenhoff writes:
> 1. We're already one wheezy update behind for xen (since some of
> the changes were invasive and complex). It would be great if
> someone from the Freexian sponsor pool would work on a wheezy
> update for Xen. It's probably a solid day of work, though, but
> it will al
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> Hi all,
>
> as of today, the Debian squeeze LTS support will cease and squeeze will
> One thing we can do, I guess, is helping out with the Debian Security Team
> regarding package updates in Debian wheezy.
There are two major areas
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> On 2016-03-01, Mike Gabriel wrote:
> > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > updates like described below until Debian wheezy LTS comes into play?
> >
> >o Pick a package that has open CVE
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
>o Pick a package that has open CVE issues in wheezy, e.g. from
> above list
>o Add the package to data/
On Tue 01 Mar 2016 08:44:08 CET, Guido Günther wrote:
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
>>Issues that are unfixed in wheezy but fixed in squeeze:
>>* aptdaemon-> CVE-2015-1323
>>* cakephp -> TEMP-000-698CF7
>>* dhcpcd
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon-> CVE-2015-1323
> >>* cakephp -> TEMP-000-698CF7
> >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
Hi Guido,
On Mon 29 Feb 2016 21:54:11 CET, Guido Günther wrote:
* prepare a fixed package
* test the package
* send a .debdiff to t...@security.debian.org
* wait for feedback and ideally permission to upload to wheezy-security
That's what I'm doing at the moment (sending the debdiff t
Hi,
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
>
Hi all,
as of today, the Debian squeeze LTS support will cease and squeeze
will finally enter the archived archives of Debian.
.oO( /me gets out his handkerchief ...)
As (paid) LTS contributor you may wonder what to do next, esp. until
the official Debian wheezy LTS support period starts o