Re: last call for wheezy updates and remaining work for transition
Hi,

As for my work:

> lame (Hugo Lefeuvre)
> NOTE: 20180529: Tested patch ready for upload. Waiting for feedback from
> the security team.
> NOTE: See https://lists.debian.org/debian-lts/2018/05/msg00081.html

As said, I'm waiting for the security team to review the patch. It will most likely be included in the last Jessie point update, and I will send the Wheezy update as part of ELTS.

> libav (Hugo Lefeuvre)
> NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches,
> but encountered personal issues and had to stop.
> NOTE: 20180118: It is unlikely that he will start again in the next weeks.
> NOTE: 20180118: I am currently working on CVE triage but I will not be able
> to process the whole backlog until May.
> NOTE: 20180529: Help is welcome, feel free to mail Hugo.

Still up-to-date.

> Help needed for CVE triage and patch development.
> NOTE: 20180529: Just contacted some of the CVE reporters to ask for the
> reproducers, CC-ed team ML.

I have always been working on both Wheezy and Jessie at the same time, so Wheezy EOL isn't going to change much here.

Though, I'd really like a better libav support for Jessie. I have made a list of things that didn't work very well in Wheezy and which I'd like to improve for Jessie LTS. I'll communicate about it in a separate e-mail.

> ming (Hugo Lefeuvre)
> NOTE: 20180529: wip, currently working on it with upstream. Lots of fuzzing noise,
> NOTE: many duplicate issues. I'm currently working on the next upload, which will fix
> NOTE: another batch of CVEs. It will most likely not be ready until Wheezy EOL, but I
> NOTE: will upload it for ELTS.

I am working on a last batch of security fixes here. I will not have time to finish them until Wheezy EOL, though. I guess they will be part of ELTS.

> From what I understand, the next steps here are:
>
> 1. send the announcement (tomorrow, markus?)
> 2. ensure the infrastructure team is ready for the new LTS
> 3. contact the FTP team to give LTS users 4 weeks grace period
> 4. contact the rel team to coordinate the last jessie release
> 5. update wiki pages
>
> That's more or less verbatim from:
>
> https://wiki.debian.org/LTS/Development#Switching_to_the_next_LTS_release

I was really busy these last weeks and didn't have much time to take part in Wheezy EOL organization. Thank you all for that great work!

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Re: News: 2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life
Hi Markus,

On Thu, May 31, 2018 at 01:18:29PM +0200, Markus Koschany wrote:
>
> [adding Raphael / Freexian to CC]

[dropping events@d.o, adding debian-lts]

> On 31.05.2018 at 08:08, Joost van Baal-Ilić wrote:
> >
> > [non-public reply, feel free to quote me publicly though]
> >
> > On Wed, May 30, 2018 at 04:18:06PM +0200, Markus Koschany wrote to
> > debian-public...@lists.debian.org, debian-l10n-engl...@lists.debian.org,
> > debian-i...@lists.debian.org :
> >>
> >> the LTS team would like to announce the end of Wheezy LTS. Unfortunately
> >> I have no rights to push to the announcements repository on
> >> salsa.debian.org but you can find my draft at
> >>
> >> https://people.debian.org/~apo/2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life.wml
> >>
> >
> > Thanks for your contribution. Imho it would be even better if freexian.com
> > would not be mentioned in the announcement: afaik there's no formal
> > endorsement of Debian for Freexian. (I'd like to add freexian does great
> > work, btw!)
> >
> > Something like
> >
> > "A subset of Wheezy packages might be supported by some external parties.
> > Refer to https://wiki.debian.org/LTS/ for more information."
> >
> > would be better.
>
> This also came up on debian-lts [1]. Perhaps we should better
> communicate that Extended LTS will benefit all Debian users? At any rate
> it is certain that ELTS will happen now. I think we would rather prefer
> a straight forward sentence like the current
>
> A subset of Wheezy packages will be supported by Freexian though.
> Detailed information can be found at <a href="https://deb.freexian.com/extended-lts">Extended LTS</a>.

Now that I've read that webpage stuff is more clear to me.

> I could change the first sentence to "A subset of Wheezy packages will
> be supported by external parties though. They will be made available for
> all Debian users."
>
> IMO if we change the other sentence to "Refer to
> https://wiki.debian.org/LTS/ for more information." we just create one
> more diversion but the fact remains the same, ELTS is managed by
> Freexian. I don't have a strong opinion though. I could live with either
> way.

> [1] https://lists.debian.org/debian-lts/2018/05/msg00074.html

I don't think we ever before suggested our users to use services supplied by external companies in our general public announcements. I am not yet sure what's the wisest thing to do here. Referring to the wiki feels more safe. Maybe anybody else has some insights to share? Time is running out and I can't invest much more time in this now... :(

Thanks for your reply, Bye,

Joost
Re: procps
Hi,

On Wed, May 30, 2018 at 10:56:20PM +0530, Abhijith PA wrote:
> I've prepared update for procps. Patches are backported from
> procps_3.3.9-9+deb8u1 (jessie). Debdiff is attached. I was able to
> install it on a clean machine and ran some procps commands. Please
> review and upload.

I'll do so now.

--
cheers,
Holger
Re: procps
Hi abhijith, On Wed, May 30, 2018 at 10:56:20PM +0530, Abhijith PA wrote: > I've prepared update for procps. Patches are backported from > procps_3.3.9-9+deb8u1 (jessie). Debdiff is attached. I was able to > install it on a clean machine and ran some procps commands. Please > review and upload. > +++ procps-3.3.3/debian/patches/CVE-2018-1122.patch 2018-05-30 > 17:05:28.0 + > +++ procps-3.3.3/debian/patches/CVE-2018-1123.patch 2018-05-30 > 16:49:19.0 + > +++ procps-3.3.3/debian/patches/CVE-2018-1124.patch 2018-05-30 > 16:49:20.0 + these look good to me. > +++ procps-3.3.3/debian/patches/CVE-2018-1125.patch 2018-05-30 > 16:49:18.0 + > + } else { > + strcpy (cmd, task.cmd); this hunk is not present in debian/patches/0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch from the jessie update. can you explain? > --- procps-3.3.3/debian/patches/CVE-2018-1126.patch 1970-01-01 > 00:00:00.0 + > procps-3.3.3/proc/alloc.c > +@@ -80,10 +80,14 @@ char *xstrdup(const char *str) { > + char *p = NULL; > + > + if (str) { > +-unsigned int size = strlen(str) + 1; > ++size_t size = strlen(str) + 1; > ++if (size < 1) { > ++xalloc_err_handler("%s refused to allocate %zu bytes of > memory", __func__, size); > ++exit(EXIT_FAILURE); > ++} > + p = malloc(size); > + if (!p) { > +-xalloc_err_handler("%s failed to allocate %u bytes of memory", > __func__, size); > ++xalloc_err_handler("%s failed to allocate %zu bytes of memory", > __func__, size); > + exit(EXIT_FAILURE); > + } > + strcpy(p, str); here, debian/patches/0035-proc-alloc.-Use-size_t-not-unsigned-int.patch from jessie has < -strcpy(p, str); < +memcpy(p, str, size); why did you remove that memcpy in procps-3.3.3/debian/patches/CVE-2018-1126.patch ? as said: rest looks good to me :) -- cheers, Holger signature.asc Description: PGP signature
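Review bot: In the xstrdup() hunk of CVE-2018-1126.patch, `if (size < 1)` tests an unsigned `size_t`, so it can only be true when `strlen(str) + 1` wraps around to 0, and the message it prints will then always read "refused to allocate 0 bytes", which hides the actual cause. Writing the test as `size == 0` with a short comment naming the wraparound, or rewording the message to say the length overflowed, would make the intent clear to whoever maintains this backport.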
Re: procps
Hi. On Thursday 31 May 2018 08:18 PM, Holger Levsen wrote: >> +++ procps-3.3.3/debian/patches/CVE-2018-1125.patch 2018-05-30 >> 16:49:18.0 + >> +} else { >> +strcpy (cmd, task.cmd); > > this hunk is not present in > debian/patches/0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch > from the jessie update. can you explain? Sorry I couldn't find any hunk. >> --- procps-3.3.3/debian/patches/CVE-2018-1126.patch 1970-01-01 >> 00:00:00.0 + >> procps-3.3.3/proc/alloc.c >> +@@ -80,10 +80,14 @@ char *xstrdup(const char *str) { >> + char *p = NULL; >> + >> + if (str) { >> +-unsigned int size = strlen(str) + 1; >> ++size_t size = strlen(str) + 1; >> ++if (size < 1) { >> ++xalloc_err_handler("%s refused to allocate %zu bytes of >> memory", __func__, size); >> ++exit(EXIT_FAILURE); >> ++} >> + p = malloc(size); >> + if (!p) { >> +-xalloc_err_handler("%s failed to allocate %u bytes of memory", >> __func__, size); >> ++xalloc_err_handler("%s failed to allocate %zu bytes of >> memory", __func__, size); >> + exit(EXIT_FAILURE); >> + } >> + strcpy(p, str); > > here, debian/patches/0035-proc-alloc.-Use-size_t-not-unsigned-int.patch > from jessie has > > < -strcpy(p, str); > < +memcpy(p, str, size); > > why did you remove that memcpy in > procps-3.3.3/debian/patches/CVE-2018-1126.patch ? Missed it. I have made the changes and new debdiff is attached. diff -Nru procps-3.3.3/debian/changelog procps-3.3.3/debian/changelog --- procps-3.3.3/debian/changelog 2013-03-28 10:58:19.0 + +++ procps-3.3.3/debian/changelog 2018-05-23 07:45:16.0 + 
@@ -1,3 +1,11 @@ +procps (1:3.3.3-3+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * Fix various vulnerabilities CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, +CVE-2018-1125, CVE-2018-1126 (Closes: #899170) + + -- Abhijith PA Wed, 23 May 2018 13:15:16 +0530 + procps (1:3.3.3-3) testing-proposed-updates; urgency=medium * 3.3.3-3 Fix ps crash with large process groups Closes: #702965 diff -Nru procps-3.3.3/debian/patches/CVE-2018-1122.patch procps-3.3.3/debian/patches/CVE-2018-1122.patch --- procps-3.3.3/debian/patches/CVE-2018-1122.patch 1970-01-01 00:00:00.0 + +++ procps-3.3.3/debian/patches/CVE-2018-1122.patch 2018-05-23 07:45:16.0 + 
@@ -0,0 +1,53 @@ +Description: CVE-2018-1122 + procps-ng is vulnerable to a local privilege escalation in top. If a user + runs top with HOME unset in an attacker-controlled directory, the attacker + could achieve privilege escalation by exploiting one of several + vulnerabilities in the config_file() function. + +Author: Abhijith PA +Origin: backported from procps-2:3.3.9-9+deb8u1 jessie. +Bug-Debian: https://bugs.debian.org/899170 +Last-Update: 2018-05-23 + +--- procps-3.3.3.orig/top/top.c procps-3.3.3/top/top.c +@@ -2248,6 +2248,19 @@ static int config_cvt (WIN_t *q) { +return 0; + } // end: config_cvt + ++static int snprintf_Rc_name (const char *const format, ...) __attribute__((format(printf,1,2))); ++static int snprintf_Rc_name (const char *const format, ...) { ++ int len; ++ va_list ap; ++ va_start(ap, format); ++ len = vsnprintf(Rc_name, sizeof(Rc_name), format, ap); ++ va_end(ap); ++ if (len <= 0 || (size_t)len >= sizeof(Rc_name)) { ++ Rc_name[0] = '\0'; ++ return 0; ++ } ++ return len; ++} + + /* + * Build the local RC file name then try to read both of 'em. +@@ -2270,8 +2283,18 @@ static void configs_read (void) { +FILE *fp; +int i, x; + ++ Rc_name[0] = '\0'; // "fopen() shall fail if pathname is an empty string." +p = getenv("HOME"); +- snprintf(Rc_name, sizeof(Rc_name), "%s/.%src", (p && *p) ? p : ".", Myname); ++ ++ if (!p || p[0] != '/') { ++ const struct passwd *const pwd = getpwuid(getuid()); ++ if (!pwd || !(p = pwd->pw_dir) || p[0] != '/') { ++ p = NULL; ++ } ++ } ++ if (p) { ++ snprintf_Rc_name("%s/.%src", p, Myname); ++ } + +fp = fopen(SYS_RCFILESPEC, "r"); +if (fp) { diff -Nru procps-3.3.3/debian/patches/CVE-2018-1123.patch procps-3.3.3/debian/patches/CVE-2018-1123.patch --- procps-3.3.3/debian/patches/CVE-2018-1123.patch 1970-01-01 00:00:00.0 + +++ procps-3.3.3/debian/patches/CVE-2018-1123.patch 2018-05-23 07:45:16.0 + 
@@ -0,0 +1,75 @@ +Description: CVE-2018-1123 + procps-ng is vulnerable to a denial of service in ps via mmap buffer overflow. + Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, + ensuring that the impact of this flaw is limited to a crash (temporary denial + of service). + + +Author: Abhijith PA +Origin: backported from procps-2:3.3.9-9+deb8u1 jessie. +Bug-Debi
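Review bot: In the debian/changelog hunk, the trailer is dated Wed, 23 May 2018, although this revised debdiff answers review comments from 31 May, and the single bullet lists five CVEs without saying which file under debian/patches/ addresses each one. Refresh the trailer date before upload and consider one bullet per CVE that names its patch file, so the entry can be checked against the patch series.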
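Review bot: The top/top.c hunks in CVE-2018-1122.patch use `va_list` with `vsnprintf` and call `getpwuid(getuid())` on a `struct passwd`, but add no `#include` lines, so the backport depends on top.c in 3.3.3 already including `<stdarg.h>` and `<pwd.h>`; confirm this with a build that has implicit-declaration warnings enabled. The Description header also places the flaws in config_file(), while the function patched here is configs_read(); a sentence in the header noting that difference would help anyone comparing this patch with the jessie one.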
Re: News: 2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life
Hi

About https://deb.freexian.com/extended-lts header: "Debian Extended LTS by Freexian". The explanation that follows is perfect, but the header could be misunderstood, imho. How about "Extended LTS for Debian (7) by Freexian"? Debian... by Freexian could be understood like Debian is a trademark of Freexian. ;)

The ELTS project is really a new thing in the Debian world and the information about its existence can be important to some Debian users.

I don't know the rules for announcement mails. Maybe the project can be mentioned in the mail as "it is not by the Debian LTS team, but some people are involved in both". Other companies should have the same right to be mentioned in an announcement then. Maybe it can be mentioned in the Debian wiki on the page where freelancers are mentioned and in the announcement there can be a link to the wiki page.

Jens

On Thu, 31 May 2018 15:33:02 +0200, Joost van Baal-Ilić wrote:

> Hi Markus,
>
> On Thu, May 31, 2018 at 01:18:29PM +0200, Markus Koschany wrote:
> >
> > [adding Raphael / Freexian to CC]
> [dropping events@d.o, adding debian-lts]
>
> > On 31.05.2018 at 08:08, Joost van Baal-Ilić wrote:
> > >
> > > [non-public reply, feel free to quote me publicly though]
> > >
> > > On Wed, May 30, 2018 at 04:18:06PM +0200, Markus Koschany wrote to
> > > debian-public...@lists.debian.org,
> > > debian-l10n-engl...@lists.debian.org,
> > > debian-i...@lists.debian.org :
> > >>
> > >> the LTS team would like to announce the end of Wheezy LTS.
> > >> Unfortunately I have no rights to push to the announcements
> > >> repository on salsa.debian.org but you can find my draft at
> > >>
> > >> https://people.debian.org/~apo/2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life.wml
> > >>
> > >
> > > Thanks for your contribution. Imho it would be even better if
> > > freexian.com would not be mentioned in the announcement: afaik
> > > there's no formal endorsement of Debian for Freexian. (I'd like
> > > to add freexian does great work, btw!)
> > >
> > > Something like
> > >
> > > "A subset of Wheezy packages might be supported by some external
> > > parties. Refer to https://wiki.debian.org/LTS/ for more
> > > information."
> > >
> > > would be better.
> >
> > This also came up on debian-lts [1]. Perhaps we should better
> > communicate that Extended LTS will benefit all Debian users? At any
> > rate it is certain that ELTS will happen now. I think we would
> > rather prefer a straight forward sentence like the current
> >
> > A subset of Wheezy packages will be supported by Freexian though.
> > Detailed information can be found at <a href="https://deb.freexian.com/extended-lts">Extended LTS</a>.
>
> Now that I've read that webpage stuff is more clear to me.
>
> > I could change the first sentence to "A subset of Wheezy packages
> > will be supported by external parties though. They will be made
> > available for all Debian users."
> >
> > IMO if we change the other sentence to "Refer to
> > https://wiki.debian.org/LTS/ for more information." we just create
> > one more diversion but the fact remains the same, ELTS is managed by
> > Freexian. I don't have a strong opinion though. I could live with
> > either way.
>
> > [1] https://lists.debian.org/debian-lts/2018/05/msg00074.html
>
> I don't think we ever before suggested our users to use services
> supplied by external companies in our general public announcements.
> I am not yet sure what's the wisest thing to do here. Referring to
> the wiki feels more safe. Maybe anybody else has some insights to
> share? Time is running out and I can't invest much more time in this
> now... :(
>
> Thanks for your reply, Bye,
>
> Joost
>
Re: last call for wheezy updates and remaining work for transition
On 2018-05-30 17:36:16, Chris Lamb wrote:
> Hi Antoine,
>
>> So wheezy is EOL starting from tomorrow, as will probably be announced
>> then.
>
> (Hm, would it make sense to update/sync ca-certificates just before we
> EOL wheezy?)

I'm not sure. I lost track of what happened with that the last time - I remember working on trying to coordinate an update for some CAs removals last time, and I don't know what happened with that.

Did you have any specific update required in mind?

A.

--
Five out of four people have a problem with fractions
Re: last call for wheezy updates and remaining work for transition
Hi Antoine et al.,

> > (Hm, would it make sense to update/sync ca-certificates just before we
> > EOL wheezy?)
>
> I'm not sure. I lost track of what happened with that the last time -
> I remember working on trying to coordinate an update for some CAs
> removals last time, and I don't know what happened with that.

I remember uploading (or helping to upload?) a version that removed the StartCom certs, but a quick glance a couple of days ago suggested that we were missing a handful of newer, although somewhat less serious, CAs.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: last call for wheezy updates and remaining work for transition
On 2018-05-30 20:21:38, Salvatore Bonaccorso wrote:
> On Wed, May 30, 2018 at 07:42:02PM +0200, Markus Koschany wrote:
>> Hi,
>>
>> [...]
>> > From what I understand, the next steps here are:
>> >
>> > 1. send the announcement (tomorrow, markus?)
>>
>> I will send the announcement on 01.06. around 10-14 UTC.
>>
>> > 2. ensure the infrastructure team is ready for the new LTS
>> > 3. contact the FTP team to give LTS users 4 weeks grace period
>> > 4. contact the rel team to coordinate the last jessie release
>> > 5. update wiki pages
>>
>> I assume the last point release for Jessie will happen before June 17.
>
> Actually it will be later, see the thread at
> https://lists.debian.org/debian-release/2018/05/msg00185.html . For
> security the support ends on 17th, the last point release is then
> planned for something in june/july but it's not fixed yet according to
> that thread.
>
> So in short: actually no date is fixed yet for the last jessie point
> release, afaict.

Understood. So the (updated) plan is:

1. send the announcement (today, Markus)
2. ensure the infrastructure team is ready for the new LTS (they are?)
3. contact the FTP team to give LTS users 4 weeks grace period (need to be contacted)
4. contact the rel team to coordinate the last jessie release (wait + send an email if we don't have progress in june/july?)
5. update wiki pages
6. update the security tracker on when jessie becomes EOL (carnil)

I guess it might be a little early to reach out to infra/FTP/rel teams at this point, since the rotation stuff will more likely happen in june or july.

Also: thanks everyone for your answers, I'm really glad everyone answered so quickly. We seem to have most of dla-needed.txt covered but (naturally) those which are unassigned:

--
git
--
liblouis
--
linux

Someone on IRC suggested we just no-dsa liblouis, but I suggested we keep it because it's a small patch and we already did a similar one in wheezy.

It seems to me git should also be patched considering the severity, but I haven't looked at how complex the patch is.

I am not sure where we stand WRT Linux in wheezy - I guess we can just punt that over to ELTS just like everything else in wheezy at this stage.

A.

--
One cannot help growing older, but one can keep from becoming old.
                        - Henri Matisse
Re: last call for wheezy updates and remaining work for transition
On 2018-05-31 19:05:02, Chris Lamb wrote:
> Hi Antoine et al.,
>
>> > (Hm, would it make sense to update/sync ca-certificates just before we
>> > EOL wheezy?)
>>
>> I'm not sure. I lost track of what happened with that the last time -
>> I remember working on trying to coordinate an update for some CAs
>> removals last time, and I don't know what happened with that.
>
> I remember uploading (or helping to upload?) a version that removed
> the StartCom certs, but a quick glance a couple of days ago suggested
> that we were missing a handful of newer, although somewhat less
> serious, CAs.

I would say that could easily be punted to ELTS as well. Revocation seems more critical than new CAs...

a.

--
There is no limit, sacred or not, to man's action in the universe.
Since our origins we have had the choice: to be blinded by the truth
or to sew our eyelids shut.
                        - [no one is innocent]
Re: last call for wheezy updates and remaining work for transition
Hi Antoine,

> >
> > I remember uploading (or helping to upload?) a version that removed
> > the StartCom certs, but a quick glance a couple of days ago suggested
> > that we were missing a handful of newer, although somewhat less
> > serious, CAs.
>
> I would say that could easily be punted to ELTS as well. Revocation
> seems more critical than new CAs...

Oh, I typo'd or at least was not clear enough — my glance suggested we were missing a handful of newer, although somewhat less serious, CA *removals*.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: last call for wheezy updates and remaining work for transition
On 2018-05-31 19:20:40, Chris Lamb wrote:
> Hi Antoine,
>
>> >
>> > I remember uploading (or helping to upload?) a version that removed
>> > the StartCom certs, but a quick glance a couple of days ago suggested
>> > that we were missing a handful of newer, although somewhat less
>> > serious, CAs.
>>
>> I would say that could easily be punted to ELTS as well. Revocation
>> seems more critical than new CAs...
>
> Oh, I typo'd or at least was not clear enough — my glance suggested we
> were missing a handful of newer, although somewhat less serious, CA
> *removals*.

Ah, then it might be relevant to push such a change. Should we add this to dla-needed.txt?

A.

--
Quis custodiet ipsos custodes?
Who watches the watchmen?
Qui police la police?
Tu. You. Toi.
Re: last call for wheezy updates and remaining work for transition
Antoine,

> Ah, then it might be relevant to push such a change. Should we add this
> to dla-needed.txt?

Please do so that it does not get lost. :)

I would suggest adding a note indicating that its inclusion is not necessarily to imply an upload is necessary, more that a brief check is required first.

I won't be able to tackle that tonight, unfortunately.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: last call for wheezy updates and remaining work for transition
On 2018-05-31 19:28:59, Chris Lamb wrote:
> Antoine,
>
>> Ah, then it might be relevant to push such a change. Should we add this
>> to dla-needed.txt?
>
> Please do so that it does not get lost. :)
>
> I would suggest adding a note indicating that its inclusion is not
> necessarily to imply an upload is necessary, more that a brief check
> is required first.
>
> I won't be able to tackle that tonight, unfortunately.

Will do, thanks for the update!

--
If builders built houses the way programmers built programs,
The first woodpecker to come along would destroy civilization.
                        - Gerald Weinberg
Re: last call for wheezy updates and remaining work for transition
On Thu, May 31, 2018 at 02:05:38PM -0400, Antoine Beaupré wrote:
> It seems to me git should also be patched considering the severity, but
> I haven't looked at how complex the patch is.

I took a brief look and it didn't look easy, 20 or so patches, touching many files, and the code has changed quite a bit.

I've not looked further whether some already backported those

--
cheers,
Holger
Re: procps
Hi, On Thu, May 31, 2018 at 09:08:16PM +0530, Abhijith PA wrote: > >> +++ procps-3.3.3/debian/patches/CVE-2018-1125.patch2018-05-30 > >> 16:49:18.0 + > >> + } else { > >> + strcpy (cmd, task.cmd); > > this hunk is not present in > > debian/patches/0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch > > from the jessie update. can you explain? > Sorry I couldn't find any hunk. you are of course right. so nothing to see here, great ;) > > why did you remove that memcpy in > > procps-3.3.3/debian/patches/CVE-2018-1126.patch ? > Missed it. > I have made the changes and new debdiff is attached. ok, cool, thanks! will give it some final short testing now and then upload. -- cheers, Holger signature.asc Description: PGP signature
Re: intel-microcode?
On Wed, 2018-05-30 at 11:35 -0400, Antoine Beaupré wrote:
> Should we provide updates for the spectre/meltdown v4 in the
> intel-microcode package?
>
> It's non-free, so technically it's not supported even by the security
> team, but considering the severity of those vulnerabilities, I guess we
> should make an exception?
>
> A, with his frontdesk hat.

As I understand it, the only microcode update published so far is to add features to mitigate Spectre v2 (IBPB, IBRS, Speculation Control). These features need to be actively invoked by system software, and the kernel changes to do so have not been backported to Linux 3.2. So there seems to be little point in doing the microcode update.

Ben.

--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
Re: last call for wheezy updates and remaining work for transition
On Wed, 2018-05-30 at 11:51 -0400, Antoine Beaupré wrote:
> So wheezy is EOL starting from tomorrow, as will probably be announced
> then.
>
> This brings the question of whatever happens to the pending work in
> dla-needed.txt, which is probably at an all time lowest size. Here's the
> whole thing, for the record:
[...]
> linux
[...]

I will update linux in the next few hours, but won't fix all the outstanding issues.

Ben.

--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
A huge thank you!
Dear LTS Team

Your work is greatly appreciated! I would like to thank you all for your effort. Without the LTS of wheezy it would have been a big pain for me. Thanks a lot for helping that much.

Best regards,
Adrian.
Re: News: 2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life
Hello all

Sorry for the late reply.

I have renamed the announcement draft to match the usual format:

https://salsa.debian.org/publicity-team/announcements/blob/master/en/2018/20180601.wml

also removed the short "About Debian" paragraph, and removed the comment lines that we use as "help" for writing announcements.

On 31/05/18 at 15:33, Joost van Baal-Ilić wrote:
> Hi Markus,
>
> On Thu, May 31, 2018 at 01:18:29PM +0200, Markus Koschany wrote:
>>
>> [adding Raphael / Freexian to CC]
> [dropping events@d.o, adding debian-lts]
>
>> On 31.05.2018 at 08:08, Joost van Baal-Ilić wrote:
>>>
>>> [non-public reply, feel free to quote me publicly though]
>>>
>>> On Wed, May 30, 2018 at 04:18:06PM +0200, Markus Koschany wrote to
>>> debian-public...@lists.debian.org, debian-l10n-engl...@lists.debian.org,
>>> debian-i...@lists.debian.org :
>>>>
>>>> the LTS team would like to announce the end of Wheezy LTS. Unfortunately
>>>> I have no rights to push to the announcements repository on
>>>> salsa.debian.org but you can find my draft at
>>>>
>>>> https://people.debian.org/~apo/2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life.wml
>>>>
>>>
>>> Thanks for your contribution. Imho it would be even better if freexian.com
>>> would not be mentioned in the announcement: afaik there's no formal
>>> endorsement of Debian for Freexian. (I'd like to add freexian does great
>>> work, btw!)
>>>
>>> Something like
>>>
>>> "A subset of Wheezy packages might be supported by some external parties.
>>> Refer to https://wiki.debian.org/LTS/ for more information."
>>>
>>> would be better.
>>
>> This also came up on debian-lts [1]. Perhaps we should better
>> communicate that Extended LTS will benefit all Debian users? At any rate
>> it is certain that ELTS will happen now. I think we would rather prefer
>> a straight forward sentence like the current
>>
>> A subset of Wheezy packages will be supported by Freexian though.
>> Detailed information can be found at > href="https://deb.freexian.com/extended-lts";>Extended LTS. > > Now that I've read that webpage stuff is more clear to me. > >> I could change the first sentence to "A subset of Wheezy packages will >> be supported by external parties though. They will be made available for >> all Debian users." >> >> IMO if we change the other sentence to "Refer to >> https://wiki.debian.org/LTS/ for more information." we just create one >> more diversion but the fact remains the same, ELTS is managed by >> Freexian. I don't have a strong opinion though. I could live with either >> way. > >> [1] https://lists.debian.org/debian-lts/2018/05/msg00074.html > > I don't think we ever before suggested our users to use services supplied by > external companies in our general public announcements. I am not yet sure > what's the wisest thing to do here. Referring to the wiki feels more safe. > Maybe anybody else has some insights to share? Time is running out and I > can't > invest much more time in this now... :( We (publicity delegates) also think that is better to mention "external parties" and link to a wiki page. I have committed our proposal: https://salsa.debian.org/publicity-team/announcements/commit/cd98c0779d59f22ab66d401d21f7bf5ec0ce0f62 Debian will not provide further security updates for Debian 7. A - subset of Wheezy packages will be supported by Freexian though. Detailed - information can be found at https://deb.freexian.com/extended-lts";> + subset of Wheezy packages will be supported by external parties. Detailed + information can be found at https://wiki.debian.org/LTS/ExtendedLTS";> Extended LTS. Our proposal would be that you (or us, but you know better the details) create the https://wiki.debian.org/LTS/ExtendedLTS with a similar format as the https://wiki.debian.org/LTS page, including timeline, link to Freexian, and maybe explain that it is not in Debian infrastructure but all the Debian users can benefit of the work... 
This way, we keep in the announcement the focus on end-of-life of Wheezy LTS, and yes, we add one click for the interested people, but IMO that's also a good filter to avoid misunderstandings for other readers, and an opportunity to explain more things or explain them better, in the wiki page.

What do you think?

Kind regards,

--
Laura Arjona Reina
https://wiki.debian.org/LauraArjona
Re: News: 2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life
Hi Laura e.a.,

On Fri, Jun 01, 2018 at 01:32:21AM +0200, Laura Arjona Reina wrote:
>
> https://salsa.debian.org/publicity-team/announcements/blob/master/en/2018/20180601.wml

And more below :

> On 31/05/18 at 15:33, Joost van Baal-Ilić wrote:
> > On Thu, May 31, 2018 at 01:18:29PM +0200, Markus Koschany wrote:
> >> On 31.05.2018 at 08:08, Joost van Baal-Ilić wrote:
> >>>
> >>> On Wed, May 30, 2018 at 04:18:06PM +0200, Markus Koschany wrote to
> >>> debian-public...@lists.debian.org, debian-l10n-engl...@lists.debian.org,
> >>> debian-i...@lists.debian.org :
> >>>>
> >>>> the LTS team would like to announce the end of Wheezy LTS. Unfortunately
> >>>> I have no rights to push to the announcements repository on
> >>>> salsa.debian.org but you can find my draft at
> >>>>
> >>>> https://people.debian.org/~apo/2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life.wml
> >>>>
> >>>
> >>> Thanks for your contribution. Imho it would be even better if freexian.com
> >>> would not be mentioned in the announcement: afaik there's no formal
> >>> endorsement of Debian for Freexian. (I'd like to add freexian does great
> >>> work, btw!)
> >>>
> >>> Something like
> >>>
> >>> "A subset of Wheezy packages might be supported by some external parties.
> >>> Refer to https://wiki.debian.org/LTS/ for more information."
> >>>
> >>> would be better.
> >>
> >> This also came up on debian-lts [1]. Perhaps we should better
> >> communicate that Extended LTS will benefit all Debian users? At any rate
> >> it is certain that ELTS will happen now. I think we would rather prefer
> >> a straight forward sentence like the current
> >>
> >> A subset of Wheezy packages will be supported by Freexian though.
> >> Detailed information can be found at <a href="https://deb.freexian.com/extended-lts">Extended LTS</a>.
> >
> > Now that I've read that webpage stuff is more clear to me.
> >
> >> I could change the first sentence to "A subset of Wheezy packages will
> >> be supported by external parties though.
They will be made available for > >> all Debian users." > >> > >> IMO if we change the other sentence to "Refer to > >> https://wiki.debian.org/LTS/ for more information." we just create one > >> more diversion but the fact remains the same, ELTS is managed by > >> Freexian. I don't have a strong opinion though. I could live with either > >> way. > > > >> [1] https://lists.debian.org/debian-lts/2018/05/msg00074.html > > > > I don't think we ever before suggested our users to use services supplied by > > external companies in our general public announcements. I am not yet sure > > what's the wisest thing to do here. Referring to the wiki feels more safe. > > Maybe anybody else has some insights to share? Time is running out and I > > can't > > invest much more time in this now... :( > > We (publicity delegates) also think that is better to mention "external > parties" and link to a wiki page. I have committed our proposal: > > https://salsa.debian.org/publicity-team/announcements/commit/cd98c0779d59f22ab66d401d21f7bf5ec0ce0f62 > > Debian will not provide further security updates for Debian 7. A > - subset of Wheezy packages will be supported by Freexian though. Detailed > - information can be found at href="https://deb.freexian.com/extended-lts";> > + subset of Wheezy packages will be supported by external parties. Detailed > + information can be found at href="https://wiki.debian.org/LTS/ExtendedLTS";> > Extended LTS. > > Our proposal would be that you (or us, but you know better the details) > create the https://wiki.debian.org/LTS/ExtendedLTS with a similar format > as the https://wiki.debian.org/LTS page, including timeline, link to > Freexian, and maybe explain that it is not in Debian infrastructure but > all the Debian users can benefit of the work... 
>
> This way, we keep in the announcement the focus on end-of-life of Wheezy
> LTS, and yes, we add one click for the interested people, but IMO that's
> also a good filter to avoid misunderstandings for other readers, and an
> opportunity to explain more things or explain them better, in the wiki page.
>
> What do you think?

I think this is a great solution, thanks a lot. I just wrote a very tiny scratch-version at https://wiki.debian.org/LTS/ExtendedLTS . I have very little time today to do more work on this. Anybody else would like to contribute?

Bye,

Joost