Re: RFC: tomcat8 in the remaining jessie lifecycle
On 30.06.2018 at 04:00, Roberto C. Sánchez wrote:
[...]
> Comments and suggestions are most welcome.

I would suggest fixing the open CVE via patches for now. Being EOL does
not necessarily mean that we cannot backport fixes from the 8.5 branch,
but at some point upgrading from 8.x to 8.5 might be the only viable
option. At the moment I recommend refraining from marking Tomcat 8 EOL.

Regards,

Markus
Re: RFC: tomcat8 in the remaining jessie lifecycle
On Sat, Jun 30, 2018 at 04:24:24PM +0200, Markus Koschany wrote:
> On 30.06.2018 at 04:00, Roberto C. Sánchez wrote:
> [...]
> > Comments and suggestions are most welcome.
>
> I would suggest fixing the open CVE via patches for now. Being EOL does
> not necessarily mean that we cannot backport fixes from the 8.5 branch,
> but at some point upgrading from 8.x to 8.5 might be the only viable
> option. At the moment I recommend refraining from marking Tomcat 8 EOL.
>
That makes sense. I have already prepared the necessary patches and I am
now trying to ensure that the unit test failures I am seeing do not
indicate a regression as a result of the patches I introduced.

I don't think that we need to make an EOL decision/announcement with any
urgency at this point. However, it is sensible to at least have a
discussion on it so that when the time comes it will not be the first
discussion of it.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Jessie update of symfony?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Jessie version of symfony:
https://security-tracker.debian.org/tracker/source-package/symfony

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package, or even
with a pointer to your packaging repository), and the members of the LTS
team will take care of the rest. Indicate clearly whether you have
tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer
and then the LTS Team will take care of symfony updates for the LTS
releases.

Thank you very much.

Thorsten Alteholz, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any
point in time. You can verify whether someone is registered on this
update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
testing slurm-llnl for Jessie LTS
Hi everybody,

I uploaded version 14.03.9-5+deb8u3 of slurm-llnl to:
https://people.debian.org/~alteholz/packages/jessie-lts/slurm-llnl/

Please give it a try and tell me about any problems you met.

Thanks!
Thorsten

* CVE-2018-7033
  Fix for issue in accounting_storage/mysql plugin by always escaping
  strings within the slurmdbd.

* CVE-2018-10995
  Fix for mishandling of user names (aka user_name fields) and group ids
  (aka gid fields).
qemu in jessie
Dear security team,

I am working on the jessie package of qemu (the first time I work on
it), and I notice it hasn't been updated in jessie since May 2017.
There were various stretch updates since then, and I wonder if the
reason why jessie wasn't updated was mainly lack of time/resources, or
is there anything else I should be aware of (and I am missing in the
doc)?

Happy hacking,

Santiago
Re: qemu in jessie
On Sat, Jun 30, 2018 at 05:42:37PM +0200, Santiago R.R. wrote:
> Dear security team,
>
> I am working on the jessie package of qemu (the first time I work on
> it), and I notice it hasn't been updated in jessie since May 2017.
> There were various stretch updates since then, and I wonder if the
> reason why jessie wasn't updated was mainly lack of time/resources, or
> is there anything else I should be aware of (and I am missing in the
> doc)?

Please look at what was done for the wheezy package. I backported some
drivers from newer QEMU versions (cirrus, 9pfs) and this is needed in
Jessie as well for further security updates to make sense.

If there's no rush I can also take a look.

Cheers,
-- 
Guido
Advice for building tomcat8 on jessie?
Hello Tomcat Maintainers,

I have prepared a tomcat8 package for jessie (version 8.0.14-1+deb8u12)
which addresses CVE-2018-1304 and CVE-2018-1305. When I try to build the
package in a pbuilder chroot (invoked from gbp), the build fails. Here
is the tail end of the build output:

BUILD FAILED
/build/tomcat8-8.0.14/build.xml:1345: Some tests completed with an Error. See /build/tomcat8-8.0.14/output/build/logs for details, search for "FAILED".

Total time: 45 minutes 32 seconds
debian/rules:55: recipe for target 'build-stamp' failed
make: *** [build-stamp] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
I: copying local configuration
E: Failed autobuilding of package
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.21397
gbp:error: 'git-pbuilder' failed: it exited with 1

I tried building the current package (8.0.14-1+deb8u11) and it also
fails, as does 8.0.14-1+deb8u12 when I build it with openjdk-7
7u151-2.6.11-1~deb8u1 (I thought that 7u181 might perhaps be part of
the cause).

As it turns out, the 8.0.14-1+deb8u12 package does have one unit test
failure that 8.0.14-1+deb8u11 does not have:

 [junit] Running org.apache.tomcat.websocket.TestUtil
 [junit] Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed
 [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClient
-[junit] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed
+[junit] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed
+[junit] Test org.apache.tomcat.websocket.TestWebSocketFrameClient FAILED
 [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClientSSL
 [junit] Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed
 [junit] Test org.apache.tomcat.websocket.TestWebSocketFrameClientSSL FAILED

Interestingly, that unit test does not fail in a build with 7u151. The
package from sid (8.5.32-1) builds successfully.

The only way I was able to get the jessie package to build was to use
the "nocheck" option to skip the unit tests. Since the unit tests are on
by default, I am reluctant to upload a package built with "nocheck". I
also want to make sure that I am building the package correctly before
wasting time trying to diagnose a unit test failure that may have
nothing to do with the patches I introduced.

I would very much appreciate your guidance on this so that I can get
tomcat8 in jessie updated.

Regards,

-Roberto

-- 
Roberto C. Sánchez
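The message above separates a pre-existing test failure (TestWebSocketFrameClientSSL, failing in both deb8u11 and deb8u12) from one that appears only with the new patches (TestWebSocketFrameClient) by diffing the ant/junit summary lines of two build logs by hand. The script below does that comparison mechanically. It is an added example, not code from the thread or from the Debian tomcat8 package: the two log excerpts are constructed sample input modelled on the lines quoted above, and the function names (parse_junit_log, regressions, preexisting_failures) are hypothetical.

```python
"""Compare ant/junit summary lines from two build logs.

Added example; not part of the tomcat8 packaging. It pairs each
"[junit] Running <class>" line with the "[junit] Tests run: ..." line
that follows it, then reports which test classes fail only in the new
build (candidate regressions from the patches) and which already failed
in the old build (noise to ignore while debugging the patch set).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ant prints these two lines per test class; "Time elapsed" may be cut off.
RUNNING_RE = re.compile(r"^\s*\[junit\]\s+Running\s+(\S+)")
RESULT_RE = re.compile(
    r"^\s*\[junit\]\s+Tests run:\s*(\d+),\s*Failures:\s*(\d+),\s*Errors:\s*(\d+)"
)

# Constructed sample logs: "old" mirrors 8.0.14-1+deb8u11, "new" mirrors
# 8.0.14-1+deb8u12 as quoted in the message (values are illustrative).
OLD_LOG = """\
    [junit] Running org.apache.tomcat.websocket.TestUtil
    [junit] Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.4 sec
    [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClient
    [junit] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.2 sec
    [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClientSSL
    [junit] Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 3.0 sec
    [junit] Test org.apache.tomcat.websocket.TestWebSocketFrameClientSSL FAILED
"""

NEW_LOG = """\
    [junit] Running org.apache.tomcat.websocket.TestUtil
    [junit] Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.4 sec
    [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClient
    [junit] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.3 sec
    [junit] Test org.apache.tomcat.websocket.TestWebSocketFrameClient FAILED
    [junit] Running org.apache.tomcat.websocket.TestWebSocketFrameClientSSL
    [junit] Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 3.1 sec
    [junit] Test org.apache.tomcat.websocket.TestWebSocketFrameClientSSL FAILED
"""


@dataclass(frozen=True)
class TestResult:
    run: int
    failures: int
    errors: int

    @property
    def ok(self) -> bool:
        # junit counts assertion failures and thrown errors separately;
        # either one makes the class a failed class for ant.
        return self.failures == 0 and self.errors == 0


def parse_junit_log(text: str) -> Dict[str, TestResult]:
    """Map each test class name to the summary counts ant printed for it."""
    results: Dict[str, TestResult] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = RUNNING_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            run, failures, errors = (int(g) for g in m.groups())
            results[current] = TestResult(run, failures, errors)
            current = None
    return results


def regressions(old: Dict[str, TestResult], new: Dict[str, TestResult]) -> List[str]:
    """Classes failing in the new build that passed (or did not exist) in the old one."""
    return sorted(
        name for name, res in new.items()
        if not res.ok and (name not in old or old[name].ok)
    )


def preexisting_failures(old: Dict[str, TestResult], new: Dict[str, TestResult]) -> List[str]:
    """Classes failing in both builds: not caused by the new patches."""
    return sorted(
        name for name, res in new.items()
        if not res.ok and name in old and not old[name].ok
    )


if __name__ == "__main__":
    old, new = parse_junit_log(OLD_LOG), parse_junit_log(NEW_LOG)
    print("regressions:", regressions(old, new))
    print("pre-existing:", preexisting_failures(old, new))
```

In practice the two inputs would be the junit log directories ant names in the build output (output/build/logs) from a deb8u11 build and a deb8u12 build run with the same openjdk-7 version; feeding the script logs from different JDK builds would mix JDK-related failures into the comparison.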