minor issues (wavpack)

2019-07-22 Thread Brian May
I am a bit unclear when we should be fixing some issues, and when we should be
marking them as no-DSA (or similar).

For example, wavpack has three issues:

- CVE-2019-1010315: divide by zero
- CVE-2019-1010317: use of uninitialized memory.
- CVE-2019-1010319: use of uninitialized memory.

All three issues have been marked no-DSA by the security team. Does that
mean we should do the same thing?

I don't think there is any proven direct security vulnerability (other
than maybe a DoS attack by killing a remote service), however that does
not mean there isn't a security vulnerability, especially for the second two
CVEs.
-- 
Brian May 



Re: Advice for building tomcat8 on jessie?

2019-07-22 Thread Abhijith PA
Hello.

tomcat8 is FTBFS in jessie. I think the culprit is the CVE-2017-5647 patch,
which makes TestSendFile fail. I tried with the latest upstream change
to TestSendfile but it is still failing. I would like to get help on this one.


--abhijith



Re: minor issues (wavpack)

2019-07-22 Thread Abhijith PA
Hi,

On 22/07/19 1:13 pm, Brian May wrote:
> I am a bit unclear when we should be fixing some issues, and when we should be
> marking them as no-DSA (or similar).
> 
> For example, wavpack has three issues:
> 
> - CVE-2019-1010315: divide by zero
> - CVE-2019-1010317: use of uninitialized memory.
> - CVE-2019-1010319: use of uninitialized memory.
> 
> All three issues have been marked no-DSA by the security team. Does that
> mean we should do the same thing?
> 
> I don't think there is any proven direct security vulnerability (other
> than maybe a DoS attack by killing a remote service), however that does
> not mean there isn't a security vulnerability, especially for the second two
> CVEs.
> 

If you see it as trivial, you can mark it as  and fix it with
later updates.


--abhijith.



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-07-22 Thread Holger Levsen
hi,

today I unclaimed these packages:

for LTS:
-cfengine3 (Mike Gabriel)
-glib2.0 (Mike Gabriel)
-imagemagick (Mike Gabriel)
-tomcat8 (Abhijith PA)

and none for eLTS.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-07-22 Thread Roberto C . Sánchez
On Mon, Jul 22, 2019 at 02:36:36PM +, Holger Levsen wrote:
> hi,
> 
> today I unclaimed these packages:
> 
> for LTS:
> -cfengine3 (Mike Gabriel)
> -glib2.0 (Mike Gabriel)
> -imagemagick (Mike Gabriel)
> -tomcat8 (Abhijith PA)
> 
To be fair, Abhijith did just today send a request for assistance with
the FTBFS problem on tomcat8.  Perhaps the note in dla-needed.txt was
not updated to reflect this.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-07-22 Thread Holger Levsen
On Mon, Jul 22, 2019 at 11:48:20AM -0400, Roberto C. Sánchez wrote:
> To be fair, Abhijith did just today send a request for assistance with
> the FTBFS problem on tomcat8.  

I'd seen this, just that me unclaiming packages is not meant to be fair
or unfair, but rather just a means to get probably stuck packages
unclaimed. And our workflows require dla-needed.txt to be kept up to date.

> Perhaps the note in dla-needed.txt was
> not updated to reflect this.

Exactly. Or, in other words, asking for help about a package is great,
but if one has claimed that package and is stuck, one shall also
update dla-needed.txt.

All in all not a big deal, no one was harmed and Abhijith has certainly
not done anything bad, just suboptimal. Happens.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-07-22 Thread Roberto C . Sánchez
On Mon, Jul 22, 2019 at 04:41:11PM +, Holger Levsen wrote:
> On Mon, Jul 22, 2019 at 11:48:20AM -0400, Roberto C. Sánchez wrote:
> > To be fair, Abhijith did just today send a request for assistance with
> > the FTBFS problem on tomcat8.  
> 
> I'd seen this, just that me unclaiming packages is not meant to be fair
> or unfair, but rather just a means to get probably stuck packages
> unclaimed. And our workflows require dla-needed.txt to be kept up to date.
> 
I can see two errors on my part here:

- I used "to be fair" as a fluff/filler, not in any way intending to
  imply that the process or your associated was unfair; a better lead in
  would have been "coincidentally"
- I failed to note that Abhijith's message and your message went to the
  same list (my email filter rules sorted the two messages into
  different folders; it seemed to me likely that someone who might
  decide to pick up tomcat8 after seeing your message might not have
  seen Abhijith's earlier message, though that was clearly not the case)

> > Perhaps the note in dla-needed.txt was
> > not updated to reflect this.
> 
> Exactly. Or, in other words, asking for help about a package is great,
> but if one has claimed that package and is stuck, one shall also
> update dla-needed.txt.
> 
> All in all not a big deal, no one was harmed and Abhijith has certainly
> not done anything bad, just suboptimal. Happens.
> 
After reading your response I don't even think it was suboptimal.  The
process worked as intended and it was my failure to make the correct
connection between the two messages that resulted in me imagining a
"problem" that did not exist.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: libsdl2-image security issues in testing

2019-07-22 Thread Felix Geyer

Hi Hugo,

On 21.07.19 18:30, Hugo Lefeuvre wrote:
> Dear libsdl2-image maintainers,
> 
> I have prepared a jessie (LTS) update addressing libsdl2-image's current
> security issues. I will coordinate with the security team to possibly fix
> them in a future stretch/buster point update.
> 
> Are you planning to address these issues in testing?  Packaging upstream's
> latest 2.0.5 release should be sufficient, but they can also be addressed
> with more targeted fixes.
> 
> I can provide some help if needed.


Thanks for your work!

I'm preparing a 2.0.5 upload right now.
As far as I can tell all CVEs in the tracker are fixed with 2.0.5.
Do you agree?

Cheers,
Felix



Re: libsdl2-image security issues in testing

2019-07-22 Thread Hugo Lefeuvre
Hi Felix,

(CC-ing #932754 which tracks this issue)

> > I have prepared a jessie (LTS) update addressing libsdl2-image's current
> > security issues. I will coordinate with the security team to possibly fix
> > them in a future stretch/buster point update.
> > 
> > Are you planning to address these issues in testing?  Packaging upstream's
> > latest 2.0.5 release should be sufficient, but they can also be addressed
> > with more targeted fixes.
> > 
> > I can provide some help if needed.
> 
> Thanks for your work!
>
> I'm preparing a 2.0.5 upload right now.

Great, thanks!

> As far as I can tell all CVEs in the tracker are fixed with 2.0.5.
> Do you agree?

Exactly.

By the way, I had a second look and it appears that CVE-2019-5051 was also
fixed by the jessie LTS upload. CVE-2019-5051 is also a member of the
CVE-2019-12221 family, and is therefore fixed by [0].

cheers,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

