Thanks for updating the patch! A couple of comments:

* I don't see that CVEs are assigned for any of these issues or any requests to oss-security for them? Do you know if upstream has CVEs assigned? If not, can someone request them on http://oss-security.openwall.org/wiki/mailing-lists/oss-security? (we can publish the update without CVE assignments)
* Normally we would break out all the fixes into discrete patches (one for each CVE/security issue) so that it is easier to review, back out and understand
* each patch should follow DEP-5, which makes review much easier and less error prone. Combined with splitting out the patches, each patch would include the upstream commit to make it easier to find (you did include a link to a page that lists the commits and while it is workable enough, it isn't as clear as it should be)
* the patch to src/lib/wsman-subscription-repository.c is quite different from 09c3fcf4d209f6890eb9cb9e554bff637eae73b5
* the patch to src/lib/u/iniparser.c needs both 89dabd4582e3fbb88328dd780e89baf6efb4ad3f and 638abcbf5faa97ccb2c3ab15faeb2f2cc9363b56, but the DEP-5 comments and changelog entry are not clear on this point (though you include it)
* the changelog entry does not contain 'SECURITY UPDATE'
The real blocker on this is the lack of information on the changes to src/lib/wsman-subscription-repository.c (I would've likely sponsored it otherwise), however since you are going to update the packaging anyway, can you:

* break out the patches, one per security issue/CVE, and include full Origin and Description for each (i.e., follow DEP-5, being sure to include the Origin for supporting patches). If this is burdensome, you can instead add the Origin to debian/changelog for each patch and any supporting patches
* ask upstream to request CVEs (you could do this yourself if desired)
* update debian/changelog to follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging (specifically, include 'SECURITY UPDATE', any assigned CVE identifiers and all Origin information if it isn't included in the DEP-5 comments of the patches)

** Changed in: openwsman (Ubuntu)
   Status: New => In Progress

** Changed in: openwsman (Ubuntu)
   Assignee: (unassigned) => Kent Baxley (kentb)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1319089

Title:
  Add security fixes from upstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openwsman/+bug/1319089/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
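As an added illustration (not part of the reviewer's message or of the openwsman package), here is what the per-patch header and the matching changelog stanza the reviewer asks for would look like for the iniparser fix, which backports the two upstream commits named above. The upstream repository URL, package version, target release and CVE identifier are placeholders, since none of them appear in the thread.

```text
# debian/patches/CVE-XXXX-YYYY-iniparser.patch  (header only; hunks follow)
Description: fix out-of-bounds handling in the ini parser
 Backport of the two upstream commits that together fix the issue in
 src/lib/u/iniparser.c. Both are needed: the second commit
 (638abcbf5faa97ccb2c3ab15faeb2f2cc9363b56) corrects the first
 (89dabd4582e3fbb88328dd780e89baf6efb4ad3f).
Origin: backport, https://UPSTREAM-REPO-URL/commit/89dabd4582e3fbb88328dd780e89baf6efb4ad3f
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1319089
Forwarded: not-needed
Last-Update: YYYY-MM-DD

# debian/changelog stanza (version, release and CVE id are placeholders)
openwsman (VERSION-PLACEHOLDER) RELEASE-PLACEHOLDER-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds handling in the ini parser
    - debian/patches/CVE-XXXX-YYYY-iniparser.patch: fix parsing in
      src/lib/u/iniparser.c. Based on upstream commits
      89dabd4582e3fbb88328dd780e89baf6efb4ad3f and
      638abcbf5faa97ccb2c3ab15faeb2f2cc9363b56.
    - CVE-XXXX-YYYY (replace with the identifier once assigned)

 -- Maintainer Name <maintainer@example.com>  Day, DD Mon YYYY HH:MM:SS +0000
```

The second upstream commit is recorded in the Description because the patch is a single combined backport; with one patch per commit each would carry its own Origin line instead.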