clamav: (PRSC) Please backport fix for CVE-2011-1003

Related Vulnerabilities: CVE-2011-1003  

Debian Bug report logs - #617444


Reported by: Jonathan Wiltshire <jmw@debian.org>

Date: Tue, 8 Mar 2011 23:51:02 UTC

Severity: important

Tags: squeeze

Found in version clamav/0.96.5+dfsg-1.1

Fixed in version 0.97+dfsg-2~squeeze1

Done: Michael Tautschnig <mt@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jmw@debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Tue, 08 Mar 2011 23:51:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to jmw@debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Tue, 08 Mar 2011 23:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Tue, 08 Mar 2011 23:48:07 +0000
Package: clamav
Version: 0.96.5+dfsg-1.1
Severity: important
Tags: squeeze
Usertags: prsc-target-squeeze


Dear maintainer,

Recently you fixed one or more security problems as identified in the subject.
These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.1)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

Alternatively, if the suite is not affected by this problem please tell
me and close the bug, and I will update our tracker.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51






Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Thu, 10 Mar 2011 23:09:10 GMT)


Acknowledgement sent to Michael Tautschnig <mt@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 10 Mar 2011 23:09:10 GMT)


Message #10 received at 617444@bugs.debian.org:

From: Michael Tautschnig <mt@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 617444@bugs.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Thu, 10 Mar 2011 22:55:08 +0000
Hi Jonathan,

> Package: clamav
> Version: 0.96.5+dfsg-1.1
> Severity: important
> Tags: squeeze
> Usertags: prsc-target-squeeze
> 

[...]

> 
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
> 
[...]

For clamav, would it also be acceptable to upload the full new upstream release
instead of doing some semi-bugfixing by a minimal backport? AFAIK the release
team operates a relaxed policy for clamav - would that apply here? If so, we
will try to get a new upload targeted at squeeze done in time.

Best regards,
Michael


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Thu, 10 Mar 2011 23:39:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 10 Mar 2011 23:39:06 GMT)


Message #15 received at 617444@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Michael Tautschnig <mt@debian.org>
Cc: 617444@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Thu, 10 Mar 2011 23:37:04 +0000
Hi,

On Thu, Mar 10, 2011 at 10:55:08PM +0000, Michael Tautschnig wrote:
> > Package: clamav
> 
> For clamav, would it also be acceptable to upload the full new upstream release
> instead of doing some semi-bugfixing by a minimal backport? AFAIK the release
> team operates a relaxed policy for clamav - would that apply here? If so, we
> will try to get a new upload targeted at squeeze done in time.

That's not up to me - please check with the release team on a case-by-case
basis. Copying them in now to save time.

If you're not already aware the Squeeze queue will be frozen this weekend,
so if you can make it that's great, but I realise it's a short turnaround.

Thanks,


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Sat, 12 Mar 2011 19:27:03 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 12 Mar 2011 19:27:03 GMT)


Message #20 received at 617444@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: Michael Tautschnig <mt@debian.org>, 617444@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Sat, 12 Mar 2011 19:22:25 +0000
On Thu, 2011-03-10 at 23:37 +0000, Jonathan Wiltshire wrote:
> On Thu, Mar 10, 2011 at 10:55:08PM +0000, Michael Tautschnig wrote:
> > For clamav, would it also be acceptable to upload the full new upstream release
> > instead of doing some semi-bugfixing by a minimal backport? AFAIK the release
> > team operates a relaxed policy for clamav - would that apply here? If so, we
> > will try to get a new upload targeted at squeeze done in time.
> 
> That's not up to me - please check with the release team on a case-by-case
> basis. Copying them in now to save time.
> 
> If you're not already aware the Squeeze queue will be frozen this weekend,
> so if you can make it that's great, but I realise it's a short turnaround.

Apologies for not replying sooner; I seem to have missed this when it
arrived.

Just to check: as far as I can see the SONAME hasn't changed in the new
upstream version, which is a good start :-) Are there any other API
changes which would mean we would need to rebuild any of the
reverse-dependencies in stable?

If not then please go ahead with the upload as 0.97+dfsg-2~squeeze1 -
assuming that the upload has been tested in that environment of course.
As Jonathan said, the window for acceptance into 6.0.1 closes tomorrow
so it would be good if the upload could be made before the final
dinstall tomorrow so we can include it in the point release.

Note that the versioning for the lenny-volatile upload originally used
-2~volatile1, which was higher than my request above.  As a result that
version will be adjusted to -2~lenny1 before it is released.

Regards,

Adam
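Adam's first question above, whether the SONAME changed between the 0.96.5 and 0.97 builds, is the standard gate for putting a whole new upstream library into stable without rebuilding its reverse dependencies. The following is an added example, not code from the bug report, from ClamAV or from any Debian tool: it reads DT_SONAME and DT_NEEDED straight out of the ELF64 .dynamic section and diffs two builds. The two libraries it compares are constructed in memory as stand-ins; the names libclamav.so.6, libc.so.6, libz.so.1 and libbz2.so.1.0 are illustrative assumptions, not read from the real packages.

```python
"""Did a library's SONAME (or its DT_NEEDED list) change between two builds?

Added example, not code from the bug report or from ClamAV. It parses the
ELF64 .dynamic section directly instead of shelling out to objdump/readelf,
and builds two tiny stand-in shared objects inline so it runs offline.
"""
import struct

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # ELF64 Ehdr, little-endian
SECTION_HEADER = "<IIQQQQIIQQ"     # ELF64 Shdr
DYN_ENTRY = "<qQ"                  # ELF64 Dyn: d_tag, d_val
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14


def dynamic_strings(elf: bytes, wanted_tag: int) -> list:
    """Return the string of every .dynamic entry carrying wanted_tag (DT_SONAME, DT_NEEDED, ...)."""
    hdr = struct.unpack_from(ELF_HEADER, elf, 0)
    ident, e_shoff, e_shentsize, e_shnum = hdr[0], hdr[6], hdr[11], hdr[12]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    shdrs = [struct.unpack_from(SECTION_HEADER, elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab_off = shdrs[sh[6]][4]          # sh_link names the .dynstr section
        dyn_off, dyn_size = sh[4], sh[5]
        for pos in range(dyn_off, dyn_off + dyn_size, struct.calcsize(DYN_ENTRY)):
            d_tag, d_val = struct.unpack_from(DYN_ENTRY, elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == wanted_tag:
                end = elf.index(b"\0", strtab_off + d_val)
                found.append(elf[strtab_off + d_val:end].decode())
    return found


def build_stub_solib(soname: str, needed) -> bytes:
    """Constructed minimal ELF64 shared object: only .dynstr and .dynamic, no code.
    Assumption: this is all the check above needs; a real .so has far more."""
    dynstr, offsets = b"\0", {}
    for name in [soname, *needed]:
        offsets[name] = len(dynstr)
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack(DYN_ENTRY, DT_NEEDED, offsets[n]) for n in needed)
    dynamic += struct.pack(DYN_ENTRY, DT_SONAME, offsets[soname])
    dynamic += struct.pack(DYN_ENTRY, DT_NULL, 0)

    dynstr_off = struct.calcsize(ELF_HEADER)
    dynamic_off = dynstr_off + len(dynstr)
    dynamic_off += (-dynamic_off) % 8          # keep the 16-byte entries 8-aligned
    shoff = dynamic_off + len(dynamic)
    sections = [
        struct.pack(SECTION_HEADER, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),   # SHN_UNDEF
        struct.pack(SECTION_HEADER, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        struct.pack(SECTION_HEADER, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1
    header = struct.pack(ELF_HEADER, ident, 3, 0x3E, 1, 0, 0, shoff, 0,
                         struct.calcsize(ELF_HEADER), 56, 0, 64, len(sections), 0)
    body = dynstr.ljust(dynamic_off - dynstr_off, b"\0") + dynamic
    return header + body + b"".join(sections)


def abi_report(old_elf: bytes, new_elf: bytes) -> dict:
    """What a stable-update reviewer asks first: did the SONAME or the linked libraries change?"""
    old_soname = dynamic_strings(old_elf, DT_SONAME)
    new_soname = dynamic_strings(new_elf, DT_SONAME)
    old_needed = set(dynamic_strings(old_elf, DT_NEEDED))
    new_needed = set(dynamic_strings(new_elf, DT_NEEDED))
    return {
        "old_soname": old_soname[0] if old_soname else None,
        "new_soname": new_soname[0] if new_soname else None,
        "soname_changed": old_soname != new_soname,
        "needed_added": sorted(new_needed - old_needed),
        "needed_removed": sorted(old_needed - new_needed),
    }


if __name__ == "__main__":
    # Constructed sample: same SONAME in both builds, one extra dependency in the new one.
    old = build_stub_solib("libclamav.so.6", ["libc.so.6", "libz.so.1"])
    new = build_stub_solib("libclamav.so.6", ["libc.so.6", "libz.so.1", "libbz2.so.1.0"])
    print(abi_report(old, new))
```

On a real system `objdump -p /path/to/libfoo.so | grep SONAME` answers the same question in one line. The caveat behind Adam's second sentence still applies: an unchanged SONAME only means upstream did not declare an ABI break. Exported symbols removed or public structs changed behind the same SONAME will still break reverse dependencies, which is what the package's symbols file or a tool such as abi-compliance-checker is for.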





Reply sent to Michael Tautschnig <mt@debian.org>:
You have taken responsibility. (Tue, 15 Mar 2011 13:27:11 GMT)


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Tue, 15 Mar 2011 13:27:11 GMT)


Message #25 received at 617444-done@bugs.debian.org:

From: Michael Tautschnig <mt@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Jonathan Wiltshire <jmw@debian.org>, 617444-done@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Tue, 15 Mar 2011 13:17:40 +0000
Version: 0.97+dfsg-2~squeeze1

Hi all,

[...]
> Apologies for not replying sooner; I seem to have missed this when it
> arrived.
> 

Sorry for not getting to it earlier, hence we missed the deadline for the first
point release.

> Just to check: as far as I can see the SONAME hasn't changed in the new
> upstream version, which is a good start :-) Are there any other API
> changes which would mean we would need to rebuild any of the
> reverse-dependencies in stable?
> 

To the best of my knowledge, there aren't any changes that would affect the
reverse depends. It's all internal bugfixes.

> If not then please go ahead with the upload as 0.97+dfsg-2~squeeze1 -
> assuming that the upload has been tested in that environment of course.

Minimal testing of the squeeze-specific build has been performed; the same
version, although built for lenny-volatile, is being "tested" in production
environments. I'm now uploading to squeeze-updates.

> As Jonathan said, the window for acceptance into 6.0.1 closes tomorrow
> so it would be good if the upload could be made before the final
> dinstall tomorrow so we can include it in the point release.
> 

Sorry for missing that one!

> Note that the versioning for the lenny-volatile upload originally used
> -2~volatile1, which was higher than my request above.  As a result that
> version will be adjusted to -2~lenny1 before it is released.
> 

Yes, noted that one (and thanks Philipp Kern for fixing it without further
hassle). Future uploads to lenny-volatile will follow these guidelines.

Best regards,
Michael

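The -2~squeeze1 / -2~lenny1 / -2~volatile1 exchange above hinges on how dpkg orders version strings: '~' sorts before anything else, including the end of the string, so 0.97+dfsg-2~squeeze1 stays below the eventual 0.97+dfsg-2 in unstable, and the suite name after the tilde is compared letter by letter, which is why ~volatile1 sorted above ~squeeze1 and had to become ~lenny1. As an added example, not code from the bug report or from dpkg, the following re-implements the dpkg comparison rules in Python so the ordering can be checked on a machine without dpkg; the version strings are the ones from this thread.

```python
"""Debian version ordering behind the -2~squeeze1 / -2~lenny1 revisions.

Added example, not code from the bug report or from dpkg: it re-implements
dpkg's comparison rules (epoch, then upstream, then revision; digit runs are
compared numerically; '~' sorts before everything, including end-of-string).
"""
from functools import cmp_to_key

DIGITS = "0123456789"


def _is_digit(c: str) -> bool:
    return c != "" and c in DIGITS


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (mirrors dpkg's order())."""
    if c == "" or _is_digit(c):
        return 0
    if c == "~":
        return -1               # tilde sorts before anything, even end-of-string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256         # '+', '.', etc. sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two fragments (upstream part or revision) the way dpkg does."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit or the end.
        while (ch(a, i) and not _is_digit(ch(a, i))) or (ch(b, j) and not _is_digit(ch(b, j))):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer number wins, else the first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while _is_digit(ch(a, i)) and _is_digit(ch(b, j)):
            if first_diff == 0:
                first_diff = ord(ch(a, i)) - ord(ch(b, j))
            i += 1
            j += 1
        if _is_digit(ch(a, i)):
            return 1
        if _is_digit(ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to '' when absent."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                 # no revision at all (native package)
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


def upgrade_path_ok(versions_oldest_suite_first) -> bool:
    """Each suite's version must sort strictly below the next suite's, or an upgrade
    (lenny -> squeeze -> unstable) would keep the older package installed."""
    pairs = zip(versions_oldest_suite_first, versions_oldest_suite_first[1:])
    return all(compare_versions(older, newer) < 0 for older, newer in pairs)


if __name__ == "__main__":
    thread = ["0.97+dfsg-2~volatile1", "0.97+dfsg-2", "0.97+dfsg-2~squeeze1",
              "0.96.5+dfsg-1.1", "0.97+dfsg-2~lenny1"]
    for v in sort_versions(thread):
        print(v)
    # As first uploaded: lenny-volatile's ~volatile1 sorts above squeeze's ~squeeze1.
    print(upgrade_path_ok(["0.97+dfsg-2~volatile1", "0.97+dfsg-2~squeeze1", "0.97+dfsg-2"]))
    # After the release team's adjustment to ~lenny1 the path is monotonic.
    print(upgrade_path_ok(["0.97+dfsg-2~lenny1", "0.97+dfsg-2~squeeze1", "0.97+dfsg-2"]))
```

With dpkg available, `dpkg --compare-versions 0.97+dfsg-2~volatile1 lt 0.97+dfsg-2~squeeze1; echo $?` gives the same verdict (exit status 1, i.e. not lower).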

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Tue, 15 Mar 2011 17:06:04 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Tue, 15 Mar 2011 17:06:04 GMT)


Message #30 received at 617444@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Michael Tautschnig" <mt@debian.org>
Cc: "Jonathan Wiltshire" <jmw@debian.org>, 617444@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Tue, 15 Mar 2011 17:04:51 -0000
On Tue, March 15, 2011 13:17, Michael Tautschnig wrote:
>> Just to check: as far as I can see the SONAME hasn't changed in the new
>> upstream version, which is a good start :-) Are there any other API
>> changes which would mean we would need to rebuild any of the
>> reverse-dependencies in stable?
>>
>
> To the best of my knowledge, there aren't any changes that would affect
> the reverse depends. It's all internal bugfixes.

Thanks for the confirmation.

>> If not then please go ahead with the upload as 0.97+dfsg-2~squeeze1 -
>> assuming that the upload has been tested in that environment of course.
>
> Minimal testing of the squeeze-specific build has been performed; the same
> version, although built for lenny-volatile, is being "tested" in
> production environments. I'm now uploading to squeeze-updates.

Unfortunately, the upload got rejected by dak.

Please could you re-upload using "stable" as the distribution. 
"squeeze-updates" is not intended as a direct upload target.

>> Note that the versioning for the lenny-volatile upload originally used
>> -2~volatile1, which was higher than my request above.  As a result that
>> version will be adjusted to -2~lenny1 before it is released.
>>
>
> Yes, noted that one (and thanks Philipp Kern for fixing it without further
> hassle). Future uploads to lenny-volatile will follow these guidelines.

Thanks; that's appreciated.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Tue, 15 Mar 2011 17:57:05 GMT)


Acknowledgement sent to Michael Tautschnig <mt@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Tue, 15 Mar 2011 17:57:05 GMT)


Message #35 received at 617444@bugs.debian.org:

From: Michael Tautschnig <mt@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Jonathan Wiltshire <jmw@debian.org>, 617444@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Tue, 15 Mar 2011 17:55:31 +0000
Hi again,

[...]
> > Minimal testing of the squeeze-specific build has been performed; the same
> > version, although built for lenny-volatile, is being "tested" in
> > production environments. I'm now uploading to squeeze-updates.
> 
> Unfortunately, the upload got rejected by dak.
> 
> Please could you re-upload using "stable" as the distribution. 
> "squeeze-updates" is not intended as a direct upload target.
> 

Fixed and re-uploading just now. Is that use of distribution names documented
anywhere? I had taken a look at tzdata, which indeed uses "stable", but
according to [1] all these are equivalent and I found squeeze-updates to be much
more descriptive, hence used that one.

Another related question: should one send a working draft of an update
announcement to somewhere? I'm used to doing that for volatile, but don't know
about the procedures for stable-updates.

Best regards,
Michael

[1] http://lists.debian.org/debian-release/2011/03/msg00007.html


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#617444; Package clamav. (Tue, 15 Mar 2011 19:09:04 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Tue, 15 Mar 2011 19:09:04 GMT)


Message #40 received at 617444@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Tautschnig <mt@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 617444@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#617444: clamav: (PRSC) Please backport fix for CVE-2011-1003
Date: Tue, 15 Mar 2011 19:03:38 +0000
Hi,

On Tue, 2011-03-15 at 17:55 +0000, Michael Tautschnig wrote:
> > > Minimal testing of the squeeze-specific build has been performed; the same
> > > version, although built for lenny-volatile, is being "tested" in
> > > production environments. I'm now uploading to squeeze-updates.
> > 
> > Unfortunately, the upload got rejected by dak.
> > 
> > Please could you re-upload using "stable" as the distribution. 
> > "squeeze-updates" is not intended as a direct upload target.
> > 
> 
> Fixed and re-uploading just now.

Thanks.  I've marked it for acceptance into proposed-updates during the
next dinstall; we'll see how quickly the majority of the builds come in
and promote it to squeeze-updates later.

> Is that use of distribution names documented
> anywhere? I had taken a look at tzdata, which indeed uses "stable", but

The relevant section of the Developer's Reference -
<URL:http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable> -
implies that "stable" is correct.  That section, together with basically all
other documentation about updating stable, needs overhauling to match current
practice and policy, but from that point-of-view it's correct.

> according to [1] all these are equivalent and I found squeeze-updates to be much
> more descriptive, hence used that one.

That's the theory; it doesn't quite work right now, as you discovered.
(Although in this case it was due to the version constraints on
squeeze-updates being different from those on proposed-updates
currently).

> Another related question: should one send a working draft of an update
> announcement to somewhere? I'm used to doing that for volatile, but don't know
> about the procedures for stable-updates.

Feel free to ping it in my direction if you'd like.

> [1] http://lists.debian.org/debian-release/2011/03/msg00007.html

Regards,

Adam





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Mar 2012 08:25:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:06 2019; Machine Name: buxtehude