Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] summary of what's blocking security fixes from testing
Another pass over security holes that are fixed in unstable but not
testing. Not sure if these are still useful to send to -release.

RM summary: m68k is killing us with ICE after ICE and contributing to
blocking half of the fixes. The transitions aren't hurting as much after
the last heroic britney run, although kde/qt is of course a problem.

Testing team summary: well, of these asterisk, inkscape, some kde stuff,
lm-sensors, mysql-dfsg-4.1, and texmacs seem like the most likely
candidates for upload to secure-testing, although some of the holes may
not warrant a DTSA.

apache
    m68k build needs requeued once deps are met
asterisk
    30 days old
    m68k build needs requeued once deps are met
    blocked indirectly by qt transition
bzip
    8/10 days old
chmlib
    3/10 days old
clamav (fixed in secure-testing)
    33 days old
    blocked by gmp
courier
    too young
fftw3
    m68k FTBFS
gxine
    too young
inkscape
    20 days old
    blocked by libsigc++-2.0
kdeedu
    FTBFS on arm (ICE)
    missing hppa and m68k builds
kdegraphics
    kde transition
kdelibs
    kde transition
kismet (fixed in secure-testing)
    23 days old
    blocked by gmp
lm-sensors
    23 days old
    indirectly blocked by perl
mozilla (partially fixed in secure-testing)
    41 days old, AKA, is this package being maintained?
    rc bugs, FTBFS, etc
mozilla-firefox (partially fixed in secure-testing)
    too young
mozilla-thunderbird
    41 days old
    FTBFS on alpha, arm, m68k
mysql-dfsg-4.1
    26 days old
    rc bug
    FTBFS on m68k
net-snmp
    too young
    blocked by perl
netpbm
    8/10 days old
    FTBFS on m68k (ICE)
ntp
    177 days old
    3 RC bugs, max 98 days old, none with responses from maintainers
    recommend removal from testing (and/or debian)
openmotif
    106 days old
    non-free package, still missing s390 build
    (I tried and failed to build this on raptor, machine is too
    unstable.)
openssh
    frozen, rc bug
    security hole is minor (CAN-2005-2666)
qt-x11-free
    too young
    rc bug
pdns
    FTBFS on m68k
    rc bugs
php4 (fixed in secure-testing)
    needs requeue on m68k once deps are satisfied
    blocked by qt-x11-free, perl, etc
python2.1
    alpha build succeeded 2 weeks ago but gone missing
    mips, mipsel, powerpc builds ditto
    blocked by gmp
python2.2
    FTBFS m68k (ICE)
    FTBFS hppa
    blocked by gmp
python2.3
    FTBFS m68k (ICE)
    FTBFS hppa
    blocked by gmp
rpm
    FTBFS m68k (ICE)
smb4k
    hppa build needs requeue once build deps are met
    m68k ditto
    arm ditto
    kde transition
squid
    too young
sqwebmail
    too young
texmacs
    59 days old
    FTBFS arm, hppa, m68k (ICE)
turqstat
    too young
    blocked by qt-x11-free
xorg-x11
    too young
    build needs retried on arm

-- 
see shy jo
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
On Tue, Sep 13, 2005 at 11:45:52PM -0400, Joey Hess wrote:
> Another pass over security holes that are fixed in unstable but not
> testing. Not sure if these are still useful to send to -release.

Yes, I think they are.

> Testing team summary: well, of these asterisk, inkscape, some kde stuff,
> lm-sensors, mysql-dfsg-4.1, and texmacs seem like the most likely
> candidates for upload to secure-testing, although some of the holes may
> not warrant a DTSA.

FWIW, inkscape is in the libsigc++-2.0/libgc transition that's currently
at the top of my hit list.

> apache
>     m68k build needs requeued once deps are met
> fftw3
>     m68k FTBFS
> netpbm
>     8/10 days old
>     FTBFS on m68k (ICE)
> rpm
>     FTBFS m68k (ICE)

I'm forcing these in spite of the lack of m68k builds. Between ICEs and
general sluggishness, m68k is not keeping up. I know the m68k porters are
talking about putting new buildds on-line, but there are also a lot of
KDE uploads coming that are going to bog it down further, and lots of
m68k-specific toolchain problems that still need to be fixed. If we don't
see improvement soon, I think the necessary next step is to ignore it for
all packages (i.e., exclude it from the list of release candidates for
the time being).

> mysql-dfsg-4.1
>     26 days old
>     rc bug
>     FTBFS on m68k

And no build log for the m68k failure to let people usefully debug it...
The RC bug was apparently meant to be downgraded, and the maintainer
missed. Downgrading now, and forcing in without m68k.

> bzip
>     8/10 days old
> chmlib
>     3/10 days old
> courier
>     too young
> gxine
>     too young
> squid
>     too young
> sqwebmail
>     too young

Feel free to add urgent hints for any of these.

> clamav (fixed in secure-testing)
>     33 days old
>     blocked by gmp
> kismet (fixed in secure-testing)
>     23 days old
>     blocked by gmp

This mainly means "blocked by kaffe", I think.

> kdeedu
>     FTBFS on arm (ICE)
>     missing hppa and m68k builds

Those will almost certainly be all the same ICE, actually.

> lm-sensors
>     23 days old
>     indirectly blocked by perl
> net-snmp
>     too young
>     blocked by perl

<grumble>

> mozilla (partially fixed in secure-testing)
>     41 days old, AKA, is this package being maintained?
>     rc bugs, FTBFS, etc

I'll NMU this if no one else does, but it'll probably take me a day or
two to get to it.

> mozilla-firefox (partially fixed in secure-testing)
>     too young

More that arm hasn't finished building it yet.

> mozilla-thunderbird
>     41 days old
>     FTBFS on alpha, arm, m68k

... with a patch in the BTS, if someone wants to NMU...

> ntp
>     177 days old
>     3 RC bugs, max 98 days old, none with responses from maintainers
>     recommend removal from testing (and/or debian)

Are these different security bugs than the ones already fixed via
proposed-updates?

> openmotif
>     106 days old
>     non-free package, still missing s390 build
>     (I tried and failed to build this on raptor, machine is too
>     unstable.)

This package really doesn't appear to have the necessary baseline
support from porters and/or the maintainer to let us keep it around.
There's a total of one package in testing still depending on openmotif;
I think we should give the arb maintainer a shot at fixing it, and then
drop it from testing if he doesn't get anywhere.

> openssh
>     frozen, rc bug
>     security hole is minor (CAN-2005-2666)

Pushed in. (The RC bug was reported against the version in stable, and
should not be a blocker.)

> php4 (fixed in secure-testing)
>     needs requeue on m68k once deps are satisfied

Already in dep-wait. The version in unstable is stuck for a while, but
the sarge security update is waiting in t-p-u for m68k to catch up.

> python2.1
>     alpha build succeeded 2 weeks ago but gone missing
>     mips, mipsel, powerpc builds ditto
>     blocked by gmp
> python2.2
>     FTBFS m68k (ICE)
>     FTBFS hppa
>     blocked by gmp

No hope that we can get rid of these yet...?

> xorg-x11
>     too young
>     build needs retried on arm

Currently listed as building on tofee.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Steve Langasek wrote:
> > bzip
> >     8/10 days old
> > chmlib
> >     3/10 days old
> > courier
> >     too young
> > gxine
> >     too young
> > squid
> >     too young
> > sqwebmail
> >     too young
> 
> Feel free to add urgent hints for any of these.

None of them are that serious holes, IIRC.

> > ntp
> >     177 days old
> >     3 RC bugs, max 98 days old, none with responses from maintainers
> >     recommend removal from testing (and/or debian)
> 
> Are these different security bugs than the ones already fixed via
> proposed-updates?

Thanks, you're right it's not vulnerable.

> > openmotif
> >     106 days old
> >     non-free package, still missing s390 build
> >     (I tried and failed to build this on raptor, machine is too
> >     unstable.)
> 
> This package really doesn't appear to have the necessary baseline
> support from porters and/or the maintainer to let us keep it around.
> There's a total of one package in testing still depending on openmotif;
> I think we should give the arb maintainer a shot at fixing it, and then
> drop it from testing if he doesn't get anywhere.

Agreed, although I think you might as well let the maintainers of ida
and motv have a crack at it too.

> > python2.1
> >     alpha build succeeded 2 weeks ago but gone missing
> >     mips, mipsel, powerpc builds ditto
> >     blocked by gmp
> > python2.2
> >     FTBFS m68k (ICE)
> >     FTBFS hppa
> >     blocked by gmp
> 
> No hope that we can get rid of these yet...?

Very little depends on python2.1. python2.2 has a bit more stuff but
certainly not too much that filing some RC bugs and dropping it might
not be the easiest way to fix this issue.

-- 
see shy jo
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Steve Langasek wrote:
> > mozilla-thunderbird
> >     41 days old
> >     FTBFS on alpha, arm, m68k
> 
> ... with a patch in the BTS, if someone wants to NMU...

The maintainer posted a followup to the firefox side of the latest
Mozilla IDN buffer overflow, so I very much suspect he's currently
preparing fixed thunderbird packages.

> > ntp
> >     177 days old
> >     3 RC bugs, max 98 days old, none with responses from maintainers
> >     recommend removal from testing (and/or debian)
> 
> Are these different security bugs than the ones already fixed via
> proposed-updates?

No, it's the same vulnerability as already fixed in t-p-u.

Cheers,
Moritz
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] summary of what's blocking security fixes from testing
Joey Hess wrote:
> kdeedu
>     FTBFS on arm (ICE)
>     missing hppa and m68k builds
> kdegraphics
>     kde transition

I had a look at these, but it's worth a fix, xpdf has been more
critical, because someone could indirectly mess with the print spooler,
but kpdf as a simple app doesn't warrant a fix IMO. And the kdeedu issue
is really minor.

> kdelibs
>     kde transition

I have fixed packages ready, I'll send them to you this evening, after
some more testing. kdebase will be fixed next.

> mozilla (partially fixed in secure-testing)
>     41 days old, AKA, is this package being maintained?
>     rc bugs, FTBFS, etc

633 open bugs, 10 of them RC. Should probably be team-maintained.

> mysql-dfsg-4.1
>     26 days old
>     rc bug
>     FTBFS on m68k

This (and mysql-dfsg) are perfect candidates for DTSAs/NMUs, the fix is
a simple one-liner.

> ntp
>     177 days old
>     3 RC bugs, max 98 days old, none with responses from maintainers
>     recommend removal from testing (and/or debian)

Fix is a one-liner as well.

> squid
>     too young

Could very well be bumped, it only contains the (IMO non-invasive)
security fixes and typo fixes.

Cheers,
Moritz
Mark Brown
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
On Tue, Sep 13, 2005 at 11:45:52PM -0400, Joey Hess wrote:
> Another pass over security holes that are fixed in unstable but not
> testing. Not sure if these are still useful to send to -release.

There's also zlib, which is held up in both testing-proposed-updates and
unstable by missing builds.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
Matthias Klose
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Joey Hess writes:
> RM summary: m68k is killing us with ICE after ICE and contributing to
> blocking half of the fixes. The transitions aren't hurting as much after
> the last heroic britney run, although kde/qt is of course a problem.

updated gcc-4.0 packages, which should fix some of the ICEs, are
uploaded today. Currently bootstrapping, it may take a while. A bigger
problem seems to be the new binutils on m68k.

> python2.2
>     FTBFS m68k (ICE)
>     FTBFS hppa
>     blocked by gmp

needs a new upload.

> python2.3
>     FTBFS m68k (ICE)
>     FTBFS hppa
>     blocked by gmp

hppa is a glibc problem.
Adeodato Simó
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
* Joey Hess [Tue, 13 Sep 2005 23:45:52 -0400]:
> kdegraphics
>     kde transition

4:3.3.2-2sarge1 was propagated to t-p-u, but not accepted because of
#325254 (uninstallable on powerpc). Anyway, 4:3.3.2-3 is now in t-p-u
and waiting for buildds (haven't seen any, though).

> kdelibs
>     kde transition

4:3.3.2-6.2 seems to be in NEW? And is blocking kdegraphics below.

> qt-x11-free
>     too young
>     rc bug

Is this listed here for some security issue, or because it's blocking
some stuff? It'll be a long while before it can enter testing, though.

-- 
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Loan-department manager: "There isn't any fine print. At these interest
rates, we don't need it."
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
On Wed, Sep 14, 2005 at 11:05:08AM +0200, Moritz Muehlenhoff wrote:
> > > ntp
> > >     177 days old
> > >     3 RC bugs, max 98 days old, none with responses from maintainers
> > >     recommend removal from testing (and/or debian)

> > Are these different security bugs than the ones already fixed via
> > proposed-updates?

> No, it's the same vulnerability as already fixed in t-p-u.

Right, that version's already present in testing then.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Frank Lichtenheld
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
On Mon, Sep 19, 2005 at 03:16:41AM -0700, Steve Langasek wrote:
> On Wed, Sep 14, 2005 at 10:00:05AM -0400, Joey Hess wrote:
> > Agreed, although I think you might as well let the maintainers of ida
> > and motv have a crack at it too.
> 
> So Frank has already NMUed this with a proposed fix for the s390 failure.
> Binaries only uploaded for i386 and m68k so far, though.

I've added it to the list of non-free buildds. But they will only pick
it up after dinstall since they don't build out of incoming...

Greetings,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
Matthias Klose
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Joey Hess writes:
> > > python2.1
> > >     alpha build succeeded 2 weeks ago but gone missing
> > >     mips, mipsel, powerpc builds ditto
> > >     blocked by gmp
> > > python2.2
> > >     FTBFS m68k (ICE)
> > >     FTBFS hppa
> > >     blocked by gmp
> > 
> > No hope that we can get rid of these yet...?
> 
> Very little depends on python2.1. python2.2 has a bit more stuff but
> certainly not too much that filing some RC bugs and dropping it might
> not be the easiest way to fix this issue.

these should slowly fade away. Just waiting to clear up the transition
business to start this one.

Matthias
Andreas Barth
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
* Joey Hess (joeyh@debian.org) [050914 23:12]:
> Adeodato Simó wrote:
> > > kdelibs
> > >     kde transition
> > 
> > 4:3.3.2-6.2 seems to be in NEW? And is blocking kdegraphics below.
> 
> Moritz Muehlenhoff wrote (privately):
> > But according to http://ftp-master.debian.org/new.html it is in
> > t-p-u? And it's not shown in the PTS either?
> > And why would it need to go through NEW, there were not binary
> > packages added?

> I share this confusion..

Uh, that's strongly technical. Basically it's a corner case of the
version propagation patches that doesn't work right. Please see
http://lists.debian.org/debian-dak/2005/09/msg00000.html for a possible
fix.

Cheers,
Andi
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Andreas Barth wrote:
> > > 4:3.3.2-6.2 seems to be in NEW? And is blocking kdegraphics below.
> > 
> > Moritz Muehlenhoff wrote (privately):
> > > But according to http://ftp-master.debian.org/new.html it is in
> > > t-p-u? And it's not shown in the PTS either?
> > > And why would it need to go through NEW, there were not binary
> > > packages added?
> 
> > I share this confusion..
> 
> Uh, that's strongly technical. Basically it's a corner case of the
> version propagation patches that doesn't work right. Please see
> http://lists.debian.org/debian-dak/2005/09/msg00000.html for a possible
> fix.

Has the dak patch mentioned in the above link been applied, or is this
more a mid-term solution (i.e. preparing a fix through a DTSA would be
better for now?)

Cheers,
Moritz
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
Adeodato Simó wrote:
> > kdelibs
> >     kde transition
> 
> 4:3.3.2-6.2 seems to be in NEW? And is blocking kdegraphics below.

Moritz Muehlenhoff wrote (privately):
> But according to http://ftp-master.debian.org/new.html it is in
> t-p-u? And it's not shown in the PTS either?
> And why would it need to go through NEW, there were not binary
> packages added?

I share this confusion..

> > qt-x11-free
> >     too young
> >     rc bug
> 
> Is this listed here for some security issue, or because it's blocking
> some stuff? It'll be a long while before it can enter testing, though.

Not sure how I contrived to list that as a security issue, it's only
blocking other security fixes.

-- 
see shy jo
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: summary of what's blocking security fixes from testing
On Wed, Sep 14, 2005 at 10:00:05AM -0400, Joey Hess wrote:
> > Feel free to add urgent hints for any of these.

> None of them are that serious holes, IIRC.

Hmm, if they're not serious enough to bump package urgency for, maybe
it's also not useful to have that part of the list posted to d-release. :)

> > > openmotif
> > >     106 days old
> > >     non-free package, still missing s390 build
> > >     (I tried and failed to build this on raptor, machine is too
> > >     unstable.)

> > This package really doesn't appear to have the necessary baseline
> > support from porters and/or the maintainer to let us keep it around.
> > There's a total of one package in testing still depending on openmotif;
> > I think we should give the arb maintainer a shot at fixing it, and then
> > drop it from testing if he doesn't get anywhere.

> Agreed, although I think you might as well let the maintainers of ida
> and motv have a crack at it too.

So Frank has already NMUed this with a proposed fix for the s390 failure.
Binaries only uploaded for i386 and m68k so far, though.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/