Michael Schultheiss
2008-Sep-29 14:41 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
Please unblock gallery 1.5.9-1. This is a security release that fixed
CVE-2008-3662 and CVE-2008-4129. The CVEs were not listed in the
changelog since I did not know the CVE numbers when the package was
built.

-- 
----------------------------
Michael Schultheiss
E-mail: schultmc at debian.org
Neil McGovern
2008-Sep-30 10:34 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> Please unblock gallery 1.5.9-1. This is a security release that fixed
> CVE-2008-3662 and CVE-2008-4129. The CVEs were not listed in the
> changelog since I did not know the CVE numbers when the package was
> built.
>

Gah.

Images have changed, $Id$ changes and whitespace formatting, as well as things like:

- $gallery->user->canCreateSubAlbum($gallery->album)) {
+ $gallery->user->canCreateSubAlbum($gallery->album))
+ {

Some pofiles also seem to have disappeared.

This all leads to:
 828 files changed, 43756 insertions(+), 431897 deletions(-)

I'm not reviewing this, sorry.

s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.

Neil
-- 
<Yoe> is _that_ gunnar?
<weasel> yes
<Yoe> what happened to his tires?
<towersbe> He's shrunk. I think his wife washed him at too high a temperature.
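Review bot: the hunk quoted in this message only moves the opening brace after `canCreateSubAlbum($gallery->album))` onto its own line; it has no semantic effect and is exactly the kind of change that should be kept out of an upload whose purpose is to fix CVE-2008-3662 and CVE-2008-4129. If the reformatting cannot be separated from the upstream tarball, at least generate the review diff with whitespace ignored (`diff -uw`, or `git diff -w` for a git tree) so that brace moves and `$Id$` expansions do not bury the few lines that actually change behaviour.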
Moritz Muehlenhoff
2008-Oct-04 20:28 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > Please unblock gallery 1.5.9-1. This is a security release that fixed
> > CVE-2008-3662 and CVE-2008-4129. The CVEs were not listed in the
> > changelog since I did not know the CVE numbers when the package was
> > built.
> >
> 
> Gah.
> Images have changed, $Id$ changes and whitespace formatting, as well as things like:
> 
> - $gallery->user->canCreateSubAlbum($gallery->album)) {
> + $gallery->user->canCreateSubAlbum($gallery->album))
> + {
> 
> Some pofiles also seem to have disappeared.
> 
> This all leads to:
> 828 files changed, 43756 insertions(+), 431897 deletions(-)
> 
> I'm not reviewing this, sorry.
> 
> s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.

This has happened for previous Gallery releases before and in fact many
issues are still open in Etch:

gallery2
  CVE-2008-4129 medium
  CVE-2008-1066 low
  CVE-2008-2720 low
  CVE-2008-2721 low
  CVE-2008-2722 low
  CVE-2008-2723 low
  CVE-2008-2724 low
  CVE-2007-6685
  CVE-2007-6686
  CVE-2007-6687
  CVE-2007-6688
  CVE-2007-6689
  CVE-2007-6690
  CVE-2007-6691
  CVE-2007-6692
  CVE-2007-6693
  CVE-2008-3662
  CVE-2008-4130

Unless there's more effort by upstream and the maintainer to address this
by isolated patches and more detailed descriptions of vulnerabilities
we should rather drop Gallery from Lenny.

(We already discussed this internally in the Security Team in July for previous
and came to the conclusion it should rather be removed unless the situation
improves).

Cheers,
Moritz
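Neil's objection (an 828-file diff in which images, $Id$ keyword expansions and brace placement swamp the real change) and Moritz's request for isolated patches are two sides of the same review problem: before anyone can judge a security upload, the noise has to be separated from the hunks that change behaviour. The script below is an added example, not code from this thread or from the Gallery or Debian projects. It sorts every file in a unified diff into binary, added, deleted, whitespace-only, keyword-only or substantive, so a reviewer can see how much of a large upstream release actually needs reading. The embedded diff is constructed for the example; its file names and PHP lines are made up and do not reproduce the real 1.5.7 to 1.5.9 change or the fix for either CVE.

```python
"""Triage a unified diff so a security reviewer can skip the noise.

Constructed example: each file in the diff is classified as binary, added,
deleted, whitespace-only, keyword-only ($Id$-style expansions) or
substantive. Only the last category can carry a security fix, so that is
where review time should go.
"""
import re
from collections import Counter

# CVS/SVN keyword expansions such as "$Id: albums.php 1234 2008-09-20 user $".
KEYWORD_RE = re.compile(r"\$(Id|Revision|Date|Author|Header)(?::[^$]*)?\$")
WS_RE = re.compile(r"\s+")
BINARY_RE = re.compile(r"Binary files (\S+) and (\S+) differ")


def _normalize(lines, strip_keywords):
    """Collapse runs of whitespace (line breaks included) to one space.

    Whitespace is collapsed rather than deleted so that a change inside a
    string literal ("a b" -> "ab") is still reported as substantive.
    """
    text = "\n".join(lines)
    if strip_keywords:
        text = KEYWORD_RE.sub(lambda m: "$" + m.group(1) + "$", text)
    return WS_RE.sub(" ", text).strip()


def parse_diff(diff_text):
    """Return {path: {old_path, new_path, old, new, binary}} for a unified diff."""
    lines = diff_text.splitlines()
    files, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = BINARY_RE.match(line)
        if m:
            files[m.group(2)] = {"old_path": m.group(1), "new_path": m.group(2),
                                 "old": [], "new": [], "binary": True}
            current, i = None, i + 1
            continue
        # A file header is a "---" line directly followed by a "+++" line; requiring
        # the pair reduces the chance that a removed line starting with "--" is
        # mistaken for one. Timestamps after the tab are dropped.
        if line.startswith("--- ") and nxt.startswith("+++ "):
            old_path = line[4:].split("\t")[0]
            new_path = nxt[4:].split("\t")[0]
            current = {"old_path": old_path, "new_path": new_path,
                       "old": [], "new": [], "binary": False}
            files[old_path if new_path == "/dev/null" else new_path] = current
            i += 2
            continue
        if current is not None and line.startswith("-"):
            current["old"].append(line[1:])
        elif current is not None and line.startswith("+"):
            current["new"].append(line[1:])
        # "@@" hunk headers, context lines, "diff ..." lines and the
        # "\ No newline at end of file" marker carry nothing to compare.
        i += 1
    return files


def classify(entry):
    """Name the kind of change a single file's hunks amount to."""
    if entry["binary"]:
        return "binary"
    if entry["old_path"] == "/dev/null":
        return "added"
    if entry["new_path"] == "/dev/null":
        return "deleted"
    if _normalize(entry["old"], False) == _normalize(entry["new"], False):
        return "whitespace-only"
    if _normalize(entry["old"], True) == _normalize(entry["new"], True):
        return "keyword-only"  # only keyword expansions and whitespace differ
    return "substantive"


def triage(diff_text):
    """Map every changed path to its category."""
    return {path: classify(entry) for path, entry in parse_diff(diff_text).items()}


def files_to_review(diff_text):
    """Paths whose hunks change code: the part that needs a human reviewer."""
    return sorted(p for p, c in triage(diff_text).items() if c == "substantive")


def summarize(diff_text):
    """Count files per category, a noise-aware alternative to diffstat."""
    return Counter(triage(diff_text).values())


# Constructed sample diff. File names and PHP lines are made up; they do not
# reproduce the real 1.5.7 -> 1.5.9 change or the fix for either CVE.
SAMPLE_DIFF = """\
diff -ruN gallery-1.5.7/albums.php gallery-1.5.9/albums.php
--- gallery-1.5.7/albums.php\t2008-03-01 10:00:00.000000000 +0000
+++ gallery-1.5.9/albums.php\t2008-09-20 10:00:00.000000000 +0000
@@ -1,6 +1,7 @@
 <?php
-/* $Id: albums.php 15000 2008-03-01 10:00:00Z user $ */
+/* $Id: albums.php 16500 2008-09-20 10:00:00Z user $ */
 if (!$gallery->user->isAdmin() &&
-    $gallery->user->canCreateSubAlbum($gallery->album)) {
+    $gallery->user->canCreateSubAlbum($gallery->album))
+    {
     showAlbums();
 }
--- gallery-1.5.7/view.php\t2008-03-01 10:00:00.000000000 +0000
+++ gallery-1.5.9/view.php\t2008-09-20 10:00:00.000000000 +0000
@@ -10,3 +10,3 @@
 $name = $_GET['name'];
-echo "<h1>$name</h1>";
+echo "<h1>" . htmlspecialchars($name, ENT_QUOTES) . "</h1>";
 showImage($name);
--- gallery-1.5.7/locale/de/gallery.po\t2008-03-01 10:00:00.000000000 +0000
+++ /dev/null\t1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-msgid "Album"
-msgstr "Album"
Binary files gallery-1.5.7/images/logo.png and gallery-1.5.9/images/logo.png differ
"""

if __name__ == "__main__":
    for path, category in sorted(triage(SAMPLE_DIFF).items()):
        print(f"{category:16} {path}")
    print(dict(summarize(SAMPLE_DIFF)))
    print("review:", files_to_review(SAMPLE_DIFF))
```

Run against a real debdiff (`debdiff old.dsc new.dsc | python3 triage.py`, after swapping `SAMPLE_DIFF` for `sys.stdin.read()`), the "substantive" list is what a DTSA or an unblock request should be able to point at; a file that lands in "keyword-only" or "whitespace-only" is safe to skip, while "deleted" entries such as vanished .po files deserve a question to the maintainer even though they cannot introduce a vulnerability.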
Adeodato Simó
[Secure-testing-team] Please unblock gallery 1.5.9-1
CCing maintainer, who was dropped from the discussion.

* Moritz Muehlenhoff [Sat, 04 Oct 2008 22:28:15 +0200]:
> On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> > On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > > Please unblock gallery 1.5.9-1. This is a security release that fixed
> > > CVE-2008-3662 and CVE-2008-4129. The CVEs were not listed in the
> > > changelog since I did not know the CVE numbers when the package was
> > > built.
> 
> > Gah.
> > Images have changed, $Id$ changes and whitespace formatting, as well as things like:
> 
> > - $gallery->user->canCreateSubAlbum($gallery->album)) {
> > + $gallery->user->canCreateSubAlbum($gallery->album))
> > + {
> 
> > Some pofiles also seem to have disappeared.
> 
> > This all leads to:
> > 828 files changed, 43756 insertions(+), 431897 deletions(-)
> 
> > I'm not reviewing this, sorry.
> 
> > s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.
> 
> This has happened for previous Gallery releases before and in fact many
> issues are still open in Etch:
> 
> gallery2
>   CVE-2008-4129 medium
>   CVE-2008-1066 low
>   CVE-2008-2720 low
>   CVE-2008-2721 low
>   CVE-2008-2722 low
>   CVE-2008-2723 low
>   CVE-2008-2724 low
>   CVE-2007-6685
>   CVE-2007-6686
>   CVE-2007-6687
>   CVE-2007-6688
>   CVE-2007-6689
>   CVE-2007-6690
>   CVE-2007-6691
>   CVE-2007-6692
>   CVE-2007-6693
>   CVE-2008-3662
>   CVE-2008-4130
> 
> Unless there's more effort by upstream and the maintainer to address this
> by isolated patches and more detailed descriptions of vulnerabilities
> we should rather drop Gallery from Lenny.
> 
> (We already discussed this internally in the Security Team in July for previous
> and came to the conclusion it should rather be removed unless the situation
> improves).
> 
> Cheers,
> Moritz

-- 
Adeodato Simó                                   dato at net.com.org.es
Debian Developer                                adeodato at debian.org

Listening to: Pastora - Invasión
Michael Schultheiss
2008-Oct-07 20:37 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
Adeodato Simó wrote:
> > Unless there's more effort by upstream and the maintainer to address this
> > by isolated patches and more detailed descriptions of vulnerabilities
> > we should rather drop Gallery from Lenny.

I'm fine with removing gallery from Lenny. Upstream does not have the
resources to provide isolated patches.

-- 
----------------------------
Michael Schultheiss
E-mail: schultmc at debian.org
Adeodato Simó
2008-Oct-07 21:37 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
* Michael Schultheiss [Tue, 07 Oct 2008 16:37:41 -0400]:
> Adeodato Simó wrote:
> > > Unless there's more effort by upstream and the maintainer to address this
> > > by isolated patches and more detailed descriptions of vulnerabilities
> > > we should rather drop Gallery from Lenny.
> 
> I'm fine with removing gallery from Lenny. Upstream does not have the
> resources to provide isolated patches.

Okay, thank you.

Security team: the package would re-enter testing after lenny, unless
you file an RC bug to that effect.

Cheers,

-- 
Adeodato Simó                                   dato at net.com.org.es
Debian Developer                                adeodato at debian.org

Listening to: Chavela Vargas - En el último trago
Moritz Muehlenhoff
2008-Oct-08 19:25 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
On Tue, Oct 07, 2008 at 11:37:03PM +0200, Adeodato Simó wrote:
> * Michael Schultheiss [Tue, 07 Oct 2008 16:37:41 -0400]:
> 
> > Adeodato Simó wrote:
> > > > Unless there's more effort by upstream and the maintainer to address this
> > > > by isolated patches and more detailed descriptions of vulnerabilities
> > > > we should rather drop Gallery from Lenny.
> 
> > I'm fine with removing gallery from Lenny. Upstream does not have the
> > resources to provide isolated patches.
> 
> Okay, thank you.
> 
> Security team: the package would re-enter testing after lenny, unless
> you file an RC bug to that effect.

That's fine, we can re-evaluate when Squeeze is coming closer.

Cheers,
Moritz
Moritz Muehlenhoff
2008-Nov-11 23:13 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
> Adeodato Simó wrote:
> > > Unless there's more effort by upstream and the maintainer to address this
> > > by isolated patches and more detailed descriptions of vulnerabilities
> > > we should rather drop Gallery from Lenny.
> 
> I'm fine with removing gallery from Lenny. Upstream does not have the
> resources to provide isolated patches.

I fear there's been a misunderstanding, my comment was targeted at Gallery
in the source package gallery2 (which is what I quoted in the Security Tracker
excerpt). Gallery 1.x (packaged in the gallery source package) seems
harmless. AFAICT right now gallery has been blocked instead of gallery2.

Cheers,
Moritz
Adeodato Simó
2008-Nov-18 21:40 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
* Moritz Muehlenhoff [Wed, 12 Nov 2008 00:13:21 +0100]:
> On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
> > Adeodato Simó wrote:
> > > > Unless there's more effort by upstream and the maintainer to address this
> > > > by isolated patches and more detailed descriptions of vulnerabilities
> > > > we should rather drop Gallery from Lenny.
> 
> > I'm fine with removing gallery from Lenny. Upstream does not have the
> > resources to provide isolated patches.
> 
> I fear there's been a misunderstanding, my comment was targeted at Gallery
> in the source package gallery2 (which is what I quoted in the Security Tracker
> excerpt). Gallery 1.x (packaged in the gallery source package) seems
> harmless. AFAICT right now gallery has been blocked instead of gallery2.

Ok, I've marked gallery2 for removal. Regarding gallery (1), it seems
that the two latest uploads that didn't make it into testing (last
version in testing was 1.5.7) both fixed many or several security
issues. Is that a package that should be released with Lenny?

In any case, the diff from gallery 1.5.7 to 1.5.9 is huge, so I'm not
sure what would have happened with it anyway...

-- 
Adeodato Simó                                   dato at net.com.org.es
Debian Developer                                adeodato at debian.org

Listening to: Dar Williams - After All
Moritz Muehlenhoff
2008-Nov-18 22:49 UTC
[Secure-testing-team] Please unblock gallery 1.5.9-1
On Tue, Nov 18, 2008 at 10:40:31PM +0100, Adeodato Simó wrote:
> * Moritz Muehlenhoff [Wed, 12 Nov 2008 00:13:21 +0100]:
> 
> > On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
> > > Adeodato Simó wrote:
> > > > > Unless there's more effort by upstream and the maintainer to address this
> > > > > by isolated patches and more detailed descriptions of vulnerabilities
> > > > > we should rather drop Gallery from Lenny.
> 
> > > I'm fine with removing gallery from Lenny. Upstream does not have the
> > > resources to provide isolated patches.
> 
> > I fear there's been a misunderstanding, my comment was targeted at Gallery
> > in the source package gallery2 (which is what I quoted in the Security Tracker
> > excerpt). Gallery 1.x (packaged in the gallery source package) seems
> > harmless. AFAICT right now gallery has been blocked instead of gallery2.
> 
> Ok, I've marked gallery2 for removal. Regarding gallery (1), it seems
> that the two latest uploads that didn't make it into testing (last
> version in testing was 1.5.7) both fixed many or several security
> issues. Is that a package that should be released with Lenny?

Gallery 1.5.x seems okay to me.

> In any case, the diff from gallery 1.5.7 to 1.5.9 is huge, so I'm not
> sure what would have happened with it anyway...

That's up to you to decide, maybe Michael can comment on it further.

Cheers,
Moritz