Secure testing team - Sep 2008 - Please unblock gallery 1.5.9-1

Please unblock gallery 1.5.9-1.  This is a security release that fixed
CVE-2008-3662 and CVE-2008-4129.  The CVE''s were not listed in the
changelog since I did not know the CVE numbers when the package was
built.

-- 
----------------------------
Michael Schultheiss
E-mail: schultmc at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080929/c9cad843/attachment.pgp

On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss
wrote:
> Please unblock gallery 1.5.9-1.  This is a security release that fixed
> CVE-2008-3662 and CVE-2008-4129.  The CVE''s were not listed in the
> changelog since I did not know the CVE numbers when the package was
> built.
> 
Gah.
Images have changed, $Id$ changes and whitespace formatting, as well as things
like:

-               $gallery->user->canCreateSubAlbum($gallery->album)) {
+                      
$gallery->user->canCreateSubAlbum($gallery->album))
+               {

Some pofiles also seem to have dissapeared.

This all leads to:
 828 files changed, 43756 insertions(+), 431897 deletions(-)

I''m not reviewing this, sorry.

s-t team: if someone can do so, I''ll hint it in. Otherwise,
I''ll need a DTSA please.

Neil
-- 
<Yoe> is _that_ gunnar?
<weasel> yes
<Yoe> what happened to his tires?
<towersbe> He''s shrunk. I think his wife washed him at too high a
temperature.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080930/38c4be49/attachment.pgp

On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern
wrote:
> On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > Please unblock gallery 1.5.9-1.  This is a security release that fixed
> > CVE-2008-3662 and CVE-2008-4129.  The CVE''s were not listed
in the
> > changelog since I did not know the CVE numbers when the package was
> > built.
> > 
> 
> Gah.
> Images have changed, $Id$ changes and whitespace formatting, as well as
things like:
> 
> -              
$gallery->user->canCreateSubAlbum($gallery->album)) {
> +                      
$gallery->user->canCreateSubAlbum($gallery->album))
> +               {
> 
> Some pofiles also seem to have dissapeared.
> 
> This all leads to:
>  828 files changed, 43756 insertions(+), 431897 deletions(-)
> 
> I''m not reviewing this, sorry.
> 
> s-t team: if someone can do so, I''ll hint it in. Otherwise,
I''ll need a DTSA please.
This has happened for previous Gallery releases before and in fact many
issues are still open in Etch:

   gallery2            [45]CVE-2008-4129        medium
                       [46]CVE-2008-1066        low
                       [47]CVE-2008-2720        low
                       [48]CVE-2008-2721        low
                       [49]CVE-2008-2722        low
                       [50]CVE-2008-2723        low
                       [51]CVE-2008-2724        low
                       [52]CVE-2007-6685
                       [53]CVE-2007-6686
                       [54]CVE-2007-6687
                       [55]CVE-2007-6688
                       [56]CVE-2007-6689
                       [57]CVE-2007-6690
                       [58]CVE-2007-6691
                       [59]CVE-2007-6692
                       [60]CVE-2007-6693
                       [61]CVE-2008-3662
                       [62]CVE-2008-4130

Unless there''s more effort by upstream and the maintainer to address
this
by isolated patches and more detailed descriptions of vulnerabilities
we should rather drop Gallery from Lenny.

(We already discussed this internally in the Security Team in July for previous
and came to the conclusion it should rather be removed unless the situation
improves).

Cheers,
        Moritz

CCing maintainer, who was dropped from the discussion.

* Moritz Muehlenhoff [Sat, 04 Oct 2008 22:28:15 +0200]:
> On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> > On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > > Please unblock gallery 1.5.9-1.  This is a security release that
fixed
> > > CVE-2008-3662 and CVE-2008-4129.  The CVE''s were not
listed in the
> > > changelog since I did not know the CVE numbers when the package
was
> > > built.
> > Gah.
> > Images have changed, $Id$ changes and whitespace formatting, as well
as things like:
> > -              
$gallery->user->canCreateSubAlbum($gallery->album)) {
> > +                      
$gallery->user->canCreateSubAlbum($gallery->album))
> > +               {
> > Some pofiles also seem to have dissapeared.
> > This all leads to:
> >  828 files changed, 43756 insertions(+), 431897 deletions(-)
> > I''m not reviewing this, sorry.
> > s-t team: if someone can do so, I''ll hint it in. Otherwise,
I''ll need a DTSA please.
> This has happened for previous Gallery releases before and in fact many
> issues are still open in Etch:
>    gallery2            [45]CVE-2008-4129        medium
>                        [46]CVE-2008-1066        low
>                        [47]CVE-2008-2720        low
>                        [48]CVE-2008-2721        low
>                        [49]CVE-2008-2722        low
>                        [50]CVE-2008-2723        low
>                        [51]CVE-2008-2724        low
>                        [52]CVE-2007-6685
>                        [53]CVE-2007-6686
>                        [54]CVE-2007-6687
>                        [55]CVE-2007-6688
>                        [56]CVE-2007-6689
>                        [57]CVE-2007-6690
>                        [58]CVE-2007-6691
>                        [59]CVE-2007-6692
>                        [60]CVE-2007-6693
>                        [61]CVE-2008-3662
>                        [62]CVE-2008-4130
> Unless there''s more effort by upstream and the maintainer to
address this
> by isolated patches and more detailed descriptions of vulnerabilities
> we should rather drop Gallery from Lenny.
> (We already discussed this internally in the Security Team in July for
previous
> and came to the conclusion it should rather be removed unless the situation
> improves).
> Cheers,
>         Moritz


-- 
Adeodato Sim?                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                        Listening to: Pastora - Invasi?n

Adeodato Sim? wrote:
> > Unless there''s more effort by upstream and the maintainer to
address this
> > by isolated patches and more detailed descriptions of vulnerabilities
> > we should rather drop Gallery from Lenny.
I''m fine with removing gallery from Lenny.  Upstream does not have the
resources to provide isolated patches.

-- 
----------------------------
Michael Schultheiss
E-mail: schultmc at debian.org

* Michael Schultheiss [Tue, 07 Oct 2008 16:37:41 -0400]:
> Adeodato Sim? wrote:
> > > Unless there''s more effort by upstream and the
maintainer to address this
> > > by isolated patches and more detailed descriptions of
vulnerabilities
> > > we should rather drop Gallery from Lenny.
> I''m fine with removing gallery from Lenny.  Upstream does not have
the
> resources to provide isolated patches.
Okay, thank you.

Security team: the package would re-enter testing after lenny, unless
you file an RC bug to that effect.

Cheers,

-- 
Adeodato Sim?                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                       Listening to: Chavela Vargas - En el ?ltimo trago

On Tue, Oct 07, 2008 at 11:37:03PM +0200, Adeodato Sim?
wrote:
> * Michael Schultheiss [Tue, 07 Oct 2008 16:37:41 -0400]:
> 
> > Adeodato Sim? wrote:
> > > > Unless there''s more effort by upstream and the
maintainer to address this
> > > > by isolated patches and more detailed descriptions of
vulnerabilities
> > > > we should rather drop Gallery from Lenny.
> 
> > I''m fine with removing gallery from Lenny.  Upstream does not
have the
> > resources to provide isolated patches.
> 
> Okay, thank you.
> 
> Security team: the package would re-enter testing after lenny, unless
> you file an RC bug to that effect.
That''s fine, we can re-evaluate when Squeeze is coming closer.

Cheers,
        Moritz

On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss
wrote:
> Adeodato Sim? wrote:
> > > Unless there''s more effort by upstream and the
maintainer to address this
> > > by isolated patches and more detailed descriptions of
vulnerabilities
> > > we should rather drop Gallery from Lenny.
> 
> I''m fine with removing gallery from Lenny.  Upstream does not have
the
> resources to provide isolated patches.
I fear there''s been a misunderstanding, my comment was targeted at
Gallery
in the source package gallery2 (which I was I quoted in the Security Tracker
excerpt). Gallery 1.x (was packaged in the gallery source package seems
harmless. AFAICT right now gallery has been blocked instead of gallery2.

Cheers,
        Moritz

* Moritz Muehlenhoff [Wed, 12 Nov 2008 00:13:21 +0100]:
> On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
> > Adeodato Sim? wrote:
> > > > Unless there''s more effort by upstream and the
maintainer to address this
> > > > by isolated patches and more detailed descriptions of
vulnerabilities
> > > > we should rather drop Gallery from Lenny.
> > I''m fine with removing gallery from Lenny.  Upstream does not
have the
> > resources to provide isolated patches.
> I fear there''s been a misunderstanding, my comment was targeted at
Gallery
> in the source package gallery2 (which I was I quoted in the Security
Tracker
> excerpt). Gallery 1.x (was packaged in the gallery source package seems
> harmless. AFAICT right now gallery has been blocked instead of gallery2.
Ok, I''ve marked gallery2 for removal. Regarding gallery (1), it seems
that the two latest uploads that didn''t make it into testing (last
version in testing was 1.5.7) both fixed many or several security
issues. Is that a package that should be released with Lenny?

In any case, the diff from gallery 1.5.7 to 1.5.9 is huge, so I''m not
sure what would have happened with it anyway...

-- 
Adeodato Sim?                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                  Listening to: Dar Williams - After All

On Tue, Nov 18, 2008 at 10:40:31PM +0100, Adeodato Sim?
wrote:
> * Moritz Muehlenhoff [Wed, 12 Nov 2008 00:13:21 +0100]:
> 
> > On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
> > > Adeodato Sim? wrote:
> > > > > Unless there''s more effort by upstream and the
maintainer to address this
> > > > > by isolated patches and more detailed descriptions of
vulnerabilities
> > > > > we should rather drop Gallery from Lenny.
> 
> > > I''m fine with removing gallery from Lenny.  Upstream
does not have the
> > > resources to provide isolated patches.
> 
> > I fear there''s been a misunderstanding, my comment was
targeted at Gallery
> > in the source package gallery2 (which I was I quoted in the Security
Tracker
> > excerpt). Gallery 1.x (was packaged in the gallery source package
seems
> > harmless. AFAICT right now gallery has been blocked instead of
gallery2.
> 
> Ok, I''ve marked gallery2 for removal. Regarding gallery (1), it
seems
> that the two latest uploads that didn''t make it into testing (last
> version in testing was 1.5.7) both fixed many or several security
> issues. Is that a package that should be released with Lenny?
Gallery 1.5.x seems okay to me.
 
> In any case, the diff from gallery 1.5.7 to 1.5.9 is huge, so I''m
not
> sure what would have happened with it anyway...
That''s up for you decide, maybe Michael can comment on it further.

Cheers,
        Moritz