Hi Thijs, from the announcement mail:> Migrated from unstable: > ====================== > r-base 2.7.1-1+lenny1: > DTSA-162-1 : r-base - symlink attack > CVE-2008-3931:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3931> http://bugs.debian.org/496418Something is strange here (and I want to improve the announcement script). AFAICS you did a t-p-u upload for r-base. Was this the same package as the one from the DTSA? Strangely, there is no r-base package for lenny on klecker anymore. Was it removed manually? Or do the packages get removed from klecker automatically when they are accepted in t-p-u? Cheers, Stefan PS: The DTSA is here: http://lists.alioth.debian.org/pipermail/secure-testing-commits/2008-August/010110.html -------------- next part -------------- This automatic mail gives an overview over security issues that were recently fixed in Debian Testing. The majority of fixed packages migrate to testing from unstable. If this would take too long, fixed packages are uploaded to the testing-security repository instead. It can also happen that vulnerable packages are removed from Debian testing. Migrated from unstable: ======================jhead 2.84-2: CVE-2008-4641: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4641 http://bugs.debian.org/503645 kvirc 2:3.4.0-3: CVE-2008-4748: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4748 http://bugs.debian.org/503401 phpmyadmin 4:2.11.8.1-4: CVE-2008-4775: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4775 r-base 2.7.1-1+lenny1: DTSA-162-1 : r-base - symlink attack CVE-2008-3931: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3931 http://bugs.debian.org/496418 How to update: -------------- Make sure the line deb http://security.debian.org lenny/updates main contrib non-free is present in your /etc/apt/sources.list. Of course, you also need the line pointing to your normal lenny mirror. You can use aptitude update && aptitude dist-upgrade to install the updates. More information: ----------------- More information about which security issues affect Debian can be found in the security tracker: http://security-tracker.debian.net/tracker/ A list of all known unfixed security issues is at http://security-tracker.debian.net/tracker/status/release/testing -- To UNSUBSCRIBE, email to debian-testing-security-announce-request at lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org
Hi Stefan, On Tue, November 4, 2008 09:14, Stefan Fritsch wrote:> Hi Thijs, > > > from the announcement mail: > >> Migrated from unstable: >> ======================>> > >> r-base 2.7.1-1+lenny1: DTSA-162-1 : r-base - symlink attack >> CVE-2008-3931: >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3931 > >> http://bugs.debian.org/496418 >> > > Something is strange here (and I want to improve the announcement > script). AFAICS you did a t-p-u upload for r-base. Was this the same > package as the one from the DTSA? > > Strangely, there is no r-base package for lenny on klecker anymore. > Was it removed manually? Or do the packages get removed from klecker > automatically when they are accepted in t-p-u?I upload my own build of the package to t-p-u. I did this because the bug was fixed in sid but could not migrate. I looked for a DTSA but couldn''t find any (didn''t look in the ML, but in the archives). I''m not sure when and why it disappeared. cheers, Thijs
Hi, On Tuesday 04 November 2008, Thijs Kinkhorst wrote:> I upload my own build of the package to t-p-u. I did this because > the bug was fixed in sid but could not migrate. I looked for a DTSA > but couldn''t find any (didn''t look in the ML, but in the archives). > I''m not sure when and why it disappeared.OK. From the backup data from the announcement script I see that r-base 2.7.1-1+lenny1 was not in testing-security yesterday. The *changes files on klecker are in queue/broken, not in queu/done. Nico, do you remember problems when releasing the r-base DTSA? I would find it somewhat disturbing if it just disappeared. Cheers, Stefan
Hi, * Stefan Fritsch <sf at debian.org> [2008-11-04 20:18]:> On Tuesday 04 November 2008, Thijs Kinkhorst wrote: > > I upload my own build of the package to t-p-u. I did this because > > the bug was fixed in sid but could not migrate. I looked for a DTSA > > but couldn''t find any (didn''t look in the ML, but in the archives). > > I''m not sure when and why it disappeared. > > OK. From the backup data from the announcement script I see that > r-base 2.7.1-1+lenny1 was not in testing-security yesterday. > > The *changes files on klecker are in queue/broken, not in queu/done. > Nico, do you remember problems when releasing the r-base DTSA? > I would find it somewhat disturbing if it just disappeared.Nope I didn''t see any problems. Everything as usual. Is there any way to find out why it ended up in broken/? Cheers Nico -- Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081104/d6108ad9/attachment.pgp
Hi, On Tuesday 04 November 2008, Nico Golde wrote:> * Stefan Fritsch <sf at debian.org> [2008-11-04 20:18]: > > On Tuesday 04 November 2008, Thijs Kinkhorst wrote: > > > I upload my own build of the package to t-p-u. I did this > > > because the bug was fixed in sid but could not migrate. I > > > looked for a DTSA but couldn''t find any (didn''t look in the ML, > > > but in the archives). I''m not sure when and why it disappeared. > > > > OK. From the backup data from the announcement script I see that > > r-base 2.7.1-1+lenny1 was not in testing-security yesterday. > > > > The *changes files on klecker are in queue/broken, not in > > queu/done. Nico, do you remember problems when releasing the > > r-base DTSA? I would find it somewhat disturbing if it just > > disappeared. > > Nope I didn''t see any problems. Everything as usual. Is > there any way to find out why it ended up in broken/?I don''t know. Since the announcement mail in August [1] has it, it is likely that it was available then, and was removed later. The mtime on klecker seems to indicate that it may have been removed on Oct 18: $ ls -ld ftp/pool/updates/main/r/r-base/ drwxrwsr-x 2 dak debadmin 4096 Oct 18 23:36 ftp/pool/updates/main/r/r-base/ @ftp-master: Is there any log on klecker that may indicate why r-base was removed from testing-security? Thanks for your help. Cheers, Stefan PS: Wouldn''t it make sense to make /org/security.debian.org/queue/REPORT readable for group sec_embargo? [1] http://lists.debian.org/debian-testing-security-announce/2008/08/msg00019.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081105/0a5a5868/attachment.pgp
Hi, Stefan Fritsch wrote:> @ftp-master: Is there any log on klecker that may indicate why r-base > was removed from testing-security?It was one of the three packages erroneously removed from the security testing archive when I had a bug in a script to identify obsolete packages adding the three "still needed" packages in [1] to a removal list. I believe Neil McGovern and Joerg Jaspert worked on undoing the damage, though I''m ignorant of what exactly they did. (I don''t access klecker myself.) Kind regards T. 1. http://ftp-master.debian.org/~tviehmann/obsolete-testing-security/output.txt -- Thomas Viehmann, http://thomas.viehmann.net/
Hi Thomas, On Wednesday 05 November 2008, Thomas Viehmann wrote:> Stefan Fritsch wrote: > > @ftp-master: Is there any log on klecker that may indicate why > > r-base was removed from testing-security? > > It was one of the three packages erroneously removed from the > security testing archive when I had a bug in a script to identify > obsolete packages adding the three "still needed" packages in [1] > to a removal list. I believe Neil McGovern and Joerg Jaspert worked > on undoing the damage, though I''m ignorant of what exactly they > did. (I don''t access klecker myself.)Thanks, that explains it then. The other two packages, e2fsprogs and bugzilla, are fixed in testing by now, too. Cheers, Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081106/122e5721/attachment.pgp