
Bug#698925: unblock: glpi/0.83.31-2


Pierre Chifflier

Jan 25, 2013, 6:10:02 AM
Package: release.debian.org
Severity: normal
User: release.d...@packages.debian.org
Usertags: unblock

Please unblock package glpi

This fixes a security issue, and should allow glpi not to be removed
from wheezy.

Changelog:
glpi (0.83.31-2) unstable; urgency=high
.
* Security fixes:
Replace embedded copy of extjs by Debian package, the embedded one
contains a flash file built with a vulnerable version of yui
(charts.swf).
(Closes: #694642)
* Urgency high, this is a RC bug

Full debdiff attached.

Regards,
Pierre

unblock glpi/0.83.31-2

-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.55.pollux-grsec (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
debdiff-0.83.31-1-2.diff

Niels Thykier

Jan 25, 2013, 6:30:02 AM
Control: tags -1 moreinfo

On 2013-01-25 11:51, Pierre Chifflier wrote:
> Package: release.debian.org
> Severity: normal
> User: release.d...@packages.debian.org
> Usertags: unblock
>
> Please unblock package glpi
>
> This fixes a security issue, and should allow glpi not to be removed
> from wheezy.
>
> Changelog:
> glpi (0.83.31-2) unstable; urgency=high
> .
> * Security fixes:
> Replace embedded copy of extjs by Debian package, the embedded one
> contains a flash file built with a vulnerable version of yui
> (charts.swf).
> (Closes: #694642)
> * Urgency high, this is a RC bug
>
> Full debdiff attached.
>
> Regards,
> Pierre
>
> unblock glpi/0.83.31-2
>
> [...]

Hi,

Paul Wise suggested that there are no sources for the affected files[1].
If so, they should be removed from the source package[2].

~Niels

[1] https://lists.debian.org/debian-release/2013/01/msg00951.html

[2] http://www.debian.org/social_contract

DFSG §2

"""
The program must include source code, [...].
"""



Pierre Chifflier

Jan 25, 2013, 7:10:03 AM
Hi,

I will indeed remove the files from the source. I just did a minimal
diff for the inclusion in testing, to make sure the .swf file is not
included in binary packages, and make the source repackaging stuff in a
second step.

Regards,
Pierre

Christian PERRIER

Jan 25, 2013, 1:20:01 PM
Quoting Pierre Chifflier (pol...@debian.org):

> I will indeed remove the files from the source. I just did a minimal
> diff for the inclusion in testing, to make sure the .swf file is not
> included in binary packages, and make the source repackaging stuff in a
> second step.


I'm afraid you *have* to repackage to get the package in testing, as
having a .swf file without source code might be considered an RC bug
itself.

Indeed, the security bug is *also* RC because .swf files are not built
from source. There should maybe be two RC bugs and not one....but,
anyway, you probably get the point.

Thanks, anyway, for your quick reaction.


signature.asc

Niels Thykier

Jan 26, 2013, 7:50:02 AM
Control: tags -1 moreinfo

On 2013-01-25 18:57, Christian PERRIER wrote:
> Quoting Pierre Chifflier (pol...@debian.org):
>
>> I will indeed remove the files from the source. I just did a minimal
>> diff for the inclusion in testing, to make sure the .swf file is not
>> included in binary packages, and make the source repackaging stuff in a
>> second step.
>
>
> I'm afraid you *have* to repackage to get the package in testing as
> having .swf file without source code might be considered an RC bug
> itself.
>

Indeed, this would be preferred from the RT PoV as we then only have to
unblock your package once.

> Indeed, the security bug is *also* RC because .swf files are not built
> from source. There should maybe be two RC bugs and not one....but,
> anyway, you probably get the point.
>
> Thanks, anyway, for your quick reaction.
>

Also, thanks for the quick reaction time :)

~Niels

Pierre Chifflier

Feb 19, 2013, 2:40:02 PM
On Sat, Jan 26, 2013 at 01:39:57PM +0100, Niels Thykier wrote:
> Control: tags -1 moreinfo
>
> On 2013-01-25 18:57, Christian PERRIER wrote:
> > Quoting Pierre Chifflier (pol...@debian.org):
> >
> >> I will indeed remove the files from the source. I just did a minimal
> >> diff for the inclusion in testing, to make sure the .swf file is not
> >> included in binary packages, and make the source repackaging stuff in a
> >> second step.
> >
> >
> > I'm afraid you *have* to repackage to get the package in testing as
> > having .swf file without source code might be considered an RC bug
> > itself.
> >
>
> Indeed, this would be preferred from the RT PoV as we then only have to
> unblock your package once.

Hi,

I finally had some time to work on a new package, with both removing the
extjs library, and fixing the symlink to the library.

Since the source is repackaged, I named the new package
glpi 0.83.31+dfsg-1

The problem is, the diff is huge (3.5M) due to the removal of the extjs
library, so I cannot attach it to this mail. I have attached to this
mail a diffstat of the debdiff, and an extract to show all changes not
being removals. Can you check the diff and confirm whether this is ok for
you? If you need the complete diff I can of course upload it to a
server.

If this is fine, what is the next step? Should I open a new bug for the
release team? Should I also upload the repackaged source in unstable
before (or at the same time)?

Thanks,
Pierre

wheezy_dfsg.diffstat
wheezy_dfsg_extract_noextjs.diff
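The repackaging step discussed above, written out as an added example (this is not the glpi maintainer's script or debdiff): strip the embedded extjs copy from the upstream tarball, refuse to continue if any .swf binary survives, and emit a +dfsg orig tarball. The lib/extjs path and the sample tarball are assumptions constructed for running it offline.

```shell
#!/bin/sh
# Added example: +dfsg repack that drops the embedded extjs copy (incl. charts.swf).
set -eu

# Embedded third-party trees to strip (assumed path; edit for the real tree).
STRIP_DIRS="lib/extjs"

# count_swf TREE: number of Flash binaries left anywhere under TREE.
count_swf() {
    find "$1" -type f -name '*.swf' | wc -l | tr -d ' '
}

# strip_nonfree TREE: remove the embedded library, then fail if any .swf
# remains, since a Flash binary with no source is exactly the DFSG §2 problem.
strip_nonfree() {
    tree="$1"
    for d in $STRIP_DIRS; do
        rm -rf "$tree/$d"
    done
    [ "$(count_swf "$tree")" -eq 0 ]
}

# repack_dfsg TARBALL PKG VERSION OUTDIR: unpack upstream, strip it, and write
# OUTDIR/PKG_VERSION+dfsg.orig.tar.gz; prints the path of the new tarball.
repack_dfsg() {
    tarball="$1"; pkg="$2"; ver="$3"; outdir="$4"
    work=$(mktemp -d)
    mkdir -p "$work/src" "$outdir"
    tar -xzf "$tarball" --strip-components=1 -C "$work/src"
    strip_nonfree "$work/src"
    newdir="$pkg-$ver+dfsg"
    mv "$work/src" "$work/$newdir"
    out="$outdir/${pkg}_${ver}+dfsg.orig.tar.gz"
    tar -czf "$out" -C "$work" "$newdir"
    rm -rf "$work"
    printf '%s\n' "$out"
}

# make_sample_upstream OUTFILE: constructed stand-in for the upstream tarball,
# with a PHP entry point and an embedded extjs tree carrying a fake charts.swf.
make_sample_upstream() {
    w=$(mktemp -d)
    mkdir -p "$w/glpi-0.83.31/lib/extjs/resources"
    printf '<?php echo "glpi";\n' > "$w/glpi-0.83.31/index.php"
    printf '// extjs\n' > "$w/glpi-0.83.31/lib/extjs/ext-all.js"
    printf 'FWS fake flash header\n' > "$w/glpi-0.83.31/lib/extjs/resources/charts.swf"
    tar -czf "$1" -C "$w" glpi-0.83.31
    rm -rf "$w"
}
```

Running `make_sample_upstream up.tar.gz && repack_dfsg up.tar.gz glpi 0.83.31 out` yields `out/glpi_0.83.31+dfsg.orig.tar.gz` whose top directory is `glpi-0.83.31+dfsg` with no lib/extjs and no .swf files.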

Niels Thykier

Mar 6, 2013, 3:40:02 PM
On 2013-02-19 20:21, Pierre Chifflier wrote:
> On Sat, Jan 26, 2013 at 01:39:57PM +0100, Niels Thykier wrote:
>> Control: tags -1 moreinfo
>>
>> [...]
>
> Hi,
>

Hi,

> I finally had some time to work on a new package, with both removing the
> extjs library, and fixing the symlink to the library.
>
> Since the source is repackaged, I named the new package
> glpi 0.83.31+dfsg-1
>

Great.

> The problem is, the diff is huge (3.5M) due to the removal of the extjs
> library, so I cannot attach it to this mail. I have attached to this
> mail a diffstat of the debdiff, and an extract to show all changes not
> being removals. Can you check the diff and confirm me if this is ok for
> you ? If you need to complete diff I can of course upload it to a
> server.
>

The changes look fine.

> If this is fine, what is the next step ? Should I open a new bug for the
> release team ? Should I also upload the repackaged source in unstable
> before (or at the same time) ?
>
> Thanks,
> Pierre
>

#694642 got downgraded since last time I looked. I have to admit that I
am considering just "ignoring" the embedded swf issue in Wheezy[1] and
calling it a day. I know it is not as satisfying for you (or me for that
matter), but I think it is the pragmatic thing to do here.
That said, you can just upload that version to sid; if we change our
minds the fixed version will have had a bit more time in sid. And if
not, then the bug is at least fixed in the start of Jessie.

~Niels

[1] We already got a few "DFSG-incompatible JSON" issues that won't be
fixed in Wheezy.