Debian Bug report logs - #690075
unblock: dnsmasq/2.63-4

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 9 Oct 2012 17:54:01 UTC

Severity: normal

Tags: moreinfo

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, simon@thekelleys.org.uk, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Tue, 09 Oct 2012 17:54:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to simon@thekelleys.org.uk, Debian Release Team <debian-release@lists.debian.org>. (Tue, 09 Oct 2012 17:54:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: dnsmasq/2.63-4
Date: Tue, 09 Oct 2012 19:51:26 +0200

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package dnsmasq

It fixes CVE-2012-3411

unblock dnsmasq/2.63-4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Sat, 10 Nov 2012 15:15:03 GMT).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 10 Nov 2012 15:15:03 GMT).


Message #10 received at 690075@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, Simon Kelley <simon@thekelleys.org.uk>
Cc: 690075@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Sat, 10 Nov 2012 16:10:40 +0100

tags 690075 + moreinfo
thanks

Hi Moritz,

Moritz Muehlenhoff wrote (09 Oct 2012 17:51:26 GMT) :
> Please unblock package dnsmasq
> It fixes CVE-2012-3411
> unblock dnsmasq/2.63-4

The new upstream version includes quite a few changes that are
unrelated to the security fix, which probably partly explains why
nobody reviewed the proposed changes yet.

However, determining which exact set of patches should be backported
from upstream to fix this issue is not trivial, and I guess that's why
Moritz asks for the whole thing to be unblocked:

54dd393 (Add --bind-dynamic) is obvious, but a few follow-up commits
come to fix the problems brought by the initial implementation; at
least these two ones seem needed:

 * 2b5bae9 -- Fall back from --bind-dynamic to --bind-interfaces in
   BSD, rather than quitting
 * 5f11b3e -- Cope with --listen-address for not yet existent addr in
   bind-dynamic mode

... and I would not bet that's enough.

Simon, are you interested in listing the commits that are needed,
on top of 2.62-3, to fix CVE-2012-3411 without breaking anything?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Added tag(s) moreinfo. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 10 Nov 2012 15:15:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Mon, 12 Nov 2012 21:09:05 GMT).


Acknowledgement sent to Simon Kelley <simon@thekelleys.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 12 Nov 2012 21:09:05 GMT).


Message #17 received at 690075@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: intrigeri <intrigeri@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 690075@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Mon, 12 Nov 2012 21:05:35 +0000

On 10/11/12 15:10, intrigeri wrote:
> tags 690075 + moreinfo
> thanks
>
> Hi Moritz,
>
> Moritz Muehlenhoff wrote (09 Oct 2012 17:51:26 GMT) :
>> Please unblock package dnsmasq
>> It fixes CVE-2012-3411
>> unblock dnsmasq/2.63-4
>
> The new upstream version includes quite a few changes that are
> unrelated to the security fix, which probably partly explains why
> nobody reviewed the proposed changes yet.
>
> However, determining which exact set of patches should be backported
> from upstream to fix this issue is not trivial, and I guess that's why
> Moritz asks for the whole thing to be unblocked:
>
> 54dd393 (Add --bind-dynamic) is obvious, but a few follow-up commits
> come to fix the problems brought by the initial implementation; at
> least these two ones seem needed:
>
>   * 2b5bae9 -- Fall back from --bind-dynamic to --bind-interfaces in
>     BSD, rather than quitting
>   * 5f11b3e -- Cope with --listen-address for not yet existent addr in
>     bind-dynamic mode
>
> ... and I would not bet that's enough.
>
> Simon, are you interested in listing the commits that are needed,
> on top of 2.62-3, to fix CVE-2012-3411 without breaking anything?
>


I'd strongly suggest moving to 2.63-4, rather than backporting. The 
changes for the security fix are not trivial, and probability of
introducing a bug backporting is much larger than the probability that
there's an un-found bug in 2.63 which is not in 2.62. There are no 
intended backwards incompatibilities between 2.63 and 2.62, and no 
un-intended ones have been found in the three months since 2.63 was 
released.


Cheers,

Simon.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Thu, 15 Nov 2012 11:30:04 GMT).


Acknowledgement sent to intrigeri <intrigeri@boum.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 15 Nov 2012 11:30:04 GMT).


Message #22 received at 690075@bugs.debian.org:

From: intrigeri <intrigeri@boum.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: 690075@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Thu, 15 Nov 2012 00:58:44 +0100

Hi,

Simon Kelley wrote (12 Nov 2012 21:05:35 GMT) :
> I'd strongly suggest moving to 2.63-4, rather than backporting.
> The changes for the security fix are not trivial, and probability of
> introducing a bug backporting is much larger than the probability
> that there's an un-found bug in 2.63 which is not in 2.62. There are
> no intended backwards incompatibilities between 2.63 and 2.62, and
> no un-intended ones have been found in the three months since 2.63
> was released.

Then, this matter goes way out of the scope of my humble "help the
release team with a few easy reviews" effort.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Wed, 12 Dec 2012 11:15:04 GMT).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 12 Dec 2012 11:15:05 GMT).


Message #27 received at 690075@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: Simon Kelley <simon@thekelleys.org.uk>, Moritz Muehlenhoff <jmm@debian.org>
Cc: 690075@bugs.debian.org
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Wed, 12 Dec 2012 12:11:12 +0100

Hi,

intrigeri wrote (14 Nov 2012 23:58:44 GMT) :
> Simon Kelley wrote (12 Nov 2012 21:05:35 GMT) :
>> I'd strongly suggest moving to 2.63-4, rather than backporting.
>> The changes for the security fix are not trivial, and probability of
>> introducing a bug backporting is much larger than the probability
>> that there's an un-found bug in 2.63 which is not in 2.62. There are
>> no intended backwards incompatibilities between 2.63 and 2.62, and
>> no un-intended ones have been found in the three months since 2.63
>> was released.

> Then, this matter goes way out of the scope of my humble "help the
> release team with a few easy reviews" effort.

A new upstream release was uploaded to unstable since then, so this
unblock request can't be satisfied as is. Please either update or
close it.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#690075; Package release.debian.org. (Tue, 05 Feb 2013 23:09:03 GMT).


Acknowledgement sent to Michael Stapelberg <stapelberg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 05 Feb 2013 23:09:03 GMT).


Message #32 received at 690075@bugs.debian.org:

From: Michael Stapelberg <stapelberg@debian.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: intrigeri <intrigeri@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 690075@bugs.debian.org
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Wed, 6 Feb 2013 00:07:21 +0100

On Wed, 12 Dec 2012 12:11:12 +0100
intrigeri <intrigeri@debian.org> wrote:
> A new upstream release was uploaded to unstable since then, so this
> unblock request can't be satisfied as is. Please either update or
> close it.
Actually, unstable got 2.64-1 _and_ 2.65-1 by now.

Simon: Are these uploads necessary to fix the security issue this
unblock request talks about (CVE-2012-3411)?

If so, can you please close this unblock request and open a new one?

If not, it would be better to upload new versions to experimental
during the freeze. Your best option (AFAICT) is to prepare an upload to
t-p-u now.

Thanks.

-- 
Best regards,
Michael



Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Wed, 06 Feb 2013 16:48:03 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 06 Feb 2013 16:48:03 GMT).


Message #37 received at 690075-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Stapelberg <stapelberg@debian.org>
Cc: Simon Kelley <simon@thekelleys.org.uk>, intrigeri <intrigeri@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 690075-done@bugs.debian.org
Subject: Re: Bug#690075: unblock: dnsmasq/2.63-4
Date: Wed, 6 Feb 2013 17:43:19 +0100

On Wed, Feb 06, 2013 at 12:07:21AM +0100, Michael Stapelberg wrote:
> On Wed, 12 Dec 2012 12:11:12 +0100
> intrigeri <intrigeri@debian.org> wrote:
> > A new upstream release was uploaded to unstable since then, so this
> > unblock request can't be satisfied as is. Please either update or
> > close it.
> Actually, unstable got 2.64-1 _and_ 2.65-1 by now.
> 
> Simon: Are these uploads necessary to fix the security issue this
> unblock request talks about (CVE-2012-3411)?
> 
> If so, can you please close this unblock request and open a new one?
> 
> If not, it would be better to upload new versions to experimental
> during the freeze. Your best option (AFAICT) is to prepare an upload to
> t-p-u now.

That unblock request can be closed, since the required changes are too
intrusive at this point of the release.

The impact of the security issue is low and we won't fix it for Wheezy.
 
Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Mar 2013 07:27:40 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 19 05:36:46 2024; Machine Name: buxtehude
