[Pkg-samba-maint] upload of samba 4.7.6

Andreas Hasenack andreas at canonical.com
Wed Mar 14 13:29:11 UTC 2018


On Wed, Mar 14, 2018 at 9:51 AM, Mathieu Parent (Debian) <sathieu at debian.org> wrote:

> Hello,
>
> 2018-03-14 13:36 GMT+01:00 Andreas Hasenack <andreas at canonical.com>:
> > Hi guys, (CCing Mathieu because I'm not sure he is in the list, sorry if
> > you get dupes, and is listed a lot in d/changelog)
> >
> > just checking in to see if you are about to upload 4.7.6 to Debian. I would
> > like to do that for Ubuntu, following Andrew's request (and reasoning) in
> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755059 and
> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755057. The secfixes
> > have patches, but the corruption bug patch is quite big, around 100Kb.
> >
> > Unfortunately the orig tarball is a dfsg one, so if I generate one myself
> > there is no guarantee that its md5 will match what Debian will generate,
> > even though the content will be the same (different compression levels could
> > cause that md5 to differ, for example).
> >
> > To avoid that, my plan is to use a version like 4.7.6+dfsg~ubuntu-0ubuntu1
> > for the Ubuntu package, so that when the time comes to merge with Debian
> > again, the version is different and we would avoid a potential hash mismatch
> > between the orig tarballs.
> >
> > Since we are in feature freeze mode, I'm starting on that now. These two
> > version bumps contain only bugfixes, so I can still upload it. But if you
> > are just about to upload 4.7.6 yourselves, then I wouldn't have to use this
> > odd/long version for the Ubuntu package. I also saw that the delta between
> > our packages was greatly reduced in your last 4.7.4 upload, which is great.
> >
> > Cheers!
> >
>
> Why not use 2:4.7.4+dfsg-2 which contains those two fixes?
>

You have the two security fixes (CVE-2018-1050 and CVE-2018-1057), but I
don't see a fix for https://bugzilla.samba.org/show_bug.cgi?id=13228 which
Andrew Bartlett filed against Ubuntu as
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755057




> (Alternatively, you can use our tarball, it's even in the pristine-tar
> branch.)
>
>
I'll take a look, thanks



> FYI I won't upload 4.7.6, and go straight to samba 4.8.0 in experimental
> first.
>
>
Ack