[Debian-ha-maintainers] Bug#973254: pacemaker: CVE-2020-25654 upload prepared

wferi at niif.hu
Thu Nov 12 18:08:26 GMT 2020


Moritz Mühlenhoff <jmm at inutil.org> writes:

> On Sat, Nov 07, 2020 at 08:56:38PM +0100, wferi at niif.hu wrote:
> 
>> I propose a security upload with the debdiff below.  The patch series
>> posted by upstream against 2.0.3 applies cleanly to the buster source,
>> and is hereby included.  I'll try to do some testing while you review.
>
> Thanks, this looks. I also compared the upstream 2.0.3 patch set against
> the update Ubuntu released for their 20.4 release (which also ships
> 2.0.3) and which is identical (and without reported regressions so far)

Cool.  One can't possibly test all relevant use cases here.

> Please upload to security-master if your tests were fine as well

Done.  I managed to provoke some of the new denials with the updated
package, and basic cluster operation remained unperturbed.

I think the changelog entry will work well enough as the DSA text.
The LTS update used a shorter version, which is fine as well.

> (and remember to build with -sa since pacemaker is new in
> buster-security (ftp.debian.org and security.debian.org don't share
> tarballs)

The --source-only-changes switch of sbuild seems to counteract -sa, but
I tried to revert that with changestool.  Hope it's fine.  If only I
also remembered to remove the buildinfo file...  Or is that problem
fixed already?

Salvatore Bonaccorso <carnil at debian.org> writes:

> Thanks for your upload to unstable!
>
> On Tue, Nov 10, 2020 at 10:34:18PM +0000, Debian FTP Masters wrote:
>>    * [6956006] New upstream pre-release (2.0.5~rc2) (Closes: #973254)
>
> Bonus point: please do include the assigned CVE id references which
> makes it easier to cross-check and track fixes for security issues.

I'll add the CVE ID to the changelog in the next upload, sorry.

> Thanks for your work here and for the stable upload!

Rather: thanks for your (plural) tireless work archive wide!
-- 
Cheers,
Feri