[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)

Daniel Pocock daniel at pocock.com.au
Sat Jan 19 21:15:00 UTC 2013



On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> Hi Daniel, hi all
> 
> Ok let's try to reassume (I feel like there is some confusion ;-))
> 
> Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> be based on this. Usually introducing a new upstream version is not
> accepted for security updates (an exception is e.g. mysql, where it
> seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
> a Squeeze update.

The upstream 3.1 branch only receives updates of the type that qualify
for the stable branch in Debian (e.g. security updates, fixes for
segfaults).  The 3.1.8 upstream release only differs from 3.1.7 with the
addition of the fix for this issue.

In this instance, upstream even created a 3.1.8 branch off the 3.1
branch, just to isolate the fix:

https://github.com/ganglia/monitor-core/commits/release/3.1.8


> Adjusting the Subject of this mail to avoid further confusions.
> 
> The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
> files changed, 49330 insertions(+), 73094 deletions(-)).
>
> The isolated fix is only in web/graph.php right?

This seems odd, and not what I would expect if I check upstream:

git clone git@github.com:ganglia/monitor-core.git

cd monitor-core
git diff monitor-core-3.1.7 3.1.8

(from that diff, ignore the git2dist and bootstrap changes, those files
are not released in the tarballs)

Is it possible that dpkg-buildpackage is incorrectly regenerating the
tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?

I PGP sign the upstream release announcements, so it should be easy to
verify.
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

> So the upload for stable-security needs only to include the fix to
> actually fix CVE-2012-3448, which seems the part discussed. You as
> contributor upstream might give some more hints what is actually
> needed apart from the change in web/graph.php (if there is any).
> 
> p.s.: I'm not trying to hijack your work, but only would like to make
>       sure that the fix gets into Squeeze for CVE-2012-3448.

I agree this needs to be understood; you'll notice from github that
georgiou (Fedora maintainer) did the backport onto the branch and then I
cut the upstream release.  It's good to have multiple people involved in
the process to double-check things like this.  If we are not sure the
fix is correct or complete, it probably needs to be raised on ganglia-dev.
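The check the thread is circling around (does the 3.1.7 -> 3.1.8 delta really touch only web/graph.php once the unreleased git2dist and bootstrap helpers are ignored?) can be automated against two unpacked trees. The following is an added example written for this page; it is not code from the thread or from the Ganglia project. It builds two small constructed sample trees under mktemp to stand in for the 3.1.7 and 3.1.8 release directories; the function names, the sample file contents and the temporary paths are assumptions, and the expected-file list passed to only_touches is the one the thread names.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare two unpacked
# release trees, list the files that differ while ignoring build helpers
# that are not shipped in release tarballs, and confirm the result matches
# the files a backported security fix is expected to touch.

# Files that live in the git tree but are not released in tarballs
# (git2dist and bootstrap, as noted in the thread).
IGNORED_FILES="git2dist bootstrap"

# changed_files OLD_DIR NEW_DIR
# Prints the paths (relative to the tree root) that differ between the
# two trees, one per line, sorted, excluding IGNORED_FILES.
changed_files() {
    old="$1"; new="$2"
    diff -rq "$old" "$new" 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            Files\ *)
                # "Files OLD/path and NEW/path differ"
                p=${line#"Files $old/"}
                p=${p%%" and "*}
                ;;
            Only\ in\ *)
                # "Only in DIR: name" (file added or removed)
                d=${line#"Only in "}
                dir=${d%%": "*}
                name=${d#*": "}
                p="$dir/$name"
                p=${p#"$old/"}
                p=${p#"$new/"}
                ;;
            *) continue ;;
        esac
        for ig in $IGNORED_FILES; do
            [ "$p" = "$ig" ] && continue 2
        done
        printf '%s\n' "$p"
    done | sort
}

# only_touches OLD_DIR NEW_DIR EXPECTED_PATH...
# Succeeds only if the changed-file list is exactly the expected list.
only_touches() {
    old="$1"; new="$2"; shift 2
    expected=$(printf '%s\n' "$@" | sort)
    actual=$(changed_files "$old" "$new")
    [ "$actual" = "$expected" ]
}

# make_sample_trees: constructed stand-ins for the 3.1.7 and 3.1.8 trees
# (sample data, not the real Ganglia sources). Prints the base directory.
make_sample_trees() {
    base=$(mktemp -d)
    for v in 3.1.7 3.1.8; do
        mkdir -p "$base/$v/web" "$base/$v/gmond"
        printf '<?php\n// graph.php\n' > "$base/$v/web/graph.php"
        printf 'int main(void) { return 0; }\n' > "$base/$v/gmond/gmond.c"
        printf '#!/bin/sh\n' > "$base/$v/bootstrap"
    done
    # The isolated fix: only web/graph.php differs in the newer tree.
    printf '<?php\n// graph.php (with input-escaping fix)\n' > "$base/3.1.8/web/graph.php"
    # git2dist is present in the git checkout but never shipped in tarballs.
    printf '#!/bin/sh\n' > "$base/3.1.8/git2dist"
    printf '%s\n' "$base"
}

# Stand-alone demonstration on the constructed trees.
demo_base=$(make_sample_trees)
echo "changed files (ignoring unreleased helpers):"
changed_files "$demo_base/3.1.7" "$demo_base/3.1.8"
if only_touches "$demo_base/3.1.7" "$demo_base/3.1.8" web/graph.php; then
    echo "OK: the delta is isolated to web/graph.php"
else
    echo "WARNING: the delta touches files beyond web/graph.php"
fi
```

To use it on real trees, unpack the Debian .orig tarball and the PGP-verified upstream tarball (or a `git archive` of the two tags) into two directories and call `only_touches OLD NEW web/graph.php`; a non-zero exit means the delta contains more than the expected backport and the extra paths printed by `changed_files` need explaining before the stable-security upload.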
