[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)

Salvatore Bonaccorso carnil at debian.org
Sat Jan 19 23:02:17 UTC 2013

Hi Daniel, hi Yves-Alexis

In short, [1] looks to be the only change needed for the security
update. So the debdiff I posted should be okay. But I will leave it to
Yves-Alexis (who is Debian Security Team member) which way to go.

On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> > Hi Daniel, hi all
> > 
> > Ok let's try to reassume (I feel like there is some confusion ;-))
> > 
> > Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> > be based on this. Usually introducing a new upstream version is not
> > accepted for security updates (an exception is e.g. mysql, where it
> > seems not other possible). So this should/will be 3.1.7-1+squeeze1 for
> > a Squeeze update.
> The upstream 3.1 branch only receives updates of the type that qualify
> for the stable branch in Debian (e.g. security updates, fixes for seg
> faults).  The 3.1.8 upstream release only differs from 3.1.7 with the
> addition of the fix for this issue
> In this instance, upstream even created a 3.1.8 branch off the 3.1
> branch, just to isolate the fix:
> https://github.com/ganglia/monitor-core/commits/release/3.1.8

Ok and indeed this[1] confirms that the isolated fix is the oneliner.

 [1]: https://github.com/ganglia/monitor-core/commit/3404fbfcfad74c4c050578add31ea3a5ec5f0276
> > Adjusting the Subject of this mail to avoid further confusions.
> > 
> > The source diff between 3.1.7 and 3.1.8 is somehow huge (4.8M, 110
> > files changed, 49330 insertions(+), 73094 deletions(-)).
> >
> > The isolated fix is only in web/graph.php right?
> This seems odd, and not what I would expect if I check upstream:
> git clone git at github.com:ganglia/monitor-core.git
> cd ganglia
> git diff monitor-core-3.1.7 3.1.8
> (from that diff, ignore the git2dist and bootstrap changes, those files
> are not released in the tarballs)
> Is it possible that dpkg-buildpackage is incorrectly regenerating the
> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
> I PGP sign the upstream release announcements, so it should be easy to
> verify.
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

This is how I checked the above:

wget http://cdn.debian.net/debian/pool/main/g/ganglia/ganglia_3.1.7.orig.tar.gz

>From [2] there is link to source tarball:

 [2] http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

fetch the ganglia-3.1.8.tar.gz and checksum with sha224sum; and
compared the two source trees. (A lot can be excluded, right, as is
autogenerated stuff).


More information about the Pkg-monitoring-maintainers mailing list