[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
carnil at debian.org
Sat Jan 19 23:02:17 UTC 2013
Hi Daniel, hi Yves-Alexis
In short,  looks to be the only change needed for the security
update. So the debdiff I posted should be okay. But I will leave it to
Yves-Alexis (who is a Debian Security Team member) which way to go.
On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> > Hi Daniel, hi all
> > Ok let's try to reassume (I feel like there is some confusion ;-))
> > Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> > be based on this. Usually introducing a new upstream version is not
> > accepted for security updates (an exception is e.g. mysql, where it
> > seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
> > a Squeeze update.
> The upstream 3.1 branch only receives updates of the type that qualify
> for the stable branch in Debian (e.g. security updates, fixes for seg
> faults). The 3.1.8 upstream release only differs from 3.1.7 with the
> addition of the fix for this issue.
> In this instance, upstream even created a 3.1.8 branch off the 3.1
> branch, just to isolate the fix:
Ok and indeed this confirms that the isolated fix is the oneliner.
> > Adjusting the Subject of this mail to avoid further confusion.
> > The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
> > files changed, 49330 insertions(+), 73094 deletions(-)).
> > The isolated fix is only in web/graph.php right?
> This seems odd, and not what I would expect if I check upstream:
> git clone git@github.com:ganglia/monitor-core.git
> cd ganglia
> git diff monitor-core-3.1.7 3.1.8
> (from that diff, ignore the git2dist and bootstrap changes, those files
> are not released in the tarballs)
> Is it possible that dpkg-buildpackage is incorrectly regenerating the
> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
> I PGP sign the upstream release announcements, so it should be easy to
This is how I checked the above:
From  there is a link to the source tarball:
fetch the ganglia-3.1.8.tar.gz and checksum with sha224sum; and
compared the two source trees. (A lot can be excluded, right, as is
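The check described above (fetch the tarball, verify its digest, then compare the two unpacked trees while ignoring files that are not shipped in the release tarballs), as an added shell example that is not part of this mail or of the ganglia project; the directory contents are constructed stand-ins, and the expected SHA-224 value is assumed to come from the signed release announcement.

```sh
#!/bin/sh
# Added example, not code from the mail: check a fetched tarball against the
# SHA-224 digest taken from the signed release announcement, then list which
# files differ between two unpacked trees, skipping release-tooling files that
# are not shipped in the tarballs (bootstrap, git2dist) and autotools output.
set -eu

# verify_sha224 FILE EXPECTED_HEX: succeeds only if the digest matches exactly
verify_sha224() {
    actual=$(sha224sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# changed_files OLD_DIR NEW_DIR: one line per path that was added, removed or
# changed, relative to the tree root; identical files print nothing
changed_files() {
    old=$1; new=$2
    { (cd "$old" && find . -type f); (cd "$new" && find . -type f); } \
      | sed 's|^\./||' \
      | grep -Ev '(^|/)(bootstrap|git2dist|configure|Makefile\.in)$' \
      | sort -u | while IFS= read -r f; do
        if   [ ! -e "$old/$f" ]; then echo "added: $f"
        elif [ ! -e "$new/$f" ]; then echo "removed: $f"
        elif ! cmp -s "$old/$f" "$new/$f"; then echo "changed: $f"
        fi
      done
}

# Constructed demo trees standing in for the 3.1.7 and 3.1.8 unpacks: only
# web/graph.php is reported, the bootstrap difference is filtered out.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/3.1.7/web" "$t/3.1.8/web"
    printf 'old\n' > "$t/3.1.7/web/graph.php"
    printf 'fixed\n' > "$t/3.1.8/web/graph.php"
    printf 'same\n' > "$t/3.1.7/README"; printf 'same\n' > "$t/3.1.8/README"
    printf 'a\n' > "$t/3.1.7/bootstrap"; printf 'b\n' > "$t/3.1.8/bootstrap"
    changed_files "$t/3.1.7" "$t/3.1.8"   # prints: changed: web/graph.php
    rm -rf "$t"
}
demo
```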