[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)

Yves-Alexis Perez corsac at debian.org
Sun Jan 20 09:14:26 UTC 2013


On Sun., 2013-01-20 at 00:44 +0100, Daniel Pocock wrote:
> Thanks for confirming that
> 
> It is possible that I bootstrapped 3.1.7 on an earlier Debian version
> than 3.1.8.  E.g. Maybe 3.1.7 was bootstrapped on lenny and 3.1.8 on
> squeeze.  This would mean different versions of autoconf were present,
> and each of them dumps different stuff in the source tree.

Looks possible.
> 
> However, just excluding that change (e.g. by hacking the one line
> change into the 3.1.7 tree rather than using the whole 3.1.8 tree)
> doesn't guarantee identical autotools behavior unless the build is done
> on a platform equivalent to where the original 3.1.7-1 package was
> built.

I'd be really concerned if that were the case. But if you fear something
like that, it'd be best if you could test that the package indeed fixes
the bug.
> 
> If we need to be that pedantic about it to put something into squeeze
> (which may well be a good idea), then maybe we need to make the change
> without building and releasing any of the actual binaries, just release
> the ganglia-web.deb package (which contains no binary code, just PHP).
> Is there a workflow to do that?

No. We want minimal changes against the version in Squeeze, remember?

In any case, provided it actually fixes the bug, I'm OK with Salvatore's
package including only the one-liner patch.

Regards,
-- 
Yves-Alexis