[tryton-debian] Security fix for safe_eval in Tryton server

Mathias Behrle mathiasb at m9s.biz
Sat Oct 4 00:07:28 UTC 2014


* Moritz Muehlenhoff: " Re: Security fix for safe_eval in Tryton server" (Fri,
  3 Oct 2014 14:06:17 +0200):

> On Fri, Oct 03, 2014 at 11:43:37AM +0200, Mathias Behrle wrote:
> > * Mathias Behrle: " Re: Security fix for safe_eval in Tryton server" (Wed, 1
> >   Oct 2014 13:22:14 +0200):
> > 
> > > * Raphael Hertzog: " Re: Security fix for safe_eval in Tryton
> > > server" (Wed, 1 Oct 2014 00:28:23 +0200):
> > > 
> > > Hi Raphael,
> > > 
> > > > On Tue, 30 Sep 2014, Mathias Behrle wrote:
> > > > > > BTW, what's the status for squeeze? The version there is even older
> > > > > > but as we officially support LTS, it would be nice if you could
> > > > > > provide me an update for that version too (in case it also applies).
> > > > > 
> > > > > As written in my original mail I didn't plan an upload for oldstable.
> > > > > 
> > > > > First because I really don't expect any user to run Tryton 1.6 any
> > > > > more. Second it would be a stripped down version of the patches (only
> > > > > the one for safe_eval), because ast is new in Python 2.6 (and squeeze
> > > > > has 2.5).
> > > > 
> > > > That's fine.
> > > > 
> > > > > If you estimate nevertheless, that the package should be done, I will
> > > > > provide it.
> > > > 
> > > > Yes, please. I agree with you that probably nobody is using it but if
> > > > it's not too much work, I believe it's good to live up to our new LTS
> > > > promise.
> > > > 
> > > > The only alternative solution is to mark the package as unsupported in
> > > > that release (via debian-security-support) and I'd rather avoid that.
> > > 
> > > Here comes the debdiff attached. Thanks for uploading.
> > 
> > Hi Raphael, hi Florian,
> > 
> > the fix for CVE-2014-6633 [1] caused a regression on the creation of strict
> > sequences [2]. What is the best way to prepare the packages with the fix for
> > [3]?
> 
> Good timing. I was about to release this this afternoon :-)
>  
> > - just doing another package for security.debian.org (it seems they are not
> > yet published?)
> >   * tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high
> >   * tryton-server (1.6.1-2+squeeze3) oldstable-security; urgency=high
> 
> Please upload 2.2.4-1+deb7u2 to security-master.
> 
> For Squeeze please see https://wiki.debian.org/LTS/Development

Hi Raphael,

please find the two debdiffs attached. For squeeze-lts I condensed the
patches into one package, because the first package wasn't uploaded yet.
Please let me know, if you need anything else.

Thanks for uploading,
Mathias



-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6