Bug 45179 - wget: minor issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Depends on: 41662
Blocks:
Reported: 2017-08-10 14:58 CEST by Arvid Requate
Modified: 2017-08-23 14:35 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-08-10 14:58:19 CEST
Package has been copied from the jessie Repos.

Advisory: ucs-4.2-1/doc/errata/staging/wget.yaml
Comment 1 Arvid Requate univentionstaff 2017-08-10 16:27:32 CEST
I've moved the advisory to ucs-4.2-0/doc/errata/staging, because the package has been imported to ucs-4.2-0.


The following patch should be merged too and applied during build:

~/svn/patches/wget/4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/39940_fix_memory_hog.patch
Comment 2 Philipp Hahn univentionstaff 2017-08-10 18:15:42 CEST
(In reply to Arvid Requate from comment #1)
> I've moved the advisory to ucs-4.2-0/doc/errata/staging, because the package
> has been imported to ucs-4.2-0.

4.2-0 is out-of-maintenance!
<http://updates.software-univention.de/download/ucs-maintenance/4.2-0.yaml>: maintained: false

So please revert r82011 to move back all those .yaml files to 4.2-1 and add
  ignore: [version.scope]
as announce_errata can pick any scope directory as source.

> The following patch should be merged too and applied during build:
> 
> ~/svn/patches/wget/4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/
> 39940_fix_memory_hog.patch

No need:
$ grep debian.org 4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/39940_fix_memory_hog.patch 
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642563>

$ curl -s http://metadata.ftp-master.debian.org/changelogs/main/w/wget/wget_1.16-1+deb8u2_changelog | grep 642563
    - Fix a memory leak problem in the GNU TLS backend. closes: #642563

$ curl -s https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642563 | grep Fixed
<p>Fixed in version wget/1.14-1</p>

$ repo_get_version.py -r 4.2 -s errata4.2-0 -p wget | grep version
Current version: 1.16-1+deb8u2

$ dpkg --compare-versions 1.14-1 le 1.16-1+deb8u2 ; echo $?
0
Comment 3 Arvid Requate univentionstaff 2017-08-10 20:45:02 CEST
Ok, right, 1.16-1 has the patch.

> 4.2-0 is out-of-maintenance!

Correct, that's why the advisory says

 version: [1]

That's the destination side. As far as Jenek told me, the svn branch where the advisory is stored needs to correspond to the scope where the new packages are to be taken from, which seems to be errata4.2-0 in this case. At least I had to include that scope for the QA.


> So please revert r82011 to move back all those .yaml files to 4.2-1 and add
>   ignore: [version.scope]
> as announce_errata can pick any scope directory as source.

How? If that's required then please document in the wiki under which condition that is applicable.
Comment 4 Arvid Requate univentionstaff 2017-08-16 18:50:57 CEST
Ok, I've moved the advisory back as recommended by you. The announce tool relies on the "scope: " field in the advisory, which is correct.

I've added this bug number to the advisory.
Comment 5 Arvid Requate univentionstaff 2017-08-23 14:35:30 CEST
<http://errata.software-univention.de/ucs/4.2/144.html>