Bug 45179

Summary: wget: minor issues (4.2)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: best
Version: UCS 4.2
Flags: requate: Patch_Available+
Target Milestone: UCS 4.2-1-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Bug Depends on: 41662
Bug Blocks:

Description Arvid Requate univentionstaff 2017-08-10 14:58:19 CEST
Package has been copied from the jessie Repos.

Advisory: ucs-4.2-1/doc/errata/staging/wget.yaml

Comment 1 Arvid Requate univentionstaff 2017-08-10 16:27:32 CEST
I've moved the advisory to ucs-4.2-0/doc/errata/staging, because the package has been imported to ucs-4.2-0.


The following patch should be merged too and applied during build:

~/svn/patches/wget/4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/39940_fix_memory_hog.patch

Comment 2 Philipp Hahn univentionstaff 2017-08-10 18:15:42 CEST
(In reply to Arvid Requate from comment #1)
> I've moved the advisory to ucs-4.2-0/doc/errata/staging, because the package
> has been imported to ucs-4.2-0.

4.2-0 is out-of-maintenance!
<http://updates.software-univention.de/download/ucs-maintenance/4.2-0.yaml>: maintained: false

So please revert r82011 to move back all those .yaml files to 4.2-1 and add
  ignore: [version.scope]
as announce_errata can pick any scope directory as source.

> The following patch should be merged too and applied during build:
> 
> ~/svn/patches/wget/4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/
> 39940_fix_memory_hog.patch

No need:
$ grep debian.org 4.1-0-0-ucs/1.13.4-3+deb7u4-errata4.1-4/39940_fix_memory_hog.patch 
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642563>

$ curl -s http://metadata.ftp-master.debian.org/changelogs/main/w/wget/wget_1.16-1+deb8u2_changelog | grep 642563
    - Fix a memory leak problem in the GNU TLS backend. closes: #642563

$ curl -s https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642563 | grep Fixed
<p>Fixed in version wget/1.14-1</p>

$ repo_get_version.py -r 4.2 -s errata4.2-0 -p wget | grep version
Current version: 1.16-1+deb8u2

$ dpkg --compare-versions 1.14-1 le 1.16-1+deb8u2 ; echo $?
0
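
The check carried out by hand in comment 2, as an added example that is not part of the original comment or of the UCS tooling: it decides whether a locally carried patch is already covered by the shipped package, using a version comparison that follows the Debian Policy ordering rules. The function names, the `Bug-Debian:` header and the `FIXED_IN` mapping are assumptions; the sample inputs are constructed from the values quoted in the comment.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering: '~' sorts before end of string, letters before other symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _chunks(s):
    # "1+deb8u2" -> pairs of (non-digit run, number): ("",1) ("+deb",8) ("u",2)
    return [([_order(c) for c in n] + [0], int(d or 0))
            for n, d in re.findall(r"(\D*)(\d*)", s) if n or d]

def _cmp_part(a, b):
    # A missing chunk compares like an empty string followed by 0
    for x, y in zip_longest(_chunks(a), _chunks(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1 for Debian version strings a and b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def referenced_bugs(patch_text):
    # Debian bug numbers cited by URL in the patch header
    return set(re.findall(r"bugs\.debian\.org/\S*?bug=(\d+)", patch_text))

def patch_is_redundant(patch_text, changelog, fixed_in, shipped):
    """True only if every Debian bug the patch cites is closed in the
    changelog and its fixed-in version is <= the shipped version."""
    bugs = referenced_bugs(patch_text)
    return bool(bugs) and all(
        re.search(r"closes:.*#%s\b" % b, changelog, re.I)
        and b in fixed_in and deb_cmp(fixed_in[b], shipped) <= 0
        for b in bugs)

# Constructed inputs mirroring the values quoted in comment 2
PATCH = "Bug-Debian: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642563>\n"
CHANGELOG = "    - Fix a memory leak problem in the GNU TLS backend. closes: #642563\n"
FIXED_IN = {"642563": "1.14-1"}
```

A patch that cites no Debian bug is reported as not redundant, so it still gets a manual review.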

Comment 3 Arvid Requate univentionstaff 2017-08-10 20:45:02 CEST
Ok, right, 1.16-1 has the patch.

> 4.2-0 is out-of-maintenance!

Correct, that's why the advisory says

 version: [1]

That's the destination side. As far as Jenek told me, the svn branch where the advisory is stored needs to correspond to the scope where the new packages are to be taken from, which seems to be errata4.2-0 in this case. At least I had to include that scope for the QA.


> So please revert r82011 to move back all those .yaml files to 4.2-1 and add
>   ignore: [version.scope]
> as announce_errata can pick any scope directory as source.

How? If that's required then please document in the wiki under which condition that is applicable.

Comment 4 Arvid Requate univentionstaff 2017-08-16 18:50:57 CEST
Ok, I've moved the advisory back as recommended by you. The announce tool relies on the "scope: " field in the advisory, which is correct.

I've added this bug number to the advisory.

Comment 5 Arvid Requate univentionstaff 2017-08-23 14:35:30 CEST
<http://errata.software-univention.de/ucs/4.2/144.html>