Posted to dev@qpid.apache.org by Cajus Pollmeier <ca...@naasa.net> on 2012/08/27 09:32:47 UTC

Backporting security fix

Hi,

while Debian Wheezy is in the freeze process, there was a security 
issue found that affects 0.16:

http://www.openwall.com/lists/oss-security/2012/08/09/6

That means that I have to apply the fix to 0.16. The question is: what 
should I do with the SONAME of the affected library (libqpidbroker) - 
which exposes a method with a changed interface in this case?

Is there a SONAME proposal to not conflict with later versions of 
qpidd?

Thanks!
Cajus

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
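The SONAME question above is the one a packager usually settles by inspecting the built library: does the rebuilt libqpidbroker still carry the same DT_SONAME (so dependents keep loading it) or a new one (so dependents must be rebuilt)? The following is an added example, not Qpid project code and not from any participant in this thread. It is a minimal reader for the ELF64 dynamic section that extracts DT_SONAME and DT_NEEDED, the same fields `readelf -d` prints, plus a constructed, non-loadable sample image so it runs offline; all library names in it are placeholders.

```python
"""Minimal ELF64 (little-endian) dynamic-section reader: DT_SONAME and DT_NEEDED.

Added example, not Qpid code. build_sample_library() constructs a tiny
non-loadable ELF image with placeholder names purely so the reader can be
exercised without touching the filesystem.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_SONAME = 0, 1, 5, 10, 14

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                  # Elf64_Dyn  (16 bytes)


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x not backed by any PT_LOAD segment" % vaddr)


def _cstr(data, off):
    """Read a NUL-terminated string from the dynamic string table."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def read_dynamic_names(data):
    """Return {'soname': str|None, 'needed': [str, ...]} for an ELF64 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment (statically linked?)")
    entries, off, end = [], dynamic[0], dynamic[0] + dynamic[1]
    while off + DYN.size <= end:           # walk Elf64_Dyn entries up to DT_NULL
        tag, val = DYN.unpack_from(data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        off += DYN.size
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab is None:
        raise ValueError("dynamic section lacks DT_STRTAB")
    base = _vaddr_to_offset(loads, strtab)  # DT_STRTAB holds a vaddr, not an offset
    soname = next((_cstr(data, base + v) for t, v in entries if t == DT_SONAME), None)
    needed = [_cstr(data, base + v) for t, v in entries if t == DT_NEEDED]
    return {"soname": soname, "needed": needed}


def compare_backport(old_image, new_image):
    """'same-soname' means the rebuilt library is a drop-in for dependents;
    'soname-bumped' means every dependent package must be rebuilt against it."""
    old, new = read_dynamic_names(old_image), read_dynamic_names(new_image)
    return "same-soname" if old["soname"] == new["soname"] else "soname-bumped"


def build_sample_library(soname, needed):
    """Construct a minimal ELF64 shared-object image (constructed test data,
    not loadable): header, one PT_LOAD at vaddr 0, one PT_DYNAMIC, .dynstr."""
    dynstr, needed_offs = b"\0" + soname.encode() + b"\0", []
    for name in needed:
        needed_offs.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynstr_off = EHDR.size + 2 * PHDR.size          # string table follows the phdrs
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7   # Elf64_Dyn is 8-byte aligned
    dyn = b"".join(DYN.pack(DT_NEEDED, o) for o in needed_offs)
    dyn += DYN.pack(DT_SONAME, 1) + DYN.pack(DT_STRTAB, dynstr_off)
    dyn += DYN.pack(DT_STRSZ, len(dynstr)) + DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)  # ET_DYN, EM_X86_64
    ph_load = PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    img = ehdr + ph_load + ph_dyn + dynstr
    return img + bytes(dyn_off - len(img)) + dyn


if __name__ == "__main__":
    # Placeholder names only; real builds would be read with open(path, "rb").read()
    before = build_sample_library("libbroker-sample.so.1", ["libcommon-sample.so.1"])
    after = build_sample_library("libbroker-sample.so.2", ["libcommon-sample.so.1"])
    print(read_dynamic_names(before), compare_backport(before, after))
```

On a real package the two images would be the pre- and post-backport builds of the library read from disk. Note that this checks only the SONAME field itself; whether the fix actually changed the exported interface (the concern raised in the thread) still needs a symbol-level comparison, and for a library that is private to qpidd, as Andrew's reply points out, the answer may not matter much.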


RE: Backporting security fix

Posted by Steve Huston <sh...@riverace.com>.
There may be an Apache channel through which we can distribute security notices - we'd need to set up some structure on our side to track them though and be sure they're reported consistently.

> -----Original Message-----
> From: Andrew Stitcher [mailto:astitcher@redhat.com]
> Sent: Wednesday, August 29, 2012 10:36 AM
> To: dev@qpid.apache.org
> Subject: Re: Backporting security fix
> 
> On Wed, 2012-08-29 at 11:23 +0200, Cajus Pollmeier wrote:
> > Thanks Andrew. Ok. I'll take a look at it for the Debian packages.
> >
> >  From the packagers' point of view, it would be really helpful to have
> > some kind of security issue notification channel, where packagers can
> > subscribe. Is there something for qpid that I'm not aware of?
> 
> We have nothing like this at the moment, it certainly seems like a good idea.
> 
> Andrew
> 
> 
> 



Re: Backporting security fix

Posted by Andrew Stitcher <as...@redhat.com>.
On Wed, 2012-08-29 at 11:23 +0200, Cajus Pollmeier wrote:
> Thanks Andrew. Ok. I'll take a look at it for the Debian packages.
> 
>  From the packagers' point of view, it would be really helpful to have 
> some kind of security issue notification channel, where packagers can 
> subscribe. Is there something for qpid that I'm not aware of?

We have nothing like this at the moment, it certainly seems like a good
idea.

Andrew





Re: Backporting security fix

Posted by Cajus Pollmeier <ca...@naasa.net>.
Thanks Andrew. Ok. I'll take a look at it for the Debian packages.

 From the packagers' point of view, it would be really helpful to have 
some kind of security issue notification channel, where packagers can 
subscribe. Is there something for qpid that I'm not aware of?

Cajus

Am 27.08.2012 17:48, schrieb Andrew Stitcher:
> On Mon, 2012-08-27 at 09:32 +0200, Cajus Pollmeier wrote:
>> Hi,
>>
>> while Debian Wheezy is in the freeze process, there was a security
>> issue found that affects 0.16:
>>
>> http://www.openwall.com/lists/oss-security/2012/08/09/6
>>
>> That means that I have to apply the fix to 0.16. The question is: what
>> should I do with the SONAME of the affected library (libqpidbroker) -
>> which exposes a method with a changed interface in this case?
>>
>> Is there a SONAME proposal to not conflict with later versions of
>> qpidd?
>
> I don't think that we are currently proposing any upstream library
> versioning at all. As far as I remember the library versioning in the
> Fedora and Red Hat Enterprise packages are not the same as the
> versioning you will get if you just run make install on the upstream
> package.
>
> Similarly we've not been especially careful to change library versions
> consistent with ABI so perhaps you should do whatever works for your
> packaging.
>
> I would note that libqpidbroker really exposes only an entirely private
> interface though so perhaps its versioning isn't that significant -
> it's not actually separable from qpidd anyway.
>
> Andrew
>
>
>




Re: Backporting security fix

Posted by Andrew Stitcher <as...@redhat.com>.
On Mon, 2012-08-27 at 09:32 +0200, Cajus Pollmeier wrote:
> Hi,
> 
> while Debian Wheezy is in the freeze process, there was a security 
> issue found that affects 0.16:
> 
> http://www.openwall.com/lists/oss-security/2012/08/09/6
> 
> That means that I have to apply the fix to 0.16. The question is: what 
> should I do with the SONAME of the affected library (libqpidbroker) - 
> which exposes a method with a changed interface in this case?
> 
> Is there a SONAME proposal to not conflict with later versions of 
> qpidd?

I don't think that we are currently proposing any upstream library
versioning at all. As far as I remember the library versioning in the
Fedora and Red Hat Enterprise packages are not the same as the
versioning you will get if you just run make install on the upstream
package.

Similarly we've not been especially careful to change library versions
consistent with ABI so perhaps you should do whatever works for your
packaging.

I would note that libqpidbroker really exposes only an entirely private
interface though so perhaps its versioning isn't that significant -
it's not actually separable from qpidd anyway.

Andrew


