As said on irc:
1) I don't want to ship the package in Buster if the security team can't handle
security updates
2) I don't want security team to handle them, I'll in case provide them the
stuff that can be sponsored (as we did in the past).
In case the new micro releases are not shipped anymore b
Hi,
On 13/03/19 at 22:18 +0100, Ivo De Decker wrote:
> Control: severity -1 serious
>
> Hi,
>
> On Mon, Aug 28, 2017 at 03:01:18PM +0200, Lucas Nussbaum wrote:
> > After a private discussion with Gianfranco, I'm retitling this bug and
> > downgrading its severity. (Gianfranco agrees, at least on
Processing control commands:
> severity -1 serious
Bug #794466 [src:virtualbox] virtualbox: might not be suitable for stable
releases due to lack of cooperation from upstream on security support for older
releases
Severity set to 'serious' from 'important'
--
794466: https://bugs.debian.org/cg
Processing control commands:
> retitle -1 virtualbox: might not be suitable for stable releases due to lack
> of cooperation from upstream on security support for older releases
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Changed Bug title to 'virtualbox: might not b
Control: retitle -1 virtualbox: might not be suitable for stable releases due
to lack of cooperation from upstream on security support for older releases
Control: severity -1 important
Hi,
After a private discussion with Gianfranco, I'm retitling this bug and
downgrading its severity. (Gianfranc
On Mon, 2016-12-12 at 21:59 -0800, Gordon Farquharson wrote:
> 3. Do you recommend migrating existing VirtualBox images to KVM?
On Tue, 13 Dec 2016 14:25:32 +0530, Ritesh Raj Sarraf wrote:
> Migration should be doable. I'm not sure if there are any issues in
> migration, but you may give it a sh
Hi Moritz,
>
>We'll have a security team meeting at DebConf and will discuss
>virtualbox as well.
following up on the DebConf discussion,
I did update vbox for wheezy and jessie, on
the respective branches on git (names with the codenames)
targeted -security.
http://anonscm.debian.org/cgit/pkg-v
On Mon, Aug 10, 2015 at 07:16:59AM +, Gianfranco Costamagna wrote:
> Yes, otherwise the points remain:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or ma
On Mon, 2015-08-10 at 07:16 +, Gianfranco Costamagna wrote:
> >But if the security team can agree up with this release model, then
> the
> >VBox team could just keep it up-to-date.
>
>
>
> Yes, otherwise the points remain:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
Hi,
>Debian Security Team:
>These are what we have currently in Debian:
>
>oldstable: 4.1.18
>stable: 4.3.18
>testing: 4.3.30
I would add (as Ben requested)
old-old-stable 3.2.10 --> 3.2.28
(this will fix AFAICS all the CVEs on o-o-stable, but not the latest one)
https://www.virtualbox.org
On Mon, 2015-08-10 at 07:40 +0200, Markus Frosch wrote:
> > I'm not sure how they handle vulnerabilities. But their release
> strategy is: ESR and Regular releases. Every security fix goes into
> the
> > next Regular release, and also the ESR release.
> >
> > ESR is supported until the next ESR
On 09.08.2015 12:51, Ritesh Raj Sarraf wrote:
> Not sure about MySQL, but for Iceweasel, is it really like that ?
>
> From what I've known, there were trademark issues which led to the rebranding.
Sorry for being unclear, I meant the usage of upst
On Sat, 2015-08-08 at 20:11 +0200, Markus Frosch wrote:
> Hi Gianfranco,
> thanks for your summary.
>
> Although I'm not involved in maintaining virtualbox, still a few
> thoughts:
>
> * What would that mean for Jessie updates?
> * Isn't that basically the same problem we have with MySQL,
> or
Hi Debian Security Team,
(Dear Jonathan, thanks for the heads-up, I tried to avoid cross-posting,
and I thought release was a better place than security, so dropping
-release from the mail cc, let me know if I have to readd it)
I would like to ask you whether it is possible to have an exception fo
On Sat, Aug 08, 2015 at 09:23:31PM +, Gianfranco Costamagna wrote:
> Virtualbox suffers from many security issues in Debian,
> especially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> th
Hi Frank and Release Team,
>Oracle at this moment maintains 4.0.x 4.1.x 4.2.x 4.3.x 5.0.x
>branches where security fixes seem to be addressed all.
>
>(virtualbox-ose from o-o-s still needs some pinpoint fixes)
virtualbox-ose is at version 3.2.10, and the last release from [1]
is 3.2.28, and
Hi Debian Release Team,
TL;DR:
Virtualbox suffers from many security issues in Debian,
especially because Upstream (Oracle) refuses to give
patches for CVEs, and (you can see in the Debian bug
794466 an analysis of the Oracle policy and discussion)
this makes it difficult to handle security uploads i
On Mon, 3 Aug 2015 10:47:23 + (UTC) Gianfranco Costamagna <
costamagnagianfra...@yahoo.it> wrote:
> Source: virtualbox
> Version: 4.3.30-dfsg-1
> Severity: critical
Hi Gianfranco,
thanks for your summary.
Although I'm not involved in maintaining virtualbox, still a few
thoughts:
* What woul
Source: virtualbox
Version: 4.3.30-dfsg-1
Severity: critical
X-Debbugs-CC: j...@inutil.org
X-Debbugs-CC: r...@debian.org
X-Debbugs-CC: frank.mehn...@oracle.com
X-Debbugs-CC: klaus.espenl...@oracle.com
(please cc people if needed
As said in many different threads [1 bottom of the mail], Upstream