Re: Better communication about spectre/meltdown
- To: Ben Hutchings <ben@decadent.org.uk>, Antoine Beaupré <anarcat@orangeseeds.org>, Moritz Mühlenhoff <jmm@inutil.org>, debian-lts@lists.debian.org, team@security.debian.org
- Subject: Re: Better communication about spectre/meltdown
- From: Roberto C. Sánchez <roberto@debian.org>
- Date: Sun, 1 Apr 2018 08:08:27 -0400
- Message-id: <[🔎] 20180401120827.qwxjhmtxiv2fqjhe@connexer.com>
- Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, Ben Hutchings <ben@decadent.org.uk>, Antoine Beaupré <anarcat@orangeseeds.org>, Moritz Mühlenhoff <jmm@inutil.org>, debian-lts@lists.debian.org, team@security.debian.org
- In-reply-to: <[🔎] 20180401114855.kkpvfzbqiwm4h7la@connexer.com>
- References: <1519686363.2617.351.camel@decadent.org.uk> <20180301125645.wt3nkodmksce3a6v@connexer.com> <1520087480.2617.367.camel@decadent.org.uk> <20180303151806.widvs35uya6se2x3@santiago.connexer.com> <1520090534.2617.370.camel@decadent.org.uk> <20180303160712.3xrlbel5vdgmy47e@connexer.com> <1520109616.2617.381.camel@decadent.org.uk> <1520561116.2495.24.camel@decadent.org.uk> <1521505828.2495.198.camel@decadent.org.uk> <[🔎] 20180401114855.kkpvfzbqiwm4h7la@connexer.com>
On Sun, Apr 01, 2018 at 07:48:55AM -0400, Roberto C. Sánchez wrote:
>
> At this point I feel like the packages are ready for upload, but it
> seems prudent to first wait for confirmation that the kernel build on
> wheezy works with this backported gcc. Once I receive that confirmation,
> I will proceed with uploading and releasing a DLA (patterned after
> DSA-4117-1). Is there anything special that will need to be done in
> order to introduce a new source package to wheezy?
>
I have attached my proposed DLA text to this mail. Please feel free to
offer suggestions on improving the text.
Regards,
-Roberto
--
Roberto C. Sánchez
Package : gcc-4.9
CVE ID : not applicable
This update doesn't fix a vulnerability in GCC itself, but instead
provides support for building retpoline-enabled Linux kernel updates.
Special note: The gcc-4.9 package is new to Debian 7 "Wheezy" as of this
update. Attempts to patch gcc-4.6, the gcc package in Wheezy used to
build the Linux kernel, were to found to be infeasible. As a results, it
was decided to backport the gcc-4.9 package from Debian 8 "Jessie" to
enable building retpoline-enabled Linux kernel packages and to support
users who require gcc packages with retpoline support.
For Debian 7 "Wheezy", this problem has been fixed in version
4.9.2-10+deb7u1.
We recommend that you upgrade your gcc-4.9 packages.
For the detailed security status of gcc-4.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gcc-4.9
Reply to: