Discussion:
Bug#869836: stretch-pu: package nvidia-graphics-drivers/375.82-1~deb9u1
Luca Boccassi
2017-07-30 22:23:14 UTC
Control: tags -1 - moreinfo
Control: tags -1 + moreinfo
The non-free proprietary nvidia-graphics-drivers version 375.66 in
Stretch is affected by CVE-2017-6257 and CVE-2017-6259. Debian
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869783
Please consider allowing the new upstream version 375.82, which fixes
these CVEs, in proposed-updates. As usual with these proprietary
drivers, we cannot just cherry-pick the fixes for the CVEs as they are
in the binary blobs.
I have tested this new version on a Stretch amd64 desktop and didn't
encounter any issue.
The debdiff from 375.66-2~deb9u1 to 375.82-1 is attached.
While I'm sure it's probably fine, could we have a diff of the proposed
375.82-1~deb9u1, as built and tested on stretch, please?
Regards,
Adam
Hi Adam,
There were no changes when I opened the bug apart from the new
changelog entry.
Andreas has since committed 2 small fixes to the changelog as well,
inlined, just minor clarifications. I still find the way upstream
compiles their changelog quite confusing and often make mistakes when
copying over :-)
Kind regards,
Luca Boccassi
To further clarify, the debdiff I attached originally is the one from
the source I built and tested on Stretch.

Kind regards,
Luca Boccassi
Adam D. Barratt
2017-07-30 22:44:39 UTC
Post by Luca Boccassi
Control: tags -1 - moreinfo
Control: tags -1 + moreinfo
The non-free proprietary nvidia-graphics-drivers version 375.66 in
Stretch is affected by CVE-2017-6257 and CVE-2017-6259. Debian
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869783
Please consider allowing the new upstream version 375.82, which fixes
these CVEs, in proposed-updates. As usual with these proprietary
drivers, we cannot just cherry-pick the fixes for the CVEs as they are
in the binary blobs.
I have tested this new version on a Stretch amd64 desktop and didn't
encounter any issue.
The debdiff from 375.66-2~deb9u1 to 375.82-1 is attached.
While I'm sure it's probably fine, could we have a diff of the proposed
375.82-1~deb9u1, as built and tested on stretch, please?
[...]
Post by Luca Boccassi
There were no changes when I opened the bug apart from the new
changelog entry.
Andreas has since committed 2 small fixes to the changelog as well,
inlined, just minor clarifications. I still find the way upstream
compiles their changelog quite confusing and often make mistakes when
copying over :-)
Kind regards,
Luca Boccassi
To further clarify, the debdiff I attached originally is the one from
the source I built and tested on Stretch.
That's rather confusing, given that it had the changelog set to
"unstable"...

Regards,

Adam
Luca Boccassi
2017-07-30 22:58:44 UTC
Post by Adam D. Barratt
Post by Luca Boccassi
Control: tags -1 - moreinfo
Control: tags -1 + moreinfo
The non-free proprietary nvidia-graphics-drivers version 375.66 in
Stretch is affected by CVE-2017-6257 and CVE-2017-6259. Debian
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869783
Please consider allowing the new upstream version 375.82, which fixes
these CVEs, in proposed-updates. As usual with these proprietary
drivers, we cannot just cherry-pick the fixes for the CVEs as they are
in the binary blobs.
I have tested this new version on a Stretch amd64 desktop and didn't
encounter any issue.
The debdiff from 375.66-2~deb9u1 to 375.82-1 is attached.
While I'm sure it's probably fine, could we have a diff of the proposed
375.82-1~deb9u1, as built and tested on stretch, please?
[...]
Post by Luca Boccassi
There were no changes when I opened the bug apart from the new
changelog entry.
Andreas has since committed 2 small fixes to the changelog as well,
inlined, just minor clarifications. I still find the way upstream
compiles their changelog quite confusing and often make mistakes when
copying over :-)
Kind regards,
Luca Boccassi
To further clarify, the debdiff I attached originally is the one from
the source I built and tested on Stretch.
That's rather confusing, given that it had the changelog set to
"unstable"...
Regards,
Adam
It was confusing, sorry about that.

It was a local build from SVN on my Stretch machine to test it, so I
hadn't updated the changelog with the stable entry yet.

Kind regards,
Luca Boccassi
