From Mageia wiki
Jump to: navigation, search
Line 195: Line 195:
 
</pre>
 
</pre>
  
Trigger advisory mail (I usually do this after every advisory to spot any issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes):
+
Trigger advisory mail (I usually do this after every advisory to spot any perl parser issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes):
 
<pre>
 
<pre>
 
[mga-advisories@valstar ~]$ update_mga-advisories  
 
[mga-advisories@valstar ~]$ update_mga-advisories  

Revision as of 09:55, 23 March 2014

This is a short version of what currently is done when pushing updates.
I here use 3 terminal windows, one as myself on my local machine, one as root @ valstar and one as mga-advisories @ valstar.

Install advisories tool:

[root@laptop ~]# urpmi mga-advisories
  - installs mgaadv

Do initial config:

[tmb@laptop ~]$ mgaadv initqaconf
  - initializes config file (it opens text editor to show config)
  - initial download of advisories

Check that you have latest advisories:

[tmb@laptop ~]$ cd mageia-advisories/advisories
[tmb@laptop advisories]$ svn up

Check at end of http://mageia.madb.org/tools/updates for advisories ready to be pushed.

Pushing updates (using samba update (bug 12999) as an example)

Assing advisory id (note: sometimes there can be split advisories in which case you would use mgaadv publish 12999.mga3 and mgaadv publish 12999.mga4):

[tmb@laptop advisories]$ mgaadv publish 12999
Assigned ID MGASA-2014-0138 to advisory 12999

Check if there is potential problems (for perl advisory parser):

[tmb@laptop advisories]$ file 12999.adv
12999.adv: ASCII text (this is ok)

Check the contents of the advisory looks ok:

[tmb@laptop advisories]$ cat 12999.adv
type: security
subject: Updated samba packages fix security vulnerability
CVE:
 - CVE-2013-4496
src:
  3:
   core:
     - samba-3.6.15-1.4.mga3
  4:
   core:
     - samba-3.6.23-1.mga4
description: |
  In Samba before 3.6.23, the SAMR server neglects to ensure that attempted
  password changes will update the bad password count, and does not set the
  lockout flags.  This would allow a user unlimited attempts against the
  password by simply calling ChangePasswordUser2 repeatedly.  This is
  available without any other authentication (CVE-2013-4496)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=12999
 - http://www.samba.org/samba/security/CVE-2013-4496
ID: MGASA-2014-0138

On valstar, use Screen to make avoid breakages during package move if you loose network connection)

[root@valstar ~]# screen

Push srpm(s) according to advisory (verify that the srpm matches the advisory, if not, check the bugreport if something has changed and update advisory accordingly or ask QA people for clarification (format is mga-send-update-nosync <distro> <media> <srpm>):

[root@valstar ~]# ./mga-send-update-nosync 3 core samba
 This SRPM (and matching binarys) will be moved from updates_testing to updates:
 
 samba-3.6.15-1.4.mga3.src.rpm
 
 Are you sure ? y

moving binary and source rpms:

i586:
libnetapi0-3.6.15-1.4.mga3.i586.rpm
libnetapi-devel-3.6.15-1.4.mga3.i586.rpm
libsmbclient0-3.6.15-1.4.mga3.i586.rpm
libsmbclient0-devel-3.6.15-1.4.mga3.i586.rpm
libsmbclient0-static-devel-3.6.15-1.4.mga3.i586.rpm
libsmbsharemodes0-3.6.15-1.4.mga3.i586.rpm
libsmbsharemodes-devel-3.6.15-1.4.mga3.i586.rpm
libwbclient0-3.6.15-1.4.mga3.i586.rpm
libwbclient-devel-3.6.15-1.4.mga3.i586.rpm
nss_wins-3.6.15-1.4.mga3.i586.rpm
samba-client-3.6.15-1.4.mga3.i586.rpm
samba-common-3.6.15-1.4.mga3.i586.rpm
samba-doc-3.6.15-1.4.mga3.noarch.rpm
samba-domainjoin-gui-3.6.15-1.4.mga3.i586.rpm
samba-server-3.6.15-1.4.mga3.i586.rpm
samba-swat-3.6.15-1.4.mga3.i586.rpm
samba-virusfilter-clamav-3.6.15-1.4.mga3.i586.rpm
samba-virusfilter-fsecure-3.6.15-1.4.mga3.i586.rpm
samba-virusfilter-sophos-3.6.15-1.4.mga3.i586.rpm
samba-winbind-3.6.15-1.4.mga3.i586.rpm
samba-debuginfo-3.6.15-1.4.mga3.i586.rpm

x86_64:
lib64netapi0-3.6.15-1.4.mga3.x86_64.rpm
lib64netapi-devel-3.6.15-1.4.mga3.x86_64.rpm
lib64smbclient0-3.6.15-1.4.mga3.x86_64.rpm
lib64smbclient0-devel-3.6.15-1.4.mga3.x86_64.rpm
lib64smbclient0-static-devel-3.6.15-1.4.mga3.x86_64.rpm
lib64smbsharemodes0-3.6.15-1.4.mga3.x86_64.rpm
lib64smbsharemodes-devel-3.6.15-1.4.mga3.x86_64.rpm
lib64wbclient0-3.6.15-1.4.mga3.x86_64.rpm
lib64wbclient-devel-3.6.15-1.4.mga3.x86_64.rpm
nss_wins-3.6.15-1.4.mga3.x86_64.rpm
samba-client-3.6.15-1.4.mga3.x86_64.rpm
samba-common-3.6.15-1.4.mga3.x86_64.rpm
samba-doc-3.6.15-1.4.mga3.noarch.rpm
samba-domainjoin-gui-3.6.15-1.4.mga3.x86_64.rpm
samba-server-3.6.15-1.4.mga3.x86_64.rpm
samba-swat-3.6.15-1.4.mga3.x86_64.rpm
samba-virusfilter-clamav-3.6.15-1.4.mga3.x86_64.rpm
samba-virusfilter-fsecure-3.6.15-1.4.mga3.x86_64.rpm
samba-virusfilter-sophos-3.6.15-1.4.mga3.x86_64.rpm
samba-winbind-3.6.15-1.4.mga3.x86_64.rpm
samba-debuginfo-3.6.15-1.4.mga3.x86_64.rpm

SRPMS:
samba-3.6.15-1.4.mga3.src.rpm


[root@valstar ~]# ./mga-send-update-nosync 4 core samba
 This SRPM (and matching binarys) will be moved from updates_testing to updates:
 
 samba-3.6.23-1.mga4.src.rpm
 
 Are you sure ? y

moving binary and source rpms:

i586:
libnetapi0-3.6.23-1.mga4.i586.rpm
libnetapi-devel-3.6.23-1.mga4.i586.rpm
libsmbclient0-3.6.23-1.mga4.i586.rpm
libsmbclient0-devel-3.6.23-1.mga4.i586.rpm
libsmbclient0-static-devel-3.6.23-1.mga4.i586.rpm
libsmbsharemodes0-3.6.23-1.mga4.i586.rpm
libsmbsharemodes-devel-3.6.23-1.mga4.i586.rpm
libwbclient0-3.6.23-1.mga4.i586.rpm
libwbclient-devel-3.6.23-1.mga4.i586.rpm
nss_wins-3.6.23-1.mga4.i586.rpm
samba-client-3.6.23-1.mga4.i586.rpm
samba-common-3.6.23-1.mga4.i586.rpm
samba-doc-3.6.23-1.mga4.noarch.rpm
samba-domainjoin-gui-3.6.23-1.mga4.i586.rpm
samba-server-3.6.23-1.mga4.i586.rpm
samba-swat-3.6.23-1.mga4.i586.rpm
samba-virusfilter-clamav-3.6.23-1.mga4.i586.rpm
samba-virusfilter-fsecure-3.6.23-1.mga4.i586.rpm
samba-virusfilter-sophos-3.6.23-1.mga4.i586.rpm
samba-winbind-3.6.23-1.mga4.i586.rpm
samba-debuginfo-3.6.23-1.mga4.i586.rpm

x86_64:
lib64netapi0-3.6.23-1.mga4.x86_64.rpm
lib64netapi-devel-3.6.23-1.mga4.x86_64.rpm
lib64smbclient0-3.6.23-1.mga4.x86_64.rpm
lib64smbclient0-devel-3.6.23-1.mga4.x86_64.rpm
lib64smbclient0-static-devel-3.6.23-1.mga4.x86_64.rpm
lib64smbsharemodes0-3.6.23-1.mga4.x86_64.rpm
lib64smbsharemodes-devel-3.6.23-1.mga4.x86_64.rpm
lib64wbclient0-3.6.23-1.mga4.x86_64.rpm
lib64wbclient-devel-3.6.23-1.mga4.x86_64.rpm
nss_wins-3.6.23-1.mga4.x86_64.rpm
samba-client-3.6.23-1.mga4.x86_64.rpm
samba-common-3.6.23-1.mga4.x86_64.rpm
samba-doc-3.6.23-1.mga4.noarch.rpm
samba-domainjoin-gui-3.6.23-1.mga4.x86_64.rpm
samba-server-3.6.23-1.mga4.x86_64.rpm
samba-swat-3.6.23-1.mga4.x86_64.rpm
samba-virusfilter-clamav-3.6.23-1.mga4.x86_64.rpm
samba-virusfilter-fsecure-3.6.23-1.mga4.x86_64.rpm
samba-virusfilter-sophos-3.6.23-1.mga4.x86_64.rpm
samba-winbind-3.6.23-1.mga4.x86_64.rpm
samba-debuginfo-3.6.23-1.mga4.x86_64.rpm

SRPMS:
samba-3.6.23-1.mga4.src.rpm

Commit the advisory to svn (add advisory id and srpm(s) in message for easy svn browsing):

[tmb@laptop advisories]$ svn commit -m "MGASA-2014-0138: samba-3.6.15-1.4.mga3, samba-3.6.23-1.mga4" 12999.adv

Trigger advisory mail (I usually do this after every advisory to spot any perl parser issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes):

[mga-advisories@valstar ~]$ update_mga-advisories 

Copy the advisory link from the advisory mail (in the bug 12999 case: http://advisories.mageia.org/MGASA-2014-0138.html) and paste it in the bugreport and close it as fixed.

When all advisories are pushed, update hdlists and sync from bootstrap to distrib tree for every media you pushed updates to (format is mga-send-update-sync <distro> <media>):
(it will list all files it touches / moves wich I wont list here)

[root@valstar ~]# ./mga-send-update-nosync 3 core
... long list of files...

[root@valstar ~]# ./mga-send-update-nosync 4 core
... long list of files...

And you are done and can exit all terminal windows on valstar