Bug 559112 - <media-sound/teamspeak-server-bin-3.0.11.4: DOS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-29 17:40 UTC by Conrad Kostecki
Modified: 2016-01-08 08:29 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
teamspeak-server-bin-3.0.11.4.ebuild (teamspeak-server-bin-3.0.11.4.ebuild,2.35 KB, text/plain)
2015-10-16 08:21 UTC, Conrad Kostecki
teamspeak-server-bin-3.0.11.4.ebuild.diff (teamspeak-server-bin-3.0.11.4.ebuild.diff,588 bytes, patch)
2015-10-16 08:22 UTC, Conrad Kostecki

Description Conrad Kostecki gentoo-dev 2015-08-29 17:40:00 UTC
media-sound/teamspeak-server-bin-3.0.11.4 is out! :)

eBuild renaming seems enough.

=== Server Release 3.0.11.4 24 august 2015
 - fixed DOS vulnerability
 - fixed clients dropping with "convert error"
 - added some timing logs
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-09-01 14:58:09 UTC
Converting this version bump into a security bug
Comment 2 Conrad Kostecki gentoo-dev 2015-10-10 12:28:30 UTC
Will this be bumped?

I am running the old renamed ebuild without any problems.
Comment 3 Pacho Ramos gentoo-dev 2015-10-14 20:21:18 UTC
Would you like to proxy maintain this?
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 4 Conrad Kostecki gentoo-dev 2015-10-14 21:30:46 UTC
(In reply to Pacho Ramos from comment #3)
> Would you like to proxy maintain this?
> https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers

I've never done this before, but why not. I would be interested.
What would be the next steps?
Comment 5 Pacho Ramos gentoo-dev 2015-10-15 19:29:04 UTC
Well, proxy-maint are already CCed, you should attach here the updated ebuild to let them review... also, remember that usually blindly renames are not enough and you should review Changes between versions to see if something in the ebuild (new dependencies, new options to handle...) needs to be changed

Thanks
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2015-10-16 03:31:18 UTC
(In reply to Conrad Kostecki from comment #4)
> (In reply to Pacho Ramos from comment #3)
> > Would you like to proxy maintain this?
> > https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
> 
> I've never done this before, but why not. I would be interested.
> What would be the next steps?

First thing is you note Pacho's comment about "usually blindly renames are not enough". Second thing you do is re-read it. Then I suggest you go through the tarballs with a fine tooth comb and re-check the bumped ebuild.

In between I suggest you /j #gentoo-proxy-maintianers. Read the channel's title caption.
Comment 7 Conrad Kostecki gentoo-dev 2015-10-16 07:15:44 UTC
(In reply to Pacho Ramos from comment #5)
> Well, proxy-maint are already CCed, you should attach here the updated
> ebuild to let them review... also, remember that usually blindly renames are
> not enough and you should review Changes between versions to see if
> something in the ebuild (new dependencies, new options to handle...) needs
> to be changed

Hi Pacho,
I understand what you mean. I already have a couple of eBuilds, which I am updating in my local overlay. Mostly, these are packages which are "maintainer-needed". And I know that not every update is just eBuild renaming etc.
Many thanks for your advice.

(In reply to Ian Delaney from comment #6)
> First thing is you note pacho's comment about "usually blindly renames are
> not enough". Second thing you do is re-read it. Then I suggest you go
> through the tarballs with a fine tooth comb and re-check the bumped ebuild

Teamspeak itself writes that this is only a hotfix and no new features or changes. The only addition which I've made to the ebuild is currently a printed advice after the installation/update to block older clients, as teamspeak recommends this for the new teamspeak client. See here: http://forum.teamspeak.com/showthread.php/120755-SECURITY-UPDATE-TeamSpeak-3-Client-3-0-18-1-is-Available

> In between i suggest you /j #gentoo-proxy-maintianers. Read the channel's
> title caption.

I will do, thanks.

Cheers
Conrad
Comment 8 Conrad Kostecki gentoo-dev 2015-10-16 08:21:43 UTC
Created attachment 414690 [details]
teamspeak-server-bin-3.0.11.4.ebuild
Comment 9 Conrad Kostecki gentoo-dev 2015-10-16 08:22:00 UTC
Created attachment 414692 [details, diff]
teamspeak-server-bin-3.0.11.4.ebuild.diff
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2015-10-16 11:52:37 UTC
This package has a fetch restriction in place. Can you possibly acquire the tarballs and make them available so I can runtest?
Comment 11 Conrad Kostecki gentoo-dev 2015-10-16 12:04:51 UTC
(In reply to Ian Delaney from comment #10)
> This package has a fetch restriction in place. Can you possibly acquire the
> tarballs and make them available so I can runtest?

http://dl.4players.de/ts/releases/3.0.11.4/teamspeak3-server_linux-amd64-3.0.11.4.tar.gz
http://dl.4players.de/ts/releases/3.0.11.4/teamspeak3-server_linux-x86-3.0.11.4.tar.gz

DIST teamspeak3-server_linux-amd64-3.0.11.4.tar.gz 5024057 SHA256 92123aff892740c88acc30a6e3e4df1615be44f9780acd396d663bac91323a40 SHA512 4e1d04e9943f02e1bc5042da0ee3cee3520a56eac9102c02ae6415e179a1daa4f8480c55eaa01c2c1d37a3c2bf6bd90b081131ea177a78f73ce2eddfb791224a WHIRLPOOL 19e1d3726d2782cca51495d6f7f034819596c3e04cacbd784c055b2baad03bf1aa92aa24223aa9f67f7ee5f1125c83556ed454bc9ceb62c14e0eb3166148c3f7
DIST teamspeak3-server_linux-x86-3.0.11.4.tar.gz 5178378 SHA256 ca25c53aaf61f2111ba425263cd782d1556b42d579607f5390268676645c8dd2 SHA512 6bb6edbb9f8e7b5aeadfae4e9e01da6be113348648cf307d92132eb1f9e6e09406c69ec5f2769b51a0cae17776899c99e0867963dd39a515f802e01dc285d8b3 WHIRLPOOL f5a5123c99ed41e1032d96a2396e3de1c957fb4dd12ec11407f28e8768325cfb85fb5314961b1e91a2c5d34ed7226d5df417d02fc50fc95d11e96b16312fba32

Or do you want me to actually upload the *.tar.gz packages here?
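
Added example (not part of the bug thread and not Portage's own code): one way to check a self-fetched, fetch-restricted tarball against a Manifest `DIST` entry of the form pasted in comment 11, covering file name, size and every listed digest. The function names and the `sample-1.0.tar.gz` input in `demo()` are constructed for illustration; digests the local Python cannot compute are reported as unsupported rather than accepted.

```python
import hashlib
import os
import tempfile


def parse_dist_line(line):
    """Split 'DIST <name> <size> <ALGO> <hex> ...' into (name, size, digests)."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError("not a well-formed DIST entry")
    digests = dict(zip(fields[3::2], (h.lower() for h in fields[4::2])))
    return fields[1], int(fields[2]), digests


def verify_distfile(path, dist_line):
    """Return {check: 'ok' | 'MISMATCH' | 'unsupported'} for one local file."""
    name, size, digests = parse_dist_line(dist_line)
    results = {"name": "ok" if os.path.basename(path) == name else "MISMATCH",
               "size": "ok" if os.path.getsize(path) == size else "MISMATCH"}
    hashers = {}
    for algo in digests:
        try:
            hashers[algo] = hashlib.new(algo.lower())
        except ValueError:  # e.g. WHIRLPOOL when the OpenSSL build lacks it
            results[algo] = "unsupported"
    with open(path, "rb") as fh:  # one pass over the file, constant memory
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    for algo, hasher in hashers.items():
        results[algo] = "ok" if hasher.hexdigest() == digests[algo] else "MISMATCH"
    return results


def is_trusted(results):
    """Accept only with no mismatch and at least one of SHA256/SHA512 verified."""
    verified = any(results.get(a) == "ok" for a in ("SHA256", "SHA512"))
    return verified and "MISMATCH" not in results.values()


def demo():
    """Constructed sample: write a temp file, derive its DIST line, verify it."""
    data = b"constructed sample payload\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(data)
        sha256 = hashlib.sha256(data).hexdigest()
        line = f"DIST sample-1.0.tar.gz {len(data)} SHA256 {sha256}"
        return is_trusted(verify_distfile(path, line))
```

For a real check, pass the downloaded tarball's path and the matching `DIST` line copied verbatim from the Manifest to `verify_distfile()`, then gate on `is_trusted()`.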
Comment 12 Brendan Horan 2015-10-16 12:11:52 UTC
Tested ebuild + patch.
Merges without warning or error.
Comment 13 Brendan Horan 2015-10-16 12:12:18 UTC
Tested ebuild + patch.
Merges without warning or error.

Fetched the tarball myself
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2015-10-17 00:02:08 UTC
commit 3bc7c56b1612961669fb9e790e67295fb49e6b76
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Oct 17 08:00:08 2015 +0800

    media-sound/teamspeak-server-bin:  bump to -3.0.11.4
    
    Added new proxy maintainer C. Kosteki to metadata under
    proxy-maintainers herd, bump submitted via the gentoo bug,
    cross tested by user 'undersys', vulnerable version cleaned
    
    Gentoo bug: #559112 (Security bug)

See Conrad Kostecki is set as proxy maintainer
Comment 15 Conrad Kostecki gentoo-dev 2016-01-08 01:10:43 UTC
Since 3.0.11.4 is in portage, should be this bug closed, as it's the only one release in portage?
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-08 08:29:33 UTC
(In reply to Conrad Kostecki from comment #15)
> Since 3.0.11.4 is in portage, should be this bug closed, as it's the only
> one release in portage?

Yup. Proprietary software so no CVE followup through our usual channels and since it is not in stable no GLSA is needed for this.