- Package: release.debian.org
- Source: release.debian.org
- Submitter: Andreas Beckmann
- Date: 2022-07-09 10:51:15 UTC
- Severity: normal
- Tags:
Hi,

I'd like to update nvidia-graphics-drivers/non-free to a new upstream release to fix CVE-2022-21813, CVE-2022-21814.

Since the 460 driver series seems to be EoL now, we need to switch to the 470 series (supported until 07/2024), which supports a superset of the GPUs supported by the 460 drivers. The first 470 release was only a few days before the bullseye release and therefore too late to migrate in time. (The 495 and later releases again drop support for some ancient cards (and therefore I won't consider them for bullseye-pu), leaving the legacy support in the 470 series.)

It comes with a few packaging changes:

There is a new B-D: libnvidia-egl-wayland1 - we use the library built from source instead of the one bundled with the blob.

There is a new binary package: libnvidia-nvvm4

This binary package was removed: libegl1-nvidia, leftover from the non-glvnd packages and no longer usable. It was still installable, but not along the other driver components. Consequently, some non-glvnd alternatives have been dropped as well. (nvidia-driver-libs-nonglvnd only existed up to the 418 series)

The tesla-440 driver is no longer in the archive (and was not in bullseye), dropping it from alternatives.

There are some files with large pci id lists being added: two are used by nvidia-detect for the 470 driver (debian/detect/*.ids), the others are for maintainer convenience to document the EoL GPU models (debian/end-of-life-*)

A new conffile (nvidia-options.conf) is being added to show in a working way how to load the module with custom options set. (The existing one from nvidia-kernel-support did not take into account our weird way of module renaming for co-installability.)

Not to forget the usual patch and lintian refresh.

Some ancient history was added to the changelog to better document kernel support backporting that happened for legacy drivers.

If you have more questions, please let me know.

This update will also require updates to

  nvidia-modprobe (versioned Depends)
  nvidia-settings (versioned Recommends)
  nvidia-xconfig (keep major version in sync)
  nvidia-persistenced (keep major version in sync)

Andreas

Control: tags -1 + confirmed

Please go ahead; thanks.

As with the other updates which will need to go through NEW, if this one doesn't make it in time for 11.3, are there any other nvidia-* updates that we'll need to hold as well?

Should this update wait for the nvidia-*-tesla-470 packages to be available? I realise the drivers are only in Suggests, so I guess it should be fine, but just wanted to confirm.

Regards,

Adam

other updates

We could do the update of nvidia-graphics-drivers/470.103.01 in two stages:

* deb11u1 with libnvidia-nvvm4 disabled (there are no rdepends), avoiding NEW + all the other */470.* (but not *-tesla-470/*) updates
* deb11u2 with libnvidia-nvvm4 enabled, going through NEW, s.t. the driver does not differ feature-wise from 470 elsewhere

If libnvidia-nvvm4 doesn't make it through NEW in time, we only lose an "optional" package but are still able to update the whole stack to 470.

The two *-tesla-470 source packages need to go in together, but the rest of the stack does not have to wait for them. The only dependency is to have nvidia-modprobe/470.* first ;-)

Once we have *-tesla-470, I'll come with an update for *-tesla-460 to turn it into transitional packages switching to *-tesla-470 (first test uploaded a few days ago to sid)

Andreas

That might be best if we want to get the rest of the stack into 11.3.

The window closes "tomorrow", which is mostly "when Adam has had enough", but is usually by the start of the 19:52 dinstall at the latest.

Regards,

Adam

FTR, the incremental debdiff from 470.103.01-1 to 470.103.01-3~deb11u1: it contains the same additional changes also added with the tesla-450 upload and some preparations for phasing out tesla-460 in favor of tesla-470.

Having these changes without adding tesla-470 driver and turning tesla-460 into transitional packages at the same time does no harm (some Suggests will be gone and nvidia-detect will no longer report tesla-460 as a candidate while it might mention "you could also install the tesla-470 driver").

There is also temporarily turning off libnvidia-nvvm4 to avoid NEW, which will be turned on again in ~deb11u2 going through NEW.

Andreas

Not sure if relative date "tomorrow" meant Sunday or Monday. If it's too late now, no problem, we can postpone the remaining updates for the next point release (and have NEW processed by then, too).

Andreas

Apologies for the confusion - "tomorrow" was Sunday, so it is indeed too late for 11.3 now.

We have nvidia-graphics-drivers-tesla-450 and nvidia-modprobe in p-u ready to be part of the point release. My understanding from your previous comments is that should work OK without the remaining updates, but please yell if I've misunderstood.

Regards,

Adam

package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u1

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u2

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye point release.

Regards,

Adam