Bug#1074054: gdk-pixbuf 2.42.2+dfsg-1+deb11u2 flagged for acceptance
package release.debian.org
tags 1074054 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: gdk-pixbuf
Version: 2.42.2+dfsg-1+deb11u2

Explanation: ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size
Bug#1074059: nodejs 18.19.0+dfsg-6~deb12u2 flagged for acceptance
package release.debian.org
tags 1074059 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: nodejs
Version: 18.19.0+dfsg-6~deb12u2

Explanation: skip flaky tests for mipsel/mips64el
Bug#1073967: jose 11-2+deb12u1 flagged for acceptance
package release.debian.org
tags 1073967 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: jose
Version: 11-2+deb12u1

Explanation: fix potential denial-of-service issue [CVE-2023-50967]
Bug#1073966: jose 10-3+deb11u1 flagged for acceptance
package release.debian.org
tags 1073966 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: jose
Version: 10-3+deb11u1

Explanation: fix potential denial-of-service issue [CVE-2023-50967]
Bug#1073923: mobian-keyring 20230202.0+deb12u1 flagged for acceptance
package release.debian.org
tags 1073923 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: mobian-keyring
Version: 20230202.0+deb12u1

Explanation: update Mobian archive key
Bug#1070137: cloud-init-22.4.2 22.4.2-2~deb11u1 flagged for acceptance
package release.debian.org
tags 1070137 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: cloud-init-22.4.2
Version: 22.4.2-2~deb11u1

Explanation: introduce later-versioned replacement for cloud-init package
Bug#1072122: cloud-init 22.4.2-1+deb12u1 flagged for acceptance
package release.debian.org
tags 1072122 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: cloud-init
Version: 22.4.2-1+deb12u1

Explanation: declare conflicts/replaces on versioned package introduced for bullseye
Bug#1071449: sendmail 8.17.1.9-2+deb12u1 flagged for acceptance
package release.debian.org
tags 1071449 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: sendmail
Version: 8.17.1.9-2+deb12u1

Explanation: fix SMTP smuggling issue [CVE-2023-51765]
Bug#1073231: sendmail 8.15.2-22+deb11u1 flagged for acceptance
package release.debian.org
tags 1073231 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: sendmail
Version: 8.15.2-22+deb11u1

Explanation: fix SMTP smuggling issue [CVE-2023-51765]
Bug#1069284: libmail-dkim-perl 1.20230212-2~deb12u1 flagged for acceptance
package release.debian.org
tags 1069284 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: libmail-dkim-perl
Version: 1.20230212-2~deb12u1

Explanation: add dependency on libgetopt-long-descriptive-perl
Bug#1069281: what-is-python 13+deb12u1 flagged for acceptance
package release.debian.org
tags 1069281 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: what-is-python
Version: 13+deb12u1

Explanation: declare breaks and replaces on python-dev-is-python2; fix version mangling in build rules
Bug#1068717: rails 6.1.7.3+dfsg-2~deb12u1 flagged for acceptance
package release.debian.org
tags 1068717 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: rails
Version: 6.1.7.3+dfsg-2~deb12u1

Explanation: declare breaks and replaces on obsolete ruby-arel package
Bug#1073206: python-aiosmtpd 1.2.2-1+deb11u1 flagged for acceptance
package release.debian.org
tags 1073206 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: python-aiosmtpd
Version: 1.2.2-1+deb11u1

Explanation: fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
Bug#1073174: lacme 0.8.0-2+deb11u2 flagged for acceptance
package release.debian.org
tags 1073174 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: lacme
Version: 0.8.0-2+deb11u2

Explanation: fix post-issuance validation logic
Bug#1073115: python-idna 2.10-1+deb11u1 flagged for acceptance
package release.debian.org
tags 1073115 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: python-idna
Version: 2.10-1+deb11u1

Explanation: fix denial of service issue [CVE-2024-3651]
Bug#1070484: tryton-client 6.0.26-1+deb12u1 flagged for acceptance
package release.debian.org
tags 1070484 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: tryton-client
Version: 6.0.26-1+deb12u1

Explanation: only send compressed content in authenticated sessions
Bug#1070478: tryton-server 6.0.29-2+deb12u2 flagged for acceptance
package release.debian.org
tags 1070478 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: tryton-server
Version: 6.0.29-2+deb12u2

Explanation: prevent "zip-bomb" attacks from unauthenticated sources
Bug#1070153: qtbase-opensource-src 5.15.8+dfsg-11+deb12u2 flagged for acceptance
package release.debian.org
tags 1070153 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: qtbase-opensource-src
Version: 5.15.8+dfsg-11+deb12u2

Explanation: fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714]
Bug#1070425: numpy 1.24.2-1+deb12u1 flagged for acceptance
package release.debian.org
tags 1070425 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: numpy
Version: 1.24.2-1+deb12u1

Explanation: conflict with python-numpy
Bug#1068715: ruby-premailer-rails 1.10.3-4~deb12u1 flagged for acceptance
package release.debian.org
tags 1068715 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: ruby-premailer-rails
Version: 1.10.3-4~deb12u1

Explanation: remove build-dependency on obsolete ruby-arel
Bug#1050588: nsis 3.08-3+deb12u1 flagged for acceptance
package release.debian.org
tags 1050588 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: nsis
Version: 3.08-3+deb12u1

Explanation: don't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64
Bug#1068920: bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1
Control: tag -1 = bookworm confirmed

On Sun, Jun 16, 2024 at 01:44:47AM +0200, Jérémy Lal wrote:
> Package: release.debian.org
> Followup-For: Bug #1068920
>
>
> Here it is.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1
Control: tag -1 confirmed

On Mon, Feb 05, 2024 at 11:26:12AM +0100, Didier 'OdyX' Raboud wrote:
> Here comes the debdiff as I would upload it.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Control: tag -1 confirmed

On Tue, Apr 09, 2024 at 04:36:05AM +0300, Maytham Alsudany wrote:
> Thank you for your feedback, attached is a revised debdiff.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1
Control: tag -1 confirmed On Sun, May 19, 2024 at 02:03:09PM +, Bastien Roucariès wrote: > diff -Nru sendmail-8.17.1.9/debian/changelog > sendmail-8.17.1.9/debian/changelog > --- sendmail-8.17.1.9/debian/changelog2023-01-11 22:26:28.0 > + > +++ sendmail-8.17.1.9/debian/changelog2024-05-13 18:44:56.0 > + > @@ -1,3 +1,24 @@ > +sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high Target should be bookworm. > diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian > sendmail-8.17.1.9/debian/NEWS.Debian > --- sendmail-8.17.1.9/debian/NEWS.Debian 1970-01-01 00:00:00.0 > + > +++ sendmail-8.17.1.9/debian/NEWS.Debian 2024-05-13 18:44:56.0 > + > @@ -0,0 +1,19 @@ > +sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium > + > + Sendmail was affected by SMTP smurgling (CVE-2023-51765). ^ "smuggling" Same query over a news file as for the bullseye request. With a couple of fixes please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
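Review bot: in the debian/NEWS.Debian hunk, the entry header still reads `bookworm-security; urgency=medium`, so the distribution needs the same change to `bookworm` that was requested for debian/changelog. The urgency also differs from the changelog entry's `urgency=high` for the same version; use one value in both headers.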
Bug#1068016: bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2
Control: tag -1 confirmed

On Sat, Apr 13, 2024 at 06:36:51PM +0200, Jérémy Lal wrote:
> node-babel7 needs node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
> (see release.d.o. #1068912).
>
> Also, even with that, the current debdiff *will FTBFS*, see #1068933.
>
> Please find attached another debdiff that addresses that issue.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068715: bookworm-pu: package ruby-premailer-rails/1.10.3-4~deb12u1
Control: tag -1 confirmed

On Tue, Apr 09, 2024 at 05:40:55PM +0200, Andreas Beckmann wrote:
> [ Reason ]
> In order to get rid of the obsolete and incompatible ruby-arel,
> ruby-premailer-rails has to drop its superfluous build dependency on it.
> ruby-arel is nowadays integrated into ruby-actionmailer and the
> incompatible ruby-arel version fortunately does not get used during
> build.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068932: bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1
Control: tag -1 confirmed

On Sat, Apr 13, 2024 at 06:01:37PM +0200, Jérémy Lal wrote:
> [ Reason ]
> FTBFS because of test failures, see #1068921
> These are regressions caused by nodejs 18.19.0+dfsg-6~deb12u1

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068920: bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1
Control: tag -1 moreinfo

On Sat, Apr 13, 2024 at 02:21:09PM +0200, Jérémy Lal wrote:
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable

The debdiff is missing, please attach.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068912: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
Control: tag -1 confirmed

On Sat, Apr 13, 2024 at 11:52:38AM +0200, Jérémy Lal wrote:
> [ Reason ]
> node-undici: FTBFS with nodejs 18.19.0+dfsg-6~deb12u1
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063530

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Control: tag -1 moreinfo Hi, On Fri, Apr 12, 2024 at 10:18:02PM +, Bastien Roucariès wrote: > diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog > --- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.0 + > +++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.0 + > @@ -1,3 +1,22 @@ > +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium Target should be bookworm. > diff -Nru > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > --- > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > 1970-01-01 00:00:00.0 + > +++ > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > 2024-03-25 08:30:56.0 + > @@ -0,0 +1,1223 @@ This patch confuses me. It seems to contain a whole series of nested patches? How do they get applied to the source package? > diff -Nru zookeeper-3.8.0/debian/patches/series > zookeeper-3.8.0/debian/patches/series > --- zookeeper-3.8.0/debian/patches/series 2023-10-29 07:57:11.0 > + > +++ zookeeper-3.8.0/debian/patches/series 2024-03-25 08:30:56.0 > + > @@ -1,19 +1,10 @@ > -#01-add-jtoaster-to-zooinspector.patch > -#02-patch-build-system.patch > 03-disable-cygwin-detection.patch > 05-ZOOKEEPER-770.patch > 06-ftbfs-gcc-4.7.patch > 07-remove-non-reproducible-manifest-entries.patch > -#08-reproducible-javadoc.patch > 10-cppunit-pkg-config.patch > 11-disable-minikdc-tests.patch > 12-add-yetus-annotations.patch > -#13-disable-netty-connection-factory.patch > -#14-ftbfs-with-gcc-8.patch > -#15-javadoc-doclet.patch > -#16-ZOOKEEPER-1392.patch > -#17-gcc9-ftbfs-925869.patch > -#18-java17-compatibility.patch > 19-add_missing-plugins-versions.patch > 20-no-Timeout-in-tests.patch > 21-use-ValueSource-with-ints.patch 
> @@ -33,3 +24,4 @@ > 35-flaky-test.patch > 36-JUnitPlatform-deprecation.patch > CVE-2023-44981.patch > +0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch Presumably these dropped patches get integrated into the nested set in 0027? Or are they actually dropped? -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
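Review bot: in the debian/patches/series hunk at `@@ -1,19 +1,10 @@`, every removed line begins with `#`, so those entries were already commented out and deleting them does not change which patches are applied. For a stable update it would be clearer to leave them in place, or to state in debian/changelog that the removal is cosmetic, so that the appended `0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch` entry stands out as the only functional change to this file.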
Bug#1068762: bookworm-pu: package oar/2.5.9-1+deb12u1
Control: tag -1 moreinfo On Wed, Apr 10, 2024 at 03:10:25PM +0200, Vincent Danjean wrote: > + * oar-web-status: add missing dependency to libcgi-fast-perl (Closes: > +#1068711) This seems to be missing in the diff, unless I've misunderstood something? debian/control isn't changed. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068717: bookworm-pu: package rails/2:6.1.7.3+dfsg-2~deb12u1
Control: tag -1 confirmed

On Tue, Apr 09, 2024 at 07:12:15PM +0200, Andreas Beckmann wrote:
> [ Reason ]
> The obsolete (but unfortunately still in bookworm present) ruby-arel is
> not compatible with ruby-activerecord in bookworm (which now integrates
> ruby-arel functionality), causing schleuder to fail in its maintainer
> scripts during upgrades.
> Let's add Breaks+Replaces to ruby-activerecord to ensure ruby-arel gets
> removed on upgrades from bookworm. This may make ruby-arel uninstallable
> in stable, so let's follow up with a RM request for that.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068954: bookworm-pu: package libnvme/1.3-1+deb12u1
Control: tag -1 confirmed On Sun, Apr 14, 2024 at 09:08:01AM +0200, Daniel Baumann wrote: > diff --git a/debian/changelog b/debian/changelog > index 2666b0a..d7cef38 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +libnvme (1.3-1+deb12u1) bookworm; urgency=medium > + > + * Uploading to bookworm. This doesn't need repeating, the target is already in the change header. Otherwise please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070193: bookworm-pu: package ansible-core/2.14.16-0+deb12u1
Control: tag -1 confirmed

On Wed, May 01, 2024 at 05:05:05PM +0200, Lee Garrett wrote:
> [ Reason ]
> This is a bugfix-only update from ansible-core 2.14.3 to 2.14.16. This fixes
> three CVEs:
> - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
> - Address issues where internal templating can cause unsafe variables to
>   lose their unsafe designation (CVE-2023-5764)
> - Prevent roles from using symlinks to overwrite files outside of the
>   installation directory (CVE-2023-5115)
>
> and various other bugfixes as seen here:
> https://salsa.debian.org/python-team/packages/ansible-core/-/blob/debian/bookworm-proposed/changelogs/CHANGELOG-v2.14.rst

1051 files changed, 8802 insertions(+), 159082 deletions(-)

Normally I'd be looking for targeted fixes for the security issues but upstream's descriptive changelog does look quite sensible.

You might want to change your version number - if 2.14.16-1 was never in sid you could use that. A +/~ revision to a version which never existed feels odd, as do -0 Debian versions (-1 being the first Debian release of this upstream version, -0 is... the zeroth?).

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069891: bookworm-pu: package ansible/7.7.0+dfsg-3+deb12u1
Control: tag -1 moreinfo

On Fri, Apr 26, 2024 at 03:05:00PM +0200, Lee Garrett wrote:
> I'm requesting to bump the version of the ansible package ("ansible-community
> collection") to the last minor semantic version of the v7 series in bookworm.
> This version has previously spent ~10 months in testing/unstable, so I'm
> fairly
> confident that any potential regressions would have been caught (so far none).

If upstream uses semver then 7.3 -> 7.7 implies new features. Along with a 10MiB diff this is usually a good indicator that it's inappropriate for stable.

The trouble with a package's time spent in sid as an indicator of reliability isn't so much the package itself, but all the differences around it like library versions. We've been bitten by that assumption before now.

Are there known issues for users which you can target with fixes rather than a wholesale backport? Otherwise maybe bookworm-backports is a better place for this, so users can choose to take slightly more risk for features, or stick with the released version and put up with known quantity bugs.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1
Control: tag -1 moreinfo

On Sun, May 12, 2024 at 05:47:31PM +, Bastien Roucariès wrote:
> I have not attached the debdiff due to the fix being a backport from sid.
> Attached debdiff to sid instead

This is not sufficient, you need to attach the source debdiff of your proposed upload relative to bookworm please.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1071267: bookworm-pu: package ipmitool/1.8.19-4
Control: tag -1 confirmed

On Fri, May 17, 2024 at 02:38:48PM +0200, Thomas Goirand wrote:
> [ Reason ]
> Currently, every time someone uses ipmitool on the command line,
> a nasty error message is displayed. Example:
>
> $ ipmitool -I lanplus -H 10.0.0.160 -U root -P mypass chassis power status
> IANA PEN registry open failed: No such file or directory
> Chassis Power is on
>
> This patch fixes it by including the missing file.

You can go ahead once the bug is marked fixed in unstable. The metadata on #1040186 doesn't show it fixed, but there's reference to a fixed version in the bug traffic so it may just need a fixed version adding.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1073202: bookworm-pu: package python-aiosmtpd/1.4.3-1.1+deb12u1
Control: tag -1 confirmed

On Fri, Jun 14, 2024 at 02:01:36PM +0100, Dale Richards wrote:
> [ Reason ]
> This update resolves two security vulnerabilities present in
> the version of python-aiosmtpd in Bookworm (1.4.3-1.1):
>
> * CVE-2024-27305 - SMTP smuggling due to poor handling of
>   non-standard line endings (Bug: #1066820)
> * CVE-2024-34083 - STARTTLS unencrypted command injection
>   (Bug: #1072119)
>
> These have both been deemed unworthy of a DSA, but the
> Security Team have suggested we update this package for the
> next Bookworm point release.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1073194: bookworm-pu: package lxc-templates/3.0.4.48.g4765da8-1+deb12u1
Control: tag -1 moreinfo

On Fri, Jun 14, 2024 at 11:53:38AM +0200, Pierre-Elliott Bécue wrote:
> [ Reason ]
> Two bugs within the lxc-debian template were spotted. Each one prevents
> using a custom mirror when generating a debian-based container with the
> lxc-debian template.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073130
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073131

These need to be fixed in unstable before an upload to bookworm will be authorised.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1073193: bookworm-pu: package tor/0.4.8.12-X
Control: tag -1 moreinfo

On Fri, Jun 14, 2024 at 09:42:39AM +, Peter Palfrader wrote:
> I see the following options:
>
> (1) Update Tor in stable to the currently released Tor stable version,
>     0.4.8.12. I have been building backports for current Tor releases for
>     a long time and generally Tor behaves well on stable.
>
> (2) Keep the current Tor version (0.4.7.16-1) in stable, but update the
>     list of directory authorities in a 0.4.7.16-2 upload. This involves
>     changing a few lines in the default config [dirauths-update].
>
> (3) Remove Tor from stable as the version is EOL.
>
> My preference is for (1). What say you?

Typically ours would be (2), but I would be open to (1) depending what the diff looks like. Are the changes extensive?

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1073175: bookworm-pu: package lacme/0.8.2-1+deb12u1
Control: tag -1 confirmed On Fri, Jun 14, 2024 at 02:10:30AM +0200, Guilhem Moulin wrote: > diff -Nru lacme-0.8.2/debian/changelog lacme-0.8.2/debian/changelog > --- lacme-0.8.2/debian/changelog 2023-04-25 20:08:21.0 +0200 > +++ lacme-0.8.2/debian/changelog 2024-06-14 01:20:13.0 +0200 > @@ -1,3 +1,17 @@ > +lacme (0.8.2-1+deb12u1) bookworm; urgency=medium > + > + * Backport upstream patches to fix post-issuance validation logic. > +We avoid pining the intermediate certificates in the bundle and instead ^ "pinning" (>1 occurrences) Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072122: bookworm-pu: package cloud-init/22.4.2-1
Control: tag -1 confirmed

On Tue, May 28, 2024 at 02:18:40PM -0700, Noah Meyerhans wrote:
> In #1070137 we introduced a backport of cloud-init 22.4.2-1 to bullseye as a
> versioned package cloud-init-22.4.2. In order to support transitioning back
> to an unversioned package on bullseye->bookworm upgrades, we introduce
> Conflicts and Replaces relationships here to the bookworm package to replace
> the versioned backport.

Is this already done in unstable? Once it is, please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072817: openrc 0.45.2-2+deb12u1 flagged for acceptance
package release.debian.org
tags 1072817 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: openrc
Version: 0.45.2-2+deb12u1

Explanation: ignore non-executable scripts in /etc/init.d
Bug#1072009: systemd 247.3-7+deb11u5 flagged for acceptance
package release.debian.org
tags 1072009 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: systemd
Version: 247.3-7+deb11u5

Explanation: meson: drop arch filtering in syscall list; unset TZ before timezone-sensitive unit tests are run
Bug#1070702: nano 7.2-1+deb12u1 flagged for acceptance
package release.debian.org
tags 1070702 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: nano
Version: 7.2-1+deb12u1

Explanation: fix format string issues; fix "with --cutfromcursor, undoing a justification can eat a line"; fix malicious symlink issue; fix example bindings in nanorc
Bug#1069836: libkf5ksieve 20.08.3-1+deb11u1 flagged for acceptance
package release.debian.org
tags 1069836 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: libkf5ksieve
Version: 20.08.3-1+deb11u1

Explanation: prevent leaking passwords into server-side logs
Bug#1069672: flatpak 1.14.8-1~deb12u1 flagged for acceptance
package release.debian.org
tags 1069672 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: flatpak
Version: 1.14.8-1~deb12u1

Explanation: new upstream stable release
Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1
Control: tag -1 confirmed On Fri, Jun 14, 2024 at 09:01:06PM +, Bastien Roucariès wrote: > diff -Nru sendmail-8.15.2/debian/NEWS.Debian > sendmail-8.15.2/debian/NEWS.Debian > --- sendmail-8.15.2/debian/NEWS.Debian1970-01-01 00:00:00.0 > + > +++ sendmail-8.15.2/debian/NEWS.Debian2024-05-13 18:44:56.0 > + > @@ -0,0 +1,19 @@ > +sendmail (8.18.1-3) unstable; urgency=medium > + > + Sendmail was affected by SMTP smurgling (CVE-2023-51765). ^ "smuggling" > + Remote attackers can use a published exploitation technique > + to inject e-mail messages with a spoofed MAIL FROM address, > + allowing bypass of an SPF protection mechanism. > + This occurs because sendmail supports some combinaison of > + . > + . > + This particular injection vulnerability has been closed, > + unfortunatly full closure need to reject mail that > + contain NUL. > + . > + This is slighly non conformant with RFC and could > + be opt-out by setting confREJECT_NUL to 'false' > + in sendmail.mc file. > + > + -- Bastien Roucariès Sun, 12 May 2024 19:38:09 + > + Is "slightly non-conformant" really good justification for a pop-up news item on upgrades? I don't recall the other MTAs doing this. It's up to you, either way please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
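Review bot: the new debian/NEWS.Debian entry is headed `sendmail (8.18.1-3) unstable` although this request is for 8.15.2-22+deb11u1 in bullseye; the bookworm request used its own upload version in the same header, so this one should be checked for consistency. The added text also needs a proofread: "combinaison", "unfortunatly" and "slighly" are misspelled, and the sentence ending "supports some combinaison of" is followed only by `.` separator lines, so as shown it never says which sequences are meant.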
Bug#1073206: bullseye-pu: package python-aiosmtpd/1.2.2-1+deb11u1
Control: tag -1 confirmed

On Fri, Jun 14, 2024 at 03:00:46PM +0100, Dale Richards wrote:
> [ Reason ]
> This update resolves two security vulnerabilities present in
> the version of python-aiosmtpd in Bullseye (1.2.2-1):
>
> * CVE-2024-27305 - SMTP smuggling due to poor handling of
>   non-standard line endings (Bug: #1066820)
> * CVE-2024-34083 - STARTTLS unencrypted command injection
>   (Bug: #1072119)

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1073174: bullseye-pu: package lacme/0.8.0-2+deb11u2
Control: tag -1 confirmed On Fri, Jun 14, 2024 at 02:07:33AM +0200, Guilhem Moulin wrote: > diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog > --- lacme-0.8.0/debian/changelog 2023-04-28 10:25:54.0 +0200 > +++ lacme-0.8.0/debian/changelog 2024-06-13 19:19:07.0 +0200 > @@ -1,3 +1,16 @@ > +lacme (0.8.0-2+deb11u2) bullseye; urgency=medium > + > + * Backport upstream patches to fix fix post-issuance validation logic. > +We avoid pining the intermediate certificates in the bundle and instead ^ "pinning" (>1 occurrences) Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
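Review bot: the first changelog bullet reads "Backport upstream patches to fix fix post-issuance validation logic", with "fix" doubled; drop one occurrence along with the "pining" correction already requested.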
Bug#1073115: bullseye-pu: package python-idna/2.10-1+deb11u1
Control: tag -1 confirmed On Thu, Jun 13, 2024 at 12:38:03AM +0200, Guilhem Moulin wrote: > Fix CVE-2024-3651: Specially crafted inputs to idna.encode() can consume > significant resources, which may lead to denial of service. Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072856: djangorestframework 3.14.0-2+deb12u1 flagged for acceptance
package release.debian.org tags 1072856 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: djangorestframework Version: 3.14.0-2+deb12u1 Explanation: reinstate missing static files
Bug#1072626: rust-cbindgen-web 0.26.0-3~deb12u1 flagged for acceptance
package release.debian.org tags 1072626 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: rust-cbindgen-web Version: 0.26.0-3~deb12u1 Explanation: new source package to support builds of newer Firefox ESR versions
Bug#1072680: rust-cbindgen-web 0.26.0-3~deb11u1 flagged for acceptance
package release.debian.org tags 1072680 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: rust-cbindgen-web Version: 0.26.0-3~deb11u1 Explanation: backport from bookworm
Bug#1072965: nvidia-graphics-drivers 470.256.02-1 flagged for acceptance
package release.debian.org tags 1072965 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: nvidia-graphics-drivers Version: 470.256.02-1 Explanation: upstream LTS and security update [CVE-2024-0090 CVE-2024-0092]
Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2
On Sat, Feb 24, 2024 at 11:16:47AM +, Daniel Markstedt wrote: > If it looks good, I will arrange for this to get uploaded. Yes, you can go ahead with that. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069836: bullseye-pu: package libkf5ksieve/20.08.3-1+deb11u1
Control: tag -1 confirmed On Thu, Apr 25, 2024 at 05:52:55PM +0200, Patrick Franz wrote: > [ Reason ] > There is a bug in libkf5sieve where the password instead of the > username is sent when using managesieve and could therefore be > logged on a server as the login will fail. Please go ahead (you may also wish to update the found versions in the original bug report). Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072653: dns-root-data 2024041801~deb11u1 flagged for acceptance
package release.debian.org tags 1072653 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: dns-root-data Version: 2024041801~deb11u1 Explanation: update root hints; update expired security information
Bug#1072239: intel-microcode 3.20240514.1~deb12u1 flagged for acceptance
package release.debian.org tags 1072239 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: intel-microcode Version: 3.20240514.1~deb12u1 Explanation: mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
Bug#1072238: intel-microcode 3.20240514.1~deb11u1 flagged for acceptance
package release.debian.org tags 1072238 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: intel-microcode Version: 3.20240514.1~deb11u1 Explanation: mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
Bug#1070108: bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u2
Control: tag -1 = bullseye pending On Thu, Jun 06, 2024 at 07:54:04AM +0800, Sean Whitton wrote: > Hmm, I uploaded it when I filed the bug. I just checked and I got an > ACCEPTED for this version number. So you did; sorry. It was linked instead to the emacs request, so I've fixed that. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1036083: galera-4 26.4.18-0+deb11u1 flagged for acceptance
package release.debian.org tags 1036083 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: galera-4 Version: 26.4.18-0+deb11u1 Explanation: new upstream bugfix release; update upstream release signing key; prevent date-related test failures
Bug#1069639: galera-4 26.4.18-0+deb12u1 flagged for acceptance
package release.debian.org tags 1069639 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: galera-4 Version: 26.4.18-0+deb12u1 Explanation: new upstream bugfix release; update upstream release signing key; prevent date-related test failures
Bug#1072035: dns-root-data 2024041801~deb12u1 flagged for acceptance
package release.debian.org tags 1072035 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: dns-root-data Version: 2024041801~deb12u1 Explanation: update root hints; update expired security information
Bug#1070108: bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u2
Control: tag -1 confirmed Hi, On Tue, Apr 30, 2024 at 09:16:06AM +0100, Sean Whitton wrote: > This is security update for CVEs marked no-dsa by the secteam. > It backports a series of upstream commits for CVE-2024-30203, CVE-2024-30204 > and CVE-2024-30205. Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072239: bookworm-pu: package intel-microcode/3.20240514.1~deb12u1
Control: tag -1 confirmed Hi, On Thu, May 30, 2024 at 04:37:22PM -0300, Henrique de Moraes Holschuh wrote: > As requested by the security team, I would like to bring the microcode > update level for Intel processors in Bullseye and Bookworm to match what > we have in Sid and Trixie. This is the bug report for Bookworm, a > separate one will be filed for Bullseye. Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072238: bullseye-pu: package intel-microcode/3.20240514.1~deb11u1
Control: tag -1 confirmed Hi, On Thu, May 30, 2024 at 03:56:03PM -0300, Henrique de Moraes Holschuh wrote: > As requested by the security team, I would like to bring the microcode > update level for Intel processors in Bullseye and Bookworm to match what > we have in Sid and Trixie. This is the bug report for Bullseye, a > separate one will be filed for Bookworm. Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072248: bullseye-pu: package runc/1.0.0~rc93+ds1-5+deb11u4
Control: tag -1 confirmed Hi, On Fri, May 31, 2024 at 01:07:48AM +0200, Daniel Leidert wrote: > This proposed update fixes all the outstanding CVEs in runc that have already > been fixed in Buster, Bookworm, and Trixie/Sid. The affected CVEs are: > > - - CVE-2021-43784 > - - CVE-2023-25809 > - - CVE-2023-27561/CVE-2023-28642 > Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1072653: bullseye-pu: package dns-root-data/2024041802~deb11u1
Hi, On Sat, Jun 01, 2024 at 01:35:19AM +0200, Marco d'Itri wrote: > On May 30, Emilio Pozuelo Monfort wrote: > > > This looks reasonable to me. Should a similar update be proposed for > > bullseye? > Yes, uploaded. What you've actually uploaded for bullseye differs in version number: +dns-root-data (2024041802~deb11u1) bullseye; urgency=medium This is greater than the proposed bookworm update, causing upgrades to fail. Please upload again with 2024041801~deb11u1 and I will reject the incorrect one. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1071417: org-mode 9.4.0+dfsg-1+deb11u2 flagged for acceptance
package release.debian.org tags 1071417 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: org-mode Version: 9.4.0+dfsg-1+deb11u2 Explanation: protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
Bug#1069943: emacs 27.1+1-3.1+deb11u4 flagged for acceptance
package release.debian.org tags 1069943 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: emacs Version: 27.1+1-3.1+deb11u4 Explanation: fix memory leak in patch for CVE-2022-48337
Bug#1069802: bullseye-pu: package galera-4 26.4.18-0+deb11u1
Control: tag -1 confirmed On Fri, May 24, 2024 at 11:27:12PM -0700, Otto Kekäläinen wrote: > I uploaded now with 'dput --delayed=7 ftp-master *.changes' as it is > unlikely this will get any further review, nor need it as it is just a > regular new minor upstream release. You can reschedule with no delay. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069639: Acknowledgement (bookworm-pu: package galera-4 26.4.18-0+deb12u1)
Control: tag -1 confirmed On Fri, May 24, 2024 at 11:04:01PM -0700, Otto Kekäläinen wrote: > I uploaded now with 'dput --delayed=7 ftp-master *.changes' as it is > unlikely this will get any further review, nor need it as it is just a > regular new minor upstream release. You can reschedule with no delay. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070137: bullseye-pu: package cloud-init/22.4.2-1
On Sat, May 25, 2024 at 10:42:42AM -0700, Noah Meyerhans wrote: > Yes, we will need to add that in a bookworm stable update. I expect > we'll want a separate spu bug to track that, correct? Yes please. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1068695: json-smart 2.2-2+deb12u1 flagged for acceptance
package release.debian.org tags 1068695 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: json-smart Version: 2.2-2+deb12u1 Explanation: fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
Bug#1068694: json-smart 2.2-2+deb11u1 flagged for acceptance
package release.debian.org tags 1068694 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: json-smart Version: 2.2-2+deb11u1 Explanation: fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
Bug#1069943: bullseye-pu: package emacs/27.1+1-3.1+deb11u3
Control: tag -1 confirmed Control: retitle -1 bullseye-pu: package emacs/27.1+1-3.1+deb11u4 On Sun, May 19, 2024 at 11:30:26AM +0100, Sean Whitton wrote: > How should we proceed? Please go ahead. Since the test package Adam built installs correctly, which was the original symptom, I'm satisfied that users will be able to install it as well or we will get better reports to inform a regression update. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070137: bullseye-pu: package cloud-init/22.4.2-1
Control: tag -1 confirmed On Thu, May 16, 2024 at 11:05:50AM -0700, Noah Meyerhans wrote: > > diff --git a/debian/changelog b/debian/changelog > index 9bd33d11..bc3b921c 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,9 @@ > +cloud-init-22.4.2 (22.4.2-2~bpo11+1) bullseye-security; urgency=medium That should be 22.4.2-2~deb11u1 and targeting bullseye. Otherwise please go ahead. How will users upgrading from bullseye to bookworm get back to the normal cloud-init package? Do you plan to have versioned replaces in reverse so apt transitions them back? Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#985257: Location of example scripts?
Hi, On Thu, May 16, 2024 at 11:30:26AM +, c.bu...@posteo.jp wrote: > I do have a side question regarding a possible solution of this issue. > Back In Time (BIT) still has eight example callback scripts in a separate > repo [1]. I plan to integrate them into the primary repo. But I ask myself > where to install them when "./configure && make && sudo make install" is > called? > > BIT does look in "~/.config/backintime" for a file named "user-callback". > > I would propose to install the 8 example scripts in this folder with a > naming pattern that backintime does treat them as not active in the first > place. > > ~./config/user-callback.example.default > ~./config/user-callback.example.apt-backup > ~./config/user-callback.example.sendmail > ~./config/user-callback.example.notify > ... > > So these scripts would become a part of the "backintime-commen" package. > > Is this acceptable for you as Debian Maintainers? The correct place for these is in /usr/share/doc/, at least as far as Debian is concerned. The package manager has no business touching files in user home directories and if you build that into upstream, the Debian packaging will have to work around it. Cheers, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070158: qtbase-opensource-src 5.15.2+dfsg-9+deb11u1 flagged for acceptance
package release.debian.org tags 1070158 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: qtbase-opensource-src Version: 5.15.2+dfsg-9+deb11u1 Explanation: security fixes [CVE-2022-25255 CVE-2023-24607 CVE-2023-32762 CVE-2023-32763 CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197 CVE-2023-51714 CVE-2024-25580]
Bug#1064029: mailman3 3.3.8-2~deb12u2 flagged for acceptance
package release.debian.org tags 1064029 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: mailman3 Version: 3.3.8-2~deb12u2 Explanation: depend alternatively on cron-daemon; fix postgresql:// url in post-installation script
Bug#1055656: ms-gsl 4.0.0-2+deb12u1 flagged for acceptance
package release.debian.org tags 1055656 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: ms-gsl Version: 4.0.0-2+deb12u1 Explanation: mark not_null constructors as noexcept
Bug#1070158: distro-info-data 0.51+deb11u6 flagged for acceptance
package release.debian.org tags 1070158 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: distro-info-data Version: 0.51+deb11u6 Explanation: declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
Bug#1070137: bullseye-pu: package cloud-init/22.4.2-1
Control: tag -1 moreinfo Hi, On Tue, Apr 30, 2024 at 11:21:01AM -0700, Noah Meyerhans wrote: > There are pros and cons to each option. Given bullseye's age and > cloud-init's blast radius (a regression could potentially disrupt the > provisioning process of cloud VMs, which is particularly disruptive in > such environments) I lean toward option (2) above, as it minimizes the > changes. The obvious drawback is that we now have two versions of > cloud-init in the bullseye repositories, which was not the case > previously. The cloud team is committed to supporting this situation > for the duration of the bullseye LTS lifetime. I think I lean towards option 2 as well. I assume the versioning is calendar-based not semantic, so it's hard to know how disruptive 20.x -> 22.x would be, and meaningful testing across all the platforms it could be deployed on is unrealistic. Can you attach proposed debian/control and debian/changelog files please? Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069880: bullseye-pu: package cpu/1.4.3-14~deb11u1
Control: tag -1 confirmed On Fri, Apr 26, 2024 at 12:01:33PM +0200, Andreas Beckmann wrote: > The last QA upload four years ago fixed a FTBFS (multiple definitions of > a global variable) by replacing that variable with an extern declaration > and zero definitions. This didn't result in a linker error (missing > symbol) because it happens in a plugin library and thus is only detected > at runtime when the plugin gets loaded (i.e. always). > So let's ship the plugin with *one* definition of the global variable > ;-) Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069943: bullseye-pu: package emacs/27.1+1-3.1+deb11u3
Control: tag -1 moreinfo Hi, On Sat, Apr 27, 2024 at 12:34:45PM +0100, Sean Whitton wrote: > This update also has the effect of rolling in changes already in > oldstable-security earlier than the usual point release copy, as > oldstable-security has deb11u2, while oldstable still has deb11u1. The security release hasn't been accepted into bullseye yet because there were reports of it being broken on mips64el. There was a bug but I'm afraid I don't have a reference to it. Do you know if your version solves the issue? If it does I can accept the security first for you to rebase against if that helps with the diffs. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070158: bullseye-pu: package distro-info-data/0.51+deb11u6
On Sun, May 12, 2024 at 11:55:45AM +, stefa...@debian.org wrote: > Hi Jonathan (2024.05.12_10:56:13_+) > > Control: tag -1 confirmed > > > > On Tue, Apr 30, 2024 at 08:58:52PM -0400, Stefano Rivera wrote: > > > 1. bullseye and bookworm LTS & ELTS. > > > 2. Ubuntu 24.10 Oracular Oriole > > > > Please go ahead, but if you'd prefer to wait until the final date for > > bullseye is determined feel free to wait and amend. > > It was uploaded when I filed the bug. So it was, sorry. > I'd say accept it now, and if we miss getting bullseye's final EoL in, > we can do it via LTS. Ok. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070761: bart-cuda 0.6.00-1+deb11u1 flagged for acceptance
package release.debian.org tags 1070761 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: bart-cuda Version: 0.6.00-1+deb11u1 Explanation: fix build test failures by relaxing a floating-point comparison
Bug#1070723: bart 0.6.00-3+deb11u1 flagged for acceptance
package release.debian.org tags 1070723 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: bart Version: 0.6.00-3+deb11u1 Explanation: fix build test failures by relaxing a floating-point comparison
Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1
Control: tag -1 confirmed On Tue, Apr 30, 2024 at 11:26:17PM +, Thorsten Alteholz wrote: > The attached debdiff for qtbase-opensource-src fixes several CVEs in > Bullseye. All CVEs are marked as no-dsa by the security team. Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070799: bullseye-pu: package rustc-web/1.70.0+dfsg1-7~deb11u1
Control: tag -1 confimed moreinfo Hi, On Thu, May 09, 2024 at 12:36:16PM +0200, Emilio Pozuelo Monfort wrote: > rustc-web is needed to keep supporting firefox-esr/thunderbird on bullseye, > for the upcoming ESR 128 releases. Instead of updating rustc-mozilla, I > decided to backport the newer rustc-web (adopting that name) from bookworm. > The backport is clean, just a changelog bump. I'm attaching the debdiff from > the bookworm update to this one. Should rustc-mozilla be removed from oldstable as well as rustc-web introduced? -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1070158: bullseye-pu: package distro-info-data/0.51+deb11u6
Control: tag -1 confirmed On Tue, Apr 30, 2024 at 08:58:52PM -0400, Stefano Rivera wrote: > 1. bullseye and bookworm LTS & ELTS. > 2. Ubuntu 24.10 Oracular Oriole Please go ahead, but if you'd prefer to wait until the final date for bullseye is determined feel free to wait and amend. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1067544: libmicrohttpd 0.9.72-2+deb11u1 flagged for acceptance
package release.debian.org tags 1067544 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: libmicrohttpd Version: 0.9.72-2+deb11u1 Explanation: fix out of bounds read with crafted POST requests [CVE-2023-27371]
Bug#1068082: intel-microcode 3.20240312.1~deb11u1 flagged for acceptance
package release.debian.org tags 1068082 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: intel-microcode Version: 3.20240312.1~deb11u1 Explanation: fixes for INTEL-SA-INTEL-SA-00972 [CVE-2023-39368], INTEL-SA-INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-INTEL-SA-00898 [CVE-2023-28746], INTEL-SA-INTEL-SA-00960 [CVE-2023-22655] and INTEL-SA-INTEL-SA-01045 [CVE-2023-43490]
Bug#1064550: libjwt 1.10.2-1+deb11u1 flagged for acceptance
package release.debian.org tags 1064550 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: libjwt Version: 1.10.2-1+deb11u1 Explanation: fix a timing side channel via strcmp() [CVE-2024-25189]
Bug#1070157: distro-info-data 0.58+deb12u2 flagged for acceptance
package release.debian.org tags 1070157 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: distro-info-data Version: 0.58+deb12u2 Explanation: declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
Bug#1066842: extrepo-data 1.0.3+deb12u1 flagged for acceptance
package release.debian.org tags 1066842 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: extrepo-data Version: 1.0.3+deb12u1 Explanation: update repository information
Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1
Control: tag -1 confirmed Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1066842: Updating extrepo-offline-data in Debian Stable (debdiff)
On Tue, Apr 23, 2024 at 09:10:54AM +0200, Thomas Goirand wrote: > diff -Nru extrepo-data-1.0.3/debian/changelog > extrepo-data-1.0.3+deb12u1+1/debian/changelog > --- extrepo-data-1.0.3/debian/changelog 2022-10-13 16:27:28.0 > +0200 > +++ extrepo-data-1.0.3+deb12u1+1/debian/changelog 2024-04-23 > 09:03:00.0 +0200 > @@ -1,3 +1,10 @@ > +extrepo-data (1.0.3+deb12u1+1) bookworm; urgency=medium > + > + * Update the repo data from the Debian unstable branch. > + * Fix d/copyright mime syntax. > + > + -- Thomas Goirand Tue, 23 Apr 2024 09:03:00 +0200 There's a stray "+1" in the version, should be 1.0.3+deb12u1. Is this actually a backport of current unstable though? In which case it should include the changelog from 1.0.4 and be 1.0.4~deb12u1. With one fix or the other, go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1