Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2020-02-09 Thread Christoph Biedl
Salvatore Bonaccorso wrote...

> Is this still something it is worth to pursue and address those two
> CVEs pending for stretch or is the regression risk too high?

In my opinion it is worth to pursue it - so let me rebase upon the
latest release in Debian 9 ("stretch") and upload to (old)s-p-u soon,
just after another round of regression tests. Then there's a lot of time
to let things mature.

Adam (for the stable release team), can I just go ahead, or would you
like to see an updated patch first?

From the neverending story department,

Christoph




Re: Autopkgtest preventing ocaml-dune from migrating to testing

2020-02-09 Thread Stéphane Glondu
Hello,

On 03/02/2020 at 21:05, Paul Gevers wrote:
>> Currently, ocaml-dune/2.1.3-1 is blocked in unstable because of
>> autopkgtest failure of ocaml-sedlex/2.1-3. However, this test failure
>> has been fixed in ocaml-sedlex/2.1-4. Likewise, ocaml-sedlex/2.1-4 is
>> blocked in unstable because of autopkgtest failure of itself, but this
>> test has been done with ocaml-dune/1.11.0-2 (i.e. the testing version)
>> instead of the unstable version.
>>
>> What can be done to unblock the situation?
> 
> If the issue is only with the autopkgtest, then from our point of view,
> ideally one (or both) gains a breaks on the version of the other package
> in testing. If that happens, our migration software is able to schedule
> the right combination of tests. However, we realize that sometimes
> maintainers consider such a breaks too strong. Then the only way
> currently is that we manually help the package.
> 
> Are you willing to add such a breaks to either package?

Yes, I added some breaks, and the packages migrated.

Thanks for the hint!

-- 
Stéphane



Re: [SUA 177-1] Upcoming Debian 10 Update (10.3)

2020-02-09 Thread Jacek Rz
UNSUBSCRIBE

On Mon, 3 Feb 2020, 22:40 Adam D. Barratt wrote:

>
> 
> Debian Stable Updates Announcement SUA 177-1
> https://www.debian.org/
> debian-release@lists.debian.org
> 
> Adam D. Barratt
> February 3rd, 2020
>
> 
>
> Upcoming Debian 10 Update (10.3)
>
> An update to Debian 10 is scheduled for Saturday, February 8th, 2020. As
> of now it will include the following bug fixes. They can be found in
> "buster-proposed-updates", which is carried by all official mirrors.
>
> Please note that packages published through security.debian.org are not
> listed, but will be included if possible. Some of the updates below are
> also already available through "buster-updates".
>
> Testing and feedback would be appreciated. Bugs should be filed in the
> Debian Bug Tracking System, but please make the Release Team aware of them
> by copying "debian-release@lists.debian.org" on your mails.
>
> The point release will also include a rebuild of debian-installer.
>
>
> Miscellaneous Bugfixes
> --
>
> This stable update adds a few important corrections to the following
> packages:
>
>   Package                  Reason
>   -------                  ------
>
>   alot                     Remove expiration time from test suite keys,
>                            fixing build failure
>
>   atril                    Fix segfault when no document is loaded; fix
>                            read of uninitialised memory [CVE-2019-11459]
>
>   base-files               Update for the point release
>
>   beagle                   Provide wrapper script instead of symlinks to
>                            JARs, making them work again
>
>   bgpdump                  Fix segmentation fault
>
>   boost1.67                Fix undefined behaviour leading to crashing
>                            libboost-numpy
>
>   brightd                  Actually compare the value read out of
>                            /sys/class/power_supply/AC/online with '0'
>
>   casacore-data-jplde      Include tables up to 2040
>
>   clamav                   New upstream release; fix denial of service
>                            issue [CVE-2019-15961]; remove ScanOnAccess
>                            option, replacing with clamonacc
>
>   compactheader            New upstream release compatible with
>                            Thunderbird 68
>
>   console-common           Fix regression that led to files not being
>                            included
>
>   csh                      Fix segfault on eval
>
>   cups                     Fix memory leak in ppdOpen; fix validation of
>                            default language in ippSetValuetag
>                            [CVE-2019-2228]
>
>   cyrus-imapd              Add BACKUP type to cyrus-upgrade-db, fixing
>                            upgrade issues
>
>   debian-edu-config        Keep proxy settings on client if wpad is
>                            unreachable
>
>   debian-security-support  Update security support status of several
>                            packages
>
>   debos                    Rebuild against updated
>                            golang-github-go-debos-fakemachine
>
>   dispmua                  New upstream release compatible with
>                            Thunderbird 68
>
>   dkimpy                   New upstream stable release
>
>   dkimpy-milter            Fix privilege management at startup so Unix
>                            sockets work
>
>   dpdk                     New upstream stable release
>
>   e2fsprogs                Fix potential stack underflow in e2fsck
>                            [CVE-2019-5188]; fix use after free in e2fsck
>
>   fig2dev                  Allow Fig v2 text strings ending with multiple
>                            ^A [CVE-2019-19555]; reject huge arrow types
>                            causing integer overflow [CVE-2019-19746]; fix
>                            several crashes [CVE-2019-19797]
>
>   freerdp2                 Fix realloc return handling [CVE-2019-17177]
>
>   freetds                  Tds: Make sure UDT has varint set to 8
>                            [CVE-2019-13508]
>
>   git-lfs                  Fix build issues with newer Go versions
>
>   gnubg                    Increase the size of static buffers used to
>                            build messages during program start so that the
>                            Spanish translation doesn't overflow a buffer
>
>   gnutls28                 Fix interop problems with gnutls 2.x; fix
>                            parsing of certificates using RegisteredID
>
>   gtk2-engines-murrine     Fix co-installability with other themes
>
>   

Bug#950342: marked as done (RM: volatility/2.6.1-1)

2020-02-09 Thread Debian Bug Tracking System
Your message dated Sun, 9 Feb 2020 13:18:40 +0100
with message-id <1f31697a-3216-11e1-d043-60e0b1873...@debian.org>
and subject line Re: Bug#950342: RM: volatility/2.6.1-1
has caused the Debian Bug report #950342,
regarding RM: volatility/2.6.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Please remove volatility from testing;  volatility is the last reverse
dependency of python-openpyxl, which can then be dropped.

I've already filed an RC bug against src:volatility to keep it out of testing.

Thanks,
Sandro

-- System Information:
Debian Release: 10.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Hi Sandro,

On 07-02-2020 04:14, Sandro Tosi wrote:
>> But it still has a reverse dependency. I think that package should get
>> time to drop the dependency first, don't you think (it seems to me that
>> it's a meta-package that could easily do that)?
> 
> `forensics-all` is a metapackage from `src:forensics-all`, and i
> thought we could ignore those?
> 
> anyhow, with this upload
> https://packages.qa.debian.org/f/forensics-all/news/20200205T132048Z.html
> volatility was dropped from forensics-all and now dak is clean:
> 
> ```
> $ ssh coccia.debian.org "dak rm -Rn -b volatility"
> Will remove the following packages from unstable:
> 
> volatility |2.6.1-1 | all
> 
> Maintainer: Debian Security Tools 
> 
> --- Reason ---
> 
> --
> 
> Checking reverse dependencies...
> No dependency problem found.
> ```
> 
> can we proceed?

The change migrated to testing. I have added a removal hint. Thanks.

Paul



--- End Message ---