Bug#1050121: cryptmount 5.3.3-1+deb11u1 flagged for acceptance

2023-09-25 Thread Adam D Barratt
package release.debian.org
tags 1050121 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: cryptmount
Version: 5.3.3-1+deb11u1

Explanation: fix memory-initialization in command-line parser



Bug#1051910: mirror submission for ossmirror.mycloud.services

2023-09-25 Thread Adam D. Barratt
Hi,

The published list is generated by an automated process that checks on
the status of the mirror in recent days. You can see the current status
of your mirror at 
https://mirror-master.debian.org/status/mirror-info/ossmirror.mycloud.services.html

The score needs to reach at least 50 currently before the automation
will consider including it.

Regards,

Adam

On Mon, 2023-09-25 at 09:52 +0800, OSSMirror@OnboardCloud wrote:
> Hi Adam,
>  
> We were looking at the mirror listing and our mirror does not seem to
> have been listed yet.
>  
> https://www.debian.org/mirror/list-full#SG
>  
>  
> May I enquire do you know roughly how long does it take for the
> mirror to be listed?
>  
> Best regards,
>  
> -Original Message-
> From: OSSMirror@OnboardCloud 
> Date: Sunday, 24 September 2023 at 3:31 AM
> To: Adam D. Barratt 
> Cc: 1051...@bugs.debian.org <1051...@bugs.debian.org>
> Subject: Re: Bug#1051910: mirror submission for
> ossmirror.mycloud.services
> 
> Thanks Adam for the clarification and kind assistance!
>  
> On 24 Sep 2023, at 2:56 AM, Adam D. Barratt wrote:
>  
> On Sun, 2023-09-24 at 01:57 +0800, OSSMirror@OnboardCloud wrote:
> > Hi Adam,
> >
> > Thanks for the reply. Could you elaborate further what do you mean
> > as the /debian/ works:
> >
> > http://ossmirror.mycloud.services/debian/
> >
>  
> Ah, right - I was misled by the index of
> http://ossmirror.mycloud.services implying that only /os/ existed,
> and didn't check for an alias.
>  
> Regards,
>  
> Adam
>  
>  
>  



Bug#1049974: Bug#1052543: plasma-workspace 5.27.5-2+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D. Barratt
package release.debian.org
tags 1049974 = bookworm pending
thanks

Re-sending to the right bug...

On Sun, 2023-09-24 at 19:38 +, Adam D Barratt wrote:
> package release.debian.org
> tags 1052543 = bookworm pending
> thanks
> 
> Hi,
> 
> The upload referenced by this bug report has been flagged for
> acceptance into the proposed-updates queue for Debian bookworm.
> 
> Thanks for your contribution!
> 
> Upload details
> ==
> 
> Package: plasma-workspace
> Version: 5.27.5-2+deb12u1
> 
> Explanation: fix crash in krunner
> 
> 



Bug#1052552: libapache-mod-jk 1.2.48-1+deb11u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052552 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: libapache-mod-jk
Version: 1.2.48-1+deb11u1

Explanation: remove implicit mapping functionality, which could lead to 
unintended exposure of the status worker and/or bypass of security constraints 
[CVE-2023-41081]



Bug#1052150: openssh 8.4p1-5+deb11u2 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052150 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: openssh
Version: 8.4p1-5+deb11u2

Explanation: fix remote code execution issue via a forwarded agent socket 
[CVE-2023-38408]



Bug#1050332: inetutils 2.0-1+deb11u2 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1050332 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: inetutils
Version: 2.0-1+deb11u2

Explanation: check return values for set*id() functions, avoiding potential 
security issues [CVE-2023-40303]



Bug#1042057: pandoc 2.9.2.1-1+deb11u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1042057 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: pandoc
Version: 2.9.2.1-1+deb11u1

Explanation: fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745]



Bug#1052543: plasma-workspace 5.27.5-2+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052543 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: plasma-workspace
Version: 5.27.5-2+deb12u1

Explanation: fix crash in krunner



Bug#1052543: plasma-framework 5.103.0-1+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052543 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: plasma-framework
Version: 5.103.0-1+deb12u1

Explanation: fix plasmashell crashes



Bug#1052149: openssh 9.2p1-2+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052149 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: openssh
Version: 9.2p1-2+deb12u1

Explanation: fix remote code execution issue via a forwarded agent socket 
[CVE-2023-38408]



Bug#1051594: samba 4.17.11+dfsg-0+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1051594 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: samba
Version: 4.17.11+dfsg-0+deb12u1

Explanation: new upstream stable release



Bug#1051171: qtlocation-opensource-src 5.15.8+dfsg-3+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1051171 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: qtlocation-opensource-src
Version: 5.15.8+dfsg-3+deb12u1

Explanation: fix freeze when loading map tiles



Bug#1052479: lxc 5.0.2-1+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052479 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: lxc
Version: 5.0.2-1+deb12u1

Explanation: fix nftables syntax for IPv6 NAT



Bug#1052070: mutt 2.2.12-0.1~deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052070 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: mutt
Version: 2.2.12-0.1~deb12u1

Explanation: new upstream stable release



Bug#1052553: libapache-mod-jk 1.2.48-2+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052553 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: libapache-mod-jk
Version: 1.2.48-2+deb12u1

Explanation: remove implicit mapping functionality, which could lead to 
unintended exposure of the status worker and/or bypass of security constraints 
[CVE-2023-41081]



Bug#1052007: lxcfs 5.0.3-1+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1052007 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: lxcfs
Version: 5.0.3-1+deb12u1

Explanation: fix CPU reporting within an arm32 container with large numbers of 
CPUs



Bug#1051302: jekyll 4.3.1+dfsg-3+deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1051302 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: jekyll
Version: 4.3.1+dfsg-3+deb12u1

Explanation: support YAML aliases



Bug#1050997: lemonldap-ng 2.16.1+ds-deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1050997 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: lemonldap-ng
Version: 2.16.1+ds-deb12u1

Explanation: 



Bug#1042903: firewalld 1.3.3-1~deb12u1 flagged for acceptance

2023-09-24 Thread Adam D Barratt
package release.debian.org
tags 1042903 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: firewalld
Version: 1.3.3-1~deb12u1

Explanation: don't mix IPv4 and IPv6 addresses in a single nftables rule



Bug#1051902: bullseye-pu: package dpkg/1.20.13

2023-09-24 Thread Adam D. Barratt
Control: tags -1 confirmed

On Thu, 2023-09-14 at 00:28 +0200, Guillem Jover wrote:
> This update backports the loong64 arch support as requested in
> #1051763 because some of the Debian infra is still using bullseye.
> There's also a fix for a segfault on virtual field formatting which
> is rather easy to trigger for packages that are known to dpkg, but
> are not installed, such as virtual packages or references from
> Recommends or Suggests, which was also included in the 1.21.22
> pre-approval request included in bookworm. And finally a fix for a memory
> leak, included in 1.22.0 in unstable.
> 

Please go ahead, bearing in mind that the window for 11.8 closes over
the coming weekend.

Regards,

Adam



Bug#1042058: bookworm-pu: package pandoc/2.17.1.1-2~deb12u1

2023-09-24 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-07-25 at 23:40 +0200, Guilhem Moulin wrote:
> pandoc 2.17.1.1-1.1 is vulnerable to CVE-2023-35936: Arbitrary file
> write vulnerability via specially crafted image element in the input
> when generating files using the `--extract-media` option or
> outputting to PDF format.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-24 Thread Adam D. Barratt
On Sat, 2023-09-23 at 22:10 +0100, Adam D. Barratt wrote:
> Control: tags -1 confirmed
> 
> On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> > As reported in https://bugs.debian.org/1051408 , current flameshot
> > in Debian 11 (Bullseye) will silently upload the current captured
> > screenshot to imgur without confirmation whenever the corresponding
> > hotkey is pressed. This imposes a security risk of leaking
> > sensitive information.
> > 
> > In order to mitigate this issue, I propose to upload flameshot
> > 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token
> > hardcoded in the source code. Users who wish to utilize the img
> > uploading feature can fill in their own imgur token in flameshot
> > config window to re-enable the feature.
> > 
> 
> Please go ahead.
> 

I should have spotted this before, but the news file in the source
package should simply be named "debian/NEWS"; dh_installchangelogs will
then install it as NEWS.Debian in the binary package.

It's up to you whether you want to upload a +deb11u2 that simply fixes
that, or would prefer that we reject the existing upload and you can
upload a fixed +deb11u1.

Regards,

Adam



Bug#1049955: bookworm-pu: package qemu/1:7.2+dfsg-7+deb12u2

2023-09-24 Thread Adam D. Barratt
On Sun, 2023-09-24 at 06:52 +0300, Michael Tokarev wrote:
> 23.09.2023 23:45, Adam D. Barratt wrote:
> > Control: tags -1 confirmed
> > 
> > On Thu, 2023-08-17 at 12:54 +0300, Michael Tokarev wrote:
> > > There's a next upstream qemu stable/bugfix release, fixing a
> > > big number of various issues, including 3 (minor) security
> > > issues too.  The full list is in the changelog below and
> > > in the upstream git (mirrored in salsa too).
> ...
> 
> > Please go ahead.
> 
> It is a "good" timing, Adam.  Just 2 days ago I sent announcement
> for a new qemu stable-7.2.6 release fixing a bunch of more bugs,
> and fixing an important class of security issues too.
> 
> https://lore.kernel.org/qemu-devel/bf422038-5f0a-e9ca-1eb3-ed25442c7...@tls.msk.ru/
> 
> "Good" because I forgot to send a note to this bug report about the
> upcoming release (it was planned) and as a result we clashed.
> 
> I prepared debian package (based on this new 7.2.6), it is in testing
> now on my local machine.
> 
> Will it be easier to upload the reviewed 7.2+dfsg-7+deb12u2 (based on
> 7.2.5) and close this bug#, and later make 7.2+dfsg-7+deb12u3 (based
> on 7.2.6), or update current bug# with new release?
> 
> I guess it's better to do it step by step, closing this bug# and
> filing a new one.
> 

That might depend when you expect to be ready with the newer update. 

The window for 12.2 closes next weekend, so if you'd rather have more
time to test and work on the 7.2.6 update, it would make sense to
upload the 7.2.5-based update for 12.2, and then the newer update for
12.3.

Regards,

Adam



Bug#1052227: bookworm-pu (pre-approval): mutter/43.8-0+deb12u1

2023-09-24 Thread Adam D. Barratt
On Sun, 2023-09-24 at 11:31 +0100, Simon McVittie wrote:
> On Sat, 23 Sep 2023 at 20:44:14 +0100, Adam D. Barratt wrote:
> > On Tue, 2023-09-19 at 11:26 +0100, Simon McVittie wrote:
> > > Several new upstream bugfix releases. I've been trying to get
> > > these into a suitable state for a stable update since 12.1, but
> > > every time I've been testing one long enough to think about
> > > asking for upload approval, there have been more bugfixes
> > > upstream and the cycle starts again.
> > > 
> > > This might be the last upstream bugfix release in the 43.x
> > > series, or we might get a 43.9.
> > > 
> > 
> > Please go ahead.
> 
> To be clear, do you want this and the accompanying gnome-shell update
> uploaded in time for 12.2, or should I upload them after 12.2 for
> inclusion in 12.3 as I suggested in the request?
> 

I'm more than happy to trust your judgement here. If you'd rather wait
until 12.3, that's fine. There's certainly no need to rush from the SRM
side.

> I have been asked to roll one additional change into this update:
> updating the (non-upstream) triple-buffering patch to its latest
> version, which fixes an issue where some session types (Xorg and some
> video drivers like Raspberry Pi) would only refresh at 30fps rather
> than the intended 60fps, fixing 
> https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/2017137
> and
> https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/2017097. I have
> not tested that change yet, but the equivalent for mutter 44 has been
> in Ubuntu since May. After I've tested it in v43 on Debian, would
> that be OK to include? The additional diff (beyond what you already
> saw) will be what's attached, plus a changelog entry.
> 

That sounds OK; thanks.

Regards,

Adam



Bug#1052543: bookworm-pu: package plasma-framework/5.103.0-1+deb12u1

2023-09-24 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sun, 2023-09-24 at 13:26 +0200, Patrick Franz wrote:
> Upstream KDE has received a number of bug reports about plasmashell
> crashing when closing windows. This patch backports the fix to
> avoid these crashes back into bookworm.
> 

Please go ahead.

Regards,

Adam



Bug#1052455: bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u1

2023-09-24 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sun, 2023-09-24 at 22:27 +1000, Hugh McMaster wrote:
> Control: tags -1 -moreinfo
> 
> Hi Adam,
> 
> On Sun, 24 Sept 2023 at 05:53, Adam D. Barratt wrote:
> > Control: tags -1 moreinfo
> > 
> > On Fri, 2023-09-22 at 22:16 +1000, Hugh McMaster wrote:
> > > FreeType 2.12.1 shipped with experimental COLRv1 support enabled.
> > > This was unintentional, as the implementation shipped in this
> > > release was incomplete and incompatible with the final COLRv1 API.
[...]
> > Do we know if any applications shipped in bookworm attempt to use
> > this partial API? If so, do we know how they'll handle the change?
> 
> The API function call appears in several packages that include
> internal copies of FreeType: openjdk-{11, 19, 20} and godot
> 3.5.2-stable-2. However, none of them call PUT_COLOR_LAYERS_V1() to
> access the API.
> 
> I doubt many people know the COLRv1 API is in FreeType 2.12.1, as the
> API is not mentioned in the release notes for that version. In saying
> that, upstream recommends disabling the COLRv1 API.

OK, thanks.

Please go ahead.

Regards,

Adam



Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> As reported in https://bugs.debian.org/1051408 , current flameshot
> in Debian 11 (Bullseye) will silently upload the current captured
> screenshot to imgur without confirmation whenever the corresponding
> hotkey is pressed. This imposes a security risk of leaking sensitive
> information.
> 
> In order to mitigate this issue, I propose to upload flameshot
> 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
> in the source code. Users who wish to utilize the img uploading
> feature can fill in their own imgur token in flameshot config
> window to re-enable the feature.
> 

Please go ahead.

Regards,

Adam



Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4

2023-09-23 Thread Adam D. Barratt
Control: tags -1 moreinfo

On Wed, 2023-09-20 at 21:40 +, Thorsten Alteholz wrote:
> The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360
> in Bullseye. These CVEs have been marked as no-dsa by the security
> team, but at least CVE-2023-32360 got an RC bug (#1051953).
> 

+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double
check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
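
Review bot: the entry header "cups (2.4.2-6) unstable" names a version and distribution that do not match this request, which is for 2.3.3op2-3+deb11u4 in bullseye. Please check that the NEWS entry is headed with the version and suite actually being uploaded, so the entry is attributed to the stable update rather than to the unstable package.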

The same query as for bookworm applies here - do we expect users to
know how to find the patch?

Regards,

Adam



Bug#1052288: bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 23:11 +0200, Moritz Muehlenhoff wrote:
> Various low severity security issues in qemu, debdiff below.
> I've tested this on a Bullseye ganeti cluster using the
> updated qemu.
> 

Please go ahead.

Regards,

Adam



Bug#1052222: bullseye-pu: package python2.7/2.7.18-8+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 10:36 +0200, Helmut Grohne wrote:
> I know that officially, we do not consider Python 2.7 covered by
> security support. In bullseye, it has merely been kept to support a
> small minority of applications that would otherwise have been
> removed. Freexian SARL has an interest in updating it anyway. I am
> therefore proposing a PU that fixes known security issues in Python
> 2.7. Do you think we can accept this into bullseye? I recognize that
> such an update could be seen as a promise of support. Therefore, I've
> Cc'ed the security team to have them veto if desired. In effect,
> Freexian currently makes this promise to customers and will continue
> to update security issues in Python 2.7 as it enters LTS. So we might
> as well do it now already.
> 

Please go ahead.

Regards,

Adam



Bug#1052150: bullseye-pu: package openssh/1:8.4p1-5+deb11u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Mon, 2023-09-18 at 09:03 +0100, Colin Watson wrote:
> https://bugs.debian.org/1042460 is a security issue affecting
> bullseye. The security team doesn't think it warrants a DSA, but
> thinks it's worth fixing in a point release.  I agree.
> 

> [ Impact ]
> Forwarding an SSH agent to a remote system may be exploitable by
> administrators of that remote system in complicated conditions.  See
> https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.
> 

Please go ahead.

Regards,

Adam



Bug#1050538: bullseye-pu: package batik/1.12-4+deb11u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-08-25 at 22:27 +0200, Pierre Gruet wrote:
> I would like to propose an upload of batik in the next point release.
> 
> [ Reason ]
> CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They
> are fixed in sid (and soon trixie). I discussed with Security team,
> they said a DSA is not needed but suggested to fix the CVE in bullseye
> in a point release.
> 

Please go ahead.

Regards,

Adam



Bug#1050332: bullseye-pu: package inetutils/2:2.0-1+deb11u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Wed, 2023-08-23 at 12:44 +0200, Guillem Jover wrote:
> This update fixes a minor security issue, that the security team did
> not feel worth a DSA. It is now fixed already in unstable and
> testing.
> 

Please go ahead.

Regards,

Adam



Bug#1049982: bullseye-pu: package riemann-c-client/1.10.4-2+b2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-08-19 at 10:41 -1000, Romain Tartière wrote:
> On Thu, Aug 17, 2023 at 10:52:17PM +0100, Adam D. Barratt wrote:
> > Please supply an appropriate debdiff.
> 
> Sorry for the confusion, here is an updated debdiff.  Thank you!

Please go ahead.

Regards,

Adam



Bug#1050121: bullseye-pu: package cryptmount/5.3.3-1+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sun, 2023-08-20 at 11:11 +0100, RW Penney wrote:
> When cryptmount is passed invalid command-line arguments, it is
> likely to crash with a SEGV error due to inappropriately zeroed
> memory passed to getopt_long().
> 

Please go ahead.

Regards,

Adam



Bug#1035464: bullseye-pu: package lttng-modules/2.12.5-1+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Wed, 2023-05-03 at 11:34 -0400, Michael Jeanson wrote:
> Fix the dkms build of lttng-modules against the current bullseye
> kernel 5.10.0-22.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1042057: bullseye-pu: package pandoc/2.9.2.1-1+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-07-25 at 23:39 +0200, Guilhem Moulin wrote:
> pandoc 2.9.2.1-1 is vulnerable to CVE-2023-35936: Arbitrary file
> write vulnerability via specially crafted image element in the input
> when generating files using the `--extract-media` option or
> outputting to PDF format.
> 
> The Security Team decided not to issue a DSA for that CVE, but it's
> now fixed in buster-security (2.2.1-3+deb10u1) as well as sid
> (2.17.1.1-2), so it makes sense to fix it via (o)s-pu too.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1036083: bullseye-pu: package galera-4 26.4.14-0+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-07-25 at 14:52 -0700, Otto Kekäläinen wrote:
> Sorry - attached now.

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1035466: bullseye-pu: package postfix/3.5.18-0+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sun, 2023-06-25 at 14:06 -0400, Scott Kitterman wrote:
> While this has been pending, another postfix maintenance update has
> been released for 3.5.  Postfix 3.5.20 provides the relevant fixes
> already provided to Bookworm via the 3.7.6 update.  Debdiff attached
> is oldstable to proposed change (not just the additional changes
> brought by 3.5.20).
> 

Please go ahead; sorry for the delays.

Regards,

Adam



Bug#1042903: bookworm-pu: package firewalld/1.3.3-1~deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Wed, 2023-08-02 at 16:47 +0200, Michael Biebl wrote:
> Sorry, forgot to attach the actual files.

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1049955: bookworm-pu: package qemu/1:7.2+dfsg-7+deb12u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Thu, 2023-08-17 at 12:54 +0300, Michael Tokarev wrote:
> There's a next upstream qemu stable/bugfix release, fixing a
> big number of various issues, including 3 (minor) security
> issues too.  The full list is in the changelog below and
> in the upstream git (mirrored in salsa too).
> 
> There's also another fix for bookworm qemu xen build, which
> is missing 9pfs support (#1049925).  This is an easy one, as
> it does not change runtime dependencies.
> 
> [ Tests ]
> The upstream qemu release passed the upstream testsuite (well,
> almost, besides a few corner cases which didn't work before,
> such as msys-win32 build takes too much time on gitlab.com).
> Also, debian build of this qemu release works fine with my
> collection of qemu guests, and qemu-user works too, - I used
> it in my regular work.
> 

Please go ahead.

Regards,

Adam



Bug#1049988: bookworm-pu: package riemann-c-client/1.10.4-2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-08-19 at 10:42 -1000, Romain Tartière wrote:
> On Sat, Aug 19, 2023 at 04:58:51PM +0100, Jonathan Wiltshire wrote:
> > This seems to be a copy of the most recent upload to unstable;
> > please consult the developers' reference and prepare an
> > appropriate diff for a stable update.
> 
> Sorry for the confusion, here is an updated debdiff.  Thank you!
> 

Please go ahead.

Regards,

Adam



Bug#1049974: bookworm-pu: package plasma-workspace/5.27.5-2+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Thu, 2023-08-17 at 20:01 +0200, Patrick Franz wrote:
> krunner (a launcher built into KDE Plasma capable of doing all
> sorts of things) crashes when characters or numbers are typed
> in a rapid fashion.
> The bug was sadly introduced in Plasma 5.27.5, but subsequently
> fixed in Plasma 5.27.6. The Debian bug report can be found under
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037557
> 

Please go ahead.

Regards,

Adam



Bug#1051024: bookworm-pu: package igtf-policy-bundle/1.22-1~deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 moreinfo

On Fri, 2023-09-01 at 13:30 +0200, Dennis van Dok wrote:
> The IGTF bundle provides important trust anchors for the Research and
> Education communities. Both for reliance on the identity of servers
> for compute and storage services, as well as user identification
> based on personal certificates.
> 
> A recent change in the rules for S/MIME certificates[1] has urged a
> change in the profiles for end user and robot certificates,
> effectively by 28 August 2023. Relying parties who need to
> authenticate users should install this update as soon as possible.
> 
> 1. https://cabforum.org/smime-br/
> 
[...]
> [ Checklist ]
> [*] *all* changes are documented in the d/changelog
> [*] I reviewed all changes and I approve them
> [*] attach debdiff against the package in (old)stable

You appear to have forgotten the debdiff.

> [ ] the issue is verified as fixed in unstable

Is this fixed in unstable or not?

Regards,

Adam



Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-01 at 12:34 +0400, Yadd wrote:
> Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
>  * the "login" security regex wasn't applied when using AuthSlave
>  * lemonldap-ng portal can be used as open-redirection due to
>    incorrect escape handling
> 

Please go ahead.

Regards,

Adam



Bug#1050537: bookworm-pu: package batik/1.16+dfsg-1+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-08-25 at 22:26 +0200, Pierre Gruet wrote:
> CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They
> are fixed in sid (and soon trixie). I discussed with Security team,
> they said a DSA is not needed but suggested to fix the CVE in bookworm
> in a point release.
> 
> The two CVE are corrected by backporting upstream changes.
> 
> [ Impact ]
> The two CVE would remain:
> ``A malicious SVG can probe user profile / data and send it directly
> as parameter to a URL.''
> and
> ``A malicious SVG could trigger loading external resources by
> default, causing resource consumption or in some cases even
> information disclosure.''
> 

Please go ahead.

Regards,

Adam



Bug#1052479: bookworm-pu: package lxc/1:5.0.2-1+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-22 at 16:59 +, Mathias Gibbens wrote:
> lxc 1:5.0.2-1 contains a typo in its IPv6 NAT rules, as reported in
> #1049976. This prevents the lxc-net service from starting if
> LXC_IPV6_NAT is set to true.
> 

Please go ahead.

Regards,

Adam



Bug#1052425: dpdk 22.11.3-1~deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052425 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: dpdk
Version: 22.11.3-1~deb12u1

Explanation: new upstream stable release



Bug#1052402: dpdk 20.11.9-1~deb11u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052402 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: dpdk
Version: 20.11.9-1~deb11u1

Explanation: new upstream stable release



Bug#1052068: dbus 1.14.10-1~deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052068 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: dbus
Version: 1.14.10-1~deb12u1

Explanation: new upstream stable release; fix a dbus-daemon crash during policy 
reload if a connection belongs to a user account that has been deleted, or if a 
Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; 
report the error correctly if getting the groups of a uid fails; 
dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment



Bug#1052455: bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 moreinfo

On Fri, 2023-09-22 at 22:16 +1000, Hugh McMaster wrote:
> FreeType 2.12.1 shipped with experimental COLRv1 support enabled.
> This was unintentional, as the implementation shipped in this release
> was incomplete and incompatible with the final COLRv1 API.
> 
> Upstream's intention was to enable COLRv1 support in FreeType 2.13.0.
> 
> Applications attempting to use the partial COLRv1 API in FreeType
> 2.12.1 will get unexpected (and incorrect) results.
> 

Do we know if any applications shipped in bookworm attempt to use this
partial API? If so, do we know how they'll handle the change?

Regards,

Adam



Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 moreinfo

On Wed, 2023-09-20 at 21:05 +, Thorsten Alteholz wrote:
> The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360
> in 
> Bookworm. These CVEs have been marked as no-dsa by the security
> team, 
> but at least CVE-2023-32360 got an RC bug (#1051953).
> 

+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
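
Review bot: "limitiation" in the second line of this NEWS entry is a typo for "limitation". The entry also identifies the required cupsd.conf change only by the patch file name 0015-CVE-2023-32360.patch; describing in the entry itself what to look for around "CUPS-Get-Document" would let an administrator check an existing cupsd.conf without unpacking the source package.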

Hmm. Is there a better way we can point users to the required change
here that doesn't require them knowing how to find patches applied to
the source package?

Regards,

Adam



Bug#1052229: bookworm-pu (pre-approval): gnome-shell/43.9-0+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 11:40 +0100, Simon McVittie wrote:
> Several new upstream bugfix releases. I've been trying to get these
> into
> a suitable state for a stable update since 12.1, but every time I've
> been testing one long enough to think about asking for upload
> approval,
> there have been more bugfixes upstream and the cycle starts again.
> 
> This is probably going to be the last upstream release in the 43.x
> series,
> although we might get a 43.10.
> 

Please go ahead.

Regards,

Adam



Bug#1052227: bookworm-pu (pre-approval): mutter/43.8-0+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 11:26 +0100, Simon McVittie wrote:
> Several new upstream bugfix releases. I've been trying to get these
> into
> a suitable state for a stable update since 12.1, but every time I've
> been testing one long enough to think about asking for upload
> approval,
> there have been more bugfixes upstream and the cycle starts again.
> 
> This might be the last upstream bugfix release in the 43.x series,
> or we might get a 43.9.
> 

Please go ahead.

Regards,

Adam



Bug#1052218: bookworm-pu: package monitoring-plugins/2.3.3-5+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 08:35 +0200, Jan Wagner wrote:
> As reported in #1051768, check_disk has gotten very slow on a
> machine 
> with a huge number of mount points (in excess of 16000).
> 
> [ Impact ]
> check_disk used to take around 10 seconds on bullseye in this
> scenario,
> now it is more than one hour
> 

Please go ahead.

Regards,

Adam



Bug#1052149: bookworm-pu: package openssh/1:9.2p1-2+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Mon, 2023-09-18 at 08:59 +0100, Colin Watson wrote:
> https://bugs.debian.org/1042460 is a security issue affecting
> bookworm.
> The security team doesn't think it warrants a DSA, but thinks it's
> worth
> fixing in a point release.  I agree.
> 
> [ Impact ]
> Forwarding an SSH agent to a remote system may be exploitable by
> administrators of that remote system in complicated conditions.  See
> https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.
> 

Please go ahead.

Regards,

Adam



Bug#1052070: bookworm-pu: package mutt/2.2.12-0.1~deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-09-16 at 23:34 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-16 23:30:44 [+0200], To sub...@bugs.debian.org wrote:
> 
> forgot to attach the debdiff. Here it comes…
> 

Please go ahead.

Regards,

Adam



Bug#1052007: bookworm-pu: package lxcfs/5.0.3-1+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-15 at 22:03 +, Mathias Gibbens wrote:
> lxcfs 5.0.3-1 has a bug where /proc/cpuinfo is not properly reported
> within a 32bit arm container when the 64bit host has more than ~13
> CPUs. This was initially reported in #1036818 and impacts some
> autopkgtests run on the ci.debian.net arm hosts.
> 
> 

Please go ahead.

Regards,

Adam



Bug#1051594: bookworm-pu: package samba/2:4.17.11+dfsg-0+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sun, 2023-09-10 at 13:11 +0300, Michael Tokarev wrote:
> There's a next upstream stable/bugfix release of samba series 4.17,
> with a next share of bugfixes.  This is the last regular stable
> release, 4.17 switched to security-only bugfix mode once 4.19 is
> out.  
> 

Please go ahead (including the CI change).

Regards,

Adam



Bug#1051302: bookworm-pu: package jekyll/4.3.1+dfsg-3+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

> This update fixes processing user configuration that used YAML
> aliases.
> 
> [ Impact ]
> User configuration with YAML aliases will cause jekyll to crash while
> parsing it, and therefore jekyll will not work at all.
> 

Please go ahead.

Regards,

Adam



Bug#1051239: bookworm-pu: package dar/2.7.8-2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Mon, 2023-09-04 at 15:57 -0500, John Goerzen wrote:
> A bug was recently reported to Debian as #1050663, and subsequently
> to upstream.
> This bug causes dar to create isolated catalog files that cannot be
> read by a
> future dar invocation.  The catalog files are used as the basis for
> backups, so
> this breaks users' backup flows.
> 

+dar (2.7.8-2) bookworm; urgency=high

The conventional version here would be 2.7.8-1+deb12u1, but -2 is
acceptable in this case, as no such version ever appears to have been
uploaded to Debian.

Please go ahead.

Regards,

Adam



Bug#1051171: bookworm-pu: package qtlocation-opensource-src/5.15.8+dfsg-3+deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2023-09-03 at 22:29 +0300, Dmitry Shachnev wrote:
> This fixes bug which made applications using Qt Location freeze when
> trying to
> load the map tiles.
> 

Please go ahead.

Regards,

Adam



Bug#1052480: libpam-mklocaluser 0.18+deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052480 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: libpam-mklocaluser
Version: 0.18+deb12u1

Explanation: pam-auth-update: ensure the module is ordered before other session 
type modules



Bug#1052463: debian-edu-doc 2.12.18~deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052463 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: debian-edu-doc
Version: 2.12.18~deb12u1

Explanation: update Debian Edu Bookworm manual



Bug#1052433: pam 1.5.2-6+deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052433 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: pam
Version: 1.5.2-6+deb12u1

Explanation: fix pam-auth-update --disable; update Turkish translation



Bug#1052325: systemd 252.17-1~deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052325 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: systemd
Version: 252.17-1~deb12u1

Explanation: fix minor security issue in arm64 and riscv64 systemd-boot (EFI) 
with device tree blobs loading



Bug#1052283: mozjs102 102.15.1-1~deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1052283 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: mozjs102
Version: 102.15.1-1~deb12u1

Explanation: new upstream stable release; fix "incorrect value used during WASM 
compilation" [CVE-2023-4046], potential use after free issue [CVE-2023-37202], 
memory safety issues [CVE-2023-37211 CVE-2023-34416]



Bug#1051395: pywinrm 0.3.0-4+deb12u1 flagged for acceptance

2023-09-23 Thread Adam D Barratt
package release.debian.org
tags 1051395 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: pywinrm
Version: 0.3.0-4+deb12u1

Explanation: fix compatibility with Python 3.11



Bug#1051910: mirror submission for ossmirror.mycloud.services

2023-09-23 Thread Adam D. Barratt
On Sun, 2023-09-24 at 01:57 +0800, OSSMirror@OnboardCloud wrote:
> Hi Adam,
> 
> Thanks for the reply. Could you elaborate further what do you mean as
> the /debian/ works:
> 
> http://ossmirror.mycloud.services/debian/
> 

Ah, right - I was misled by the index of 
http://ossmirror.mycloud.services implying that only /os/ existed, and
didn't check for an alias.

Regards,

Adam



Bug#1021001: mirror-prg.webglobe.com: out-of-date

2023-09-23 Thread Adam D. Barratt
On Mon, 2022-10-03 at 11:23 +0200, Jiří Luňáček wrote:
> We had some issues with storage provider software.
> It should be fixed now and the mirror is in sync.
> 

It looks like something still isn't set up as expected.

http://mirror-prg.webglobe.com/debian/project/trace/ has current trace
files for upstream mirrors, but the local file - i.e. 
http://mirror-prg.webglobe.com/debian/project/trace/mirror-prg.webglobe.com
- is from May.

Regards,

Adam



Bug#1051910: mirror submission for ossmirror.mycloud.services

2023-09-23 Thread Adam D. Barratt
Control: tags -1  + moreinfo

On Thu, 2023-09-14 at 05:27 +, OSSMirror@OnboardCloud wrote:
> Submission-Type: new
> Site: ossmirror.mycloud.services
> Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 hurd-
> amd64 i386 mips mips64el mipsel powerpc ppc64el riscv64 s390x
> Archive-http: /debian/
> 

This appears to be incorrect - there's no /debian/ directory on your
mirror as far as I can see.

Regards,

Adam



Bug#1051774: PySNMP asyncio backend unusable in Debian 12 (needs stable update?)

2023-09-19 Thread Adam Cécile

On 9/13/23 17:42, Thomas Goirand wrote:

On 9/13/23 13:43, Adam Cecile wrote:

On 9/13/23 12:55, Thomas Goirand wrote:

On 9/12/23 18:16, Adam Cecile wrote:

Hello,

No hurry, I think we might want to wait for upstream to respond to 
my PR regarding double awaitable fix.
It is indeed lextudio upstream that took over the PySNMP package 
and all patches are coming from us (except mine ofc).


Regards, Adam.


Because it messes up the order in which people normally read text.
Why is top-posting such a bad thing?
Top-posting.
What is the most annoying thing in e-mail?

Hello, you started first !


LOL ! :)

Well, I was on my phone, sorry for that ... :P


Thanks! :)

I tried applying your patch at 
https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commit/88d40f1225de8f7b42413b56206b41a6155fcf09


Unfortunately, it doesn't apply on top of 4.4.12-2, which is the 
current version of the package (in Bookworm, Unstable and Testing).


Would you be able to rebase your patch on top of 4.4.12-2? Then I'll 
do the work to get this into Bookworm (and Unstable/Testing).


Cheers,

Thomas Goirand (zigo)


Yes that's expected.


Well, how can I then apply it to the version in Bookworm?


Hello,

Sorry for the delay, I don't get the question, bookworm version is the 
same as unstable at the moment so my debian/4.4.12-3 branch also works:


https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commits/debian/4.4.12-3

If you want only the full patch fixing asyncio, you can find it as 
debian/patch:


https://salsa.debian.org/acecile-guest/python-pysnmp4/-/blob/debian/4.4.12-3/debian/patches/0003-Merge-lextudio-upstream-fork-patch-related-to-asynci.patch



This commit is only to fix double awaitable "new" upstream bug. It 
depends on a large amount of backported commits to fix asyncio / 
Python 3.11 support.


Could you backport it to 4.4.12-2 as in Bookworm and Unstable?

As I wrote already, I already packaged python-pysnmp-lextudio, which 
is currently in the NEW queue. I will be happy to apply your patch in 
there, but IMO, we should treat pysnmp-lextudio as a different source 
and binary package (my binary conflicts with python3-pysnmp4), because 
the dependency chain is very different.

Yes it's already done, see above.


You can see here a branch created from upstream 4.4.12 tag with 
asyncio patches cherry-pick from new upstream master:


https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commits/4.4.12+cherry-pick-asyncio-lextudio-fixes/ 



It has then been squashed into a single debian/patch:

https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commit/a5f17d27c7813dbdb64cdf674d1855a77c3eb0f0 



Ah, super cool! It's too late for today (have to go back home), so 
I'll work on this tomorrow. Thanks a lot for your contrib.

So, all good?


BTW, we've been using your MegaCli repo (we mirror it), and I also 
would like to thank you for this. :)

Thanks! Sadly I miss time to take care of it, but no matter how old and 
badly written was the Python code, it still works flawlessly :-) Cheers 
to LSI/Broadcom for not breaking tools and output format btw.


I made my own forked repository because I'm unsure how we should 
proceed, but I can easily push the debian/4.4.12-3 tag to the regular 
Python module repository on Salsa.


4.4.12-3 will be for Unstable. For Stable, it's going to be something 
like 4.4.12-2+deb12u1, as per the normal process, and it will have to 
be (pre-)approved by the Debian Stable release team by filling a bug 
against release.debian.org. No worries, I do understand that Debian 
procedures are not easy to understand, though I'm happy to explain if 
you need.


Cheers,

Thomas Goirand (zigo)





Bug#1052082: rust-cbindgen 0.24.3-2~deb11u1 flagged for acceptance

2023-09-18 Thread Adam D Barratt
package release.debian.org
tags 1052082 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: rust-cbindgen
Version: 0.24.3-2~deb11u1

Explanation: new "upstream" version, to support building newer firefox-esr 
versions



Bug#1052129: acpica-unix: Failed to migrate to Testing; missing s390x build not properly handled

2023-09-17 Thread Adam D. Barratt
On Sun, 2023-09-17 at 14:58 -0400, Boyuan Yang wrote:
> If you are clear that upstream is completely not supporting big-
> endian build anymore, please
> submit a package removal request to Debian Release Team (using
> reportbug tool) to remove
> the current s390x package in Debian Testing.

No. Architecture-specific removals happen in unstable, so the request
needs to be made to the FTP Team.

Regards,

Adam



Bug#1052082: bullseye-pu: package rust-cbindgen/0.24.3-2~deb11u1

2023-09-17 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2023-09-17 at 11:36 +0200, Emilio Pozuelo Monfort wrote:
> This updates rust-cbindgen to 0.24, as required by Firefox ESR 115.
> The risk is low as the only (build)rdep of cbindgen are firefox-esr
> and thunderbird.
> 
> Attached is a debian/ diff of the update.
> 

-  * Only build the cbindgen binary.

afaict that's still true, so maybe the changelog entry should still be
present?

In any case, please go ahead.

Regards,

Adam



Bug#1052027: cargo-mozilla 0.66.0+ds1-1~deb11u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1052027 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: cargo-mozilla
Version: 0.66.0+ds1-1~deb11u1

Explanation: new "upstream" version, to support building newer firefox-esr 
versions



Bug#1052058: apt: refuses to downgrade itself to a version that works on the system

2023-09-16 Thread Adam Borowski
Package: apt
Version: 2.7.5
Severity: important


Once again we have a package that some people consider broken.  That's
natural, disagreements happen.  That apt insists on a bad scheme not
supported by dpkg has been said about elsewhere.  Normally, that would
be solvable by a simple downgrade.

Except, in this case, apt refuses to do this:

# apt install apt=2.7.3 apt-utils=2.7.3
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  apt-doc
The following packages will be DOWNGRADED:
  apt apt-utils
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 2 not upgraded.
E: /bin resolved to a different inode than /usr/bin
E: Unmerged usr is no longer supported, install usrmerge to continue.
N: See 
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#a-merged-usr-is-now-required
 for more details.

As you can see, the action I requested specifically solves the problem,
yet apt considers it no good.  Thus, I'd need to take steps that are not
obvious to a regular user, and for this specific package risky to break the
system if done wrong.

Thus, apt should consider an operation that touches apt itself to be
another exception for the usrmerge demand.


Meow!
-- Package-specific info:

-- apt-config dump --


Bug#1052021: nftables 1.0.6-2+deb12u2 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1052021 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: nftables
Version: 1.0.6-2+deb12u2

Explanation: fix incorrect bytecode generation hit with new kernel check that 
rejects adding rules to bound chains



Bug#1051937: cairosvg 2.5.0-1.1+deb11u2 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051937 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: cairosvg
Version: 2.5.0-1.1+deb11u2

Explanation: handle data: URLs in safe mode



Bug#1051936: cairosvg 2.5.2-1.1+deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051936 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: cairosvg
Version: 2.5.2-1.1+deb12u1

Explanation: handle data: URLs in safe mode



Bug#1051884: openssl 1.1.1w-0~deb11u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051884 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: openssl
Version: 1.1.1w-0~deb11u1

Explanation: new upstream stable release



Bug#1051580: gtk+3.0 3.24.38-2~deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051580 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: gtk+3.0
Version: 3.24.38-2~deb12u1

Explanation: new upstream stable release; fix several crashes; show more 
information in the "inspector" debugging interface; silence GFileInfo warnings 
if used with a backported version of GLib; use a light colour for the caret in 
dark themes, making it much easier to see in some apps, in particular Evince



Bug#1051578: gtk4 4.8.3+ds-2+deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051578 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: gtk4
Version: 4.8.3+ds-2+deb12u1

Explanation: fix truncation in places sidebar with large text accessibility 
setting



Bug#1051576: gjs 1.74.2-1+deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051576 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: gjs
Version: 1.74.2-1+deb12u1

Explanation: avoid infinite loops of idle callbacks if an idle handler is 
called during GC



Bug#1051569: brltty 6.5-7+deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051569 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: brltty
Version: 6.5-7+deb12u1

Explanation: xbrlapi: Do not try to start brltty with ba+a2 when unavailable; 
fix cursor routing and braille panning in Orca when xbrlapi is installed but 
the a2 screen driver is not



Bug#1051545: systemd 252.16-1~deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051545 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: systemd
Version: 252.16-1~deb12u1

Explanation: new upstream stable release



Bug#1050722: runit-services 0.5.5~deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1050722 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: runit-services
Version: 0.5.5~deb12u1

Explanation: dhclient: don't hardcode use of eth1



Bug#1051552: timg 1.4.5-1+deb12u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051552 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: timg
Version: 1.4.5-1+deb12u1

Explanation: fix buffer overflow vulnerability [CVE-2023-40968]



Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2

2023-09-16 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2023-09-03 at 14:03 +0200, Andreas Metzler wrote:
> On 2023-08-16 Andreas Metzler  wrote:
> [...]
> > I would like to push another round of cherry-picked upstream fixes
> > to
> > bookworm. They have been part of the uploads to sid up to and
> > including
> > 4.96-19.
> [...]
> 
> Hello,
> 
> I had to update the update since 75_78-Fix-free-of-value-after-
> run.patch
> broke a specific expansion. While at it I also pulled the CI related
> changes from -21.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1052027: bullseye-pu: package cargo-mozilla/0.66.0+ds1-1~deb11u1

2023-09-16 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2023-09-16 at 11:15 +0200, Emilio Pozuelo Monfort wrote:
> Following up on #1051051, this updates cargo-mozilla for the upcoming
> Firefox ESR 115. Just like for rustc-mozilla, the risk here is small
> as this package is only used to build firefox-esr and thunderbird.
> 
> I have used the resulting package to successfully build and test
> firefox-esr 115.0.2 on bullseye.
> 

Please go ahead.

Regards,

Adam



Bug#1051051: rustc-mozilla 1.63.0+dfsg1-2~deb11u1 flagged for acceptance

2023-09-16 Thread Adam D Barratt
package release.debian.org
tags 1051051 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: rustc-mozilla
Version: 1.63.0+dfsg1-2~deb11u1

Explanation: new "upstream" version, to support newer firefox-esr builds



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-14 Thread Adam D. Barratt
On Thu, 2023-09-14 at 17:00 +0100, Adam D. Barratt wrote:
> On Thu, 2023-09-14 at 08:31 +0200, Sebastian Andrzej Siewior wrote:
> > On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> > > On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior
> > > wrote:
> > > > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > > > How does this sound for an SUA?
> > > [...]
[...]
> Great, we agree. :) I'll try and get this sorted this evening, worst
> case it should be tomorrow.
> 

That's now out, as SUA-240-1.

Regards,

Adam



Bug#1051959: RFP: itd -- daemon to control watches running InfiniTime (such as PineTime)

2023-09-14 Thread Adam Borowski
Package: wnpp
Severity: wishlist
X-Debbugs-Cc: kilob...@angband.pl

* Package name: itd
  Upstream Contact: Arsen Musyaelyan 
* URL : https://gitea.elara.ws/Elara6331/itd
* License : GPL3
  Programming Lang: Go :(
  Description : daemon to control watches running InfiniTime (such as 
PineTime)

InfiniTime is a daemon to connect to and control watches running InfiniTime
(currently PineTime but it's open hardware).  It can update time, relay
messages, send weather/navigation/files, receive music control, do firmware
upgrades, and more.



(There's also an optional GUI, but even upstream packages don't ship it, and
I haven't tried it.)

Alas, this piece of software is written in an unholy language I've learned
to stay away from, thus I can't package this myself.  Requesting then...



Bug#1051948: irssi: no indication that you're scrolled up

2023-09-14 Thread Adam Borowski
Package: irssi
Version: 1.4.4-1
Severity: normal
X-Debbugs-Cc: kilob...@angband.pl

Hi!
If you use PgUp to scroll up, there is no visual indication of any kind
that what you're seeing is not the most recent data.  This notoriously leads
to responding to days old stuff, etc -- especially if you're an inattentive
oaf like me.  Unlike most other programs with such a kind of display,
switching off a window and back to it doesn't scroll you to the bottom;
such a position persistence is likely to make you forget that you've scrolled.

Possible ideas:
 * (like I did in kbtin): the input bar replaced with a line of ^
 * (like in zMud): split window with a few lines on the bottom showing what
   is going on
 * an extra indicator on the edge of the status bar


Meow!
-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (250, 'unstable'), (201, 'experimental')
merged-usr: no
Architecture: arm64 (aarch64)

Kernel: Linux 6.4.0-4-arm64 (SMP w/6 CPU threads)
Kernel taint flags: TAINT_CRAP
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages irssi depends on:
ii  libc6                       2.37-7
ii  libglib2.0-0                2.78.0-1
ii  libperl5.36                 5.36.0-7
ii  libssl3                     3.0.10-1
ii  libtinfo6                   6.4+20230625-2
ii  perl                        5.36.0-7
ii  perl-base [perlapi-5.36.0]  5.36.0-7

irssi recommends no packages.

Versions of packages irssi suggests:
pn  irssi-scripts  

-- no debconf information



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-14 Thread Adam D. Barratt
On Thu, 2023-09-14 at 08:31 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> > On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > > How does this sound for an SUA?
> > [...]
> > > This sounds entirely fine to me. I don't think that it is needed to
> > > point out that bullseye is not affected by the second issue.
> > > 
> > 
> > Great, thanks.
> > 
> > > There is also this thing regarding libclamunrar and the update to
> > > v6.2.10 of the bundled library. I *think* it is related to
> > > CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> > > for libclamunrar to follow the same fate.
> > > 
> > 
> > Just to be completely sure, "follow the same fate" here means leaving
> > libclamunrar in (o-)p-u until the point releases?
> 
> I mean there is no reason to push libclamunrar via d/updates if the
> unrar package isn't. Therefore I don't mind keeping libclamunrar in
> (o-)p-u until the point release. It is non-free after all.

Great, we agree. :) I'll try and get this sorted this evening, worst
case it should be tomorrow.

Regards,

Adam



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-13 Thread Adam D. Barratt
On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > How does this sound for an SUA?
[...]
> This sounds entirely fine to me. I don't think that it is needed to
> point out that bullseye is not affected by the second issue.
> 

Great, thanks.

> There is also this thing regarding libclamunrar and the update to
> v6.2.10 of the bundled library. I *think* it is related to
> CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> for libclamunrar to follow the same fate.
> 

Just to be completely sure, "follow the same fate" here means leaving
libclamunrar in (o-)p-u until the point releases?

I assume the bundled library isn't used as-is in the Debian packaging,
that being why libclamunrar exists.

Regards,

Adam



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-13 Thread Adam D. Barratt
On Sat, 2023-09-09 at 23:22 +0200, Sebastian Andrzej Siewior wrote:
> 
> This is a quick update that I updated to 1.0.3+dfsg-1~deb12u1 as of
> today. The diff is mostly a version update. I additionally removed a log
> line from freshclam which logged harmless 304 "not modified" requests.
> This line was added in 1.0.0 and people complained, it got in as of
> 1.0.0 and is already removed in 1.1.x and later.
> 
> The main reason for 1.0.3 was the unrar update and I updated so clamav
> does not complain about the lower version.
> 
> It would be nice if this could be made available via d/updates.

How does this sound for an SUA?

===
Package    : clamav
Version    : 1.0.3+dfsg-1~deb12u1 [bookworm]
             0.103.10+dfsg-0+deb11u1 [bullseye]
Importance : medium

ClamAV is an AntiVirus toolkit for Unix.

Upstream published versions 1.0.3 and 0.103.10.

This is a bug-fix release and an upstream LTS release. The changes are not
currently required for operation, but upstream strongly recommends that users
update.

Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye include
fixes for a security issue:

CVE-2023-20197: Possible denial of service vulnerability in the HFS+
file parser.

The update for bookworm also includes a fix for a second security issue:

CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
module.

If you use clamav, we recommend that you install this update.
===

I'm not entirely happy with the CVE section, but not sure how else to
present it, given that both updates fix one issue but aiui the second
only applies to bookworm.

Regards,

Adam



Bug#1051774: PySNMP asyncio backend unusable in Debian 12 (needs stable update?)

2023-09-13 Thread Adam Cecile

On 9/13/23 12:55, Thomas Goirand wrote:

On 9/12/23 18:16, Adam Cecile wrote:

Hello,

No hurry, I think we might want to wait for upstream to respond to my 
PR regarding double awaitable fix.
It is indeed lextudio upstream that took over the PySNMP package and 
all patches are coming from us (except mine ofc).


Regards, Adam.


Because it messes up the order in which people normally read text.
Why is top-posting such a bad thing?
Top-posting.
What is the most annoying thing in e-mail?

Hello, you started first !


Thanks! :)

I tried applying your patch at 
https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commit/88d40f1225de8f7b42413b56206b41a6155fcf09


Unfortunately, it doesn't apply on top of 4.4.12-2, which is the 
current version of the package (in Bookworm, Unstable and Testing).


Would you be able to rebase your patch on top of 4.4.12-2? Then I'll 
do the work to get this into Bookworm (and Unstable/Testing).


Cheers,

Thomas Goirand (zigo)


Yes that's expected. This commit is only to fix double awaitable "new" 
upstream bug. It depends on a large amount of backported commits to fix 
asyncio / Python 3.11 support.


You can see here a branch created from upstream 4.4.12 tag with asyncio 
patches cherry-picked from new upstream master:


https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commits/4.4.12+cherry-pick-asyncio-lextudio-fixes/

It has then been squashed into a single debian/patch:

https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commit/a5f17d27c7813dbdb64cdf674d1855a77c3eb0f0

I made my own forked repository because I'm unsure how we should 
proceed, but I can easily push the debian/4.4.12-3 tag to the regular 
Python module repository on Salsa.


Adam.


Bug#1051774: Asyncio fix available

2023-09-12 Thread Adam Cecile

Hello,


So it turns out there were two issues here:

* New "lextudio" upstream patch broke asyncio support by converting 
regular function returning future into awaitable function returning 
Future (double await needed).


I fixed the issue and sent a PR upstream: 
https://github.com/lextudio/pysnmp/pull/24


Bug was already reported but not taken into account: 
https://github.com/lextudio/pysnmp/issues/19


* Upstream "lextudio" patches to fix asyncio backend (including my own 
PR from today) had to be merged into debian package.


I created an upstream based branch here to see what patches have been 
cherry-picked: 
https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commits/4.4.12+cherry-pick-asyncio-lextudio-fixes/


And created a Debian 4.4.12-3 release so I can build and test the 
package: 
https://salsa.debian.org/acecile-guest/python-pysnmp4/-/commit/a5f17d27c7813dbdb64cdf674d1855a77c3eb0f0



I'll now try to reach Debian Python team to see if we should proceed 
further.


Regards, Adam.
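
The "double await" regression described in the message above, as an added Python example that is not code from the thread or from PySNMP. The function names and the sample result tuple are constructed stand-ins for the library's request functions, not its API.

```python
import asyncio

# Constructed stand-in for a decoded SNMP response.
SAMPLE_RESULT = ("errorIndication", "varBinds")


def get_cmd_returns_future(loop):
    """Original shape: a plain function that hands back a Future."""
    fut = loop.create_future()
    # Resolve the Future on a later loop iteration, as a response would.
    loop.call_soon(fut.set_result, SAMPLE_RESULT)
    return fut


async def get_cmd_regressed(loop):
    """Regressed shape: 'async def' whose return value is still a Future."""
    return get_cmd_returns_future(loop)


async def get_cmd_fixed(loop):
    """One possible fix: resolve the Future inside the coroutine."""
    return await get_cmd_returns_future(loop)


async def demo():
    loop = asyncio.get_running_loop()
    # A caller written against the original API awaits once and gets data.
    single = await get_cmd_returns_future(loop)
    # The same single await on the regressed shape yields a Future object,
    # so code that unpacks the result breaks until it awaits a second time.
    first = await get_cmd_regressed(loop)
    first_is_future = asyncio.isfuture(first)
    second = await first
    # With the fix, one await is enough again.
    fixed = await get_cmd_fixed(loop)
    return single, first_is_future, second, fixed


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```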


Bug#1051774: python3-pysnmp4: Asyncio backend is incompatible with default Python 3.11

2023-09-12 Thread Adam Cecile
Package: python3-pysnmp4
Version: 4.4.12-2
Severity: important

Hello,

Current version shipped with Debian 12 is partially broken, asyncio backend is
using a deprecated feature that has been removed from Python 3.11:

Traceback (most recent call last):
  File "/home/acecile/dev/c/ltms/monitoring/check-ntcip-road-sign/check_ntcip_road_sign.py", line 16, in <module>
    from pysnmp.hlapi.asyncio import SnmpEngine, getCmd, CommunityData, UdpTransportTarget, ContextData, ObjectType, ObjectIdentity
  File "/usr/lib/python3/dist-packages/pysnmp/hlapi/asyncio/__init__.py", line 12, in <module>
    from pysnmp.hlapi.asyncio.transport import *
  File "/usr/lib/python3/dist-packages/pysnmp/hlapi/asyncio/transport.py", line 9, in <module>
    from pysnmp.carrier.asyncio.dgram import udp, udp6
  File "/usr/lib/python3/dist-packages/pysnmp/carrier/asyncio/dgram/udp.py", line 35, in <module>
    from pysnmp.carrier.asyncio.dgram.base import DgramAsyncioProtocol
  File "/usr/lib/python3/dist-packages/pysnmp/carrier/asyncio/dgram/base.py", line 36, in <module>
    from pysnmp.carrier.asyncio.base import AbstractAsyncioTransport
  File "/usr/lib/python3/dist-packages/pysnmp/carrier/asyncio/base.py", line 33, in <module>
    from pysnmp.carrier.asyncio.dispatch import AsyncioDispatcher
  File "/usr/lib/python3/dist-packages/pysnmp/carrier/asyncio/dispatch.py", line 46, in <module>
    class AsyncioDispatcher(AbstractTransportDispatcher):
  File "/usr/lib/python3/dist-packages/pysnmp/carrier/asyncio/dispatch.py", line 57, in AsyncioDispatcher
    @asyncio.coroutine
 ^

After looking at GitHub, here is what I figured out:

* Upstream maintainer of pySNMP4 has passed away so no more updates are being
done (https://github.com/etingof/pysnmp/issues/429)
* A new upstream seems to have taken over the project
(https://github.com/lextudio/pysnmp)
* It is probably possible to backport a couple of asyncio fixes to get the
package working with Python 3.11, I may be able to help but I'm not sure if
this is the way to go
(https://github.com/lextudio/pysnmp/commits/main/pysnmp/carrier/asyncio/dispatch.py)

In my opinion the bug is serious enough to require a fix for Debian 12, but it
is not my call. I'll try to backport asyncio fixes from new upstream into
stable package to see if it helps.

Best regards, Adam.


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-11-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-pysnmp4 depends on:
ii  python3               3.11.2-1+b1
ii  python3-pyasn1        0.4.8-3
ii  python3-pycryptodome  3.11.0+dfsg1-4
ii  python3-pysmi         0.3.2-3

python3-pysnmp4 recommends no packages.

python3-pysnmp4 suggests no packages.

-- no debconf information


