Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1

2024-05-19 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
sendmail was affected by CVE-2023-51765

[ Impact ]
Closes CVE-2023-51765 and rejects mail containing NUL

[ Tests ]
CVE-2023-51765 fix was tested manually and cross-checked

[ Risks ]
Code is complex and rejecting NUL is slightly RFC non-conformant

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Fix CVE-2023-51765 (Closes: #1059386):
sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation
technique to inject e-mail messages with a spoofed
MAIL FROM address, allowing bypass of an SPF protection
mechanism. This occurs because sendmail supports
. but some other popular e-mail servers
do not. This is resolved with 'o' in srv_features.
  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
includes a NUL byte
  * By default, enable rejecting mail that includes a NUL byte:
set confREJECT_NUL to 'true' by default.
Users can disable this by setting confREJECT_NUL to false.
(Closes: #1070190). Closes a variant of CVE-2023-51765
aka SMTP smuggling.


[ Other info ]
No regression bugs in sid/trixie since at least two weeks.
diff -Nru sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in
--- sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2024-05-13 18:44:56.0 +
@@ -65,6 +65,9 @@
 dnl #
 define(`confDEF_USER_ID', `mail:mail')dnl
 dnl #
+ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl
+`define(`confREJECT_NUL',`true')')dnl
+dnl #
 dnl #-
 dnl # mailer paths and options
 dnl #-
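Review bot: the new `ifelse(eval(index(sm_ffr, ...)))` block defines confREJECT_NUL to 'true' unconditionally whenever the FFR is compiled in, so the documented opt-out (`define(`confREJECT_NUL', `false')` in sendmail.mc) only takes effect if it is placed after the OSTYPE(`debian') line, because the ostype file is expanded at that point and an earlier define would be overridden; the NEWS text should state that ordering. A `dnl #` comment next to the definition naming the bug (#1070190) and the reason (SMTP smuggling) would also help the next person who reads this file.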
diff -Nru sendmail-8.17.1.9/debian/changelog sendmail-8.17.1.9/debian/changelog
--- sendmail-8.17.1.9/debian/changelog	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high
+
+  * QA upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.17.1.9-2) unstable; urgency=medium
 
   * QA upload.
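Review bot: the new stanza targets `bookworm-security`, but this is a bookworm-pu request going through proposed-updates, so the distribution should read `bookworm`; the NEWS.Debian stanza in the same debdiff has the same problem and additionally says `urgency=medium` where this one says `urgency=high`. The sentence "This occurs because sendmail supports ... but some other popular e-mail servers do not." has lost its object in this debdiff; make sure the final changelog names the end-of-data sequences it refers to. Minor: "that include NUL byte" should read "that includes a NUL byte", and "User could disable" should be "Users can disable".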
diff -Nru sendmail-8.17.1.9/debian/configure.ac sendmail-8.17.1.9/debian/configure.ac
--- sendmail-8.17.1.9/debian/configure.ac	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -466,6 +466,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=1";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.17"; then
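Review bot: the new `-D_FFR_REJECT_NUL_BYTE` line is appended directly after a line marked `# %% TESTING`, which a reader may take to apply to the new flag as well; add a comment saying this FFR ("For Future Release", i.e. code upstream does not enable in release builds) is what makes the `O RejectNUL` option exist at all and that the debian.m4.in hunk keys off it via `index(sm_ffr, ...)`, so the two changes are understood as one unit.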
diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian sendmail-8.17.1.9/debian/NEWS.Debian
--- sendmail-8.17.1.9/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.17.1.9/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
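Review bot: users will read this NEWS text verbatim, so the typos should be fixed before upload: `smurgling` (smuggling), `combinaison` (combination), `unfortunatly` (unfortunately), `slighly` (slightly), "full closure need" (needs) and "could be opt-out" (can be opted out of). The paragraph "sendmail supports some combinaison of" trails off without naming anything in this debdiff; either spell out the line-ending sequences or drop the sentence. The stanza's distribution `bookworm-security` should be `bookworm` for a pu upload, matching the changelog.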
diff -Nru sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch
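As an added illustration (not code from the bug report or from sendmail), the Python sketch below shows the receiving-side checks the changes above are about: refusing DATA that contains a NUL byte, as confREJECT_NUL does, and accepting only CRLF line endings so that the CRLF.CRLF end-of-data marker cannot be read in two ways by two MTAs. The sample payloads are constructed; nothing here is sendmail's actual implementation.

```python
"""Constructed example: strict validation of an SMTP DATA payload.

Mirrors, on the receiving side, the two hardening steps discussed in the
bug report: reject any NUL byte (what RejectNUL / confREJECT_NUL does) and
accept only CRLF line endings, so a lone LF or CR next to the end-of-data
marker cannot be interpreted differently by two MTAs.
"""
import re
from dataclasses import dataclass, field

EOD = b"\r\n.\r\n"  # the only end-of-data sequence RFC 5321 defines

_BARE_CR = re.compile(rb"\r(?!\n)")   # CR not followed by LF
_BARE_LF = re.compile(rb"(?<!\r)\n")  # LF not preceded by CR


@dataclass
class DataCheck:
    ok: bool
    body: bytes = b""                 # message text, EOD removed, dots unstuffed
    findings: list = field(default_factory=list)


def check_smtp_data(payload: bytes) -> DataCheck:
    """Inspect the bytes a client sent after DATA, which should end with EOD."""
    findings = []

    pos = payload.find(b"\x00")
    if pos >= 0:
        findings.append("NUL byte at offset %d" % pos)
    findings += ["bare CR at offset %d" % m.start() for m in _BARE_CR.finditer(payload)]
    findings += ["bare LF at offset %d" % m.start() for m in _BARE_LF.finditer(payload)]
    if findings:
        # Reject before even looking for an end-of-data marker: with a bare
        # CR or LF present, two MTAs may disagree on where the message ends.
        return DataCheck(False, findings=findings)

    # Prepend a CRLF so an empty message (payload == b".\r\n") is handled uniformly.
    stream = b"\r\n" + payload
    end = stream.find(EOD)
    if end < 0:
        return DataCheck(False, findings=["no CRLF.CRLF end-of-data marker"])
    if end + len(EOD) != len(stream):
        return DataCheck(False, findings=["%d byte(s) after the end-of-data marker"
                                          % (len(stream) - end - len(EOD))])

    # Dot-unstuffing (RFC 5321 section 4.5.2): the client prepended one "."
    # to every line that started with "."; remove it again.
    lines = stream[2:end].split(b"\r\n")
    body = b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)
    return DataCheck(True, body=body)
```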

Bug#1071417: bullseye-pu: package fossil/2.15.2-1+deb11u1

2024-05-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by previous arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all the commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picked and backported fix

[ Other info ]
None
diff -Nru fossil-2.15.2/debian/changelog fossil-2.15.2/debian/changelog
--- fossil-2.15.2/debian/changelog	2021-06-15 09:55:20.0 +
+++ fossil-2.15.2/debian/changelog	2024-05-14 21:29:39.0 +
@@ -1,3 +1,13 @@
+fossil (1:2.15.2-1+deb11u1) bullseye; urgency=medium
+
+  * Non maintainer fix with acknowlegment by maintainer.
+  * Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795 and add
+"Breaks: apache2 (<< 2.4.59-1~)" to stage fix; see
+https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+(closes: #1070069)
+
+ -- Bastien Roucari??s   Tue, 14 May 2024 21:29:39 +
+
 fossil (1:2.15.2-1) unstable; urgency=high
 
   * New upstream version, announcement (expurgated) says:
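Review bot: the entry quotes `"Breaks: apache2 (<< 2.4.59-1~)"` but the debian/control hunk adds Breaks on both apache2 and apache2-bin, so the changelog should list both. Typo: `acknowlegment` should be `acknowledgement`. It would also help to say what symptom the cherry-pick fixes (fossil's handling of HTTP replies without a Content-Length field, per the patch subject) instead of only the upstream hash.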
diff -Nru fossil-2.15.2/debian/control fossil-2.15.2/debian/control
--- fossil-2.15.2/debian/control	2021-04-07 08:12:51.0 +
+++ fossil-2.15.2/debian/control	2024-05-14 21:29:39.0 +
@@ -22,6 +22,7 @@
 Architecture: any
 Multi-Arch: foreign
 Depends: libtcl8.6 | libtcl, ${misc:Depends}, ${shlibs:Depends}
+Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)
 Suggests: gnupg | gnupg2
 Description: DSCM with built-in wiki, http interface and server, tickets database
  Fossil is an easy-to-use Distributed Source Control Management system
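Review bot: a `Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)` in fossil prevents the fixed fossil from being unpacked while an older apache2 is installed, forcing apache2 to be upgraded alongside it; it does not prevent the combination this update is about (an unfixed fossil together with the new apache2), which would need the relationship on the apache2 side. Please confirm this direction is intended, or document why the fixed fossil must not run against pre-2.4.59 Apache.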
diff -Nru fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch
--- fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	1970-01-01 00:00:00.0 +
+++ fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	2024-05-14 21:29:39.0 +
@@ -0,0 +1,361 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Tue, 14 May 2024 21:23:16 +
+Subject: Deal with the missing Content-Length field
+
+fix regression of CVE-2024-24795
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+origin: https://fossil-scm.org/home/vpatch?from=9c40ddbcd182f264=a8e33fb161f45b65
+---
+ src/cgi.c   | 43 -
+ src/clone.c | 14 +++-
+ src/http.c  | 71 +
+ src/main.c  | 14 ++--
+ src/xfer.c  |  1 +
+ 5 files changed, 121 insertions(+), 22 deletions(-)
+
+diff --git a/src/cgi.c b/src/cgi.c
+index d47575b..aade0fb 100644
+--- a/src/cgi.c
 b/src/cgi.c
+@@ -1034,7 +1034,7 @@ void cgi_trace(const char *z){
+ }
+ 
+ /* Forward declaration */
+-static NORETURN void malformed_request(const char *zMsg);
++static NORETURN void malformed_request(const char *zMsg, ...);
+ 
+ /*
+ ** Initialize the query parameter database.  Information is pulled from
+@@ -1080,6 +1080,7 @@ void cgi_init(void){
+   const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
+   const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
+   const char *zPathInfo = cgi_parameter("PATH_INFO",0);
++  const char *zContentLength = 0;
+ #ifdef _WIN32
+   const char *zServerSoftware = cgi_parameter("SERVER_SOFTWARE",0);
+ #endif
+@@ -1186,7 +1187,15 @@ void cgi_init(void){
+ g.zIpAddr = fossil_strdup(z);
+   }
+ 
+-  len = atoi(PD("CONTENT_LENGTH", "0"));
++  zContentLength = P("CONTENT_LENGTH");
++  if( zContentLength==0 ){
++len = 0;
++if( sqlite3_stricmp(PD("REQUEST_METHOD",""),"POST")==0 ){
++  malformed_request("missing CONTENT_LENGTH on a POST method");
++}
++  }else{
++len = atoi(zContentLength);
++  }
+   zType = P("CONTENT_TYPE");
+   zSemi = zType ? strchr(zType, ';') : 0;
+   if( zSemi ){
+@@ -1593,11 +1602,22 @@ void cgi_vprintf(const char *zFormat, va_list ap){
+ /*
+ ** Send a reply indicating that the HTTP request was malformed
+ */
+-static NORETURN void malformed_request(const char *zMsg){
+-  cgi_set_status(501, "Not Implemented");
+-  cgi_printf(
+-"Bad Request: %s\n", zMsg
+-  );
++static NORETURN void malformed_request(const char *zMsg, ...){
++  va_list ap;
++  char *z;
++  va_start(ap, zMsg);
++  z = vmprintf(zMsg, ap);
++  va_end(ap);
++  cgi_set_status(400, "Bad Request");
++  zContentType = "text/plain";
++  if( 
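Review bot: in the cgi.c part of the embedded patch, `len = atoi(zContentLength)` is carried over from the old code, so a non-numeric or negative CONTENT_LENGTH is still accepted silently; since the new branch already calls `malformed_request()` for a POST without CONTENT_LENGTH, the same path could reject a value that does not parse as a non-negative integer (strtol with end-pointer and range check). Changing the reply from 501 to 400 is the correct status for a malformed request. The now variadic `malformed_request(const char *zMsg, ...)` passes `zMsg` to vmprintf as a format string, so every caller must pass a literal format, never request data.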

Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1

2024-05-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by previous arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all the commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport from sid. There is no incompatibility and this is an upstream maintenance
and fix-only version.

[ Other info ]
I have not attached the debdiff against stable because the fix is a backport from sid.
The debdiff against sid is attached instead.
diff -Nru fossil-2.24/debian/changelog fossil-2.24/debian/changelog
--- fossil-2.24/debian/changelog	2024-04-30 14:32:05.0 +
+++ fossil-2.24/debian/changelog	2024-05-07 19:26:27.0 +
@@ -1,3 +1,10 @@
+fossil (1:2.24-6~deb12u1) bookworm; urgency=medium
+
+  * Non maintainer upload with acknowledgement by maintainer
+  * Backport to bookworm
+
+ -- Bastien Roucari??s   Tue, 07 May 2024 19:26:27 +
+
 fossil (1:2.24-6) unstable; urgency=medium
 
   * Add "Breaks: apache2-bin (<< 2.4.59-1~)" per #1070069 discussion.
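Review bot: the new stanza only says `Backport to bookworm`; a pu changelog should state what is being fixed (the Apache CVE-2024-24795 regression, #1070069) with a `Closes:` so the tracker is updated. The version `1:2.24-6~deb12u1` also differs from the `2.24-5~deb11u1` in this bug's title; please align them. Since the `Breaks: apache2-bin (<< 2.4.59-1~)` from 1:2.24-6 now lands in bookworm, a line saying the package requires apache2 >= 2.4.59 would save users a surprise.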




Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-09 Thread Bastien Roucariès
On Saturday, 4 May 2024, 12:40:25 UTC, Andreas Beckmann wrote:
> On 04/05/2024 13.02, Andreas Beckmann wrote:
> >> I have patched sendmail in order to enable the O RejectNUL=True directive,
> >> but I did not manage to enable it by default.
> 
> >> Andreas, could you have a look at how to make RejectNUL the default?
> 
> Second attempt. Completely untested. This should work for both fresh 
> installations and upgrades (as long as *.cf gets regenerated).
> 
> Could you try that? And especially that the opt-out instructions are 
> working?
> 
> Short explanation of the changes:
> - Patch upstream proto.m4 to unconditionally emit 'O RejectNUL' with a
>default of 'false'. As long as confREJECT_NUL is not defined (also the
>default), this will be commented, so safe if built without
>_FFR_REJECT_NUL_BYTE
> - In debian.m4 define confREJECT_NUL to 'true' if sendmail was built
>with _FFR_REJECT_NUL_BYTE, so it is enabled by default on Debian
> - If sendmail.mc undefines confREJECT_NUL (or defines it to 'false'),
>RejectNUL will be disabled again.
> 
> If that works on sid, it should be trivially backportable to 
> (old)*stable. There should be NEWS about that change.

Test validated and pushed to git.

Only the NEWS entry is lacking.

Due to the complexity of this issue, do you, as an outsider, have an idea how to
explain it to a simple user?

Bastien
> 
> Andreas
> 





Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-05-06 Thread Bastien Roucariès
On Monday, 29 April 2024, 18:40:39 UTC, Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.
> 
> Cheers,
> 
> --Barak.
> 
Thanks for your work; do you think a full backport of fossil is worthwhile for
stable?

Bastien




Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-01 Thread Bastien Roucariès
Package: sendmail-bin
Severity: important
Tags: security help
Forwarded: https://marc.info/?l=oss-security=171447187004229=2

Dear Maintainer,

CVE-2023-51765 is not fully fixed at least for forwarding bad mail.

We must reject mail containing NUL as a stop-gap method.

I have patched sendmail in order to enable the O RejectNUL=True directive,
but I did not manage to enable it by default.

It will need a NEWS.Debian entry, I suppose.

Andreas, could you have a look at how to make RejectNUL the default?

Bastien



Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien

diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog
--- wpa-2.9.0/debian/changelog	2021-02-25 21:19:14.0 +
+++ wpa-2.9.0/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.9.0-21) unstable; urgency=high
 
   * Fix typos in the package descriptions.
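Review bot: the entry describes the vulnerability but not the behaviour change the patch introduces: PEAP now requires Phase 2 authentication by default whenever no client certificate and no TLS session resumption are used, and a new `phase2_auth` phase1 parameter relaxes that. The patch description itself warns that the stricter default can cause interoperability issues with servers that skip Phase 2, so this belongs in the changelog and very likely in a NEWS.Debian entry for a stable update.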
diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:45:18.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used 
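Review bot: the patch header has From/Date/Subject but no DEP-3 `Origin:` line pointing at the upstream hostap commit and no `Bug-Debian: https://bugs.debian.org/1064061`; adding both makes it easy to verify the backport against upstream. Typo in the `phase2_auth` description: "is no used" should be "is not used".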

Bug#1070151: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien

diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2023-02-24 13:01:35.0 +
+++ wpa-2.10/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.10-12+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.10-12) unstable; urgency=medium
 
   * Prevent hostapd units from being started if there???s
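Review bot: this stanza should mention the new default behaviour (Phase 2 authentication is required unless a client certificate or TLS session resumption is in use) and the `phase2_auth` phase1 option that restores the old behaviour, because the patch text states that the stricter default can break interoperability with some authentication servers; for a bookworm update that warrants a NEWS.Debian entry too.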
diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:42:02.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not 
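Review bot: as with the bullseye copy of this patch, the header lacks DEP-3 `Origin:` and `Bug-Debian:` lines; `Origin:` should give the upstream hostap commit URL and `Bug-Debian:` should reference #1064061 so the backport can be checked against upstream. The description's "is no used" should read "is not used".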

Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 14:56:07 UTC, Barak A. Pearlmutter wrote:
> I've uploaded a package with this fixed to unstable, 1:2.24-5, and
> it's been autobuilt and pushed out. Seems to work okay, and can be
> co-installed with apache2/sid.
> 
> Just uploaded 1:2.24-6 that adds Breaks: apach2-bin per your recent message.
> 
> Honestly, I'm not confident in my ability to properly back-port
> security-related patches to old versions of fossil. It's a big
> network-facing program with a large number of moving parts and a
> substantial attack surface, all written in C. It uses its own sqlite3
> copy when the shared library in Debian isn't a high enough version or
> doesn't have the right options enabled (currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)
> All this means it would be super easy for me to miss some issue and
> introduce a vulnerability if I try to back-port a security patch,
> particularly without myself deeply understanding the security issue.
> 
> Stable has 1:2.21-1.
> 
> I just made a debian-bookworm-proposed-updates branch rooted there and
> tried to cherry-pick the fix,
> https://fossil-scm.org/home/info/f4ffefe708793b03 but it does not
> apply cleanly. Obviously I can do it manually though, however there
> have been changes in the neighborhood.
> 
> Also, are you *sure* I shouldn't also be applying
> https://fossil-scm.org/home/info/71919ad1b542832c to the fixed
> versions? Because I'm not! I'd be most comfortable if upstream simply
> made a proper release with this fixed (which I bet they'd do upon
> request), and I uploaded that with the appropriate "Breaks:
> apache2-bin (<<...)", and did the (trivial) backport of that package
> to bookworm and bullseye, with the "breaks:" modified to the
> appropriate version.

I agree with you; maybe a full backport is better for bookworm, see the changes here
(lines marked with * are the interesting commits to backport).

Yadd, do you have a piece of advice?

Bastien

2024-04-22

*16:29  
cgi.md: be less specific about the Apache version in which the 
Content-Length change happened because a new forum post reports that it happens 
at least as far back as 2.4.41. ...
2024-04-21

18:51   
Merge the update to zLib-1.3.1. ...
18:46   
Improvements to comments in graph.c. No changes to actual code. ...
*16:20  
Fix parsing of the argument to the "Connection:" header of HTTP reply 
messages to deal with unusual arguments added by Apache mod_cgi. See forum 
thread ca6fc85c80f4704f. ...
*15:37  
Simplify parsing of the Connection: header in HTTP replies. ...
*06:15  
Only accept commas as separators for multiple values in "Connection:" 
HTTP headers, and ignore any white space surrounding (but not embedded into) 
values. The previous method would fall for (fictional) HTTP header values 
containing spaces, like "Connection: don't close", and recognize a value of 
"close". ...
2024-04-20

21:58   
In /chat preview mode, apply the click handlers to pikchrs in the 
preview. ...
*14:42  
Fix parsing of "Connection:" HTTP headers with multiple values. ...
2024-04-19

16:08   
Fix a minor problem in graph layout for timelines that made use of the 
offset-merge-riser enhancement. Problem originally seen on the bottom node of 
/timeline?p=6da255034b30b4b4=47362306a7dd7c6f. ...
*13:11  
More change-log enhancements: More details about the work-around for 
the Apache mod_cgi breakage, and put that work-around first on the change log 
since it seems to be important to people. ...
12:59   
Formatting enhancements to the change log for the upcoming 2.24 
release. ...
2024-04-18

17:14   
Update the built-in SQLite to the latest pre-release of version 3.46.0, 
including the bug fix for the use of VALUES-as-coroutine with an OUTER JOIN. ...
17:00   
Typo fix and add specific Apache version number to the notes about the 
Content-Length change. ...
2024-04-17

17:59   
Change log updates. ...
*15:30  • Edit [18d76fff]: Edit check-in comment. ...
*14:02  
Output a warning if a client sync or clone gets back a keep-alive HTTP 
reply that lacks a content-length header. ...
*13:27  
Only process HTTP replies that lack a Content-Length header if the 
connection is set to be closed. Suggested by 
https://bz.apache.org/bugzilla/show_bug.cgi?id=68905. ...
*13:21  
Update the change log in order to mention the Apache 
mod_cgi/Content-Length fix. ...
*13:14  
Update Apache mod_cgi/Content-Length documentation. ...
*12:58  
Fix the HTTP-reply parser so that it is able to deal with replies that 
lack a Content-Length header field. This resolves the issue reported by forum 
post 12ac403fd29cfc89. Also in this merge: (1) Add the --xverbose option to 
"fossil clone". (2) Improved error messages when web 
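The change-log items marked with * above describe how fossil's client now delimits an HTTP reply that lacks a Content-Length field. As an added example that is not fossil's code, here is a Python reconstruction of that rule as I read it from those entries: exact length when Content-Length is present, read-to-EOF only when the Connection header (split on commas only, surrounding white space ignored) says close, and rejection of a keep-alive reply without a length; the sample replies are constructed.

```python
"""Constructed example: delimit an HTTP/1.1 reply body the way the fossil
change log above describes, including a Connection-header parser that splits
only on commas and ignores surrounding (but not embedded) white space.
"""
from dataclasses import dataclass


@dataclass
class Reply:
    status: int
    headers: dict          # field names lower-cased
    body: bytes
    warning: str = ""      # non-empty when the body was delimited by EOF


def connection_tokens(value: str) -> list:
    """Split a Connection header value on commas only.

    'close, Upgrade' -> ['close', 'upgrade']
    "don't close"    -> ["don't close"]   (which is NOT the token 'close')
    """
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def parse_reply(raw: bytes, peer_closed: bool) -> Reply:
    """Parse one HTTP reply received by a sync/clone client.

    raw          bytes read from the socket (head plus whatever body arrived)
    peer_closed  whether the server closed the connection after sending raw

    Rules (my reading of the change-log entries, not fossil's code):
      * Content-Length present: take exactly that many body bytes.
      * No Content-Length and Connection: close: the body runs to EOF.
      * No Content-Length on a keep-alive reply: the end of the body cannot
        be found reliably, so the reply is rejected.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if "content-length" in headers:
        n = int(headers["content-length"])
        if n < 0 or len(rest) < n:
            raise ValueError("short body or invalid Content-Length")
        return Reply(status, headers, rest[:n])

    if "close" in connection_tokens(headers.get("connection", "")):
        if not peer_closed:
            raise ValueError("Connection: close but the peer has not closed yet")
        return Reply(status, headers, rest,
                     warning="reply lacked Content-Length; body delimited by EOF")

    raise ValueError("keep-alive reply without Content-Length; cannot delimit body")
```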

Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 14:56:07 UTC, Barak A. Pearlmutter wrote:
> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0 
> (2022-02-22), it was necessary to compile with this option in order to 
> include the JSON SQL functions in the build. However, beginning with SQLite 
> version 3.38.0, those functions are included by default. Use the 
> -DSQLITE_OMIT_JSON option to omit them. 

If so, you could drop this embedded code copy for bookworm (if the release team is OK)
and sid.

BTW I have just opened a bug and added some comments on the embedded code copy.

Bastien




Bug#1070126: fossil: Do not use embded sqlite

2024-04-30 Thread Bastien Roucariès
Source: fossil
Severity: important

Dear Maintainer,

> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0
> (2022-02-22), it was necessary to compile with this option in order to include
> the JSON SQL functions in the build. However, beginning with SQLite version
> 3.38.0, those functions are included by default. Use the -DSQLITE_OMIT_JSON
> option to omit them.

If so, you could drop this embedded code copy for bookworm (if the release team is OK)
and sid.

Bastien




Bug#1069063: distro-info: Please support distro-info --alias=trixie -r

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 15:24:11 UTC, Benjamin Drung wrote:
> Hi,
> 
> On Mon, 2024-04-15 at 18:58 +, Bastien Roucariès wrote:
> > Package: distro-info
> > Version: 1.7
> > Severity: minor
> > 
> > Dear Maintainer,
> > 
> > distro-info --alias=trixie -r is misleading: it returns trixie instead of 
> > 13...
> > 
> > Maybe a feature but should be documented
> > 
> > I work around it by doing this in my script in two steps:
> > distro-info --$(distro-info --alias=trixie) -r
> 
> --alias was not developed to be combined with -c/-r/-f. So either
> distro-info should reject this parameter combination or change the
> behaviour to what you wanted to do.
> 
> 
Yes, that is the bug, with additionally a documentation bug.

Bastien




Bug#1070120: postfix: can't send mail due to obsolete /var/spool/postfix/etc/resolv.conf on new network

2024-04-30 Thread Bastien Roucariès
On Tuesday 30 April 2024, 14:52:46 UTC Vincent Lefevre wrote:
Hi,

> Control: tags -1 security
> 
> On 2024-04-30 16:33:14 +0200, Vincent Lefevre wrote:
> > If I try to restart postfix, I get:
> > 
> > postfix/postfix-script: warning: /var/spool/postfix/etc/resolv.conf and 
> > /etc/resolv.conf differ

A solution may be to bind-mount /etc/resolv.conf read-only onto
/var/spool/postfix/etc/resolv.conf

Bastien
> 
> BTW, note that this is a security issue, because with wifi,
> the DNS server often corresponds to the local router (e.g.
> 10.3.0.1), and it may happen that the obsolete IP address
> may correspond to some random machine on the network, which
> could act as a malicious DNS server.
> 
> > Indeed, /var/spool/postfix/etc/resolv.conf contains obsolete data.
> > 
> > I had to do "cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf".
> 
> I don't know how the update should be done. I suppose that
> /etc/network/if-up.d/postfix is pointless in case of wifi as
> it says "Called when a new interface comes up", but for wifi,
> this is the same interface, only a new network.
> 
> And I don't understand why restarting postfix did not update
> the file.
> 
> BTW, even ethernet connections may be affected in case of
> network reconfiguration.
> 
> 



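As an added illustration of the stale-resolver problem discussed in this report (not code from the bug thread, from postfix, or from the Debian if-up.d hook), the following Python check detects when the chroot copy of resolv.conf has drifted from /etc/resolv.conf, which is the condition behind the postfix-script warning quoted above, and refreshes it atomically. The default paths are the ones named in the report; the function and constant names and the resolver contents written by demo() are constructed for the example.

```python
"""Check and refresh the resolv.conf copy that postfix keeps in its chroot.

Added illustration for the bug discussed above; it is not part of postfix or of
the Debian hook. Default paths are the ones named in the report. The sample
contents used by demo() are constructed."""
import filecmp
import os
import shutil
import tempfile

SYSTEM_RESOLV = "/etc/resolv.conf"
CHROOT_RESOLV = "/var/spool/postfix/etc/resolv.conf"


def nameservers(path):
    """Return the resolver addresses listed in a resolv.conf file."""
    servers = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "nameserver":
                servers.append(parts[1])
    return servers


def chroot_copy_is_stale(src=SYSTEM_RESOLV, dst=CHROOT_RESOLV):
    """True when the chroot copy is missing or differs from the system file.

    This is the same condition that makes postfix-script print its
    "... and /etc/resolv.conf differ" warning."""
    if not os.path.exists(dst):
        return True
    return not filecmp.cmp(src, dst, shallow=False)


def refresh_chroot_copy(src=SYSTEM_RESOLV, dst=CHROOT_RESOLV):
    """Replace the chroot copy with the current system file when it is stale.

    Returns True if a refresh happened. The copy is written under a temporary
    name and renamed into place so the daemon never reads a partial file."""
    if not chroot_copy_is_stale(src, dst):
        return False
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    tmp = dst + ".new"
    shutil.copyfile(src, tmp)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dst)
    return True


def demo():
    """Run the check against constructed files in a scratch directory.

    Returns (stale_before, refreshed, resolvers_after, refreshed_again)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "etc", "resolv.conf")
        dst = os.path.join(work, "chroot", "etc", "resolv.conf")
        os.makedirs(os.path.dirname(src))
        os.makedirs(os.path.dirname(dst))
        # constructed: the current network hands out 10.3.0.1 (the router
        # address from the report); the chroot copy still names the resolver
        # of a previous network
        with open(src, "w", encoding="utf-8") as fh:
            fh.write("search example.test\nnameserver 10.3.0.1\n")
        with open(dst, "w", encoding="utf-8") as fh:
            fh.write("nameserver 192.0.2.53\n")
        stale_before = chroot_copy_is_stale(src, dst)
        refreshed = refresh_chroot_copy(src, dst)
        resolvers_after = nameservers(dst)
        refreshed_again = refresh_chroot_copy(src, dst)
    return stale_before, refreshed, resolvers_after, refreshed_again


if __name__ == "__main__":
    print(demo())
```

The read-only bind mount suggested in the reply removes the need for any refresh, since the chroot then sees the live file; where a bind mount is not an option, a check like this one can run from a network-change hook so that the resolver address inside the chroot never outlives the network it came from.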


Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-30 Thread Bastien Roucariès
On Monday 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.

Hi

I give up on fossil patches (I am not fossil fluent)

The bookworm version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)
The bullseye version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)

We have done a full backport of apache due to several bugs

BTW I suppose that the sid version should, for extra safety, break against 
apache2-bin (<< 2.4.59-1~) instead of apache2

You should begin and apache2 will follow ASAP

Bastien

For buster I will re-prod you when done,
> 
> Cheers,
> 
> --Barak.
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-29 Thread Bastien Roucariès
On Monday 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?

Yes, except for unstable, where you could go without coordination

Fixed apache is 2.4.59-1

So I think a
breaks: apache2 (<<2.4.59-1~) 

is safe on your side (transition will be blocked)

When done I will upload an apache2 version with
breaks: fossil (<< 2.4.59-2~)

I will do the bpu when done with release team

Bastien
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.


> 
> Cheers,
> 
> --Barak.
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-29 Thread Bastien Roucariès
Package: fossil
Severity: serious
Justification: breaks unrelated package
affects: apache2

Dear Maintainer,

CVE-2024-24795 is fixed in apache2. However, it breaks fossil

You need to apply https://fossil-scm.org/home/info/f4ffefe708793b03

See bug here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=68905

I can help here and do the proposed update

We also need to use a Breaks relationship in apache2, in order to allow a smooth
upgrade

Bastien





Bug#1061519: shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

2024-04-17 Thread Bastien Roucariès
On Monday 15 April 2024, 13:58:19 UTC Steve McIntyre wrote:
> On Mon, Apr 15, 2024 at 11:33:14AM +0000, Bastien Roucariès wrote:
> >Source: shim
> >Followup-For: Bug #1061519
> >Control: tags -1 + patch
> >
> >Dear Maintainer,
> >
> >Please find a MR here
> >https://salsa.debian.org/efi-team/shim/-/merge_requests/13
> 
> ACK. Thanks for trying to help, but the merge isn't the hard bit here.
> 
> The new upstream is a little problematic and I'm debugging some boot
> failures in my local CI already.

I have backported here 
https://salsa.debian.org/efi-team/shim/-/merge_requests/14

Needs testing
> 
> 





Bug#1069063: distro-info: Please support distro-info --alias=trixie -r

2024-04-15 Thread Bastien Roucariès
Package: distro-info
Version: 1.7
Severity: minor

Dear Maintainer,

distro-info --alias=trixie -r is misleading: it returns trixie instead of 13...

Maybe a feature, but it should be documented

I work around this in my script by doing it in two steps:
distro-info --$(distro-info --alias=trixie) -r




Bastien




Bug#1069054: shim: install ca for secure boot

2024-04-15 Thread Bastien Roucariès
Source: shim
Severity: minor

Dear Maintainer,

Could you install the CA used for secure boot somewhere in the tree?

It will help to check the CA chain by autopkgtest

Bastien





Bug#1061519: shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

2024-04-15 Thread Bastien Roucariès
Source: shim
Followup-For: Bug #1061519
Control: tags -1 + patch

Dear Maintainer,

Please find a MR here
https://salsa.debian.org/efi-team/shim/-/merge_requests/13

Bastien




Bug#1068940: json-smart: please package the new upstream version

2024-04-13 Thread Bastien Roucariès
Source: json-smart
Version: 2.2-3
Severity: wishlist

Dear Maintainer,

Please package the new upstream version

I did not manage to get maven to compile it

Bastien



Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday 13 April 2024, 14:01:24 UTC Bastien Roucariès wrote:
> On Saturday 13 April 2024, 14:00:00 UTC Moritz Mühlenhoff wrote:
> Hi,
> 
> > Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: bullseye
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > X-Debbugs-Cc: Bastien Roucariès 
> > > Control: affects -1 + src:json-smart
> > > Control: block 1039985 with -1
> > > Control: block 1033474 with -1
> > > 
> > > [ Reason ]
> > > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > > causing version skew on upgrades:
> > 
> > CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> > is a precondition for a point update.
> > 
> > Bastien, since you fixed it in buster-lts, can you please also take care
> > of addressing unstable?

Done
> 
> 
> Ok will do
> > 
> > Cheers,
> > Moritz
> > 
> 
> 





Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday 13 April 2024, 14:00:00 UTC Moritz Mühlenhoff wrote:
Hi,

> Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Bastien Roucariès 
> > Control: affects -1 + src:json-smart
> > Control: block 1039985 with -1
> > Control: block 1033474 with -1
> > 
> > [ Reason ]
> > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > causing version skew on upgrades:
> 
> CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> is a precondition for a point update.
> 
> Bastien, since you fixed it in buster-lts, can you please also take care
> of addressing unstable?


Ok will do
> 
> Cheers,
> Moritz
> 





Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2

2024-04-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: zookee...@packages.debian.org
Control: affects -1 + src:zookeeper
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watcher handling was found in
Apache ZooKeeper due to a missing ACL check. It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent to which the attacker already has access.
The ZooKeeper server does not do an ACL check when the persistent watcher
is triggered and, as a consequence, the full path of the znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It is important to note that only the path is exposed by this
vulnerability, not the data of the znode, but since a znode path can contain
sensitive information like a user name or login ID, this issue is
potentially critical.

[ Impact ]
CVE-2024-23944 is not fixed

[ Tests ]
Full upstream testsuite run at build time

[ Risks ]
None known

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See debdiff
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog	2023-10-29 07:57:11.0 +
+++ zookeeper-3.8.0/debian/changelog	2024-03-25 08:30:56.0 +
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
+
+  * Team upload
+  * Bug fix: CVE-2024-23944 (Closes: #1066947):
+An information disclosure in persistent watchers handling was found in
+Apache ZooKeeper due to missing ACL check.  It allows an attacker to
+monitor child znodes by attaching a persistent watcher (addWatch
+command) to a parent which the attacker has already access
+to. ZooKeeper server doesn't do ACL check when the persistent watcher
+is triggered and as a consequence, the full path of znodes that a
+watch event gets triggered upon is exposed to the owner of the
+watcher. It's important to note that only the path is exposed by this
+vulnerability, not the data of znode, but since znode path can contain
+sensitive information like user name or login ID, this issue is
+potentially critical.
+  * Add salsa CI
+
+ -- Bastien Roucari??s   Mon, 25 Mar 2024 08:30:56 +
+
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 
   * Team upload:
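Review bot: the new changelog stanza in this hunk targets `bookworm-security`, but this request is filed as a bookworm-pu (Usertags: pu) going through the release team, so the distribution field should read `bookworm`; a security-suite distribution in a pu upload is the kind of mismatch that gets the upload rejected. The trailer line `-- Bastien Roucari??s` also shows the maintainer name with mangled non-ASCII characters, which suggests the entry was written or exported under a non-UTF-8 locale; the changelog should be re-encoded as UTF-8 before upload so the name matches the other entries.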
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	1970-01-01 00:00:00.0 +
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	2024-03-25 08:30:56.0 +
@@ -0,0 +1,1223 @@
+From: Andor Molnar 
+Date: Tue, 28 Nov 2023 21:25:00 +0100
+Subject: CVE-2024-23944: ZOOKEEPER-4799: Refactor ACL check in 'addWatch'
+ command
+
+As of today, it is impossible to diagnose which watch events are dropped
+because of ACLs.  Let's centralize, systematize, and log the checks at
+the 'process()' site in the Netty and NIO connections.
+
+(These 'process()' methods contain some duplicated code, and should also
+be refactored at some point.  This series does not change them.)
+
+This patch also adds a substantial number of tests in order to avoid
+unexpected regressions.
+
+Co-authored-by: Patrick Hunt 
+Co-authored-by: Damien Diederen 
+
+origin: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d
+bug: https://issues.apache.org/jira/browse/ZOOKEEPER-4799
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-23944
+---
+ .../apache/zookeeper/server/watch/WatchBench.java  |   6 +-
+ .../java/org/apache/zookeeper/server/DataTree.java |  23 +-
+ .../org/apache/zookeeper/server/DumbWatcher.java   |   4 +-
+ .../org/apache/zookeeper/server/NIOServerCnxn.java |  16 +-
+ .../apache/zookeeper/server/NettyServerCnxn.java   |  17 +-
+ .../org/apache/zookeeper/server/ServerCnxn.java|  10 +-
+ .../org/apache/zookeeper/server/ServerWatcher.java |  29 +
+ .../zookeeper/server/watch/IWatchManager.java  |   7 +-
+ .../zookeeper/server/watch/WatchManager.java   |  15 +-
+ .../server/watch/WatchManagerOptimized.java|  15 +-
+ .../apache/zookeeper/server/MockServerCnxn.java|   4 +-
+ .../zookeeper/server/watch/WatchManagerTest.java   |  14 +-
+ .../zookeeper/test/PersistentWatcherACLTest.java   | 629 +
+ .../zookeeper/test/UnsupportedAddWatcherTest.java  |   9 +-
+ 14 files changed, 763 insertions(+), 35 deletions(-)
+ create mode 100644 
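As an added illustration of the flaw described under [ Reason ] above (this is not ZooKeeper's code and not the Debian patch), the following Python model builds a small data tree with persistent watchers in which the ACL check can be switched on or off at the point where a watch event is delivered. The znode, ACL and watcher classes, the permission names and the sample paths are constructed; the persistent watch is modelled as recursive, so child events carry the child's full path, which is the information the advisory says was exposed.

```python
"""Model of the missing ACL check behind CVE-2024-23944.

Added illustration; it is not ZooKeeper code. The tree, ACL model and watcher
API are simplified and constructed: a znode carries a map of principal ->
permissions, a persistent watcher is registered on a parent and is notified
with the full path of every child created beneath it."""

READ = "read"      # constructed permission names
CREATE = "create"


class Znode:
    def __init__(self, path, acl):
        self.path = path
        self.acl = acl  # constructed: {principal: {permission, ...}}


class Watcher:
    """Stand-in for a client session holding a persistent watch."""

    def __init__(self, principal):
        self.principal = principal
        self.events = []  # paths this session got to see

    def process(self, path):
        self.events.append(path)


class DataTree:
    def __init__(self, check_acl_on_trigger):
        # False reproduces the vulnerable behaviour, True the fixed one
        self.check_acl_on_trigger = check_acl_on_trigger
        self.nodes = {}
        self.persistent_watches = {}  # parent path -> [Watcher]

    def permitted(self, principal, path, perm):
        node = self.nodes.get(path)
        return node is not None and perm in node.acl.get(principal, set())

    def add_watch(self, parent, watcher):
        # registration was always ACL-checked: the caller must read the parent
        if not self.permitted(watcher.principal, parent, READ):
            raise PermissionError(f"{watcher.principal} cannot read {parent}")
        self.persistent_watches.setdefault(parent, []).append(watcher)

    def create(self, path, acl, creator):
        parent = path.rsplit("/", 1)[0] or "/"
        if parent in self.nodes and not self.permitted(creator, parent, CREATE):
            raise PermissionError(f"{creator} cannot create under {parent}")
        self.nodes[path] = Znode(path, acl)
        self._fire(parent, path)

    def _fire(self, parent, child):
        for watcher in self.persistent_watches.get(parent, []):
            if self.check_acl_on_trigger and not self.permitted(
                watcher.principal, child, READ
            ):
                # the fix: drop (and, in the real server, log) an event whose
                # path the watcher's session is not allowed to read
                continue
            watcher.process(child)


def simulate(check_acl_on_trigger):
    """Return the child paths a low-privilege watcher gets to see."""
    tree = DataTree(check_acl_on_trigger)
    tree.create("/users", {"admin": {READ, CREATE}, "guest": {READ}},
                creator="admin")
    guest = Watcher("guest")
    tree.add_watch("/users", guest)  # allowed: guest can read /users itself
    # constructed: child znodes named after login IDs, readable by admin only
    tree.create("/users/alice", {"admin": {READ}}, creator="admin")
    tree.create("/users/bob", {"admin": {READ}}, creator="admin")
    # a child that guest may read is delivered in both variants
    tree.create("/users/public-notice", {"admin": {READ}, "guest": {READ}},
                creator="admin")
    return guest.events


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("fixed:     ", simulate(True))
```

With the check off, the guest session that could only read /users learns the name of every child znode created under it; with it on, only children it could read anyway are reported, which is the check the upstream refactoring centralises at the process() sites of the NIO and Netty connections.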

Bug#1064061: CVE-2023-52160

2024-04-12 Thread Bastien Roucariès
control: tags -1 + patch

Hi,

You will find a merge request for fixing CVE-2023-52160

https://salsa.debian.org/debian/wpa/-/merge_requests/15

I can do an NMU if needed

Bastien




Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 18:36:54 UTC Fab Stz wrote:
> To build modernizr an additional source file is required (file.js) this file 
> is added to missing-sources (it comes from the npm package of the same name 
> from npm server or from upstreams repo). It is required by the build script 
> from upstream.
> 
> The patch is only here to use that file. That way there is no need to create 
> a Debian package for it (packaging npm nodes is beyond my knowledge and I'm 
> not really interested in doing that).
> 
> Concerning your other question, I don't understand it. The binary packages 
> only ships the js & min.js, not the build script. The missing sources is 
> required only by the build script iirc.

Thanks, this should be documented in:
- the comment at the beginning of missing-source/file
- the header of the patch, see https://dep-team.pages.debian.net/deps/dep3/
> 
> 
> > On 28 March 2024 19:23:08 GMT+01:00, "Bastien Roucariès" wrote:
> >On Thursday 28 March 2024, 18:16:09 UTC Fab Stz wrote:
> >> Hello Bastien,
> >> 
> >> Iirc not so many packages depend on it and none seems to use the files 
> >> that are not shipped anymore in the binary package (the individual 
> >> 'rules').
> >> 
> >> Concerning the build maybe you could look at d/rules on the merge request. 
> >> It uses upstream's build script that builds the complete js.
> >
> >I do not understand:
> >- please document the patch using the DEP-3 format
> >- explain how the build script does not ship in /usr/share 
> >debian/missingsources
> >
> >bastien
> >> 
> >> Regards
> >> Fab
> >> 
> >> On 28 March 2024 18:54:27 GMT+01:00, "Bastien Roucariès" wrote:
> >> >On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> >> >> Dear Maintainers,
> >> >> 
> >> >> I'm thinking of doing an NMU for the package by updating it to 
> >> >> 3.13.0-0.1. The 
> >> >> MR is now open since July 2023 and this bug referencing it has been 
> >> >> existing 
> >> >> for about 10 days (in case the MR wouldn't have been noticed).
> >> >> 
> >> >> There is also bug 
> >> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> >> >> which request a newer version since 2021.
> >> >> 
> >> >> BTW, I would require a sponsor to upload the NMU.
> >> >> 
> >> >> Do you have advice or comment on this?*
> >> >
> >> >What is the state of reverse depends ?
> >> >
> >> >How does it build ?
> >> >
> >> >Bastien
> >> >> 
> >> >> Regards
> >> >> Fab
> >> >> 
> >> >>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> >> >> > Source: modernizr
> >> >> > Version: update
> >> >> > Severity: wishlist
> >> >> > Tags: patch
> >> >> > 
> >> >> > Dear Maintainer,
> >> >> > 
> >> >> > Please update to latest upstream version 3.12 or 3.13
> >> >> > 
> >> >> > For 3.12 I created a merge request on the VCS at
> >> >> > 
> >> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> >> >> > 
> >> >> > There is also one for 2.* in
> >> >> > 
> >> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> >> >> > 
> >> >> > You just have to choose which you prefer or both one after the other.
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > -- System Information:
> >> >> > Debian Release: 12.5
> >> >> >   APT prefers stable-updates
> >> >> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), 
> >> >> > (991, 
> >> >> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), 
> >> >> > (390, 
> >> >> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), 
> >> >> > (379, 
> >> >> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> >> >> > 'unstable'), (93, 'experimental')
> >> >> > Architecture: amd64 (x86_64)
> >> >> > Foreign Architectures: i386
> >> >> > 
> >> >> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> >> >> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, 
> >> >> > TAINT_UNSIGNED_MODULE
> >> >> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> >> >> > LANGUAGE=fr:en_US
> >> >> > Shell: /bin/sh linked to /usr/bin/dash
> >> >> > Init: systemd (via /run/systemd/system)
> >> >> > LSM: AppArmor: enabled
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> 
> >> >> 
> >> >> 
> >> >
> >> 
> >
> 





Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 18:16:09 UTC Fab Stz wrote:
> Hello Bastien,
> 
> Iirc not so many packages depend on it and none seems to use the files that 
> are not shipped anymore in the binary package (the individual 'rules').
> 
> Concerning the build maybe you could look at d/rules on the merge request. It 
> uses upstream's build script that builds the complete js.

I do not understand:
- please document the patch using the DEP-3 format
- explain how the build script does not ship in /usr/share debian/missingsources

bastien
> 
> Regards
> Fab
> 
> On 28 March 2024 18:54:27 GMT+01:00, "Bastien Roucariès" wrote:
> >On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> >> Dear Maintainers,
> >> 
> >> I'm thinking of doing an NMU for the package by updating it to 3.13.0-0.1. 
> >> The 
> >> MR is now open since July 2023 and this bug referencing it has been 
> >> existing 
> >> for about 10 days (in case the MR wouldn't have been noticed).
> >> 
> >> There is also bug 
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> >> which request a newer version since 2021.
> >> 
> >> BTW, I would require a sponsor to upload the NMU.
> >> 
> >> Do you have advice or comment on this?*
> >
> >What is the state of reverse depends ?
> >
> >How does it build ?
> >
> >Bastien
> >> 
> >> Regards
> >> Fab
> >> 
> >>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> >> > Source: modernizr
> >> > Version: update
> >> > Severity: wishlist
> >> > Tags: patch
> >> > 
> >> > Dear Maintainer,
> >> > 
> >> > Please update to latest upstream version 3.12 or 3.13
> >> > 
> >> > For 3.12 I created a merge request on the VCS at
> >> > 
> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> >> > 
> >> > There is also one for 2.* in
> >> > 
> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> >> > 
> >> > You just have to choose which you prefer or both one after the other.
> >> > 
> >> > 
> >> > 
> >> > -- System Information:
> >> > Debian Release: 12.5
> >> >   APT prefers stable-updates
> >> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), (991, 
> >> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), (390, 
> >> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), (379, 
> >> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> >> > 'unstable'), (93, 'experimental')
> >> > Architecture: amd64 (x86_64)
> >> > Foreign Architectures: i386
> >> > 
> >> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> >> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> >> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> >> > LANGUAGE=fr:en_US
> >> > Shell: /bin/sh linked to /usr/bin/dash
> >> > Init: systemd (via /run/systemd/system)
> >> > LSM: AppArmor: enabled
> >> > 
> >> > 
> >> > 
> >> > 
> >> > 
> >> 
> >> 
> >> 
> >
> 





Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> Dear Maintainers,
> 
> I'm thinking of doing an NMU for the package by updating it to 3.13.0-0.1. 
> The 
> MR is now open since July 2023 and this bug referencing it has been existing 
> for about 10 days (in case the MR wouldn't have been noticed).
> 
> There is also bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> which request a newer version since 2021.
> 
> BTW, I would require a sponsor to upload the NMU.
> 
> Do you have advice or comment on this?*

What is the state of reverse depends ?

How does it build ?

Bastien
> 
> Regards
> Fab
> 
>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> > Source: modernizr
> > Version: update
> > Severity: wishlist
> > Tags: patch
> > 
> > Dear Maintainer,
> > 
> > Please update to latest upstream version 3.12 or 3.13
> > 
> > For 3.12 I created a merge request on the VCS at
> > 
> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> > 
> > There is also one for 2.* in
> > 
> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> > 
> > You just have to choose which you prefer or both one after the other.
> > 
> > 
> > 
> > -- System Information:
> > Debian Release: 12.5
> >   APT prefers stable-updates
> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), (991, 
> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), (390, 
> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), (379, 
> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> > 'unstable'), (93, 'experimental')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> > 
> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> > LANGUAGE=fr:en_US
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> > 
> > 
> > 
> > 
> > 
> 
> 
> 





Bug#1067020: jupyterlab: please use node-get-intrinsic

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: important

Dear Maintainer,

Your package includes files that are packaged elsewhere:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.eslintrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.github/FUNDING.yml
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.nycrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/CHANGELOG.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/test/GetIntrinsic.js


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1067019: jupyterlab: use packaged node-call-bind (provided package)

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: important

Dear Maintainer,

node-call-bind (a provided virtual package) provides these files:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.eslintignore
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.eslintrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.github/FUNDING.yml
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.nycrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/CHANGELOG.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/callBound.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/test/callBound.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/test/index.js


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1067017: jupyterlab: Use node-long package

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: serious
Justification: duplicated source code, not built from source

Dear Maintainer,

Your package includes the following files packaged elsewhere:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/dist/long.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/dist/long.js.map
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/index.d.ts
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/src/long.js


Moreover, it was hard for Debian to get these files built, and the @xtuc ones do
not build from source

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1063508: ITP: node-long -- Class for representing 64-bit two's-complement integer value

2024-02-18 Thread Bastien Roucariès
control: tags -1 + pending

Uploaded, waiting for ftpmaster
On Friday 9 February 2024, 03:39:41 UTC Marco Trevisan wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Marco Trevisan (Treviño) 
> X-Debbugs-CC: debian-de...@lists.debian.org
> 
> * Package name: node-long
>   Version : 5.2.3
>   Upstream Author : Daniel Wirtz 
> * URL : https://github.com/dcodeIO/long.js#readme
> * License : Apache-2.0
>   Programming Lang: JavaScript
>   Description : Class for representing 64-bit two's-complement
> integer value
> 
>  A Long class for representing a 64 bit two's-complement integer value
>  derived from the Closure Library for stand-alone use and extended with
>  unsigned support.
>  .
>  This is a class used by various modules that do not use the newer bigint.
>  .
>  Node.js is an event-based server-side JavaScript engine.
> 
> This is a tiny module that is needed for protobufjs (bug #977564),
> although being widely used according to npm stats, I feel it's better to
> package it as standalone and not as grouped package.
> 
> Salsa repository is at:
>  https://salsa.debian.org/3v1n0-guest/node-esm2umd/-/tree/debian/latest
> 
> Please mark the debian/latest as default branch since I can't change it 
> myself.
> 
> The package had a dependency on a very tiny project (esm2umd) that was
> just basically a tiny wrapper to babel. I've also prepared the packaging
> for it [1], but given that such project has not a clear license (I
> mailed the maintainer meanwhile), I preferred to avoid using it, also
> because it's really just a script using babel and I have been able to
> easily re-implement it, making the build process slightly bigger
> 
> The package needs sponsor, since I'm only a maintainer, but I'll be
> happy keeping the maintenance of it.
> 
> I've given access to the js salsa team.
> 
> [1] https://salsa.debian.org/3v1n0-guest/node-esm2umd/
> 
> 





Bug#1019980: lintian: source-is-missing check for HTML is much too sensitive

2024-02-08 Thread Bastien Roucariès
On Thursday 8 February 2024, 19:57:22 UTC Bill Allombert wrote:
> On Thu, Feb 08, 2024 at 06:39:18PM +0000, Bastien Roucariès wrote:
> > On Thursday 8 February 2024, 18:31:28 UTC Santiago Ruano Rincón wrote:
> > > On Sat, 14 Oct 2023 20:23:18 +0200 Bill Allombert  
> > > wrote:
> > > > On Sun, Sep 18, 2022 at 12:14:07AM +0100, Colin Watson wrote:
> > > > > Package: lintian
> > > > > Version: 2.115.3
> > > > > Severity: normal
> > > > > 
> > > > > Lintian issues these errors for putty 0.77-1:
> > > > > 
> > > > >   E: putty source: source-is-missing [doc/html/AppendixA.html]
> > > > >   E: putty source: source-is-missing [doc/html/AppendixB.html]
> > > > >   E: putty source: source-is-missing [doc/html/AppendixE.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter10.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter2.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter3.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter4.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter5.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter7.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter8.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter9.html]
> > > > >   E: putty source: source-is-missing [doc/html/IndexPage.html]
> > > > > 
> > > > > This is pretty oversensitive.  Firstly, it's HTML, which is still 
> > > > > often
> > > > > enough written by hand anyway.  As it happens, these particular HTML
> > > > > files are generated from halibut input that's also provided in the
> > > > > source package, though I can't see how Lintian could possibly expect 
> > > > > to
> > > > > know that.
> > 
> > Are you sure it is not embedded base64 encoded png or minified javascript* ?
> > 
> > If not, we could try to find out why it chokes?
> > 
> > In this particular case, it is the source package that chokes. If halibut 
> > includes the name of the source in the html, we could magically remove the
> > source-is-missing warnings.
> > 
> > Another alternative: if we could determine the file was compiled by halibut, 
> > we could demote to a pedantic warning 
> > and ask to repack in order to be sure to recompile from source.
> 
> There are far too many different HTML generators out there to handle.

We have done this for doxygen and sphinx, so maybe not for more
> You would need to define a standard way to indicate the path to the source in
> the generated file.
> But some generator authors might consider this an unacceptable data leak, so
> this would only be done if some environment variable is defined.
For doxygen or sphinx we only detect some string in the html file and whitelist it.

"Generated by something" will work.

Moreover, adding a missing-source override could be done by manually adding 
a symlink debian/missing-sources/fullname pointing to the right 
location.

We also magically search for known sources by using some heuristics in 
SourceMissing.pm

So the basic framework is here, we only need to add more rules

Bastien


> 
> In the short term, I suggest to disable it since there is no policy 
> requirement
> for the source code to be in a particular path, so it is not an error.
> 
> At the very least, it should not be generated more than once per package.
> 
> Cheers,
> 
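The detection ladder sketched above (find a generator marker, whitelist known tools, check that their input actually ships in the source package, keep the error only for real opaque blobs, demote the rest) as an added Python example; it is hypothetical code, not lintian's SourceMissing.pm, and the generator-to-input mapping, the regexes, the 512-byte threshold and the sample HTML are all constructed assumptions. From a supply-chain standpoint the point of the check is that a shipped artifact stays rebuildable from its real source.

```python
import re

# Generators whose input is normally shipped beside the output, mapped to the
# file name suffixes that reveal that input in the source package. This mapping
# and everything below is an assumption for the example, not lintian's own logic.
KNOWN_GENERATORS = {
    "doxygen": ("Doxyfile", ".dox"),
    "sphinx": ("conf.py",),
    "halibut": (".but",),
}

# Markers that generated HTML typically carries (the "Generated by ..." string
# mentioned in the thread, or a <meta name="generator"> tag).
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
GENERATED_BY_RE = re.compile(r'generated\s+by\s+([A-Za-z][\w.+-]*)', re.I)
# Opaque payloads that legitimately trip a source-is-missing check.
DATA_IMAGE_RE = re.compile(
    r'src=["\']data:image/[\w.+-]+;base64,([A-Za-z0-9+/=]+)', re.I)
SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)


def detect_generator(html):
    """Return the lower-cased generator name from a <meta name="generator">
    tag or a 'Generated by ...' string, or None when neither is present."""
    match = META_GENERATOR_RE.search(html) or GENERATED_BY_RE.search(html)
    if match is None:
        return None
    name = match.group(1).strip().lower()
    for known in KNOWN_GENERATORS:
        if known in name:
            return known
    return name.split()[0]


def embedded_blobs(html, min_len=512):
    """List the opaque payloads found: large base64 images and script bodies
    with very long lines (the usual shape of minified JavaScript)."""
    reasons = []
    if any(len(blob) >= min_len for blob in DATA_IMAGE_RE.findall(html)):
        reasons.append("embedded base64 image")
    for body in SCRIPT_RE.findall(html):
        if any(len(line) >= min_len for line in body.splitlines()):
            reasons.append("minified javascript")
            break
    return reasons


def has_known_source(generator, source_files):
    """True when one of the generator's expected input files is present."""
    markers = KNOWN_GENERATORS.get(generator, ())
    return any(path.endswith(m) for path in source_files for m in markers)


def classify(html, source_files=()):
    """Return (severity, reason) following the ladder discussed in the thread:
    keep the error for real opaque blobs, accept output of a known generator
    whose input ships in the package, and demote the rest to pedantic."""
    blobs = embedded_blobs(html)
    if blobs:
        return "error", "source-is-missing: " + ", ".join(blobs)
    generator = detect_generator(html)
    if generator is None:
        return "ok", "no generator marker; treated as hand-written HTML"
    if generator in KNOWN_GENERATORS:
        if has_known_source(generator, source_files):
            return "ok", f"generated by {generator}, input found in source package"
        return "pedantic", f"generated by {generator}, but its input was not found"
    return "pedantic", f"generated by unknown tool {generator!r}"


# Constructed sample inputs: a halibut-style chapter and a page carrying a
# large inline image.
HALIBUT_HTML = """<html><head>
<meta name="generator" content="Halibut version 1.3">
<title>Chapter 2</title></head><body><p>Readable text.</p></body></html>"""
BLOB_HTML = ('<html><body><img src="data:image/png;base64,'
             + "A" * 600 + '"></body></html>')

if __name__ == "__main__":
    print(classify(HALIBUT_HTML, ["doc/putty.but"]))  # ("ok", ...)
    print(classify(HALIBUT_HTML))                      # ("pedantic", ...)
    print(classify(BLOB_HTML))                         # ("error", ...)
```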





Bug#1019980: lintian: source-is-missing check for HTML is much too sensitive

2024-02-08 Thread Bastien Roucariès
On Thursday, 8 February 2024, 18:31:28 UTC Santiago Ruano Rincón wrote:
> On Sat, 14 Oct 2023 20:23:18 +0200 Bill Allombert  wrote:
> > On Sun, Sep 18, 2022 at 12:14:07AM +0100, Colin Watson wrote:
> > > Package: lintian
> > > Version: 2.115.3
> > > Severity: normal
> > > 
> > > Lintian issues these errors for putty 0.77-1:
> > > 
> > >   E: putty source: source-is-missing [doc/html/AppendixA.html]
> > >   E: putty source: source-is-missing [doc/html/AppendixB.html]
> > >   E: putty source: source-is-missing [doc/html/AppendixE.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter10.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter2.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter3.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter4.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter5.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter7.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter8.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter9.html]
> > >   E: putty source: source-is-missing [doc/html/IndexPage.html]
> > > 
> > > This is pretty oversensitive.  Firstly, it's HTML, which is still often
> > > enough written by hand anyway.  As it happens, these particular HTML
> > > files are generated from halibut input that's also provided in the
> > > source package, though I can't see how Lintian could possibly expect to
> > > know that.

Are you sure it is not embedded base64 encoded png or minified javascript* ?

If not, we could try to find out why it chokes?

In this particular case, it is the source package that chokes. If halibut 
includes the name of the source in the html, we could magically remove the
source-is-missing warnings.

Another alternative: if we could determine the file was compiled by halibut, we 
could demote to a pedantic warning 
and ask to repack in order to be sure to recompile from source.

Thanks
> > 
> > Dear Lintian maintainers,
> > 
> > This test is causing hundreds of false positive and should be disabled as
> > soon as possible. This is a huge waste of time for everybody.
> > 
> > If you need help with that, please tell me, I have worked on lintian in the 
> > past.
> 
> Dear Lintian maintainers,
> 
> I cannot offer the same help as ballombe, but I also find it would help
> to disable these errors. At least, could they be "demoted" to warnings?


> Thanks in advance,
> 
> Santiago
> 





Bug#1012289: RFH: lintian -- Debian package checker

2024-02-05 Thread Bastien Roucariès
On Monday, 5 February 2024, 12:42:04 UTC Bill Allombert wrote:
> On Mon, Feb 05, 2024 at 12:28:02PM +0100, Axel Beckert wrote:
> > Hi Bill,
> > 
> > Bill Allombert wrote:
> > > By the way, what happened to lintian.debian.org ?
> > 
> > Seems as if someone (not me, just noticed it today when
> > "private/refresh-data" failed…) pulled the plug on at least the DNS
> > name. Probably because it hasn't been updated since Felix' try to
> > rewrite it, which AFAIK was never finished, but the old thing also no
> > more worked. (There's probably a lot of legacy code in
> > "lib/Lintian/Output" related to one of these two website generations,
> > maybe even both.)
> 
> I used to generate my own copy of it because the official one was
> out of date. 

Help here is welcome. I really like the l.d.o site, particularly the graph
> 
> > IMHO it's generally a good thing, except that it would have been
> > better to redirect it to the according UDD pages instead.
> 
> Yes, because there are ton of places still linking to lintian.debian.org
> (e.g. wikipedia). We should ask DSA to redirect to salsa or UDD.
> 
> Cheers,
> 





Bug#1012289: RFH: lintian -- Debian package checker

2024-02-04 Thread Bastien Roucariès
On Sunday, 4 February 2024, 14:02:58 UTC Bill Allombert wrote:
> On Tue, Aug 16, 2022 at 11:56:20AM +0000, Bastien Roucariès wrote:
> > Source: lintian
> > Version: 2.115.2
> > Followup-For: Bug #1012289
> > 
> > Dear Maintainer,
> > 
> > I will restep to be a lintian maint. Could you please prepare a list of 
> > urgent
> > actions ?
> 
> Are you still available as lintian maintainer ? It sure would need an upload.
I can

I am doing some pull request update

Bastien

> 
> Cheers,
> 





Bug#1060103: transition: imagemagick7

2024-02-02 Thread Bastien Roucariès
On Friday, 2 February 2024, 16:53:10 UTC Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> Hi Bastien
> 
> On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > Package: release.debian.org
> > Severity: important
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-CC: ftpmas...@debian.org
> > 
> > Imagemagick will need a new major bump
> > 
> > I achieved to get imagemagick 7 building for experimental (it is only on salsa 
> > not
> > uploaded yet).
> > 
> > Every package includes a version in the package name (except legacy package 
> > names
> > and perl*) so I plan to do some step by step migration, because it is mainly
> > coinstallable with imagemagick 6.
> 
> Why does this migration require co-installability with the old version?
> This makes the transition overly complicated. Do you expect major
> changes required in reverse dependencies of imagemagick's shared
> library?

The problem is not the library but the command line interface that may need 
change.

Library will break (I think here about the php module that will need an update), 
but it is treatable.

convert6 is not fully compatible with convert7

convert6 will be co-installable with convert7 in order to test, and convert 
will be provided by the alternatives system.

We avoid a flag day, but we need co-installable libraries.

Bastien

> 
> PS: Before the time_t transition is done, we will not process other
> transitions.

Not a problem, but I would like to upload work to experimental in order to test 
on other arches than i386/amd64/arm that I could test

Bastien

> 
> Cheers
> 





Bug#1060103: Reminder of imagemagick7 transition plan

2024-02-02 Thread Bastien Roucariès
Hi,

A gentle reminder about the imagemagick7 transition plan.

Many thanks to santiago for partially reviewing it, but I need a green light from 
the release team.

Bastien



Bug#1062428: tinyxml: Switch to maintained fork

2024-02-01 Thread Bastien Roucariès
Source: tinyxml
Version: 2.6.2-6;1
Severity: important
Tags: security
Justification: security support
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

It seems that a fork of tinyxml is well maintained here
https://github.com/leethomason/tinyxml2

Could it be possible to evaluate switching to the fork ?

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1061272: sudo: Does not build from preferred source

2024-01-21 Thread Bastien Roucariès
Source: sudo
Severity: serious
Tags: ftbfs
Justification: yacc/lex are preferred source

Dear Maintainer,

You do not pass the --with-devel=yes configure flag, thus you do not rebuild
from source autogenerated files like gram.c and gram.h from gram.y

Usually Debian builds grammar files from source, particularly for sensitive
security components like sudo

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458

2024-01-14 Thread Bastien Roucariès
On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso wrote:
> Hi Guilhem, hi Moritz,
> 
> On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > There are some minor changes staged in the salsa git repo. It would be 
> > > good
> > > to include them as well. Feel free to push the patch to git and upload.
> > > Alternatively a merge request works as well of course.
> > 
> > Thanks for the fast response!  Tagged and uploaded.
> > 
> > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > for a separate project that embeds libxml), I can propose debdiffs for
> > bullseye and bookworm.
> 
> I think the former is correct but still a bit biased. We initially had
> exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> now committed
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> which does match my understanding for this doubled CVE assignment. The
> document is actually not very very clear. It still mentions
> CVE-2023-40462 but does not consistently say "TinyXML as used in".
> Still hope we can agree the above matches our all understanding.
> Moritz given you updated back then the entry from NFU and tinyxml, if
> you still strongly disagree I will revert the above, but I tried to
> explain my reasoning in the commit message.
> 
> Now for CVE-2023-40458 I'm not sure. Looking back at the references
> for CVE-2021-42260 and the issue report at
> https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> description for CVE-2023-40458, but will want to see if Moritz has an
> additional input here.
> 
> If this is the case we either have the option to mark it really as
> duplicate (and request a reject from MITRE) or it is again just a
> ALEOS issue "... tinyxml as used in". Again the table here is not very
> clear in the report, for the CVE-2023-34194 and CVE-2023-40462 there
> were explicitly listed the two CVEs with brackets including the
> product in the table, but this is not the case for CVE-2023-40458.
> 
> Moritz?

Any news on this triaging ?

Bastien
> 
> Regards,
> Salvatore
> 
> 




Bug#1060103: transition: imagemagick7

2024-01-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-CC: ftpmas...@debian.org

Imagemagick will need a new major bump

I achieved to get imagemagick 7 building for experimental (it is only on salsa not
uploaded yet).

Every package includes a version in the package name (except legacy package names
and perl*) so I plan to do some step by step migration, because it is mainly
coinstallable with imagemagick 6.
- upload to experimental a version with perl and without legacy name
- migrate perl and versioned packages
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate packages that depend on libmagickwand-dev libmagick++-dev
libmagickcore-dev (everything that builds against imagemagick) to imagemagick7
- add to experimental imagemagick package
- migrate imagemagick package to unstable

What do you think of this plan ? From a security point of view it is better to
go to imagemagick7 (so important severity)

I expect breakage only on the last step. See
https://imagemagick.org/script/porting.php

ftpmaster: it needs more work because it will need three manual steps.

Bastien

* perlmagick, libmagickcore-dev, libmagickwand-dev libmagick++-dev,
imagemagick, libimage-magick-perl libimage-magick-q16-perl libimage-
magick-q16hdri-perl




Bug#989998: Fixed upstream: need help ?

2024-01-05 Thread Bastien Roucariès
Hi,

I have just fixed this CVE for buster and I want to know if you need help to 
release a fix for unstable ?

The LTS fix is here https://salsa.debian.org/lts-team/packages/keystone/

Thanks

Bastien



Bug#1037219: Uploaded imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2

2023-12-29 Thread Bastien Roucariès
Hi,

I have just uploaded

Bastien



Bug#1055300: Reopen + fix

2023-12-17 Thread Bastien Roucariès
control: reopen -1
control: found -1  5.4.0-1
control: forwarded -1 
https://github.com/ansible-collections/amazon.aws/pull/1704
control: tag -1 + fixed-upstream

Hi,

This bug lies in ansible...

Reopening this bug and using the patch as the forwarded field.

rouca



Bug#975405: libwabt.js => success but need policy and help

2023-11-13 Thread Bastien Roucariès
On Monday, 13 November 2023, 11:18:42 UTC Markus Koschany wrote:
> Hey,
> 
> On Monday, 13.11.2023 at 09:19 + Bastien Roucariès wrote:
> 
> [...]
> > Apo can I add myself to your package ? Do you care to comaintain with
> > javascript team ?
> 
> I assume you are referring to wabt and this bug report [1] ?
> 
> Do you have a solution for the circular dependency that building libwabt.js
> would create?
> 
> In general I would be totally fine if you or the Javascript team would
> completely take over wabt and binaryen because both of them and emscripten are
> closely related. See also #1052003; emscripten FTBFS with binaryen from
> experimental.
> 
> Personally I only need wabt and binaryen to build WebAssembly code from source
> for the ublock-origin Firefox/Chromium addon but I'm not really interested in
> becoming more involved in the Javascript ecosystem. So feel free to take over
> both packages and remove me as the maintainer.

I think the solution here is build profiles, like we do for other packages involving 
this kind of stuff.

Ok, will take it and add the javascript team
> 
> Regards,
> 
> Markus
> 
> [1] https://bugs.debian.org/975405
>  
> 





Bug#1008017: audiofile: CVE-2022-24599/CVE-2019-13147 Fix

2023-11-12 Thread Bastien Roucariès
On Saturday, 11 November 2023, 18:22:41 UTC Bastien Roucariès wrote:
> control: tags -1 + patch
> 
> Hi,
> 
> Could you apply the merge request 
> https://salsa.debian.org/multimedia-team/audiofile/-/merge_requests/5 and 
> make a release ?
> 
> It fixes the two CVEs
> 
> Bastien
Sent fix to DELAYED/7

Thanks

Bastien




Bug#1008017: audiofile: CVE-2022-24599/CVE-2019-13147 Fix

2023-11-11 Thread Bastien Roucariès
control: tags -1 + patch

Hi,

Could you apply the merge request 
https://salsa.debian.org/multimedia-team/audiofile/-/merge_requests/5 and make 
a release ?

It fixes the two CVEs

Bastien



Bug#1041112: Merge request

2023-11-11 Thread Bastien Roucariès
control: tags -1 + pending

I have a merge request waiting here

Plan a NMU/7

https://salsa.debian.org/multimedia-team/sox/-/merge_requests?scope=all=opened

rouca



Bug#1055370: Important for a few package: add security support

2023-11-08 Thread Bastien Roucariès
Hi,

I have one package that currently fails due to this.

A CVE was fixed by coordinating a fix between rmagick and imagemagick and I 
test that the CVE is closed using an autopkgtest

I also believe it is important from a security point of view to add fixes for 
security issues

Bastien



Bug#1055585: ITP: node-envinfo -- Generate reports of the common details used by Node.js packages

2023-11-08 Thread Bastien Roucariès
Package: wnpp
Severity: important
Owner: Bastien Roucariès 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-envinfo
  Version : 7.11.0+~cs13.4.1
  Upstream Contact: https://github.com/tabrindle/envinfo#readme
https://github.com/sindresorhus/os-name/tags
https://github.com/sindresorhus/macos-release/tags
https://github.com/sindresorhus/windows-release/tags
https://registry.npmjs.org/yamlify-object
* URL : https://github.com/tabrindle/envinfo#readme
https://github.com/sindresorhus/os-name/tags
https://github.com/sindresorhus/macos-release/tags
https://github.com/sindresorhus/windows-release/tags
https://registry.npmjs.org/yamlify-object
* License : Expat
  Programming Lang: Typescript/javascript
  Description : Generate reports of the common details used by Node.js
packages

Generate reports of the common details used by Node.js packages
 This package generates reports of common software installed on your computer,
 including browser version, Node.js version, Operating System and programming
 language support.
 .
 This is used by webpack, a javascript module bundler, for generating build
 time reports.
 .
 Node.js is an event-based server-side JavaScript engine.

This package is needed to rebuild from source webpack, which is an essential
package of the javascript team


Bug#1055346: dh-nodejs: should provide dh_nodejs_autodocs

2023-11-04 Thread Bastien Roucariès
Package: dh-nodejs
Version: 0.15.15
Severity: important

Dear Maintainer,

dh-nodejs should provide dh-nodejs-autodocs


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dh-nodejs depends on:
ii  debhelper 13.11.7
ii  libdebian-copyright-perl  0.2-6
ii  libdebian-source-perl 0.122
ii  libdpkg-perl  1.22.1
ii  libgraph-perl 1:0.9727-1
ii  libipc-run-perl   20231003.0-1
ii  libjson-perl  4.1-1
ii  libyaml-perl  1.30-2
ii  nodejs18.13.0+dfsg1-1
ii  perl  5.36.0-9

dh-nodejs recommends no packages.

Versions of packages dh-nodejs suggests:
ii  node-rollup-plugin-commonjs  25.0.4+ds1-1
ii  node-rollup-plugin-node-resolve  15.1.0+ds-1
ii  pkg-js-tools 0.15.15
ii  rollup   3.28.0-2

-- no debconf information



Bug#1055328: node-minimatch: could not build using webpack

2023-11-04 Thread Bastien Roucariès
Package: node-minimatch
Version: 9.0.3-4
Severity: serious
Justification: FTBFS other package

Dear Maintainer,

I could not build node-envinfo due to the trick done for the default export only
for require. Webpack does a mix of the two and does not find the default import...

Therefore it is required to export default for both

Bastien





Bug#1055172: python3 should recommend netbase

2023-11-01 Thread Bastien Roucariès
Package: python3
Version: 3.11.4-5+b1
Severity: important
Tags: newcomer

Dear Maintainer,

In order to avoid some strange errors in autopkgtests of python related packages,
could it be possible to recommend netbase ? It is needed for accessing
/etc/services and well-known ports/hosts

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3 depends on:
ii  libpython3-stdlib  3.11.4-5+b1
ii  python3-minimal3.11.4-5+b1
ii  python3.11 3.11.6-3

python3 recommends no packages.

Versions of packages python3 suggests:
ii  python3-doc   3.11.4-5
ii  python3-tk3.11.5-1
ii  python3-venv  3.11.4-5+b1

-- no debconf information



Bug#1055103: webpack: split env

2023-10-31 Thread Bastien Roucariès
Package: webpack
Version: 5.76.1+dfsg1+~cs17.16.16-1
Severity: important

Dear Maintainer,

I think the way to go is to split env from webpack

env needs webpack to build but needs only a few packages


Yadd, what do you think ?

Bastien



Bug#1055053: RM: {imagemagick-doc, imagemagick-common} [all] -- ROM; removed from source package

2023-10-30 Thread Bastien Roucariès
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick


Please remove these two transitional packages

Thanks

Bastien



Bug#1054444: golang-github-facebook-ent: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control: retitle -1 golang-github-facebook-ent: include non-free font Calibre

On Tuesday, 24 October 2023, 06:13:41 UTC Cyril Brulebois wrote:
> Hi Bastien,
> 
> Bastien Roucariès  (2023-10-23):
> > Source:  golang-github-facebook-ent
> > Version: 0.5.4-3 
> > Severity: serious
> > Tags: ftbfs
> > Justification: FTBFS
> > Control: block -1 by 1054426
> > 
> > Dear Maintainer,
> > 
> > The documentation is built with docusaurus.
> > 
> > See website directory
> > https://sources.debian.org/src/golang-github-facebook-ent/0.5.4-3/doc/website/
> > 
> > You should repack or package docusaurus and rebuild
> 
> Please describe the actual problem you're seeing.

I have just checked the docusaurus build package, but here the .js code is readable, 
except the woff files that are built from Calibre without source and non-free

https://klim.co.nz/licences/#enterprise
> 
> Cheers,
> 





Bug#1054433: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control:  retitle -1   fasttext: website is build with Docusaurus not packaged 
for debian
On Tuesday, 24 October 2023, 06:41:55 UTC Andrius Merkys wrote:
> Hi,
> 
> On 2023-10-23 22:06, Bastien Roucariès wrote:
> > Source: fasttext
> 
> Source package names in Subject and Source do not match. Please retitle 
> if this is not intentional.
> 
> Best,
> Andrius
> 





Bug#1054432: [Pkg-javascript-devel] Bug#1054432: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control: retitle -1 node-katex: website is build with Docusaurus not packaged 
for debian
On Tuesday, 24 October 2023, 06:40:59 UTC Andrius Merkys wrote:
> Hi,
> 
> On 2023-10-23 22:04, Bastien Roucariès wrote:
> > Source:  node-katex
> 
> Source package names in Subject and Source do not match. Please retitle 
> if this is not intentional.
> 
> Best,
> Andrius
> 





Bug#1054444: golang-github-facebook-ent: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-github-facebook-ent
Version: 0.5.4-3 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/golang-github-facebook-ent/0.5.4-3/doc/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054443: node-graphql: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-graphql
Version: 16.8.1-1 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2

You should repack or package docusaurus and rebuild

Bastien





Bug#1054440: reassign

2023-10-23 Thread Bastien Roucariès
control: reassign -1 ts-node




Bug#1054441: node-ts-jest: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-ts-jest
Version: 29.1.1+~cs0.2.6-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054440: ts-node: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  ts-node
Version: 10.9.1+~cs8.8.29-1 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/ts-node/10.9.1%252B~cs8.8.29-1/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054439: node-rjsf: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien





Bug#1054438: golang-entgo-ent: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-entgo-ent
Version: 0.11.3-4
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/g/golang-entgo-ent/0.11.3-4/doc/website

You should repack or package docusaurus and rebuild

Bastien





Bug#1054437: golang-ariga-atlas: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-ariga-atlas
Version: 0.7.2-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/golang-ariga-atlas/0.7.2-2/doc/website/

You should repack or package docusaurus and rebuild

Bastien




Bug#1054435: node-react-redux: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-react-redux
Version: 8.1.2+dfsg1+~cs1.2.3-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054434: node-redux: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054433: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  fasttext
Version: 0.9.2+ds-5
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054432: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See:
https://sources.debian.org/src/node-katex/0.16.4+~cs6.1.0-1/website/

You should repack or package docusaurus and rebuild

Bastien




Bug#1054431: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source: node-puppeteer
Version: 13.4.1+dfsg-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See:
https://sources.debian.org/src/node-puppeteer/13.4.1+dfsg-2/website/

You should repack or package docusaurus and rebuild

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1054426: RFP: docusaurus -- Docusaurus is a project for building, deploying, and maintaining open source project websites easily

2023-10-23 Thread Bastien Roucariès
Package: wnpp
Severity: wishlist

* Package name: docusaurus
  Version : 1
  Upstream Contact: Facebook, Inc. and its affiliates. (Facebook, Inc. and its
affiliates.)
* URL : https://github.com/facebook/docusaurus
* License : expat
  Programming Lang: javascript
  Description : Docusaurus is a project for building, deploying, and
maintaining open source project websites easily

Docusaurus is a project for building, deploying, and maintaining open source
project websites easily.

Docusaurus is built in a way so that it can get running in as little time
as possible. We've built Docusaurus to handle the website build process so you
can focus on your project.

Docusaurus ships with localization support via CrowdIn. Empower and grow
your international community by translating your documentation.


While Docusaurus ships with the key pages and sections you need to get
started, including a home page, a docs section, a blog, and additional support
pages, it is also customizable as well to ensure you have a site that is
uniquely yours.

This is needed for:
node-puppeteer
ts-node
thunderbird
netdata
golang-github-facebook-ent
golang-entgo-ent
node-ts-jest
firefox-esr
mkdocs-material
firefox
fasttext
node-react-redux
gitlab
node-redux
node-rjsf
node-jest
node-webassemblyjs
golang-ariga-atlas
node-graphql
node-katex
gitaly



Bug#1054405: RM: libjs-punycode [all] -- NVIU; Provided now by nodejs-punycode

2023-10-23 Thread Bastien Roucariès
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: ruby-rails-assets-punyc...@packages.debian.org
Control: affects -1 + src:ruby-rails-assets-punycode
Control: block 1051089 by -1

Please remove libjs-punycode. It is now provided by nodejs-punycode

Thanks

bastien



Bug#994540: Go ahead with imagemagick/experimental ?

2023-10-22 Thread Bastien Roucariès
On Sunday 22 October 2023, 15:03:50 UTC Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> 
> On 2023-10-22 14:51:42 +, Bastien Roucariès wrote:
> > On Sunday 22 October 2023, 14:08:20 UTC Sebastian Ramacher wrote:
> > > Hi Bastien
> > > 
> > > On 2023-10-21 20:10:47 +, Bastien Roucariès wrote:
> > > > Can I go ahead with imagemagick experimental ?
> > > 
> > > As a year has passed since the last mail to the transition bug report: did
> > > any new build failures in reverse dependencies appear? What's the
> > > status?
> > 
> > Reverse builds are ok (just tested in pbuilder), so for me it is a green
> > light
> 
> Please go ahead.
Done
> 
> Cheers
> 





Bug#994540: Go ahead with imagemagick/experimental ?

2023-10-22 Thread Bastien Roucariès
On Sunday 22 October 2023, 14:08:20 UTC Sebastian Ramacher wrote:
> Hi Bastien
> 
> On 2023-10-21 20:10:47 +, Bastien Roucariès wrote:
> > Can I go ahead with imagemagick experimental ?
> 
> As a year has passed since the last mail to the transition bug report: did
> any new build failures in reverse dependencies appear? What's the
> status?

Reverse builds are ok (just tested in pbuilder), so for me it is a green light
> 
> Cheers
> 





Bug#994540: Go ahead with imagemagick/experimental ?

2023-10-21 Thread Bastien Roucariès
Hi,

Can I go ahead with imagemagick experimental ?

Thanks

Bastien



Bug#1051089: Fwd: More information

2023-10-21 Thread Bastien Roucariès
control: tags -1 + moreinfo

Hi,

>ruby-rails-assets-punycode depends on libjs-punycode but nothing
>builds that package. It used to be provided by the same source
>package.

I do not understand what breaks

libjs-punycode is provided by node-punycode

See
https://tracker.debian.org/media/packages/n/node-punycode/control-2.2.3-2

piuparts is ok so it is normally ok

Could you retest?

Bastien
-



Bug#1053243: prometheus-alertmanager: Please package the gui

2023-09-29 Thread Bastien Roucariès
Source: prometheus-alertmanager
Severity: important

Dear Maintainer,

Could you package the GUI?

Elm is now in Debian

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.4.0-4-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#941627: Take grub-btrfs

2023-09-27 Thread Bastien Roucariès
control: owner -1 !
Control: retitle -1 ITP: grub-btrfs -- provides grub entries for btrfs 
snapshots (boot environments/restore points)
Hi,

I need this package for day work (for teaching).

The Kaisen Linux one is suitable for me to be imported and sponsored. Kaisen, do you
want some sponsoring and to co-maintain this package on the Debian side?

I only need that dracut is supported and tested.

Kaisen could you support dracut ?

Bastien







Bug#991984: closed by Russ Allbery (Re: Bug#991984: Please document minimal environment variable needed for sensible-utils)

2023-09-10 Thread Bastien Roucariès
On Sunday 10 September 2023, 04:33:06 UTC Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the debian-policy package:
> 
> #991984: Please document minimal environment variable needed for 
> sensible-utils
> 
> It has been closed by Russ Allbery .
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Russ Allbery 
>  by
> replying to this email.
> 
Seems sensible; note that Linux manpages now mandate some behavior for EDITOR,
PAGER and VISUAL

Bastien





Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-10 Thread Bastien Roucariès
On Sunday 10 September 2023, 05:44:02 UTC Rene Engelhard wrote:
> severity 1051474 important
> 
> thanks
> 
> Hi,
> 
> On 08.09.23 at 19:19 Bastien Roucariès wrote:
> > Source: libreoffice
> > Severity: serious
> > Tags: security
> > Justification: Document embedded code copy + copyright
> > X-Debbugs-Cc: Debian Security Team 
> 
> Since when is that serious? It isn't. There have been no complaints from 
> anyone in the security team in any of the last security updates?

I have reason to complain security wise
> 
> (None of which affected any of the internal copies used,)
> 
> The policy says "should". And it is followed.
> 
> Most stuff isn't used as internal code copies, only the unavoidable 
> ones are. And TTBOMK the security team DOES know it.

Yes I know
> 
>  > Could you document that you embed a few tarballs under the security 
> tracker?
> 
> You mean I should send MRs to it?

Yes I think so
> 
> > Moreover you do not document where you downloaded these files; a comment under
> > copyright will be helpful (README.source says how to retrieve it, not the link to
> > get it).
> 
> The fetch it manually and put it there.  (Which normally would be done 
> from upstream's build system for ALL tarballs, even those not used..)
> 
> (It basically always is https://dev-www.libreoffice.org/src/ (which 
> mirrors stuff they got from the website):

:S

I would really prefer that we download from upstream
> 
> Makefile:$(call 
> fetch_Download_item_unchecked,https://download.documentfoundation.org/libreoffice/src/$(shell
>  
> echo $(gb_LO_VER) | sed -e 
> "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/"),libreoffice-$(i)-$(gb_LO_VER).tar.xz))
> 
> 
> Regards,
> 
> 
> Rene
> 
> 





Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-08 Thread Bastien Roucariès
Source: libreoffice
Severity: serious
Tags: security
Justification: Document embedded code copy + copyright
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

Could you document that you embed a few tarballs under the security tracker?
For oldstable/stable/unstable.

Version should be documented.

Moreover you do not document where you downloaded these files; a comment under
copyright will be helpful (README.source says how to retrieve it, not the link to
get it).

Thanks

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.4.0-3-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1042757: ublock-origin: embedded javascript lib

2023-08-19 Thread Bastien Roucariès
On Friday 18 August 2023, 23:16:04 UTC Markus Koschany wrote:
> On Monday, 31.07.2023 at 11:56 + Bastien Roucariès wrote:
> > Source: ublock-origin
> > Severity: serious
> > Justification: not preferred form of modification
> > 
> > Dear Maintainer,
> > 
> > src/lib includes a few libraries that are already packaged for Debian.
> > 
> > Per se it is not a serious bug, but we should try if possible, after testing,
> > to use the packaged version.
> > 
> > The serious bug is due to the fact that, for instance, punycode was not in the
> > preferred form of modification due to being webpacked (transpiled) in order to
> > be an ES module.
> > 
> > There may be other transpiled packages in this subdirectory.
> 
> Hello Bastien,
> 
> thanks for the report. I have reviewed the src/lib directory and replaced the
> embedded Javascript libraries of csstree and js-beautify with Debian's system
> libraries. I also added the source file of hsluv to debian/missing-sources and
> documented the licenses of these three Javascript libraries in
> debian/copyright.
> 
> I decided against replacing punycode because punycode.js in ublock-origin 
> looks
> like the preferred form for me.

No, unfortunately this is transpiled, aka compiled by webpack;
see the first line:
export default (function() {

This is made by webpack or rollup, which are automated tools. This means that
this code is transpiled and I do not know the extent of the transpiling.

It may be only the ES6 upstream code:
https://sources.debian.org/src/node-punycode/2.2.3-2/scripts/prepublish.js/
or something worse that replaces the constants by something else.

If you see the original code here:
https://sources.debian.org/src/node-punycode/2.2.3-2/punycode.js/

you do not see the export default (function() { line.

JavaScript is strange: you could edit a generated file, and min.js is not the only
problem.

Thanks

Bastien

> The file is not minified and can be edited
> without problems. I believe you were referring to hsluv instead. I believe
> this issue is fixed in version 1.51.0+dfsg-2 soon.
> 
> Regards,
> 
> Markus
> 
> 



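The question raised in this thread (is the vendored punycode.js only wrapped as an ES module, or did the bundler also change the body?) can be answered mechanically instead of by eye. The following is an added example, not code from uBlock Origin, node-punycode or the bug report: it strips the `export default (function() {` wrapper quoted above and reports every line the vendored copy adds to or drops from the packaged upstream source. The closing `})();` form and the three sample sources are this example's own constructed assumptions.

```javascript
// Added example (not from the bug thread, uBlock Origin or node-punycode):
// compare a vendored JavaScript file with the packaged upstream source to see
// whether the "transpiling" is only an ES-module wrapper or also changed the
// body. The opening wrapper line `export default (function() {` is the one
// quoted in the thread; the closing form `})();` and the sample sources below
// are constructed assumptions for this example.

const WRAPPER_OPEN = /^export default \(function\s*\(\)\s*\{$/;
const WRAPPER_CLOSE = /^\}\)\(\);?$/;

// Trim indentation and drop blank lines: bundlers re-indent the body, and
// that alone should not count as a change.
function normalizeLines(text) {
  return text.split('\n').map((l) => l.trim()).filter((l) => l.length > 0);
}

// Strip a leading/trailing wrapper pair if present; returns the body lines.
function stripWrapper(lines) {
  const last = lines.length - 1;
  if (last >= 1 && WRAPPER_OPEN.test(lines[0]) && WRAPPER_CLOSE.test(lines[last])) {
    return { wrapperDetected: true, body: lines.slice(1, last) };
  }
  return { wrapperDetected: false, body: lines };
}

// Report what the vendored copy adds to or removes from the upstream source.
// Lines are compared as a set of trimmed strings, so order and duplicates
// are deliberately ignored.
function compareVendored(vendoredText, upstreamText) {
  const { wrapperDetected, body } = stripWrapper(normalizeLines(vendoredText));
  const upstream = normalizeLines(upstreamText);
  const upstreamSet = new Set(upstream);
  const bodySet = new Set(body);
  const addedLines = body.filter((l) => !upstreamSet.has(l));
  const removedLines = upstream.filter((l) => !bodySet.has(l));
  return {
    wrapperDetected,
    addedLines,
    removedLines,
    // true only when the ES-module wrapper is the sole difference
    wrapperOnly: wrapperDetected && addedLines.length === 0 && removedLines.length === 0,
  };
}

// Constructed sample "upstream" source (not real punycode code).
const UPSTREAM_SRC = `
const maxInt = 2147483647;
const base = 36;
function isBasic(codePoint) {
  return codePoint < 0x80;
}
`;

// Constructed vendored copy: same body, only wrapped as an ES module.
const VENDORED_WRAPPED_ONLY = `
export default (function() {
  const maxInt = 2147483647;
  const base = 36;
  function isBasic(codePoint) {
    return codePoint < 0x80;
  }
})();
`;

// Constructed vendored copy where the bundler step also altered the body.
const VENDORED_CHANGED = `
export default (function() {
  const maxInt = 2147483647;
  const base = 37;
  const tMin = 1;
  function isBasic(codePoint) {
    return codePoint < 0x80;
  }
})();
`;

console.log(compareVendored(VENDORED_WRAPPED_ONLY, UPSTREAM_SRC));
console.log(compareVendored(VENDORED_CHANGED, UPSTREAM_SRC));
```

A result with `wrapperOnly` true means the wrapper is the only difference, which is what an acceptable repack from the packaged source would look like; any `addedLines` or `removedLines` point at code the bundler rewrote and that the packaged source cannot reproduce, i.e. exactly the "something worse" case the reply worries about.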


Bug#1041112: Patch

2023-08-13 Thread Bastien Roucariès
control: tags -1 + patch

Hi,

Find the patch here

From: Bastien Roucariès 
Date: Sun, 13 Aug 2023 14:14:09 +
Subject: CVE-2023-32627 Filter null sampling rate in VOC coder

Avoid a divide by zero and out-of-bounds read by rejecting null sampling rate in VOC file

bug: https://sourceforge.net/p/sox/bugs/369/
bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
bug-debian: https://bugs.debian.org/1041112
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
---
 src/voc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/voc.c b/src/voc.c
index f44933d..cad32fa 100644
--- a/src/voc.c
+++ b/src/voc.c
@@ -351,6 +351,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
 v->block_remaining = 0;
 return done;
   }
+  if(uc == 0) {
+lsx_fail_errno(ft, EINVAL, "invalid rate value");
+v->block_remaining = 0;
+return done;
+  }
   *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
   lsx_adpcm_init(>adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
   ++buf;
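Review bot: the new `if(uc == 0)` guard returns with `v->block_remaining = 0` before `uc` is converted, but the hunk does not show where `uc` is read or which VOC field it carries, and the surrounding lines treat it as a sample byte (`*buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,)` feeding `lsx_adpcm_init`) while the commit message calls it a sampling rate. Add a one-line comment above the check naming the field and the division that a zero value would make fail, so a reader can verify the fix from the hunk alone, and confirm voc.c already includes <errno.h> for `EINVAL`, since the hunk adds no include.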




Bug#1041113: Fixed by CVE-2022-31650.patch fix

2023-08-13 Thread Bastien Roucariès
Hi,

This problem is fixed by CVE-2022-31650.patch 

Channel could not overflow





Bug#1042970: zoneminder: Embedded cakephp

2023-08-03 Thread Bastien Roucariès
Source: zoneminder
Severity: serious
Justification: embedded code copy

Dear Maintainer,

Your package includes a copy of CakePHP. Could you use the packaged one?

Thanks





Bug#976697: webext-umatrix: no longer developed upstream, remove or switch to LibreMatrix or?

2023-07-31 Thread Bastien Roucariès
Source: umatrix
Followup-For: Bug #976697
Forwarded: https://gitlab.com/vannilla/ematrix/

Dear Maintainer,

I have asked the last fork for guidance about firefox/chromium support. If not,
RM is the way to go

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.3.0-1-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1042757: ublock-origin: embedded javascript lib

2023-07-31 Thread Bastien Roucariès
Source: ublock-origin
Severity: serious
Justification: not preferred form of modification

Dear Maintainer,

src/lib includes a few libraries that are already packaged for Debian.

Per se it is not a serious bug, but we should try if possible, after testing, to
use the packaged version.

The serious bug is due to the fact that, for instance, punycode was not in the
preferred form of modification due to being webpacked (transpiled) in order to
be an ES module.

There may be other transpiled packages in this subdirectory.

Bastien





Bug#1042738: ruby-rails-assets-punycode: Do not ship libjs-punycode

2023-07-31 Thread Bastien Roucariès
Source: ruby-rails-assets-punycode
Severity: serious
Justification: source is missing

Dear Maintainer,

You package node-punycode without source...

I plan to fix this

Bastien





Bug#1042715: php-horde-editor: Please drop ckeditor3

2023-07-30 Thread Bastien Roucariès
Source: php-horde-editor
Severity: serious
Tags: security
Justification: security reason EOL
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

ckeditor4 has been EOL upstream since June.

You use ckeditor3. With my JavaScript hat on, as maintainer of ckeditor, I think we
could migrate your software to ckeditor4.

I believe the first change is the following patch:
diff --git a/Horde_Editor-2.0.5/lib/Horde/Editor/Ckeditor.php
b/Horde_Editor-2.0.5/lib/Horde/Editor/Ckeditor.php
index 3a58ccd..33e8564 100644
--- a/Horde_Editor-2.0.5/lib/Horde/Editor/Ckeditor.php
+++ b/Horde_Editor-2.0.5/lib/Horde/Editor/Ckeditor.php
@@ -40,9 +40,7 @@ class Horde_Editor_Ckeditor extends Horde_Editor
 return;
 }

-$ck_file = empty($params['basic'])
-? 'ckeditor/ckeditor.js'
-: 'ckeditor/ckeditor_basic.js';
+$ck_file = 'ckeditor/ckeditor.js';

 if (isset($params['config'])) {
 if (is_array($params['config'])) {
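Review bot: dropping the `$params['basic']` branch means a caller that still passes `basic` silently gets the full `ckeditor/ckeditor.js` instead of `ckeditor_basic.js`; if that is the intended outcome of the ckeditor4 switch, document that `basic` is now ignored (in the class docblock or the changelog), since the hunk removes the behaviour without touching any documentation.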
@@ -84,6 +82,7 @@ class Horde_Editor_Ckeditor extends Horde_Editor
 case 'msie':
 case 'mozilla':
 case 'opera':
+case 'edge':
 // MSIE: 5.5+
 // Firefox: 1.5+
 // Opera: 9.5+
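Review bot: `case 'edge':` is added to the supported-browser switch without a matching comment line, while the existing cases each document a minimum version (`// MSIE: 5.5+`, `// Firefox: 1.5+`, `// Opera: 9.5+`); add the Edge minimum next to them, and check that the browser detection feeding this switch actually yields the string `'edge'`, which the hunk cannot show.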


After that, the config here will need to be changed, if needed, in order to remove
plugins:
https://sources.debian.org/src/php-horde-imp/6.2.27-3/imp-6.2.27/lib/Script/Package/Editor.php/?hl=33#L33

I could help if needed but I need a means to test the modification

Bastien





Bug#1042536: firefox-esr: Please allow a smooth upgrade from webext-https-everywhere by providing/breaking/replace

2023-07-29 Thread Bastien Roucariès
Package: firefox-esr
Version: 115.0.2esr-1
Severity: important
control: clone -1 src:firefox
control: clone -1 src:chromium

Dear Maintainer,

Could you allow a smooth upgrade from webext-https-everywhere by providing
webext-https-everywhere with correct (versioned) Breaks/Replaces?

firefox/chromium include this functionality so technically it is a replace.





Bug#1042533: netdata: Please use packaged pako

2023-07-29 Thread Bastien Roucariès
Source: netdata
Severity: serious

Dear Maintainer,

pako is packaged for Debian as node-pako and is now minified under
/usr/share/javascript/pako

Moreover the first line of your missing source shows a webpack line, so your
sources are not in the preferred form and thus this is a serious bug.

You should also review the other js files and, if needed, ask the Debian
JavaScript team for help with packaging.

Thanks

Bastien





Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-07-29 Thread Bastien Roucariès
Source: mediawiki
Version: 1:1.39.4-2
Severity: serious
Justification: missing source

Dear Maintainer,

resources/lib/
(https://sources.debian.org/src/mediawiki/1:1.39.4-2/resources/lib/)

includes a few libraries already packaged for Debian.

Moreover some sources are missing (I have only checked pako).

You could use the libraries packaged in Debian.

Bastien





Bug#1042531: novnc: Embedded copy of node-pako

2023-07-29 Thread Bastien Roucariès
Source: novnc
Severity: serious
Justification: embed code copy

Dear Maintainer,

Your package includes an embedded code copy of node-pako (under vendor).

Could you please use the packaged node-pako?

Thanks

bastien



Bug#1042529: sogo: Multiple embedded and minified javascript libraries

2023-07-29 Thread Bastien Roucariès
Source: sogo
Severity: serious
Tags: ftbfs security
Justification: FTBFS + security
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

https://sources.debian.org/src/sogo/5.8.4-1/UI/WebServerResources/js/vendor/
includes a few precompiled libraries that seem outdated (bad from a security
point of view due to recent CVEs for ckeditor).

Could you de-embed them and use the packaged libraries?

Thanks

Bastien





Bug#1042528: ldap-account-manager: Multiple embedded and minified javascript libraries

2023-07-29 Thread Bastien Roucariès
Source: ldap-account-manager
Severity: serious
Tags: ftbfs security
Justification: FTBFS + security

Dear Maintainer,

ldap-account-manager includes a few vendored and outdated (without security
support) JavaScript libraries.

Could you remove these and use the packaged libraries?

Thanks



Bug#1042527: request-tracker5: Includes minified ckeditor

2023-07-29 Thread Bastien Roucariès
Source: request-tracker5
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: tags -1 + security

Dear Maintainer,

https://sources.debian.org/src/request-tracker5/5.0.3+dfsg-3/share/static/RichText/

includes an outdated (with CVEs) and moreover minified ckeditor.

Could you use the packaged ckeditor?

Note also that I am going to package ckeditor5 (ckeditor 4 is EOL)

Bastien




Bug#1042470: node-lodash: please add lodash-es

2023-07-28 Thread Bastien Roucariès
Package: node-lodash
Version: 4.17.21+dfsg+~cs8.31.198.20210220-9
Severity: important

Dear Maintainer,

Could you add the lodash-es mini package to lodash?

It is only running
lodash modularize exports=es -o ./
and installing to the right place.

it is needed for ckeditor5

Thanks




Bug#1041471: Reassign

2023-07-27 Thread Bastien Roucariès
control: reopen -1
control: notfound -1 19
control: reassign -1 qemu-user
control: found -1 1:8.0.2+dfsg-3
control: found -1 
control: forwarded -1 https://gitlab.com/qemu-project/qemu/-/issues/1776
control: affects -1 src:isa-support
control: severity -1 important

Hi,

This is a qemu bug; marking as a qemu bug.

Bastien



