Bug#874663: Document +dfsg as extension when repacking upstream sources
Hi,

On 08/09/2017 at 07:44, Simon McVittie wrote:
> On Fri, 08 Sep 2017 at 16:10:44 +0200, Guido Günther wrote:
>> when upstream tarballs need to be repacked because they contain non-dfsg
>> free data appending '+dfsg' to the upstream version seems common
>> practice.
[…]
> It's a coincidence that you should mention this today. I've just run
> into a situation where routinely appending +dfsg causes brokenness:
[…]
> This made me think that we should maybe only be doing this when
> a *pre-existing* upstream version needs to be repacked.
> […] when upstream releases
> foo/1.2.4, even if the non-freeness has not been fixed, the
> maintainer would repack it as 1.2.4 rather than 1.2.4+dfsg.

That would be a bit misleading: since we are not using the upstream version, using the same version is a lie.

Another data point: I used to package something that upstream was also distributing on their own, and I used a tilde before “dfsg” to avoid confusion. That way, the upstream version (picked from upstream servers) that people were using was always higher than the version in Debian (and because the upstream version didn’t follow policy or even the FHS, switching from one version to another would cause huge brokenness…).

Regards

David
Bug#873198: php-doctrine-cache-bundle FTBFS: test failures
Control: reassign -1 php-doctrine-cache
Control: found -1 1.7.0-1
Control: affects -1 php-doctrine-cache-bundle
Control: retitle -1 php-doctrine-cache should not (silently) depend on php 7.1

Thank you Adrian for filing this issue.

On Fri, Aug 25, 2017 at 04:13:47PM +0300, Adrian Bunk wrote:
> Source: php-doctrine-cache-bundle
[…]
> Some recent change in unstable makes php-doctrine-cache-bundle FTBFS:
[…]
> There were 2 errors:
>
> 1) Doctrine\Bundle\DoctrineCacheBundle\Tests\Functional\PhpFileCacheTest::testCacheDriver
> ParseError: syntax error, unexpected '?'

Right. The latest php-doctrine-cache version in unstable depends on php 7.1, and the default version in unstable is still php 7.0 (and there is no proper way to depend on the more recent php7.1 package available in unstable). I’ll fix this issue by uploading back the 1.6.1 version of php-doctrine-cache to unstable.

Regards

David
Bug#872165: [pkg-php-pear] Bug#872165: composer 1.4.3-2 fails its autopkgtests
Hi Steve,

Thanks for the feedback.

On 14/08/2017 at 08:19, Steve Langasek wrote:
> Source: composer
> Version: 1.4.3-2
> Severity: important
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu artful autopkgtest
[…]
> The autopkgtests for composer 1.4.3-2 have been failing since upload,
> despite the fact that they previously passed in version 1.2.2-1
[…]
> I have not analyzed the failures to understand if they point to bugs in the
> test or bugs in the code,

I did already and committed a fix in the Git repository: one of the tests needing remote access (for PEAR) also fails in the CI infrastructure (but not at home), so it also needs to be ignored (as in the proper build). A new upstream release is also available, so we may fix this issue with the next version (while checking whether the test is more reliable).

Regards

David
Bug#864791: Acknowledgement (firefox-esr: OAtab order cannot be changed with TabMixPlus)
Hi,

Thank you for your report(s).

On Thu, Jun 15, 2017 at 12:27:24AM +0200, Christoph Anton Mitterer wrote:
> Control: reassign -1 xul-ext-tabmixplus
> Seems the bug is rather in TMP or the combination of newer FF, TMP and
> other addons.

Can you please confirm whether this issue is fixed with the latest version (0.5.0.3-1)? I was not bitten by it myself with the set of addons currently installed on my development box…

Regards

David
Bug#866182: xul-ext-tabmixplus: new upstream version
Hi,

On Wed, Jun 28, 2017 at 03:39:15AM +0200, Christoph Anton Mitterer wrote:
> Package: xul-ext-tabmixplus
> Version: 0.5.0.1-1
> Severity: wishlist
> There's a newer upstream version. Perhaps even the devel version
> could be packaged (e.g. in experimental) as this may fix several issues
> that make TabMix+ unusable with the current FF/FF-esr versions in sid.

I guess this bug is also (or will also be) relevant for Stretch, since FF gets updated there too. Can you please describe how unusable it is? This may rather be a serious bug if the package is totally useless.

Regards

David
Bug#861266: cmocka: Please package new upstream version
Hi Sandro,

On 02/07/2017 at 03:00, Sandro Knauß wrote:
> the new version is now available in git repository:

Great!

> @taffit: what is your policy to upload new version of cmocka?

I don’t have much of one. There are a few libcmocka-dev build-rdepends, so you may want to build-test some of them with the new version.

Regards

David
Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb9u1
Hi Cyril,

On 30/06/2017 at 14:36, Cyril Brulebois wrote:
> Control: retitle -1 stretch-pu: package phpunit/5.4.6-2~deb9u1
> Control: tag -1 moreinfo
> David Prévot <taf...@debian.org> (2017-06-28):
>> Please, allow this patched version of phpunit, built and tested in a
>> Stretch environment, fixing an arbitrary PHP code execution via HTTP
>> POST [CVE-2017-9841], aka #866200.
> Stretch is Debian 9. :)

Ooops, things are moving so quickly…

> Please post an updated source debdiff with the proper version number for
> a last look before an ACK for the upload.

Attached (with package rebuilt, and tested again), thanks!

Regards

David

diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog --- phpunit-5.4.6/debian/changelog 2016-06-18 12:34:11.0 -1000 +++ phpunit-5.4.6/debian/changelog 2017-06-28 17:03:35.0 -1000 @@ -1,3 +1,18 @@ +phpunit (5.4.6-2~deb9u1) stretch; urgency=high + + * Team upload + * Upload previous fix to Stretch + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 17:03:35 -1000 + +phpunit (5.4.6-2) unstable; urgency=high + + * Team upload + * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841] +(Closes: #866200) + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 16:43:26 -1000 + phpunit (5.4.6-1) unstable; urgency=medium * Team upload diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch --- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 1969-12-31 14:00:00.0 -1000 +++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 2017-06-28 16:41:16.0 -1000 
@@ -0,0 +1,34 @@ +From: Bob Weinand <bobw...@hotmail.com> +Date: Sun, 13 Nov 2016 18:52:50 +0100 +Subject: Correct fix for #1956 + +Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 +Bug: https://github.com/sebastianbergmann/phpunit/pull/2356 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200 +--- + src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +- + src/Util/PHP/eval-stdin.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +index 47ef6e4..c7172b9 100644 +--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test() + $output = $test->getActualOutput(); + } + +-rewind(STDOUT); ++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */ + if ($stdout = stream_get_contents(STDOUT)) { + $output = $stdout . $output; + } +diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +index fe1b8bd..3b3a6d0 100644 +--- a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +@@ -1,3 +1,3 @@ + ' . file_get_contents('php://input')); ++eval('?>' . file_get_contents('php://stdin')); diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series --- phpunit-5.4.6/debian/patches/series 2016-06-18 12:15:55.0 -1000 +++ phpunit-5.4.6/debian/patches/series 2017-06-28 16:41:16.0 -1000 @@ -1 +1,2 @@ 0001-Remove-Composer-autoload.patch +0002-Correct-fix-for-1956.patch signature.asc Description: OpenPGP digital signature
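Review bot: the `src/Util/PHP/eval-stdin.php` hunk is incomplete as rendered: its header announces `@@ -1,3 +1,3 @@`, but only the context fragment `' . file_get_contents('php://input'));` and the added `++eval('?>' . file_get_contents('php://stdin'));` survive, with no `<?php` opening line and no `-` line for the removed `php://input` read. Since replacing the `php://input` (request body) read with `php://stdin` is the whole of the CVE-2017-9841 fix, please confirm that the patch file in the upload carries the full three-line hunk and applies cleanly before the ACK.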
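Review bot: the `src/Util/PHP/Template/TestCaseMethod.tpl.dist` hunk (`-rewind(STDOUT);` / `+@rewind(STDOUT);`) is unrelated to the HTTP POST code execution the stable update is meant to fix, and the `@` operator silences every error from that call, not only the non-rewindable-stream case the inline comment names. It comes from the same upstream commit linked in the DEP-3 `Origin:` header, which is fine, but a stable update should stay minimal: either drop this hunk or add a line to the patch header explaining why it is carried along with the security fix.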
Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb8u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi stable managers,

Please, allow this patched version of phpunit, built and tested in a Stretch environment, fixing an arbitrary PHP code execution via HTTP POST [CVE-2017-9841], aka #866200.

As discussed with the security team, PHPUnit should not be available on a production server, even less publicly accessible (so we’d prefer to pass on a proper DSA), yet we’d prefer not to leave such a big flaw available, so please accept it in the next stable update.

Regards

David

diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog --- phpunit-5.4.6/debian/changelog 2016-06-18 12:34:11.0 -1000 +++ phpunit-5.4.6/debian/changelog 2017-06-28 17:03:35.0 -1000 @@ -1,3 +1,18 @@ +phpunit (5.4.6-2~deb8u1) stretch; urgency=high + + * Team upload + * Upload previous fix to Stretch + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 17:03:35 -1000 + +phpunit (5.4.6-2) unstable; urgency=high + + * Team upload + * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841] +(Closes: #866200) + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 16:43:26 -1000 + phpunit (5.4.6-1) unstable; urgency=medium * Team upload diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch --- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 1969-12-31 14:00:00.0 -1000 +++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 2017-06-28 16:41:16.0 -1000 
@@ -0,0 +1,34 @@ +From: Bob Weinand <bobw...@hotmail.com> +Date: Sun, 13 Nov 2016 18:52:50 +0100 +Subject: Correct fix for #1956 + +Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 +Bug: https://github.com/sebastianbergmann/phpunit/pull/2356 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200 +--- + src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +- + src/Util/PHP/eval-stdin.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +index 47ef6e4..c7172b9 100644 +--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test() + $output = $test->getActualOutput(); + } + +-rewind(STDOUT); ++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */ + if ($stdout = stream_get_contents(STDOUT)) { + $output = $stdout . $output; + } +diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +index fe1b8bd..3b3a6d0 100644 +--- a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +@@ -1,3 +1,3 @@ + ' . file_get_contents('php://input')); ++eval('?>' . file_get_contents('php://stdin')); diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series --- phpunit-5.4.6/debian/patches/series 2016-06-18 12:15:55.0 -1000 +++ phpunit-5.4.6/debian/patches/series 2017-06-28 16:41:16.0 -1000 @@ -1 +1,2 @@ 0001-Remove-Composer-autoload.patch +0002-Correct-fix-for-1956.patch signature.asc Description: PGP signature
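Review bot: the changelog hunk names the stable upload `phpunit (5.4.6-2~deb8u1) stretch; urgency=high`, but a `~deb8u1` suffix denotes a Debian 8 (jessie) update while the distribution field says `stretch`, which is Debian 9; the version should read `5.4.6-2~deb9u1` so that it still sorts below the `5.4.6-2` upload from unstable without being mistaken for a jessie update. The rest of the hunk (the CVE-2017-9841 reference and `(Closes: #866200)`) is fine as is.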
Bug#863493: [pkg-php-pear] Bug#863493: FTBFS with PHP 7.0.18+
Hi James,

On 27/05/2017 at 09:08, James Clarke wrote:
> Source: symfony
> Version: 2.8.7+dfsg-1.2
> I noticed that symfony now FTBFS after the upload of php7.0 7.0.18-1,

Thanks!

> I am happy to NMU again with just the changes needed

Please, go ahead; I don’t have much time currently, and haven’t heard from Daniel for quite some time either. Your help is much appreciated.

Regards
Bug#861294: jessie-pu: package spip/3.0.17-2+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’ve been asked by the security team to fix the (pile of) security issues currently affecting the spip package in Jessie. Please find attached the full debdiff; here is the proposed changelog:

spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot <taf...@debian.org>  Wed, 26 Apr 2017 18:02:00 -1000

I’ve just deployed the package on a production server, and will follow up if any issue arises before Saturday, in the hope I’m not too late for the 8.8 update.

Thanks in advance for considering it, and also sorry for all those French comments…

Regards

David

diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog --- spip-3.0.17/debian/changelog 2016-03-11 10:32:29.0 -1000 +++ spip-3.0.17/debian/changelog 2017-04-26 18:02:00.0 -1000 
@@ -1,8 +1,35 @@ +spip (3.0.17-2+deb8u3) jessie; urgency=medium + + * Document CVE in previous changelog entry + * Update security screen to 1.3.0 + * Backport security fixes from 3.0.23 +- Multiple XSS issues + * Backport security fixes from 3.0.24 +- Server side request forgery (SSRF) attacks via the var_url parameter + [CVE-2016-7999] +- Directory traversal vulnerability in ecrire/exec/valider_xml.php + [CVE-2016-7982] +- Execution of arbitrary PHP code by authenticated users [CVE-2016-7998] +- Cross-site request forgery (CSRF) vulnerability in + ecrire/exec/valider_xml.php [CVE-2016-7980] +- Cross-site scripting (XSS) vulnerability in valider_xml.php + [CVE-2016-7981] + * Backport security fixes from 3.2-alpha-1 +- Reflected Cross Site Scripting Vulnerabilities in + /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php + [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641) +- Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php + [CVE-2016-9152] (Closes: #847156) + * Backport security fix from 3.0.25 +- Execution of arbitrary PHP code + + -- David Prévot <taf...@debian.org> Wed, 26 Apr 2017 18:02:00 -1000 + spip (3.0.17-2+deb8u2) jessie-security; urgency=high * Backport security fixes from 3.0.22 -- PHP code injection -- Objects injection via unserialize +- PHP code injection [CVE-2016-3153] +- Objects injection via unserialize [CVE-2016-3154] * Update security screen to 1.2.4 -- David Prévot <taf...@debian.org> Thu, 10 Mar 2016 19:18:09 -0400 diff -Nru spip-3.0.17/debian/patches/0009-Update-security-screen.patch spip-3.0.17/debian/patches/0009-Update-security-screen.patch --- spip-3.0.17/debian/patches/0009-Update-security-screen.patch 2016-03-11 10:32:29.0 -1000 +++ spip-3.0.17/debian/patches/0009-Update-security-screen.patch 2017-04-26 17:46:18.0 -1000 @@ -1,13 +1,13 @@ 
From: =?utf-8?q?David_Pr=C3=A9vot?= <da...@tilapin.org> -Date: Thu, 10 Mar 2016 19:17:47 -0400 +Date: Tue, 25 Apr 2017 15:07:50 -1000 Subject: Update security screen --- - config/ecran_securite.php | 164 +++--- - 1 file changed, 98 insertions(+), 66 deletions(-) + config/ecran_securite.php | 187 +- + 1 file changed, 120 insertions(+), 67 deletions(-) diff --git a/config/ecran_securite.php b/config/ecran_securite.php -index 36b0044..0bd8e65 100644 +index 36b0044..ba47691 100644 --- a/config/ecran_securite.php +++ b/config/ecran_securite.php @@ -5,7 +5,7 @@ @@ -15,7 +15,7 @@ */ -define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13 -+define('_ECRAN_SECURITE', '1.2.4'); // 2016-03-10 ++define('_ECRAN_SECURITE', '1.3.0'); // 2017-03-06 /* * Documentation : http://www.spip.net/fr_article4200.html @@ -46,7 +46,7 @@ // UA plus cibles - . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|
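Review bot: in the changelog hunk, the last entry `+ * Backport security fix from 3.0.25` / `+- Execution of arbitrary PHP code` is the only backported fix without a CVE identifier, while every other item (and the two retroactively documented `[CVE-2016-3153]` / `[CVE-2016-3154]` lines) carries one; if no CVE was assigned, say so in the entry, otherwise add the identifier so the security tracker can match this deb8u3 upload against it.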
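Review bot: the `0009-Update-security-screen.patch` hunk bumps `_ECRAN_SECURITE` from `1.2.4` to `1.3.0` and its diffstat grows to `120 insertions(+), 67 deletions(-)`, but the debdiff as posted breaks off in the middle of the bot user-agent list (`... Java VM|`), so the bulk of the screen update cannot be reviewed from this message; please make sure the complete debdiff is attached to the request, since the security screen is the part of this upload that changes request handling for every spip page.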
Bug#858086: RM: owncloud/7.0.4+dfsg-4~deb8u4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

As discussed with the security team, please remove owncloud from stable: we’re not able to maintain this version on our own anymore, especially since we had to give up our efforts to provide it for Stretch.

Please note that a fair amount of related packages won’t be useful anymore (owncloud-doc and owncloud-apps come to mind, but there are many PHP classes and a few other things that were only packaged for ownCloud). I can try to draft a complete list if you’re in the mood for a mass-rm.

Sorry for the inconvenience; that request comes sooner than what we expected when we were releasing Jessie.

Regards

David
Bug#857818: spip: broken symlinks: /usr/share/spip/plugins-dist/jquery_ui/prive/javascript/ui/*.js -> ../../../../../../javascript/jquery-ui/ui/jquery.ui.*.js
Hi Andreas,

Thanks a lot for your report.

On 15/03/2017 02:42, Andreas Beckmann wrote:
> Package: spip
[…]
> during a test with piuparts I noticed your package ships (or creates)
> a broken symlink.
>
> From the attached log (scroll to the bottom...):
>
> 1m5.5s ERROR: FAIL: Broken symlinks:
> /usr/share/spip/plugins-dist/jquery_ui/prive/javascript/ui/widget.js ->
> ../../../../../../javascript/jquery-ui/ui/jquery.ui.widget.js
[…]
> libjs-jquery-ui has /usr/share/javascript/jquery-ui/ui/widget.js
> but no jquery.ui.widget.js ...

Great, I missed that libjs-jquery-ui changed its layout again… Do you believe it’s worth fixing for Stretch (I hadn’t noticed any problem yet, but can only assume there are usability issues without jquery-ui properly available)? I will perform some more tests if we’re going down the road of a freeze exception.

Regards

David
Bug#857421: Many plugins are lost since Jessie
Package: kipi-plugins
Version: 4:5.3.0-1
Severity: important

Hi,

Thank you for taking care of these plugins!

More than half the plugins advertised in the package description (including BatchProcess) seem to have been lost after an upgrade from Jessie to Stretch. Indeed, only 15 of them seem available while over 30 are still present in the package description. Note that we’re using these plugins via gwenview, in case it matters.

Is there any way to have them back (even individually) in a Stretch system (is it a packaging or an upstream issue? I couldn’t find much information after a quick look in the changelogs)? At worst, you may wish to update the list in the package description, and maybe add a NEWS entry describing the situation.

Regards

David

-- System Information:
Debian Release: 9.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kipi-plugins depends on:
ii  digikam-private-libs  4:5.3.0-1
ii  kio                   5.28.0-1
ii  kipi-plugins-common   4:5.3.0-1
ii  libc6                 2.24-9
ii  libkf5archive5        5.28.0-1
ii  libkf5completion5     5.28.0-1
ii  libkf5configcore5     5.28.0-1
ii  libkf5configgui5      5.28.0-1
ii  libkf5configwidgets5  5.28.0-1
ii  libkf5coreaddons5     5.28.0-1
ii  libkf5i18n5           5.28.0-1
ii  libkf5kiocore5        5.28.0-1
ii  libkf5kiowidgets5     5.28.0-1
ii  libkf5kipi31.0.0      4:16.08.2-1
ii  libkf5windowsystem5   5.28.0-1
ii  libkf5xmlgui5         5.28.0-1
ii  libqt5core5a          5.7.1+dfsg-3+b1
ii  libqt5gui5            5.7.1+dfsg-3+b1
ii  libqt5network5        5.7.1+dfsg-3+b1
ii  libqt5printsupport5   5.7.1+dfsg-3+b1
ii  libqt5widgets5        5.7.1+dfsg-3+b1
ii  libqt5xml5            5.7.1+dfsg-3+b1
ii  libqt5xmlpatterns5    5.7.1~20161021-3
ii  libstdc++6            6.3.0-8

Versions of packages kipi-plugins recommends:
ii  enblend                          4.2-2
ii  enfuse                           4.2-2
ii  hugin                            2016.2.0+dfsg-1
ii  imagemagick                      8:6.9.7.4+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-2
ii  konqueror                        4:16.08.3-1
ii  minidlna                         1.1.6+dfsg-1

Versions of packages kipi-plugins suggests:
ii  gimp          2.8.20-1
ii  kmail         4:16.04.3-3
ii  vorbis-tools  1.4.0-10+b1

-- no debconf information
Bug#816664: [Pkg-owncloud-maintainers] Bug#816664: Useless in Debian
Control: retitle -1 Useless in Stretch

On 23/12/2016 13:41, Balint Reczey wrote:
> On Thu, 3 Mar 2016 15:18:51 -0400 David Prévot wrote:
>> Package: libjs-soundmanager2
>> Version: 2.97a.20150601+dfsg-1
>> Severity: serious
>>
>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>> from testing. ]
[…]
> Please keep the package in Debian for at least Stretch.
>
> Kodi upstream recently switched to a new web interface which uses
> soundmanager2 and to provide the same web interface in Debian I need to
> have it packaged.

That didn’t happen in time for Stretch.

Regards

David
Bug#854592: [pkg-php-pear] Bug#854592: dokuwiki: Unable to login, missing usr/share/php/Crypt/AES.php
Hi,

On 13/02/2017 06:21, Joost van den Berg wrote:
> unfortunately the patch does not solve the problem.
> I believe that the patch generates the wrong
> links to phpseclib/Crypt/AES.php instead of
> ../phpseclib/Crypt/AES.php .

Then it sounds like this bug was incorrectly reassigned to php-phpseclib: either dokuwiki should depend on version 1 of phpseclib via the php-seclib package and have the files where expected, or it is able to use version 2 via the php-phpseclib package installed where it belongs. In any case, please do keep both packages installable together; the proposed patch is not acceptable.

Either way, dokuwiki should be able to use the provided autoloader:
- /usr/share/php/phpseclib/autoload.php for php-phpseclib
- /usr/share/php/phpseclib.autoloader.php for php-seclib

Regards

David
Bug#851289: O: soundmanager2
Package: wnpp
Severity: normal

Following up from #816664.

Balint, I can’t see any new reverse-dependency on soundmanager2; do you actually expect one to be part of Stretch?

Regards

David
Bug#850646: [copyright-format] Allow https version of Format URI
Hi,

On 08/01/2017 at 09:42, Russ Allbery wrote:
> […] the Format
> URI for the current copyright-format document is actually a redirect.

Nitpicking: it’s actually not a real redirect. Fetching it directly (e.g., using wget) works via plain HTTP.

Regards.

David
Bug#814030: Security flaw fixed in version 6.2.0
Hi,

I just added the maintainer and uploader to the loop. Hopefully, they should know something about the package/code/issue.

On 04/01/2017 at 21:42, Salvatore Bonaccorso wrote:
> On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
>> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
>>> Package: php-tcpdf
>>> Version: 6.0.093+dfsg-1
>>> Severity: serious
>>> Tags: security upstream
>>>
>>> According to their changelog [1], upstream fixed a security issue over a
>>> year ago:
>>>
>>> 6.2.0 (2014-12-10)
>>> - Bug #1005 "Security Report, LFI posting internal files externally
>>> abusing default parameter" was fixed.
>>>
>>> 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>>>
>>> The upstream bug report [2] is not public, so I don’t have much
>>> information about the issue, the fix, nor its actual severity.
>>>
>>> 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>>
>> Can you contact upstream for information on this security bug? I have
>> no idea what that could possibly mean.
>
> Did you get any information on that from upstream? The bug is still
> closed, so does not really help.
>
> Regards,
> Salvatore
Bug#816664: libjs-soundmanager2 in Debian [Was: Bug#816664: Useless in Debian]
Hi Balint,

On 23/12/2016 at 13:41, Balint Reczey wrote:
> Please keep the package in Debian for at least Stretch.
>
> Kodi upstream recently switched to a new web interface which uses
> soundmanager2 and to provide the same web interface in Debian I need to
> have it packaged.

Please, consider stepping up for its maintenance (or at least orphan it on my behalf, since my reportbug setup is a mess while I’m traveling).

Regards

David
Bug#847156: [Spip-maintainers] Bug#847156: spip: CVE-2016-9152
Hi Salvatore,

Thanks for the report.

On 05/12/2016 at 20:11, Salvatore Bonaccorso wrote:
> the following vulnerability was published for spip.
>
> CVE-2016-9152[0]:
> cross-site scripting
[…]
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9152
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152

I was about to ask where you found the link between the CVE entry and the commit, but my search engine was quicker to answer ;).

FYI, a few other security-oriented commits are being staged for the next upstream release (coming soon), and the previous fixes that already made it into a “recent” DLA are still waiting for an upstream ack (they recently acknowledged on IRC that they have to reply to us).

Regards

David
Bug#817751: [pkg-php-pear] Bug#817754: google-auth-library-php in unstable prevents removal of src:php5
Hi,

On 27/11/2016 at 23:31, Ondřej Surý wrote:
> Different package and bug, but same email. Please sort it out.

CCing Benoit, who expressed interest in those libraries: if you are still interested in having php-google-auth and php-google-api-php-client in Debian, now would be a good time to step up before they get removed from the archive.

Regards

David
Bug#845708: O: libjs-chosen -- select box enhancer for jQuery and Prototype
Package: wnpp
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org, haskell-hoo...@packages.debian.org

I intend to orphan the libjs-chosen package.

The package description is:
 Chosen is a JavaScript plugin that makes long, unwieldy select boxes more
 user-friendly.

Context in #818561; not sure the package is usable anymore (#797166).
Bug#818561: Useless in Debian
Hi Axel, haskell-hoogle maintainers,

On 31/10/2016 at 13:25, Axel Beckert wrote:
> David Prévot wrote:
>> Package: libjs-chosen
>> Version: 0.9.11-2
>> Severity: serious
>> Tags: sid stretch
>>
>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>> from testing. ]
>>
>> I packaged libjs-chosen as used by owncloud, but owncloud is going away,
>> see #816376. There is a priori little point to ship libjs-chosen in the
>> next Debian stable release.
> JFTR: The recent hoogle update pulled this in. So it seems no more
> useless but now even has reverse dependencies again. :-)

Thank you Axel for the heads up. I guess someone (maybe from the hoogle team) will want to take over the maintenance. Feel free to remove me from Uploaders when you do.

Regards

David
Bug#842130: Useless in Stretch
Package: libjs-ie7
Version: 2.1~beta4-2
Severity: serious
Tags: sid stretch
X-Debbugs-CC: s...@packages.debian.org

[ Filed with RC-severity by the maintainer to see it removed from testing. ]

libjs-ie7 was packaged as a dependency for spip, but the dependency has recently been dropped (in version 3.1, now available in Sid and Stretch). There is little point in keeping libjs-ie7 in Stretch as nothing uses it anymore.

I intend to ask for removal of this package in a few months. Please do provide information to this bug report if you disagree with this removal.

Regards

David
Bug#840569: [Pkg-mozext-maintainers] Bug#840569: xul-ext-nosquint is dead, long live nosquint
Control: severity -1 serious

On 12/10/2016 at 10:35, shirish शिरीष wrote:
> Source: nosquint
> Version: 2.1.9-4
> Severity: important
>
> Dear Maintainer,
>
> Nosquint is dead, please remove it

Then let’s use a proper RC-severity so it gets removed from Stretch. If someone wants to follow up and package something equivalent instead, please step up before the freeze (i.e., soon).

Regards

David
Bug#840206: [Pkg-mozext-maintainers] Bug#840206: whonix-de...@whonix.org
Control: retitle -1 Please remove premium proxy advertising page
Control: severity wishlist

Thank you for your report.

On 09/10/2016 at 05:05, ban...@openmailbox.org wrote:
> Package: foxyproxy
> Version: 3.4-1.1

I assume this is still valid for 4.5.6-debian-2.

> Dear maintainer, please consider patching the package source to remove
> the premium proxy advertising page that opens on first start.

Regards

David
Bug#835086: RFP: nextcloud -- self-hosted cloud services
On 22/09/2016 at 01:08, Sam Hartman wrote:
>> "Xavier" == Xavier Bestel writes:
>
>     Xavier> On Tuesday 20 September 2016 at 19:38 +0200, Moritz Mühlenhoff
>     >> > * Package name: nextcloud
>     >> Nack. It's not an important package if we can't support it
>     >> properly. Let's not repeat the owncloud disaster.
>
>     Xavier> OK, I understand the "official" debian point of view.
>
> I don't think this is an official Debian POV, simply the opinion of some
> Debian contributors...

Moritz is an active and well known member of the security team. As the current (or previous…) almost only maintainer of owncloud in Debian, I do agree with this (strong) advice.

The current ownCloud upstream maintainers reached back to us a few months ago and are willing to help (or at least not be as obnoxious as the ones who drove the package away from Debian, and are now gone in the nextcloud fork team). If someone wants the owncloud package back, I suggest they join the current packaging team and eventually take over.

Regards

David
Bug#835902: Useless in Debian
Package: php-zend-db
Version: 2.8.1-1
Severity: serious
X-Debbugs-CC: gale...@packages.debian.org

[ Filed with RC-severity by the maintainer to see it removed from testing. This package is not part of Jessie. ]

php-zend-db was recently packaged as a dependency for galette, but galette has been removed from testing. There is little point in keeping php-zend-db in shape for Stretch if nothing uses it.

Feel free to remove this bug (and be welcome to take the package over) once galette (or any other package depending on php-zend-db) is ready for a Debian release.

Regards

David
Bug#835704: [Pkg-javascript-devel] Bug#835704: It's mostly fixed already!
Control: reassign -1 node-ast-types
Control: affects -1 node-ast-utils
Control: done -1 0.9.0-2

Hi,

On 28/08/2016 at 09:08, Julien Puydt wrote:
> today's upload of node-ast-types 0.9.0-2 fixes this problem in
> node-ast-utils (and all its rdepends).
>
> I don't know how to say to control@bugs.d.o that a problem in a package
> is fixed by an upload of another.

That should do.

Regards

David
Bug#834479: xul-ext-* (Was: Bug#834480: jessie-pu: package mozilla-noscript/2.9.0.11-1~deb8u1)
Hi,

Le 28/08/2016 à 04:09, Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
[…]
> Oh, how I've missed Firefox plugin updates. :-|

Same here :/

> Please go ahead.

Thanks, all uploaded.

Regards

David
Bug#831418: #831418 EOL: not to be released with Stretch
Control: severity -1 serious

Le 21/08/2016 à 02:26, Markus Frosch a écrit :
> On 25.07.2016 13:11, Markus Frosch wrote:
>> this is an interesting problem, while looking on the 3 dependent packages.
>> (see below)
>>
>> We have 3 choices to go on:
>>
>> 1. Still provide zendframework 1 in a separated path, so it won't conflict
>> with ZF2/3
>> 2. Embed needed code into the packages, and drop the full library

Both those proposals are not acceptable now that upstream dropped security support for it. Given the amount of security issues patched into zendframework regularly (we’ve made six stable updates since Jessie has been released, three or four via a DSA), keeping part of its code in the archive without anyone to audit the code is not an option IMO. Maybe the security team will have another opinion about it, but I believe they are relying on the maintainers for those PHP classes.

>> 3. Remove all 3 packages from stretch

4. Wait for (or help) upstream to move away from deprecated code.

> I'd prefer not to remove zendframework from Debian.
>
> Downgrading bug to important.

Please, don’t hide issues. There is still time right now to get the reverse dependencies in shape for Stretch, waiting for the freeze won’t help anyone.

Regards

David
Bug#834906: [Pkg-mozext-maintainers] Bug#834906: xul-ext-adblock-plus: please support conkeror
Control: tag -1 upstream

Hi David,

Thank you for your report.

Le 20/08/2016 à 04:15, David Bremner a écrit :
> Package: xul-ext-adblock-plus
> Version: 2.7.3+dfsg-1
> Severity: wishlist
[…]
> I know very little about mozilla extensions, but I _think_ it just
> needs an entry in
>
> /usr/share/mozilla/extensions/{a79fe89b-6662-4ff4-8e88-09950ad4dfde}

Whatever the fix is, I guess it is worth pushing it upstream. Can you open (or is there already) an issue upstream about it?

Regards

David
Bug#827277: [Pkg-mozext-maintainers] Bug#827277: xul-ext-firegestures: Gesture database empty with firefox-esr
Control: fixed -1 1.10.9-1

Hi Christopher,

Thank you for your report.

Le 14/06/2016 à 04:05, Christopher Wellons a écrit :
> Package: xul-ext-firegestures
> Version: 1.8.7-1

> When used with the new firefox-esr, the gesture database is empty and
> the built-in gestures are unavailable.

Looks like the latest stable version in Debian Stretch (and Sid) is not affected, so I’ll ask the release team for another stable update.

Regards

David
Bug#834484: jessie-pu: package firegestures/1.10.9-1~deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-mozext-maintain...@lists.alioth.debian.org

[ Yet another xul-ext-* RC-buggy package in stable. It wasn’t properly triaged, sorry for my initial oversight. ]

Hi,

The latest firefox major update in stable broke firegestures (#827277). The latest version of firegestures in Debian (1.10.9) is known to work with it, and has been in Sid and Stretch for a while.

Unfortunately, the debdiff against the version in Jessie is big (50 files changed, 1216 insertions(+), 303 deletions(-) while ignoring all spaces and blank lines)… I’m simply attaching the debdiff against Sid (adding a changelog entry). The package, rebuilt in a Jessie chroot, has been successfully tested in Jessie.

Regards

David

diff --git a/debian/changelog b/debian/changelog index 0c6f48b..cf52cbf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +firegestures (1.10.9-1~deb8u1) jessie; urgency=medium + + * Upload compatible version with recent Firefox in Jessie (Closes: #827277) + + -- David Prévot <taf...@debian.org> Mon, 15 Aug 2016 18:49:34 -1000 + firegestures (1.10.9-1) unstable; urgency=medium * Team upload
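Review bot: the new entry in the @@ -1,3 +1,9 @@ changelog hunk, "* Upload compatible version with recent Firefox in Jessie (Closes: #827277)", should read "* Upload version compatible with the recent Firefox in Jessie", and it should state that 1.10.9 is the unstable release rebuilt for jessie rather than a targeted fix; the changelog is the only place a stable user will see the scope of a 50-file change.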
Bug#834483: jessie-pu: package tabmixplus/0.5.0.0-1~deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

[ Note: This is the first out of four similar requests for xul-ext-* packages ]

Hi,

The latest firefox major update in stable broke tabmixplus again (#826995). The latest stable version of tabmixplus in Debian (0.5.0.0) is known to work with it, and has been in Sid and Stretch for a while.

Unfortunately, the debdiff against the version in Jessie is again quite insane (293 files changed, 9739 insertions(+), 6153 deletions(-) while ignoring all spaces and blank lines)… I’m simply attaching the debdiff against Sid (mostly adding a changelog entry). The package, rebuilt in a Jessie chroot, has been successfully tested in Jessie.

Regards

David

diff --git a/debian/changelog b/debian/changelog index c188c5d..93c8a2d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +tabmixplus (0.5.0.0-1~deb8u1) jessie; urgency=medium + + * Upload compatible version with recent Firefox in Jessie (Closes: #826995) + + -- David Prévot <taf...@debian.org> Mon, 15 Aug 2016 16:34:54 -1000 + tabmixplus (0.5.0.0-1) unstable; urgency=medium * Upload stable version to unstable @@ -96,6 +102,12 @@ tabmixplus (0.4.1.9~150703a1-1) experimental; urgency=medium -- David Prévot <taf...@debian.org> Sun, 05 Jul 2015 10:53:40 -0400 +tabmixplus (0.4.1.8-1~deb8u1) jessie; urgency=medium + + * Track the jessie branch + + -- David Prévot <taf...@debian.org> Fri, 14 Aug 2015 17:03:55 +0200 + tabmixplus (0.4.1.8-1) unstable; urgency=medium * Upload stable version to unstable diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie
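Review bot: in the @@ -1,3 +1,9 @@ changelog hunk, "* Upload compatible version with recent Firefox in Jessie (Closes: #826995)" should read "* Upload version compatible with the recent Firefox in Jessie" and should say that 0.5.0.0 is the unstable release rebuilt for jessie, since nothing else in the entry tells a stable user that this is a new upstream version rather than a small patch.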
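Review bot: the debian/gbp.conf hunk adds "[DEFAULT]" / "debian-branch = jessie", which is packaging-workflow metadata unrelated to the fix for #826995, yet the 0.5.0.0-1~deb8u1 changelog entry does not mention it; add a line such as "* Track the jessie branch", as the 0.4.1.8-1~deb8u1 entry in the second hunk already does, so the debdiff and the changelog agree on what changed.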
Bug#834482: jessie-pu: package adblock-plus/2.7.3+dfsg-1~deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-mozext-maintain...@lists.alioth.debian.org

Hi,

The latest firefox major update in stable broke adblock-plus (#829267). The latest version of adblock-plus in Debian (2.7.3) is known to work with it, and has been in Sid and Stretch for a while.

Unfortunately, the debdiff against the version in Jessie is pretty insane (611 files changed, 21429 insertions(+), 6423 deletions(-) while ignoring all spaces and blank lines, as well as most renamed and moved files)… I’m simply attaching the debdiff against Sid (adding a changelog entry). The package, rebuilt in a Jessie chroot, has been successfully tested in Jessie.

This is the last of the four currently RC-buggy packages in stable from the xul-ext-* team I’m aware of. Hopefully no other should pop up (Firefox has been in Jessie for a little while now). Thanks in advance for accepting them for the next point release.

Regards

David

diff --git a/debian/changelog b/debian/changelog index ebfb4a3..642abe0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +adblock-plus (2.7.3+dfsg-1~deb8u1) jessie; urgency=medium + + * Upload compatible version with recent Firefox in Jessie (Closes: #829267) + + -- David Prévot <taf...@debian.org> Mon, 15 Aug 2016 16:53:49 -1000 + adblock-plus (2.7.3+dfsg-1) unstable; urgency=medium [ Wladimir Palant ]
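Review bot: the 2.7.3+dfsg-1~deb8u1 entry in the @@ -1,3 +1,9 @@ hunk should mention that it ships the repacked 2.7.3+dfsg orig tarball already in unstable, rebuilt for jessie, and "* Upload compatible version with recent Firefox in Jessie" should read "* Upload version compatible with the recent Firefox in Jessie"; with 611 files changed against jessie, the changelog line is the only summary of scope a stable user gets.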
Bug#834480: jessie-pu: package mozilla-noscript/2.9.0.11-1~deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The latest firefox major update in stable broke noscript (#826896). The latest version of noscript in Debian (2.9.0.11) is known to work with it, and has been in Sid and Stretch for a while.

Unfortunately, the debdiff against the version in Jessie is quite insane (169 files changed, 3584 insertions(+), 1594 deletions(-) while ignoring all spaces and blank lines)… I’m simply attaching the debdiff against Sid (adding a changelog entry). The package, rebuilt in a Jessie chroot, has been successfully tested in Jessie.

Regards

David

diff --git a/debian/changelog b/debian/changelog index 62fec8b..40171aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +mozilla-noscript (2.9.0.11-1~deb8u1) jessie; urgency=medium + + * Upload compatible version with recent Firefox in Jessie (Closes: #826896) + + -- David Prévot <taf...@debian.org> Mon, 15 Aug 2016 16:45:33 -1000 + mozilla-noscript (2.9.0.11-1) unstable; urgency=medium * Drop Iceape and Iceweasel from description
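Review bot: the new entry in the @@ -1,3 +1,9 @@ hunk only says "* Upload compatible version with recent Firefox in Jessie (Closes: #826896)"; reword it to "* Upload version compatible with the recent Firefox in Jessie" and state that 2.9.0.11 is the unstable release rebuilt for jessie, since the context line "* Drop Iceape and Iceweasel from description" shows the unstable entry carries changes beyond Firefox compatibility that jessie users will now receive too.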
Bug#834479: jessie-pu: package greasemonkey/3.8-1~deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The latest firefox major update in stable broke greasemonkey (#828622). The latest stable version of greasemonkey in Debian (3.8) is known to work with it, and has been in Sid and Stretch for a while.

Unfortunately, the debdiff against the version in Jessie is quite insane (252 files changed, 6416 insertions(+), 3144 deletions(-) while ignoring all spaces and blank lines)… I’m simply attaching the debdiff against Sid (adding a changelog entry). The package, rebuilt in a Jessie chroot, has been successfully tested in Jessie.

Regards

David

diff --git a/debian/changelog b/debian/changelog index 5c62a31..42b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +greasemonkey (3.8-1~deb8u1) jessie; urgency=medium + + * Upload compatible version with recent Firefox in Jessie (Closes: #828622) + + -- David Prévot <taf...@debian.org> Sat, 16 Jul 2016 08:54:01 -0400 + greasemonkey (3.8-1) unstable; urgency=medium * Team upload, to unstable since it’s a stable release
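Review bot: the trailer of the new entry in the @@ -1,3 +1,9 @@ hunk is dated "Sat, 16 Jul 2016 08:54:01 -0400", a month older than the 15 Aug 2016 entries of the other three xul-ext-* requests in this series; if the package was rebuilt for this request, refresh the entry (dch -r) so the changelog date matches the upload, and while at it reword "* Upload compatible version with recent Firefox in Jessie" to "* Upload version compatible with the recent Firefox in Jessie", noting that 3.8 is the unstable release rebuilt for jessie.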
Bug#825749: xul-ext-foxyproxy-standard: foxyproxy cannot be installed if icedove 45 is present
Control: unmerge -1 with 827170
Control: reopen -1
Control: reassign -1 icedove 1:45.1.0-1

Hi Christoph and all,

On Sun, May 29, 2016 at 09:50:40AM -0400, Robbie Harwood wrote:
> Package: xul-ext-foxyproxy-standard
> Version: 4.5.6-debian-1
> Severity: important
>
> Dear Maintainer,
>
> It is currently not possible to have both xul-ext-foxyproxy-standard and
> icedove 45.1.0-1 (i.e., the icedove from sid) present on the same system:
>
> ```
> $ aptitude -s install -t unstable icedove
[…]
> The following packages have unmet dependencies:
>  icedove : Breaks: xul-ext-foxyproxy-standard (> 3.4-1) but 4.5.6-debian-1 is installed.
> The following actions will resolve these dependencies:
>
>      Remove the following packages:
> 1)     xul-ext-foxyproxy-standard

Since 4.5.6-debian-2, xul-ext-foxyproxy-standard is not available (thus does not show up) in Icedove/Thunderbird anymore (since #827170 has been fixed), so please, do change the

  Breaks: […] xul-ext-foxyproxy-standard (>> 3.4-1)

into

  Breaks: xul-ext-foxyproxy-standard (<< 4.5.6-debian-2~)

If a fix for #820026 is also needed for stable, we can provide a version 3.4-1.1+deb8u1 including a similar patch to 827170 (and of course, the Break will need to be changed against “<< 3.4-1.1+deb8u1~”).

Regards

David
Bug#831418: EOL: not to be released with Stretch
Source: zendframework
Severity: serious
Tags: security sid stretch

Hi,

Upstream recently stated [0] that “Zend Framework 1 reaches its End of Life (EOL) […] on 28 September 2016.”

0: https://framework.zend.com/blog/2016-06-28-zf1-eol.html

Therefore, we should not release it with Stretch (and we’ll do our best to support it during Jessie lifetime). Reverse dependencies already had an important bug report about zendframework removal for Stretch a while ago.

Regards

David
Bug#819900: [Pkg-mozext-maintainers] Bug#819900: Configuration page doesn't work on Firefox 45.0.1
Hi Evgeny,

Le 13/07/2016 à 13:50, Evgeny Kapun a écrit :
> Control: tags -1 - upstream
>
> Looks like the problem is caused by the file
> being not found.

Thanks a lot for the debugging and the explanations! I’ll try to fix it ASAP (but it may be a while before I have some time for that).

Regards

David
Bug#829764: [pkg-php-pear] Bug#829764: php-monolog: add stage1 and nocheck build profiles
Control: tag -1 pending

Le 05/07/2016 à 20:13, Nish Aravamudan a écrit :
> On 05.07.2016 [16:51:48 -0400], David Prévot wrote:
>> Le 05/07/2016 à 16:19, Nishanth Aravamudan a écrit :
>>> Package: php-monolog
>> […]
>>> * Add nocheck and stage1 build profiles.
>>
>> Thanks for your patch. Please, do commit it directly:

> Done, looking at master's history, I believe you'll take care of the
> corresponding changelog entry?

Thanks! Indeed, “gbp dch” will take care of the changelog.

Regards

David
Bug#829764: [pkg-php-pear] Bug#829764: php-monolog: add stage1 and nocheck build profiles
Hi Nishanth,

Le 05/07/2016 à 16:19, Nishanth Aravamudan a écrit :
> Package: php-monolog
[…]
> * Add nocheck and stage1 build profiles.

Thanks for your patch. Please, do commit it directly: I have no way to test it nor any setup to maintain it anyway, besides being able to revert it in case it breaks (broken) expectations in Debian infrastructure.

Regards

David
Bug#827695: [pkg-php-pear] Bug#827695: zendframework: Rename zend-framework in Ubuntu to allow for a package sync
Hi,

Le 19/06/2016 à 15:35, Nishanth Aravamudan a écrit :
> Package: zendframework
> Version: 1.12.18+dfsg-1
[…]
> I am hoping to get rid of the Ubuntu zend-framework package and simply
> sync the zendframework package from Debian.

I’m not clear about why Debian should carry Ubuntu-specific hacks for Ubuntu-specific transitions. Why not simply make those changes directly in the zend-framework Ubuntu-specific package?

zendframework is targeted for removal ASAP anyway. Any help in fixing the current reverse dependencies would be welcome; some bugs already filed are affecting zendframework, maybe more need to be filed.

https://bugs.debian.org/zendframework

Regards

David
Bug#827698: Depends on zendframework, but zendframework is going away
Package: php-letodms-lucene
Version: 1.1.1-2
Severity: important
Control: affects -1 zendframework

Hi,

php-letodms-lucene depends on zendframework (version 1), but this package is unlikely to make it into Stretch: we intend to ship version 3 of zendframework, that is maintained in separate packages (associated with separate upstream components). We’d thus like to get rid of the zendframework package as soon as possible now that Jessie got released.

I’ve not looked at how Zend is actually used, but feel free to point to new packages that will be needed in order to ensure a smooth upgrade. Do not hesitate to stay in touch with the Debian PHP PEAR Maintainers team if you need any help moving forward.

Regards

David
Bug#827483: [pkg-horde] Bug#827483: php-horde-mapi: fix autopkgtest errors
Hi,

Le 18/06/2016 à 16:32, Mathieu Parent a écrit :
> Some other things may break, but I'll still vote for this patch,
> as only 6 packages depend on it.
>
> David, what do you think?

I disagree, and stand by what I’ve written in the last changelog entry:

  Actually fixing the constructors requires to also fix all their calls, both internally and externally. This backward-incompatible change has been achieved in version 2 of phpseclib, packaged in Debian as php-phpseclib to ensure co-installability. (Closes: #819420)

From http://phpseclib.sourceforge.net/:

  The 2.0 branch has pretty much the exact same API as the 1.0 branch, save for that it is namespaced, uses PHP5-style constructors (thereby avoiding E_DEPRECATED errors) and requires the use of an autoloader.

A proper fix to the deprecated constructor syntax is maintained upstream, provided in Debian via php-phpseclib (version 2). If you want to use it, you should depend on php-phpseclib instead of php-seclib (helping various upstreams to move away from version 1 to version 2 will probably be a better use of our collective time than patching version 1 ourselves).

Regards

David
Bug#816389: transition: php7.0
Hi,

Le 15/06/2016 à 03:56, Ondřej Surý a écrit :
> - php-guzzle - seems fixed to me, but dak still wants to remove the
> package

Code is PHP5-specific, it’s superseded by php-guzzlehttp. None of them should be released in Stretch, so it’s perfectly fine to see it go away.

Regards

David
Bug#826896: [Pkg-mozext-maintainers] Bug#826896: xul-ext-noscript: incompatible with firefox-esr in jessie
Hi Vagrant,

Le 10/06/2016 à 01:30, Vagrant Cascadian a écrit :
> FWIW, I also did the same with xul-ext-tabmixplus, though I should
> probably report a separate bug about that...

Please do: the team is pretty low in human power currently, and bug reports will help track the issues. Having multiple actors on them will help explain the need of a fix to the release team.

Regards

David
Bug#826896: xul-ext-noscript: incompatible with firefox-esr in jessie
Hi Vagrant,

On Thu, Jun 09, 2016 at 03:39:00PM -0700, Vagrant Cascadian wrote:
> Package: xul-ext-noscript
> Version: 2.6.9.3-1

> Apparently, the xul-ext-noscript package in jessie is incompatible
> with the new firefox-esr security update just released.

Thank you for your report.

> I presume this is fixed in stretch/sid versions of xul-ext-noscript.

Can you please check that it is? I just rebuilt it in a Jessie chroot:

https://people.debian.org/~taffit/xul/xul-ext-noscript_2.9.0.11-1~deb8u1_all.deb

Thanks in advance.

Regards

David
Bug#825572: Source only upload [Was: Uploaded to DELAYED/2]
Hi Mathieu,

On Tue, Jun 07, 2016 at 08:33:43PM +0200, Mathieu Parent wrote:
> 2016-06-07 0:16 GMT+02:00 David Prévot <taf...@debian.org>:
> > FYI, there is now a buildd available for arch:all, so you could have
> > simply dput the _source.changes without any binary package.
>
> Yes I know. But I don't have yet a simple way to build this
> _source.changes from "gbp buildpackage". How to?

I guess it depends on what you use behind gbp to actually build the package. I use pbuilder, and added a hook [1] recently shared by another DD in order to get both the _amd64.changes (to run lintian, debdiff and all) as well as the _source.changes for the upload.

1: https://www.corsac.net/?rub=blog=1579

“debuild -S” does the trick too afterward: the binary packages will anyway be built inside a proper chroot on the buildd system.

Regards

David
Bug#825572: Uploaded to DELAYED/2
Hi Mathieu,

On Mon, Jun 06, 2016 at 09:50:21PM +0200, Mathieu Parent wrote:
> I've uploaded php-sabre-vobject (2.1.7-3) to DELAYED/2 to fix this RC

Thanks for your update! No need to wait IMHO, so I just ran:

  dcut reschedule \
    --file=php-sabre-vobject_2.1.7-3_amd64.changes --days=0

FYI, there is now a buildd available for arch:all, so you could have simply dput the _source.changes without any binary package.

Regards

David
Bug#817751: [pkg-php-pear] Bug#817751: google-api-php-client: diff for NMU version 1.1.7-0.1
Control: retitle 817751 Useless in Debian

Le 01/06/2016 à 11:50, Nish Aravamudan a écrit :
> I've prepared an NMU for google-api-php-client

Please don’t: this package should not end up in a stable release without a proper maintainer.

Regards

David
Bug#814674: Providing map files in node-es6-shim
Hi,

Le 29/05/2016 à 02:39, Julien Puydt a écrit :
> In fact, I have already prepared a new version, which can be seen here:
> https://mentors.debian.net/package/node-es6-shim

Thanks! Is it available in some public VCS?

> Does it fix the bug properly?

owncloud(-news) has been removed from the archive in the meantime, so don’t count on me for some tests, sorry.

Regards

David
Bug#813653: [pkg-php-pear] Bug#813653: Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
Hi,

Le 27/05/2016 à 15:46, Julien Cristau a écrit :
> On Thu, Mar 31, 2016 at 23:43:03 +0200, Daniel Beyer wrote:
>> Can you give a short update regarding the proposed
>> symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?

FYI, it should be dealt with via DSA with other issues soon, we should close this bug when that happens.

Regards

David
Bug#824507: [Pkg-owncloud-maintainers] Bug#824507: owncloud-client symbol lookup error
Hi,

> Package: owncloud-client
[…]
> trying to start the client I get this:
>
> leandro@sgorbio:~$ owncloud
> owncloud: symbol lookup error:
> /usr/lib/x86_64-linux-gnu/libowncloudsync.so.0: undefined symbol:
> _ZN9QKeychain16WritePasswordJob6setKeyERK7QString
[…]
> ii  libqtkeychain0  0.6.2-1.1

Where does that come from?

$ rmadison libqtkeychain0
libqtkeychain0 | 0.1.0-2~bpo70+1 | wheezy-backports |
libqtkeychain0 | 0.4.0-1         | stable           |
libqtkeychain0 | 0.4.0-1         | stable-kfreebsd  |
libqtkeychain0 | 0.5.0-1         | testing          |
libqtkeychain0 | 0.5.0-1         | unstable         |

Regards

David
Bug#824410: RM: php5-symfony-debug/experimental -- NBS; cruft
Package: ftp.debian.org
Severity: normal

Hi,

As per #824148: the last symfony uploads got rid of php5-symfony-debug (arch:any), so only arch:all packages are built now. Version 3.0.4+dfsg-1 of php5-symfony-debug seems to prevent version 3.0.6+dfsg-1 of php-symfony* packages from being available in the archive.

Thanks in advance for your prompt action: version 3.0.6+dfsg-1 contains security fixes.

Regards

David
Bug#824175: Error: Class '...\PropertyAccess' not found
Control: tag -1 upstream

On Fri, May 13, 2016 at 01:29:46PM +0200, Antonio Ospite wrote:
> Package: php-symfony-serializer
> Version: 2.8.6+dfsg-1
> Severity: normal
>
> Dear Maintainer,
>
> I installed php-symfony-serializer and tried the first example from the
> documentation at
> http://symfony.com/doc/current/components/serializer.html, the code is
> like this:
[…]
> PHP Fatal error:  Uncaught Error: Class
> 'Symfony\Component\PropertyAccess\PropertyAccess' not found in
> /usr/share/php/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php:40

The documentation page you’re referring to already warns about it:

  “To use the ObjectNormalizer, the PropertyAccess component must also be installed.”

> Of course the error goes away if I install the
> php-symfony-property-access package.
>
> I see that php-symfony-property-access is a suggested package, but I was
> wondering if it should be a dependency or at least a recommended
> package.

This is intended upstream, that only suggests symfony/property-info in their composer.json file.

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Serializer/composer.json

Composer documents suggest as follows:

  Suggested packages that can enhance or work well with this package. These are just informational and are displayed after the package is installed, to give your users a hint that they could add more packages, even though they are not strictly required.

https://getcomposer.org/doc/04-schema.md#suggest

Debian documents Suggests as follows:

  This is used to declare that one package may be more useful with one or more others. Using this field tells the packaging system and the user that the listed packages are related to this one and can perhaps enhance its usefulness, but that installing this one without them is perfectly reasonable.

https://www.debian.org/doc/debian-policy/ch-relationships.html#s-binarydeps

Both Composer and Debian interpretations of suggest seem to match well enough, so if you believe the relation is too weak, you should try to convince upstream about it.

http://symfony.com/doc/current/contributing/code/bugs.html
http://symfony.com/doc/current/contributing/code/patches.html

Regards

David
Bug#821044: wheezy-pu: package zendframework/1.11.13-1.1+deb7u6
Hi,

> Assuming that the resulting package has been tested on wheezy, please go
> ahead.

It just got accepted into oldstable-proposed-updates->oldstable-new, thanks (and yes, I do use it in some boxes).

Regards

David
Bug#815482: On bug #815482 (localized libjs-moment)
Hi Julien,

> Could you have a look and tell me if it's ok?

debian/libjs-moment.install now contains:

  locale usr/share/javascript/moment/locale

You probably meant:

  locale usr/share/javascript/moment

(Assuming you don’t want the locales in /usr/share/javascript/moment/locale/locale since they seem to be looked up in ('./locale/' + name) according to the code.)

owncloud-news has been removed from the archive in the meantime, so I don’t have a real testbed to check it further, sorry.

Regards

David
Bug#824148: RM: php5-symfony-debug -- NBS; cruft
Package: ftp.debian.org
Severity: normal

Hi,

The last symfony uploads got rid of php5-symfony-debug (arch:any), so only arch:all packages are built now. Version 2.8.4+dfsg-1 [3.0.4+dfsg-1 in experimental] of php5-symfony-debug seems to prevent version 2.8.6+dfsg-1 [3.0.6+dfsg-1 in experimental] of php-symfony* packages from being available in the archive, and also prevents symfony from migrating into testing.

Thanks in advance for your prompt action: version 2.8.6+dfsg-1 [3.0.6+dfsg-1 in experimental] contains security fixes.

Regards

David
Bug#824147: RM: php5-twig -- NBS; cruft
Package: ftp.debian.org
Severity: normal

Hi,

The last twig upload got rid of php5-twig (arch:any), so it only builds arch:all packages now. Version 1.24.0-1 of php5-twig seems to prevent version 1.24.0-2 of php-twig* from being available in the archive, and also prevents twig from migrating into testing.

Thanks in advance.

Regards

David
Bug#823768: Useless in Stretch
Package: php-jmespath
Version: 2.3.0-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I recently packaged php-jmespath as used by php-aws-sdk (in experimental), but it won’t be part of Stretch as per #821698. There is a priori little point in shipping php-jmespath in the next Debian stable release.

Since php-aws-sdk is still in experimental, I don’t intend to request the removal of this package.

Regards

David
Bug#823683: PHP 7.0 Transition
Package: php-services-json
Version: 1.0.3-1
Severity: serious
User: pkg-php-ma...@lists.alioth.debian.org
Usertags: php7.0-transition

Hi,

As shown by php7cc, php-services-json contains deprecated PHP 4 constructors. As outlined in #783422, upstream has not been active in years, so unless that changes, this package should probably not be shipped in the next Debian stable release.

Regards

David
Bug#823649: libjs-mediaelement: Reflected XSS vulnerability
Hi,

On Sat, May 07, 2016 at 11:58:22AM +1000, Craig Small wrote:
> Package: libjs-mediaelement
> Version: 2.15.1+dfsg-1
> Severity: important
> Tags: security upstream
>
> I saw this regarding the wordpress 4.5.2 release[1].

Thank you for the heads up.

> MediaElement.js is
> vulnerable to a reflected XSS attack. The wordpress patch is at [2]
> but I cannot exactly find what has changed but I think it is the
> url has the time added to randomize it more. [3]

Looks like the issue is confined to the Flash player that is disabled in Debian, so we should be on the safe side. I’ll backport the fix anyway to be on the safer side, thanks.

> 1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
> 2: https://core.trac.wordpress.org/changeset/37370
> 3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

Regards

David
Bug#823511: Useless in Debian
Package: php-psr-http-message
Version: 1.0-2
Severity: serious

I recently packaged php-psr-http-message as used by php-guzzlehttp-psr7 and php-google-auth, but php-guzzlehttp-psr7 is going away, see #823505 (so is php-google-auth, see #817754). There is a priori little point in shipping php-psr-http-message in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may be useful for a FusionDirectory google-apps plugin soon, so I don’t intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David
Bug#823510: Useless in Debian
Package: php-react-promise
Version: 2.4.1-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged php-react-promise as used by php-guzzlehttp-ringphp, but php-guzzlehttp-ringphp is going away, see #823506. There is a priori little point in shipping php-react-promise in any Debian stable release anymore.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#823508: Useless in Debian
Package: python-guzzle-sphinx-theme
Version: 0.7.10-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged python-guzzle-sphinx-theme in order to build php-guzzle-doc, but php-guzzle is going away, see #821698. There is a priori little point in shipping python-guzzle-sphinx-theme in any Debian stable release anymore.

I intend to follow up with an RM request once php-guzzle is gone, unless anyone objects (but feel free to beat me to it).

Regards

David
Bug#823507: Useless in Debian
Package: php-guzzle-stream
Version: 3.0.0-5
Severity: normal

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged php-guzzle-stream as used by php-guzzlehttp-ringphp, but php-guzzlehttp-ringphp is going away, see #823506. There is a priori little point in shipping php-guzzle-stream in any Debian stable release anymore.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#823506: Useless in Debian
Source: php-guzzlehttp-ringphp
Version: 1.1.0-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged php-guzzlehttp-ringphp as used by php-guzzlehttp (version 5, as in Jessie), but the latest version (version 6.2, as in Sid) doesn’t use it anymore. There is a priori little point in shipping php-guzzlehttp-ringphp in any Debian stable release anymore.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#823505: Useless in Debian
Package: php-guzzlehttp-psr7
Version: 1.3.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I recently packaged php-guzzlehttp-psr7 as used by php-guzzlehttp, php-aws-sdk (in experimental), and php-google-auth, but php-guzzlehttp is going away (so is php-google-auth, see #817754). There is a priori little point in shipping php-guzzlehttp-psr7 in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may be useful for a FusionDirectory google-apps plugin soon, so I don’t intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David
Bug#823504: Useless in Debian
Package: php-guzzlehttp-promises
Version: 1.1.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I recently packaged php-guzzlehttp-promises as used by php-guzzlehttp and php-aws-sdk (in experimental), but php-guzzlehttp is going away, see #823502. There is a priori little point in shipping php-guzzlehttp-promises in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may be useful for a FusionDirectory google-apps plugin soon, so I don’t intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David
Bug#823502: Useless in Debian
Source: php-guzzlehttp
Version: 6.2.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I recently packaged php-guzzlehttp as used by owncloud and php-google-auth, but owncloud is going away, see #816376 (so is php-google-auth, see #817754). There is a priori little point in shipping php-guzzlehttp in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may be useful for a FusionDirectory google-apps plugin soon, so I don’t intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David
Bug#823063: RM: php-irods -- ROM; Useless in Debian
Package: ftp.debian.org
Severity: normal

Hi,

#756580 was reassigned with a broken title, and the source package hasn’t been removed AFAICT. Please, remove it too.

Regards

David
Bug#822681: RM: owncloud -- ROM; Unfit upstream, uninstallable
Package: ftp.debian.org
Severity: normal

As per #816376, we won’t be shipping ownCloud in the next Debian release, and since the version in Sid is not installable anymore (see #821826), there is no point in keeping it at all.

The following reverse dependencies can also go away:
- owncloud-antivirus
- owncloud-apps
- owncloud-music
- owncloud-tasks

I’ll take care of filing RM bugs for the many packages introduced for it later (there are already RC-bugs preventing them from being part of the next Debian release).

Thanks in advance

Regards

David
Bug#816796: php-apigen: Useless in Debian
Hi Florian,

On 22/04/2016 at 16:09, Florian Schlichting wrote:
> On Wed, Apr 20, 2016 at 04:00:40PM -0400, David Prévot wrote:
>> On 20/04/2016 at 15:43, Florian Schlichting wrote:
>>> So if it's not too difficult to maintain with PHP 7, I'd love for
>>> php-apigen to be kept in Debian in the future!
>>
>> Feel free to take it over (with its dependency chain).
>
> OK, I'll have a look at php-apigen and dependencies, preparing updates
> for PHP 7. Can I keep you in Uploaders, or would you rather be removed?

Please, remove me (I’m still around the team, and willing to help for general or specific issues, but don’t wish to be part of the main contacts for packages I don’t use anymore).

> I may need a hand or
> helpful hint getting used to the pkg-php tools, though, so if you see me
> doing something stupid please do tell!

The <pkg-php-p...@lists.alioth.debian.org> list should be the right place to ask for advice in doubt, I won’t be the only one willing to help.

> I have requested to join pkp-php on alioth.

I’m not an admin, but those are usually dealt with in a timely manner, so welcome!

Regards

David
Bug#816796: php-apigen: Useless in Debian
Hi Florian,

On 20/04/2016 at 15:43, Florian Schlichting wrote:
> So if it's not too difficult to maintain with PHP 7, I'd love for
> php-apigen to be kept in Debian in the future!

Feel free to take it over (with its dependency chain).

Regards

David
Bug#821123: Useless in Debian
Package: doctrine-sphinx-theme
Version: 0~20130227-1
Severity: serious
Tags: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged doctrine-sphinx-theme to build doctrine-orm-doc, but we stopped building it (not DFSG compliant anymore). There is a priori little point in shipping doctrine-sphinx-theme with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#821044: wheezy-pu: package zendframework/1.11.13-1.1+deb7u6
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential entropy vulnerability that has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Wheezy, it’s pretty similar to the one from #821042.

zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David

diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog --- zendframework-1.11.13/debian/changelog +++ zendframework-1.11.13/debian/changelog @@ -1,6 +1,15 @@ +zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: +- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Prévot <taf...@debian.org> Wed, 13 Apr 2016 16:34:02 -0400 + zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09
@@ -8,7 +17,7 @@ zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high - * Backport security fixes from 1.12.16 + * Backport security fixes from 1.12.16: - ZF2015-07: Filesystem Permissions Issues in Multiple Components http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723] diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series --- zendframework-1.11.13/debian/patches/series +++ zendframework-1.11.13/debian/patches/series @@ -15,0 +16 @@ +0016-Fixed-the-rand-usage.patch diff -u zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch +++ zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 
@@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php| 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php| 19 +-- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 10 ++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 48 deletions(-) diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php -index 95f3734..8fde066 100644 +index 95f3734..d718255 100644 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php 
+++ b/library/Zend/Db/Adapter/Pdo/Abstract.php -@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract - if (is_int($value) || is_float($value)) { - return $value; - } -+// Fix for null-byte injection -+$value = addcslashes($value, "\000\032"); - $this->_connect(); - return $this->_connection->quote($value); - } -@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract +@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends
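Review bot: The hunk against debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch drops the `+// Fix for null-byte injection` / `+$value = addcslashes($value, "\000\032");` lines from the generic Pdo/Abstract.php quote() (the `-+` lines under `-@@ -292,6 +292,8 @@`), which is presumably the "binary data corruption" regression fix named in the changelog, but neither the changelog entry nor the patch description says where the null-byte handling now lives; since the updated diffstat only shows Mssql.php and a new Sqlite.php change gaining lines, please state in the patch header that the escaping moved into the adapter-specific code, so a reviewer can confirm ZF2015-08 is not simply reverted for the other PDO adapters. The series file also gains 0016-Fixed-the-rand-usage.patch, whose content is not in the visible part of this debdiff, so the ZF2016-01 change itself cannot be reviewed from what is shown.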
Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential entropy vulnerability that has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request for Wheezy follows), the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David

diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog --- zendframework-1.12.9+dfsg/debian/changelog 2015-11-24 18:25:30.0 -0400 +++ zendframework-1.12.9+dfsg/debian/changelog 2016-04-13 17:12:29.0 -0400
@@ -1,6 +1,15 @@ +zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: +- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Prévot <taf...@debian.org> Wed, 13 Apr 2016 16:37:00 -0400 + zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2015-11-24 18:18:19.0 -0400 +++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2016-04-13 17:12:29.0 -0400 
@@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php| 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php| 17 +- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 47 deletions(-) diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php -index 84a76f3..7699d7a 100644 +index 84a76f3..e12b602 100644 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php 
+++ b/library/Zend/Db/Adapter/Pdo/Abstract.php -@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract - if (is_int($value) || is_float($value)) { - return $value; - } -+// Fix for null-byte injection -+$value = addcslashes($value, "\000\032"); - $this->_connect(); - return $this->_connection->quote($value); - } -@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract +@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract } } } - diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php -index e3d8c7a..8a8d306 100644 +index e3d8c7a..6081887 100644 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract @@ -47,6 +41,49
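Review bot: The rewritten patch header puts two commit URLs on one `Origin:` line (`+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f... https://github.com/zendframework/zf1/commit/70d8aba8...`); DEP-3 describes Origin as a single URL, so the second upstream commit is better cited in the patch description, together with a sentence saying it is the regression fix for the binary-data corruption mentioned in the changelog, since the hunk that removes `addcslashes($value, "\000\032")` from Pdo/Abstract.php quote() otherwise reads like a plain revert of ZF2015-08 for every PDO adapter. The debdiff is also cut off at `@@ -47,6 +41,49` inside the Mssql.php hunk, so the Jessie changes to Mssql.php and Sqlite.php listed in the diffstat, and the ZF2016-01 patch itself, cannot be checked from what is shown.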
Bug#820336: composer: remove mercurial from Recommends
Hi Thijs,

Thanks for your interest in the composer package.

On 07/04/2016 09:57, Thijs Kinkhorst wrote:
> Installing composer by default also pulls in mercurial because it's in
> Recommends. I personally doubt that the amount of mercurial use justifies
> pulling it in by default (and e.g. not svn).

On top of the default Hg driver, there is one specific to Bitbucket, so I initially assumed it should be useful enough, but I have never seen any PHP package hosted on Mercurial yet.

> I'd say it could be better
> moved to Suggests.

Agreed, added subversion to Suggests too since there is also a Svn driver.

Regards

David
Bug#819415: [pkg-php-pear] Bug#819420: php-seclib: Call to undefined method Crypt_Base::Crypt_Base()
Hi,

Thank you for your report. CCing Perpetuum who reported a similar issue in #819415, and Mathieu who uploaded php-seclib 1.0.1-3.

On 28/03/2016 07:31, Frank Jung wrote:
> Package: php-seclib
> Version: 1.0.1-3
> Loading Dokuwiki running on lighttpd reported a 500 "The localhost page isn’t
> working" error. Looking into lighttpd logs I see in error.log
>
> (mod_fastcgi.c.2520) FastCGI-stderr: PHP Fatal error: Call to undefined method
> Crypt_Base::Crypt_Base() in /usr/share/php/Crypt/Rijndael.php on line 269

I guess the “Fix Methods with the same name as their class” is incomplete, can you please roll back to 1.0.1-2 and comment if it fixes the issue for you.

Regards

David
Bug#819322: Useless in Debian
Package: php-xml-parser
Version: 1.3.6-1
Severity: serious
Control: block -1 by 818800
User: pkg-php-ma...@lists.alioth.debian.org
Usertags: php7.0-transition

[ Filed as an RC-bug by a team member to see the package auto-removed from testing, and not let it block the PHP 7.0 transition. ]

php-xml-parser “has been superseded” according to upstream [0], and has only two reverse dependencies left in Sid: php-xml-serializer (not in testing) and simplesamlphp (that should be a mistake, see #818800).

0: http://pear.php.net/package/XML_Parser

There is a priori little point in shipping php-xml-parser with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#819031: jessie-pu: package mozilla-devscripts/0.39+deb8u1
Hi,

On 24/03/2016 15:13, Adam D. Barratt wrote:
> Thanks for the review and the examples. Please feel free to upload.

Uploaded and accepted, thanks.

Regards

David
Bug#819031: jessie-pu: package mozilla-devscripts/0.39+deb8u1
Hi,

On Tue, Mar 22, 2016 at 08:45:02PM -0700, Sean Whitton wrote:
> The version of mozilla-devscripts currently in Jessie generates
> references to the iceweasel and icedove packages. But iceweasel is to
> be replaced with firefox-esr, and icedove is probably going to be
> replaced with thunderbird.

FWIW, I’ve reviewed Sean Whitton’s changes, built the mozilla-devscripts in Jessie, and tested it there in order to rebuild some xul-ext-* packages. I believe those changes are short, fine, and will allow us to make an “as smooth as possible” transition from iceweasel to firefox (and icedove to thunderbird) whenever those packages reach stable (i.e., probably via stable-security, thus the idea to push those changes prior to the forced transition).

I’m happy to upload this package in a timely manner if you agree with this proposal.

Packages built with this latest mozilla-devscripts can be installed with iceweasel as well as firefox, here are a few examples of binary debdiff, for xul-ext-noscript and xul-ext-adblock-plus, between the version currently in stable and the no-change rebuild with this version of mozilla-devscripts.

$ debdiff /var/cache/apt-cacher-ng/debrep/pool/main/m/mozilla-noscript/xul-ext-noscript_2.6.9.3-1_all.deb /var/cache/pbuilder/result/xul-ext-noscript_2.6.9.3-1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Breaks: {+firefox (<< 3.0.9), firefox-esr (<< 3.0.9),+} iceape (>> 2.33+), iceape (<< 2.0), iceweasel (<< 3.0.9)
Depends: iceweasel (>= 3.0.9) | {+firefox (>= 3.0.9) | firefox-esr (>= 3.0.9) |+} iceape (>= 2.0)
Enhances: {+firefox, firefox-esr,+} iceape, iceweasel
Installed-Size: [-1129-] {+1019+}
Provides: {+firefox-esr-noscript, firefox-noscript,+} iceape-noscript, iceweasel-noscript

$ debdiff /var/cache/apt-cacher-ng/debrep/pool/main/a/adblock-plus/xul-ext-adblock-plus_2.6.6+dfsg-1_all.deb /var/cache/pbuilder/result/xul-ext-adblock-plus_2.6.6+dfsg-1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Breaks: {+firefox (<< 22.0), firefox-esr (<< 22.0),+} iceape (>> 2.34+), iceape (<< 2.19), icedove (<< 22.0), iceweasel (<< {+22.0), thunderbird (<<+} 22.0)
Depends: iceweasel (>= 22.0) | {+firefox (>= 22.0) | firefox-esr (>= 22.0) | thunderbird (>= 22.0) |+} icedove (>= 22.0) | iceape (>= 2.19)
Enhances: {+firefox, firefox-esr,+} iceape, icedove, [-iceweasel-] {+iceweasel, thunderbird+}
Installed-Size: [-2603-] {+2306+}
Provides: adblock-plus, {+firefox-adblock-plus, firefox-esr-adblock-plus,+} iceape-adblock-plus, icedove-adblock-plus, [-iceweasel-adblock-plus-] {+iceweasel-adblock-plus, thunderbird-adblock-plus+}

Thanks in advance for considering.

Regards

David
Bug#818756: fixed in mozilla-devscripts 0.45.1
Hi Sean,

Thank you for your work on the xul-ext-* tools!

On Tue, Mar 22, 2016 at 04:51:15PM +, Debian Bug Tracking System wrote:
[…]
> mozilla-devscripts (0.45.1) unstable; urgency=high
> .
>    * Restore generation of iceweasel entries for Depends:, Enhances:
>      etc. to ease the Iceweasel -> Firefox transition. (Closes: #818756)
>      Update test suite accordingly.
>    * Also restore generation of iceweasel-* binary packages.
>    * Preemptively add generation of thunderbird entries for Depends:,
>      Enhances: etc. for the upcoming Icedove -> Thunderbird transition.
>      Update test suite accordingly.

Would you be willing to propose a fix of #818013 and #818756 for stable (including the thunderbird change too)? Extra bonus points if it’s ready ASAP, i.e. within the next few days, in order to make it for the upcoming stable point release (8.4).

8.4: https://lists.debian.org/debian-release/2016/03/msg00211.html

I haven’t yet had a look at the changes, nor actually tested them, but am willing to look and do some tests in a stable environment for such a pu request. It would be nice to have all the needed tools to prepare an “as smooth as possible” transition in stable too…

Regards

David
Bug#818800: simplesamlphp: Useless dependency on php-xml-parser
Package: simplesamlphp
Version: 1.14.2-1
Severity: normal

Hi,

It seems like simplesamlphp is the last bit in Debian depending on php-xml-parser, but it doesn’t seem to actually use it. If php-xml-parser is not used by simplesamlphp, please drop the dependency on it, so we can get rid of it for the next stable release.

Regards

David
Bug#818756: [Pkg-mozext-maintainers] Bug#818756: Bug#818756: dh_xul-ext: please add alternative dependency on iceweasel
Hi,

> On Sun, Mar 20, 2016 at 01:05:22PM +0100, Jakub Wilk wrote:
>> To facilitate smoother partial jessie->stretch upgrades, it would be
>> good if iceweasel was added as an alternative dependency.
>
> I'm not familiar with this use case: could you explain why someone might
> want to do that, please?

It makes the life of the package manager (solver) less painful. It also would allow one to use xul-ext-* packages from unstable or testing on a stable release without the hassle of rebuilding it, again not a bad thing.

> Further, firefox-esr will replace iceweasel in Jessie when the next ESR
> release is made by Mozilla.

That will make the current rebuild of all the xul-ext-* world again more painful (because stable). If we can start handling this mess sooner, that would not be bad either (i.e., we could make the xul-ext-* packages from stable installable with firefox{,-esr} as well as iceweasel right now). That also means preparing a stable upload of mozilla-devscripts ASAP (needed anyway, if we want to binNMU or even fully upload the xul-ext-* world in stable).

Starting right now to depend on thunderbird on top of icedove could also be a good idea, no need to wait for #816679 to be fixed.

Regards

David
Bug#818104: Possible MBF: Packages depending on iceweasel but not firefox/firefox-esr
On 18/03/2016 18:06, Josh Triplett wrote:
> I would suggest that Firefox addon packages should depend on "firefox |
> firefox-esr"

Most of those packages use mozilla-devscripts for the build and just need to be rebuilt to get fixed. Even if our infrastructure has all the needed tools to binNMU all of them as a proper transition, some limitations on the way arch:all binNMUs are handled currently prevent us from having most of them already fixed, see #818104.

What is currently needed if the arch:all binNMU doesn’t get fixed, is “just” to upload all of them. I’m currently dragged into doing that for hundreds of PHP classes packages because of this no arch:all binNMU limitation, so I hope someone else from the Debian Mozilla Extension Maintainers could take the lead on it (new members are welcome ;).

Regards

David
Bug#783422: php-services-json: Useless in Debian?
Hi Dmitry,

> My concern for removal of this package is that recently introduced CiviCRM
> loosely depends on it.

Looks like civicrm only build-depends on it, that seems strange (I wonder how php-services-json is used during the build). Looks like civicrm is using dh_linktree for embedding PHP classes, that seems like an awful tool for the un-bundling job, you may wish to properly load the needed classes instead.

Since there are no actual dependencies, I wonder how php-services-json is actually useful for civicrm currently. Anyway, if you wish to see php-services-json stay, you should consider taking over its maintenance, and ensure it’s ready for PHP 7.0.

Regards

David
Bug#818709: Useless in Debian
Package: php-mail-mimedecode
Version: 1.5.5-3
Severity: serious

[ Filed as RC by a team member to see it autoremoved from testing if nobody disagrees. Please, do downgrade it with an explanation if you disagree. ]

This package has no reverse dependencies anymore in Stretch, and hasn’t seen any activity upstream in over five years. There is a priori little point in shipping php-mail-mimedecode with the next Debian stable release.

I don’t intend to follow up with an RM request since Thomas said he’d wish to see extplorer in Debian again at some point.

Regards

David
Bug#818558: Useless in Debian
Package: libjs-jquery-minicolors
Version: 1.2.1-1
Severity: serious
Tags: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged libjs-jquery-minicolors as used by owncloud, but owncloud is going away, see #816376. There is a priori little point in shipping libjs-jquery-minicolors in the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818674: Useless in Debian
Package: owncloud-doc
Version: 0~20160302-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged owncloud-doc as used by owncloud, but owncloud is going away, see #816376. There is a priori little point in shipping owncloud-doc with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818673: Useless in Debian
Package: python-sphinxcontrib.phpdomain
Version: 0.1.4-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged python-sphinxcontrib.phpdomain to build owncloud-doc and php-opencloud-doc as used by owncloud, but owncloud is going away, see #816376. There is a priori little point in shipping sphinxcontrib-phpdomain with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818561: Useless in Debian
Package: libjs-chosen
Version: 0.9.11-2
Severity: serious
Tags: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing. ]

I packaged libjs-chosen as used by owncloud, but owncloud is going away, see #816376. There is a priori little point in shipping libjs-chosen in the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818412: Please adapt code for the PHP 7.0 transition
Package: debpear
Version: 0.4
Severity: serious

[ Filed as an RC-bug by a team member to ensure the package does not get released with this status in Stretch. ]

Even if it doesn’t show up in the package metadata, according to a quick look at the code, there are some assumptions about at least the php5-* naming scheme.

Disclaimer: I don’t intend to look into fixing it myself in the near future.

Regards

David
Bug#817754: php-google-a* maybe not so useless (Was: Useless in Debian)
Hi Benoit,

On 15/03/2016 04:54, Benoit Mortier wrote:
> On 09/03/16 21:38, David Prévot wrote:
>> Package: php-google-api-php-client
[…]
>> Package: php-google-auth
>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>> from testing, and not let it block the PHP 7.0 transition. ]
>>
>> I packaged php-google-api-php-client as used by owncloud
[…]
>> I intend to follow up with an RM request in a few months if nobody
>> objects (but feel free to beat me to it).
> we are the developer of FusionDirectory and we will soon have a
> google-apps plugin that will use this library
>
> could we keep it inside debian

Let’s hold on the RM request then. Please ping us back when your plugin is in the archive. You may wish to step up for the maintenance (including dependencies) then: not sure I’ll stay around the PHP PEAR (and Composer) Maintainers much longer once the ownCloud mess is done.

Regards

David
Bug#818034: Useless in Debian
Package: php-picofeed
Version: 0.1.19-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing, and not let it block the PHP 7.0 transition. ]

I recently packaged php-picofeed, as used by owncloud-news, but it’s now gone as per #816901 since owncloud is going away, see #816376. There is a priori little point in shipping php-picofeed in a Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818033: Useless in Debian
Package: php-nette
Version: 2.3.9-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing, and not let it block the PHP 7.0 transition. ]

I packaged php-nette as used by php-apigen in order to build php-opencloud(-doc), as used by owncloud, but owncloud is going away, see #816376 (so is php-apigen, see #816796). There is a priori little point in shipping php-apigen in the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody objects (but feel free to beat me to it).

Regards

David
Bug#818012: RM: phpseclib/experimental -- ROM; Superseded by php-phpseclib
Package: ftp.debian.org
Severity: normal

Hi,

Please remove phpseclib from experimental, the version 2 is now provided by php-phpseclib.

Regards

David
Bug#817765: Useless in Stretch
Package: php-psr-cache
Version: 1.0.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed from testing, and not let it block the PHP 7.0 transition. ]

I recently packaged php-psr-cache as a new symfony dependency, but it shouldn’t be useful before 3.1 (with the php-symfony-cache component) while Stretch should ship with Symfony 2.8. There is a priori little point in shipping php-psr-cache in the upcoming Debian release, but feel free to downgrade or close with an explanation if there is.

I do not intend to follow up with an RM request, but rather close this bug once Stretch is frozen or the package actually needed.

Regards

David