Bug#1069581: pymongo: CVE-2024-21506 out-of-bound read

[Markus Koschany]

Package: pymongo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for pymongo.

CVE-2024-21506[0]:
| Versions of the package pymongo before 4.6.3 are vulnerable to Out-
| of-bounds Read in the bson module. Using the crafted payload the
| attacker could force the parser to deserialize unmanaged memory. The
| parser tries to interpret bytes next to buffer and throws an
| exception with string. If the following bytes are not printable
| UTF-8 the parser throws an exception with a single byte.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21506
https://www.cve.org/CVERecord?id=CVE-2024-21506

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1068514: bullseye-pu: package imlib2/1.7.1-2

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: iml...@packages.debian.org, a...@debian.org
Control: affects -1 + src:imlib2

[ Reason ]

Fixing CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450 in bullseye.

[ Impact ]

CVE remain unfixed in bullseye while they are already fixed in stable
and newer distributions.

[ Tests ]

Code changes are trivial

[ Risks ]

Code changes are trivial and are already present in bookworm. No
regressions have been reported.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

A variable in the tgaflip function was multiplied with the height and not
the width which can cause a heap buffer overflow.
diff -Nru imlib2-1.7.1/debian/changelog imlib2-1.7.1/debian/changelog
--- imlib2-1.7.1/debian/changelog   2021-01-23 22:00:25.0 +0100
+++ imlib2-1.7.1/debian/changelog   2024-04-06 22:40:50.0 +0200
@@ -1,3 +1,11 @@
+imlib2 (1.7.1-2+deb11u1) bullseye; urgency=medium
+
+  * Fix CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450.
+A heap-buffer overflow vulnerability was discovered in imlib2 when using
+the tgaflip function in loader_tga.c
+
+ -- Markus Koschany   Sat, 06 Apr 2024 22:40:50 +0200
+
 imlib2 (1.7.1-2) unstable; urgency=medium
 
   * Drop obsolete libltdl3-dev dependency.
diff -Nru 
imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
 
imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
--- 
imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
  1970-01-01 01:00:00.0 +0100
+++ 
imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
  2024-04-06 22:40:50.0 +0200
@@ -0,0 +1,26 @@
+From: Markus Koschany 
+Date: Fri, 5 Apr 2024 16:29:27 +0200
+Subject: CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450
+
+Origin: 
https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6
+---
+ src/modules/loaders/loader_tga.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/loaders/loader_tga.c 
b/src/modules/loaders/loader_tga.c
+index e9729b0..ae96a3b 100644
+--- a/src/modules/loaders/loader_tga.c
 b/src/modules/loaders/loader_tga.c
+@@ -595,9 +595,9 @@ tgaflip(DATA32 * in, int w, int h, int fliph, int flipv)
+ x2 = fliph ? w - 1 : 0;
+ for (x = 0; x < nx; x++, x2 += dx)
+   {
+- tmp = in[y * h + x];
+- in[y * h + x] = in[y2 * h + x2];
+- in[y2 * h + x2] = tmp;
++ tmp = in[y * w + x];
++ in[y * w + x] = in[y2 * w + x2];
++ in[y2 * w + x2] = tmp;
+   }
+  }
+ }
diff -Nru imlib2-1.7.1/debian/patches/series imlib2-1.7.1/debian/patches/series
--- imlib2-1.7.1/debian/patches/series  2021-01-23 22:00:25.0 +0100
+++ imlib2-1.7.1/debian/patches/series  2024-04-06 22:40:50.0 +0200
@@ -1 +1,2 @@
 01_removed-data-dir.patch
+CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch

Bug#1060381: tomcat10: catalina.out is not recreated after deletion

[Markus Koschany]

Control: tags -1 moreinfo

[already CCed the submitter but forgot to add the bug report]

Hello Daniel,

On Wed, 10 Jan 2024 12:42:34 +0100 Daniel von Obernitz
 wrote:
> Package: tomcat10
> Version: 10.1.6-1+deb12u1
> Severity: normal
> X-Debbugs-Cc: t...@security.debian.org
> 
> Dear Maintainer,
> 
> when you stop tomcat10.service and delete the /var/log/tomcat10/catalina.out,
the file will not be recreated after the next tomcat10.service start.

[...]

I don't understand the problem here. You deliberately deleted catalina.out.
What stops you from using

touch /var/log/tomcat10/catalina.out

to recreate it?

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1066983: monopd: Fails to start monopd.service

[Markus Koschany]

Hello Shriram,

Am Mittwoch, dem 27.03.2024 um 15:10 +0530 schrieb Shriram Ravindranathan:
> Dear Markus,
> 
> On 27/03/24 13:01, Markus Koschany wrote:
> > As this bug report proves, normal people tend to have problems with system
> > services. A system administrator would have simply disabled or masked the
> > service. There is nothing here what could not have been resolved with some
> > systemctl commands.
> I am sorry but I don't understand the point you are trying to make here. 
> I don't think it is in the right spirit that we should expect anybody 
> (even sysadmins) to bodge the package somehow and get it to work.
> 

The package is not broken and the bug severity is incorrect. Sylvain already
explained what you could have done with systemctl to solve this issue. 


signature.asc
Description: This is a digitally signed message part

Bug#1066983: monopd: Fails to start monopd.service

[Markus Koschany]

Hi Sylvain,

Am Montag, dem 25.03.2024 um 18:48 +0100 schrieb Sylvain Rochet:
> Hi Markus,
> 
> On Mon, Mar 25, 2024 at 02:36:59AM +0100, Markus Koschany wrote:
> > Sylvain Rochet wrote:
> > > Actually, the main problem is /lib/systemd/system/monopd.socket which 
> > > set Accept=yes while monopd needs Accept=no (which is the default value).
> > 
> > I wonder if monopd needs a systemd socket file at all and if we should 
> > disable the service after the installation. We have been using this 
> > setting since the introduction of systemd. If monopd runs with 
> > Accept=no then we also don't need a service template file. At some 
> > point I also noticed the same warning as Shriram
> > 
> > "monopd.socket is a disabled or a static unit not running, not 
> > starting it."  and then followed [1] and added the required template 
> > file.
> 
> Yeah, socket activation is not really useful for public servers 
> services, it is mostly used for local services that can be spawned on 
> the fly later. Furthermore, socket activation breaks monopd metaserver 
> registration because the daemon must be running to register, so better 
> only ship the service file. I let you decide whether the service should 
> be disabled or enabled by default (but unless something recently 
> changed, daemon usually runs by default on Debian. I admit having lost 
> track :D).

Our Policy is still to enable autostarting a service but I also don't see a
must directive in 9.3.3.1 [1], so if there is a good reason it should be OK to
disable the service and let the local administrator re-enable it, if desired. 

> > I have been running monopd for the past decade and I also suspect the 
> > daemon is affected by some bugs which might be remotely exploitable.
> 
> What makes you think that?
> 
> My daemon is running attached to gdb so I can easily catch and trace any 
> issue that would kill the process. So far it's been over 10 years 
> without a single issue, some process lived for several years between 
> systems reboot.
> 
> I am not saying it is bug free because nothing is bug free, but if it is 
> remotely exploitable and actively exploited, I would be aware of it on 
> my running instance.

I have seen multiple lines like that in my log files before:

monopd.service: main process exited, code=killed, status=11/SEGV

It happens from time to time but at some time it was more frequent which made
me believe that some players found a way to reproducibly crash the server. I
can send you my log file but you probably can't easily debug the problem
because there was no gdb attached to the process. 

> > Since users usually don't need the monopd server anyway, if they want 
> > to play a game, they should make a conscious decision to start it if 
> > they want to use it locally. For a simple internet game, the daemon is 
> > not required.
> 
> Installing the server package isn't already a conscious decision?

As this bug report proves, normal people tend to have problems with system
services. A system administrator would have simply disabled or masked the
service. There is nothing here what could not have been resolved with some
systemctl commands.

However I believe I just remove the systemd socket file now and be done with
it. There are pros and cons for autostarting the service or disabling it but we
don't need to overthink this.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1066983: monopd: Fails to start monopd.service

[Markus Koschany]

Sylvain Rochet wrote:
> Actually, the main problem is /lib/systemd/system/monopd.socket which 
> set Accept=yes while monopd needs Accept=no (which is the default value).

I wonder if monopd needs a systemd socket file at all and if we should disable
the service after the installation. We have been using this setting since the
introduction of systemd. If monopd runs with Accept=no then we also don't need
a service template file. At some point I also noticed the same warning as
Shriram

"monopd.socket is a disabled or a static unit not running, not starting it." 
and then followed [1] and added the required template file.

I have been running monopd for the past decade and I also suspect the daemon is
affected by some bugs which might be remotely exploitable. Since users usually
don't need the monopd server anyway, if they want to play a game, they should
make a conscious decision to start it if they want to use it locally. For a
simple internet game, the daemon is not required.

[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html


signature.asc
Description: This is a digitally signed message part

Bug#1060857: squid: updating to 4.6-1+deb10u9 causes empty responses for some HTTP requests

[Markus Koschany]

Hi,

Am Dienstag, dem 16.01.2024 um 08:18 +0100 schrieb Lucas Nussbaum:
> Hi,
> 
> Adding debian-lts@l.d.o in the email loop, as asked on IRC.
> 
> On 15/01/24 at 21:16 +0100, Lucas Nussbaum wrote:
> > On 15/01/24 at 20:31 +0100, Lucas Nussbaum wrote:
> > > Package: squid
> > > Version: 4.6-1+deb10u9
> > > Severity: important
> > > 
> > > Hi,
> > > 
> > > After updating to 4.6-1+deb10u9, squid returns empty responses for some
> > > URLs.
> 
> I also confirmed that the regression is between 4.6-1+deb10u8 and 4.6-
> 1+deb10u9 (4.6-1+deb10u8 is OK)

Thank you for the report. I believe this is related to the fix for CVE-2023-
46846. I am currently investigating the problem.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1004844: games-finest: Consider adding endless-sky

[Markus Koschany]

Am Freitag, dem 12.01.2024 um 03:25 -0500 schrieb Dave Vasilevsky:
> Hi again. It looks like endless-sky 0.10.2 has been in testing for awhile,
> with no reported bugs. This version is quite new, updated in 2023. What do
> you think about adding it to games-finest now?

Hi,

It's still on my todo list but with a low priority. As long as there are no
major issue with endless-sky, it will be part of games-finest when I update
src:debian-games again.

Cheers,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1059545: webext-ublock-origin-firefox: I get YouTube ads when Private Browsing

[Markus Koschany]

Hello,

> Hi,
> Lately I've been getting YouTube ads when I play videos on private windows.
> This among other YouTube bugs (slow loading and such) have been fixed for
> testing and unstable.   If they can be backported it would be great.
> 
> 
> (can be reproduced on a VM with defaults)

My intention was to backport ublock-origin to Bookworm in January 2024. This
will be a normal point update as usual, so you have to enable bookworm
proposed-updates for early access. I try to update Bullseye as well. Stay tuned
and a happy new year 2024.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1055147: seahorse-adventures: No keypress recognised

[Markus Koschany]

Hi Francesco,

Am Sonntag, dem 03.12.2023 um 17:42 +0100 schrieb Francesco Ariis:
> Il 03 dicembre 2023 alle 17:14 Markus Koschany ha scritto:
> > I spoke too soon. Tested the wrong Debian release. So it appears the
> > underlying
> > problem is in python3-pygame which changed significantly between Bullseye
> > and
> > Bookworm but I'm not sure how I can fix this in seahorse-adventures right
> > now. 
> 
> I managed to get keydown working like this:
> - in /usr/share/games/seahorse-adventures/lib/menu.py
> - go to line 119
> - substitute
>     if e.type is USEREVENT and e.action == 'down':
>   with
>     if e.type == USEREVENT and e.action == 'down':
> - keydown will work again

Thanks a lot for the report and your proposed patch. As soon as I'm back home
tomorrow, I'll give it a try. Thanks for mentioning the other seahorse-
adventures fork. Maybe there are even more improvements. I'll check that too.

Best,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1055147: seahorse-adventures: No keypress recognised

[Markus Koschany]

Control: severity -1 grave

I spoke too soon. Tested the wrong Debian release. So it appears the underlying
problem is in python3-pygame which changed significantly between Bullseye and
Bookworm but I'm not sure how I can fix this in seahorse-adventures right now. 


signature.asc
Description: This is a digitally signed message part

Bug#1057047: tomcat10-common: Tomcat 10 helper script doesn't look for temurin based jdk installs

[Markus Koschany]

On Tue, 28 Nov 2023 17:59:18 +0100 Joan  wrote:
> Package: tomcat10-common
> Version: 10.1.15-1
> Severity: normal
> X-Debbugs-Cc: aseq...@gmail.com
> 
> Dear Maintainer,
> 
>    * What led up to the situation?
> I am trying to use debian's tomcat 10 with java 21, since it's not present on
debian I used the one from 
> https://adoptium.net/installation/linux/ that has a repository.

[...]

Hello,

we support only OpenJDK and there is even openjdk-21-jre in unstable. For
stable releases only one version of openjdk is supported in general, currently
OpenJDK 17.


signature.asc
Description: This is a digitally signed message part

Bug#1057315: tiles: CVE-2023-49735

[Markus Koschany]

Am Sonntag, dem 03.12.2023 um 15:10 +0100 schrieb Moritz Muehlenhoff:
> > But maybe we can set it as "no-dsa", is it only used as build
> > dependency for libspring-java and not sensible outside?
> 
> Spring is already marked as unsupported, so we can simply extend that.

+1 This is sensible in this case.


signature.asc
Description: This is a digitally signed message part

Bug#1055147: seahorse-adventures: No keypress recognised

[Markus Koschany]

Control: severity -1 normal

On Wed, 01 Nov 2023 09:25:19 +0100 Francesco Ariis  wrote:
> Package: seahorse-adventures
> Version: 1.1+dfsg-6
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: fa...@ariis.it
> 
> Dear Maintainer,
> 
> to replicate:
> 
> 1. Launch `seahorse-adventures`
> 2. Now you are in the menu.
> 3. Press any direction key
> 3. The grey indicator in the menu does not move. It seems that keypresses
>    are not recognised. The game is thus unplayable.


I could not reproduce your problem. The keys work as expected and I can
navigate the menu and the game without any problems.


signature.asc
Description: This is a digitally signed message part

Bug#933264: gradle: Nearly 3-year-old version almost useless

[Markus Koschany]

Am Freitag, dem 01.12.2023 um 13:06 +0100 schrieb Matthias Geiger:
> 
> Kotlin is now in debian, is there anything else blocking the update ?

As a start I have built Gradle 4.6 from source with almost only system
libraries but I hit a wall because there seems to be a bug in our Kotlin
version or rather 4.6 requires a different version, so this version still
relies on upstream's binary distribution of Kotlin. I will push this in a few
days and then let's see how we can proceed from here on. Why still 4.6? Jumping
to a newer version like 6.x (which is already superseded by 8.x) requires
updates of many different system libraries which in turn requires updates of
reverse-dependencies of said libraries and so on. So whenever you change
something in Debian's Java eco system you have to be prepared to fix a bunch of
other seemingly (un)related stuff as well. More details follow soon.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1056754: marked as done (bouncycastle: CVE-2023-33202)

[Markus Koschany]

Hi tony,

Am Donnerstag, dem 30.11.2023 um 21:02 -0800 schrieb tony mancill:
> On Thu, Nov 30, 2023 at 09:51:09PM +, Debian Bug Tracking System wrote:
> > Subject: Bug#1056754: fixed in bouncycastle 1.77-1
> > 
> > Source: bouncycastle
> > Version: 1.77-1
> > Distribution: unstable
> > Changed-By: Markus Koschany 
> >    * New upstream version 1.77. (Closes: #1049356)
> 
> Hi Markus,
> 
> Thank you for your efforts to get BC updated.
> 
> >    * Remove backward-compatibility.patch. It is time to fix those issues
> >  properly in our reverse-dependencies.
> 
> I agree completely.  And thank you for filing bugs for the r-deps that
> need to be addressed.

thanks. Fortunately there is enough time to fix them. I'll try to help fixing
them step by step.



signature.asc
Description: This is a digitally signed message part

Bug#1057171: libitext5-java: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: libitext5-java
Version: 5.5.13.3-2
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

libitext5-java fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.

BUILD FAILURE
[INFO] 
[INFO] Total time:  12.832 s
[INFO] Finished at: 2023-11-30T13:27:49+01:00
[INFO] 
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-
plugin:3.10.1:compile (default-compile) on project itextpdf: Compilation
failure: Compilation failure: 
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[223,95] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: class org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[246,109] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: class org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[346,70] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: variable tg of type org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[350,70] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: variable tg of type org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[1286,28] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: variable tag of type org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja
va:[1287,48] cannot find symbol
[ERROR]   symbol:   method getObject()
[ERROR]   location: variable tag of type org.bouncycastle.asn1.ASN1TaggedObject
[ERROR]
/<>/itext/src/main/java/com/itextpdf/text/pdf/security/Certificate
Util.java:[123,67] incompatible types: org.bouncycastle.asn1.ASN1IA5String
cannot be converted to org.bouncycastle.asn1.DERIA5String
[ERROR] -> [Help 1]
[ERROR] 


signature.asc
Description: This is a digitally signed message part

Bug#1057170: ssl-utils-clojure: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: ssl-utils-clojure
Version: 3.5.0-2
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

ssl-utils-clojure fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.


lein jar
Compiling 2 source files to /<>/target/classes
/<>/src/java/com/puppetlabs/ssl_utils/ExtensionsUtils.java:632:
error: cannot find symbol
return asn1ObjToObj(taggedObj.getObject());
 ^
  symbol:   method getObject()
  location: variable taggedObj of type ASN1TaggedObject
1 error
Compilation of Java sources(lein javac) failed.
make[1]: *** [debian/rules:19: override_dh_auto_build] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:11: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
---
-



signature.asc
Description: This is a digitally signed message part

Bug#1057169: pdftk-java: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: pdftk-java
Version: 3.3.3-1
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

pdftk-java fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.

[javac]
/<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java:
228: error: cannot find symbol
[javac] ASN1Sequence content =
(ASN1Sequence)((DERTaggedObject)signedData.getObjectAt(1)).getObject();
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: class DERTaggedObject
[javac]
/<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java:
261: error: cannot find symbol
[javac] DEROctetString rsaDataContent =
(DEROctetString)((DERTaggedObject)rsaData.getObjectAt(1)).getObject();
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: class DERTaggedObject
[javac]
/<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java:
297: error: cannot find symbol
[javac] ASN1Sequence sseq = (ASN1Sequence)tagsig.getObject();
[javac] ^
[javac]   symbol:   method getObject()
[javac]   location: variable tagsig of type ASN1TaggedObject
[javac] /<>/java/com/gitlab/pdftk_


signature.asc
Description: This is a digitally signed message part

Bug#1057168: jdeb: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: jdeb
Version: 1.9-1
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

jdeb fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.

ERROR] Failures: 
[ERROR]   PGPSignerTestCase.testClearSign:79->Assert.assertEquals:146-
>Assert.assertEquals:117 expected:<...[]
-END PGP SIGNAT...> but was:<...[Sek]
-END PGP SIGNAT...>
[INFO] 
[ERROR] Tests run: 90, Failures: 1, Errors: 0, Skipped: 0
[INFO] 
[INFO] 
[INFO] BUILD FAILURE
[INFO] 
[INFO] Total time:  14.039 s
[INFO] Finished at: 2023-11-30T13:32:26+01:00
[INFO] 
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-
plugin:2.22.3:test (default-test) on project jdeb: There are test failures.
[ERROR] 
[ERROR] Please refer to /<>/target/surefire-reports for the
individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-
jvmRun[N].dump and [date].dumpstream.
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please
read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
dh_auto_test: error: /usr/lib/jvm/default-java/bin/java -noverify -cp
/usr/share/maven/boot/plexus-classworlds-2.x.jar -Dmaven.home=/usr/share/maven
-Dmaven.multiModuleProjectDirectory=/<> -
Dclassworlds.conf=/etc/maven/m2-debian.conf -
Dproperties.file.manual=/<>/debian/maven.properties
org.codehaus.plexus.classworlds.launcher.Launcher -s/etc/maven/settings-
debian.xml -Ddebian.dir=/<>/debian -
Dmaven.repo.local=/<>/debian/maven-repo --batch-mode test returned
exit code 1
make: *** [debian/rules:6: build] Error 25
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2


signature.asc
Description: This is a digitally signed message part

Bug#1057167: libapache-poi-java: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: libapache-poi-java
Version: 4.0.1-4
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

libapache-poi-java fails to build from source with bouncycastle 1.77. The
reason is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.

ompile-ooxml:
[javac] Compiling 589 source files to /<>/build/ooxml-classes
[javac] Ignoring source, target and bootclasspath as release has been set
[javac]
/<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLS
ignatureFacet.java:235: error: cannot find symbol
[javac] ASN1OctetString keyHashOctetString =
(ASN1OctetString)derTaggedObject.getObject();
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: variable derTaggedObject of type DERTaggedObject
[javac]
/<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLS
ignatureFacet.java:239: error: cannot find symbol
[javac] X500Name name =
X500Name.getInstance(derTaggedObject.getObject());
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: variable derTaggedObject of type DERTaggedObject
[javac] Note: Some input files use or override a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] Note:
/<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.j
ava uses unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 2 errors

BUILD FAILED
/<>/build.xml:1133: Compile failed; see the compiler error output
for details.



signature.asc
Description: This is a digitally signed message part

Bug#1057166: pgpainless: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: pgpainless
Version: 1.3.16-2
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

pgpainless fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log. It seems, in this case, just a test is
failing now.

Failures (1):
  JUnit Jupiter:CertifyCertificateTest:testKeyDelegation()
MethodSource [className =
'org.pgpainless.key.certification.CertifyCertificateTest', methodName =
'testKeyDelegation', methodParameterTypes = '']
=> org.pgpainless.exception.SignatureValidationException: Cannot verify
direct-key signature correctness
  
org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidat
or.java:547)
  
org.pgpainless.signature.consumer.SignatureVerifier.verifyDirectKeySignature(Si
gnatureVerifier.java:328)
  
org.pgpainless.key.certification.CertifyCertificateTest.testKeyDelegation(Certi
fyCertificateTest.java:98)
   java.base/java.lang.reflect.Method.invoke(Method.java:568)
   java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
   [...]
 Caused by: org.bouncycastle.openpgp.PGPException: signature is not a key
binding signature.
   org.bouncycastle.openpgp.PGPSignature.verifyCertification(Unknown
Source)
  
org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidat
or.java:539)
   [...]

Test run finished after 44748 ms
[   240 containers found  ]
[ 0 containers skipped]
[   240 containers started]
[ 0 containers aborted]
[   240 containers successful ]
[ 0 containers failed ]
[   732 tests found   ]
[ 1 tests skipped ]
[   731 tests started ]
[ 0 tests aborted ]
[   730 tests successful  ]
[ 1 tests failed  ]





signature.asc
Description: This is a digitally signed message part

Bug#1057165: libitext-java: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: libitext-java
Version: 2.1.7-14
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

libitext-java fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.



compile:
[mkdir] Created dir: /<>/build/bin
[javac] /<>/ant/compile.xml:45: warning: 'includeantruntime'
was not set, defaulting to build.sysclasspath=last; set to false for repeatable
builds
[javac] Using javac -source 1.5 is no longer supported, switching to 7
[javac] Using javac -target 1.5 is no longer supported, switching to 7
[javac] Compiling 359 source files to /<>/build/bin
[javac] warning: [options] bootstrap class path not set in conjunction with
-source 7
[javac] warning: [options] source value 7 is obsolete and will be removed
in a future release
[javac] warning: [options] target value 7 is obsolete and will be removed
in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use
-Xlint:-options.
[javac]
/<>/core/com/lowagie/text/pdf/MappedRandomAccessFile.java:58:
warning: [removal] AccessController in java.security has been deprecated and
marked for removal
[javac] import java.security.AccessController;
[javac] ^
[javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:356:
error: cannot find symbol
[javac] if (tag.getObject() instanceof ASN1Sequence) {
[javac]^
[javac]   symbol:   method getObject()
[javac]   location: variable tag of type ASN1TaggedObject
[javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:357:
error: cannot find symbol
[javac] seq = (ASN1Sequence)tag.getObject();
[javac]^
[javac]   symbol:   method getObject()
[javac]   location: variable tag of type ASN1TaggedObject
[javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:403:
error: cannot find symbol
[javac] ASN1Sequence content =
(ASN1Sequence)((DERTaggedObject)signedData.getObjectAt(1)).getObject();
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: class DERTaggedObject
[javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:435:
error: cannot find symbol
[javac] DEROctetString rsaDataContent =
(DEROctetString)((DERTaggedObject)rsaData.getObjectAt(1)).getObject();
[javac]   
^
[javac]   symbol:   method getObject()
[javac]   location: class DERTaggedObject
[javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:488:
error: cannot find symbol
[javac] ASN1Sequence seqin =
(ASN1Sequence)tg.getObject();
[javac]  ^
[javac]   symbol:   method getObject()
[javac]   location: variable tg of type ASN1TaggedObject
[javac] /<>/core/com/lowagie/text/pdf/FontDetails.java:264:
warning: [removal] Integer(int) in Integer has been deprecated and marked for
removal
[javac] Integer codeKey = new Integer(code);
[javac]   ^
[javac]
/<>/core/com/lowagie/text/pdf/TrueTypeFontUnicode.java:144:
warning: [removal] Integer(int) in Integer has been deprecated and marked for
removal
[javac] inverseCmap.put(new
Integer(metrics[0]), code);
[javac] ^
[javac]
/<>/core/com/lowagie/text/pdf/TrueTypeFontUnicode.java:150:
warning: [removal] Integer(int) in Integer has been deprecated and marked for
removal
[javac] return inverseCmap == null ? null : (Integer)
inverseCmap.get(new Integer(code));
[javac] 
 
^
[javac]
/<>/core/com/lowagie/text/pdf/MappedRandomAccessFile.java:203:
warning: [removal] AccessController in java.security has been deprecated and
marked for removal
[javac] Boolean b = (Boolean) AccessController.doPrivileged(new
PrivilegedAction() {
[javac]   ^
[javac] Note: Some input files use or override a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] Note: Some input files use unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 5 errors
[javac] 9 warnings


signature.asc
Description: This is a digitally signed message part

Bug#1057162: jglobus: FTBFS with bouncycastle 1.77

[Markus Koschany]

Source: jglobus
Version: 2.1.0-8.1
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

jglobus fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.

[ERROR] COMPILATION ERROR :
[INFO] -
[ERROR] 
/<>/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java:[63,46]
 cannot find symbol
  symbol:   method getObject()
  location: class org.bouncycastle.asn1.DERTaggedObject
[INFO] 1 error

Bug#1032164: bouncycastle: inconsistency in debian/rules?

[Markus Koschany]

Hi,

On Tue, 28 Feb 2023 22:08:12 +0100 Thomas Uhle
 wrote:
> Source: bouncycastle
> Version: 1.72-1
> Severity: normal
> 
> Dear maintainers,
> 
> I wonder why in debian/rules the pom files were synchronized with the 
> ones from Maven having the suffix "-jdk18on" while for building the binary 
> packages still "ant/jdk15+.xml" is used instead of "ant/jdk18+.xml".

Good question. Perhaps the jdk18+ jar files were breaking some reverse-
dependencies in the past. The soon to be released 1.77 version of bouncycastle
will require updates of several of those reverse-dependencies. As soon as those
issues are fixed, we can rebuild everything with jdk18+ again.




signature.asc
Description: This is a digitally signed message part

Bug#1019488: bouncycastle: incomplete information in the manifest files

[Markus Koschany]

This problem still exists in 1.77 (to be released soon). That sounds like a bnd
problem. I can find a reference to a bnd.sh script but it is not included in
the source distribution. There is also a add_module.sh script. If we can't find
a way to automate this build step, we could use jh_manifest which I would
prefer over the patch. 


signature.asc
Description: This is a digitally signed message part

Bug#1052589: Additional information

[Markus Koschany]

> > https://salsa.debian.org/java-team/apache-directory-server/-/merge_requests/1
> 
> The patch looks good to me.  Markus, do you have a preference for this
> patch over updating to M27?  I haven't looked closely at the efforts to
> update to M27 aside from the fact that our (other) patches will need to
> be ported, and there could be some build adjustments for the dependency
> on BouncyCastle.

Hi tony and thanks Vladimir for preparing the patch. 

I only had a brief look at this issue but I am all for applying the patch now
rather than wait before someone can upgrade apache-directory-server to a new
upstream release. If it works, go for it. :)

Cheers,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#975405: libwabt.js => sucess but need policy and help

[Markus Koschany]

Hey,

Am Montag, dem 13.11.2023 um 09:19 + schrieb Bastien Roucariès:

[...]
> Apo can I add myself to your package ? Do you care to comaintain with
> javascript team ?

I assume you are referring to wabt and this bug report [1] ?

Do you have a solution for the circular dependency that building libwabt.js
would create?

In general I would be totally fine if you or the Javascript team would
completely take over wabt and binaryen because both of them and emscripten are
closely related. See also #1052003; emscripten FTBFS with binaryen from
experimental.

Personally I only need wabt and binaryen to build WebAssembly code from source
for the ublock-origin Firefox/Chromium addon but I'm not really interested in
becoming more involved in the Javascript ecosystem. So feel free to take over
both packages and remove me as the maintainer.

Regards,

Markus

[1] https://bugs.debian.org/975405
 


signature.asc
Description: This is a digitally signed message part

Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

[Markus Koschany]

Control: reassign -1 trapperkeeper-webserver-jetty9-clojure
Control: found -1 1.7.0-2+deb10u1
Control: close -1 1.7.0-2+deb10u2

I have just released DLA 3647-1. I believe this problem is fixed in version
1.7.0-2+deb10u2 of trapperkeeper-webserver-jetty9-clojure now.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

[Markus Koschany]

Am Sonntag, dem 05.11.2023 um 20:35 + schrieb Adam D. Barratt:
> [...]
> After a bit of searching, I happened across a discussion of a similar
> change in a different product that mentioned the
> SslContextFactory$Server syntax, so gave that a try. The resulting
> package is now installed on handel.d.o and seems to work - at least,
> it's been running for 45 minutes now (whereas the broken versions
> lasted less than 5 minutes) and at least one client has successfully
> made a "puppet agent" run in the meantime.
> 
> I've attached a debdiff of the package we're now running, with the
> revised patch.

Great, thanks for the update. I feared the Java dot syntax couldn't be applied
one-to-one to Clojure. I suggest we wait another 24h to confirm it works and if
you don't see another regression then I'll release a new update tomorrow.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

[Markus Koschany]

Am Sonntag, dem 05.11.2023 um 16:33 + schrieb Adam D. Barratt:
> [...]
> Do you have an idea how simple rebuilding the bullseye package on
> buster would be? I'm happy to try that in general, but I've not really
> looked at the Java ecosystem in Debian much.

Sorry, I missed those new or updated dependencies. That complicates the matter
a little. We also have to deal with clojure here, a LISP dialect of the Java
language with a different build system (leiningen), but if all dependencies
were in place a rebuild would be pretty simple. As a last resort I could bundle
all those dependencies together with trapperkeeper-* the Java way TM but I hope
we can avoid that.

The most ideal solution is a patch for the current version in Buster. I have
uploaded a new revision to people.debian.org with minimal changes here:

https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/

dget -
x 
https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/
trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.1.dsc 

should work as expected. I'm attaching the debdiff as well.

My solution is to replace the old SslContextFactory class with the new inner
SslContextFactory.Server class but I don't know if this change has the desired
effect because I couldn't test it.

FTR, the already applied 0005-maint-Disable-EndpointIdentification.patch (new
in version +deb10u1) is related to the problem. Actually back then it did "fix"
the SSL problem and I'm a bit surprised it resurfaced now. 

There is also a third alternative. I could revert the split change in jetty9.

https://github.com/jetty/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913

If the new revision doesn't work for you, please send me your puppetdb config,
and I try to figure out a solution myself without the feedback loop delay.
Thanks in advance.

Regards,

Markus
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog	2019-09-13 11:00:50.0 +0200
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog	2023-11-05 18:06:31.0 +0100
@@ -1,3 +1,10 @@
+trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1.1) buster-security; urgency=medium
+
+  * Non-maintainer upload.
+  * Replace deprecated class SslContextFactory with SslContextFactory.Server.
+
+ -- Markus Koschany   Sun, 05 Nov 2023 18:06:31 +0100
+
 trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium
 
   [ Manfred Stock ]
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch	2019-09-13 10:54:48.0 +0200
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch	2023-11-05 18:06:31.0 +0100
@@ -1,4 +1,3 @@
-From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001
 From: Justin Stoller 
 Date: Fri, 24 May 2019 16:10:44 -0700
 Subject: [PATCH] (maint) Disable EndpointIdentification
@@ -30,10 +29,10 @@
  1 file changed, 1 insertion(+)
 
 diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
-index 3a577bb..02e7c7d 100644
+index 99c9885..28cfef7 100644
 --- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
 +++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj
-@@ -197,6 +197,7 @@
+@@ -192,6 +192,7 @@
(.setKeyStore (:keystore keystore-config))
(.setKeyStorePassword (:key-password keystore-config))
(.setTrustStore (:truststore keystore-config))
@@ -41,6 +40,3 @@
;; Need to clear out the default cipher suite exclude list so
;; that Jetty doesn't potentially remove one or more ciphers
;; that we want to be included.
--- 
-2.20.1
-
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series
--- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series	2019-09-13 10:54:48.0 +0200
+++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series	2023-11-05 18:06:31.0 +0100
@@ -3,3 +3,4 @@
 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch
 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch
 0005-maint-Disable-EndpointIdentification.patch
+SslContextFactory.patch
diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.patch trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/S

Bug#1055382: trapperkeeper-webserver-jetty9-clojure: end-of-life support for jetty9

[Markus Koschany]

Source: trapperkeeper-webserver-jetty9-clojure
Version: 4.4.1-5
Severity: normal
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

this is a heads-up to let you know that jetty9 has reached its
end-of-life and will not receive official upstream security support anymore.

I plan to package a supported jetty version this release cycle which
will replace jetty9 eventually. At the moment jetty 11 seems to be the
best version because it supports the Jakarta servlet API but this is
not finally decided yet.

It seems trapperkeeper-webserver-jetty9-clojure is tightly coupled
with puppetdb and jetty9 is currently the only supported version.
Please prepare for the removal of jetty9 during the trixie release
cycle. If this is not feasible then there will be no security support
for jetty9 and thus puppetdb anymore.

Regards,

Markus

Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

[Markus Koschany]

Hello,

Am Samstag, dem 04.11.2023 um 17:03 + schrieb Adam D. Barratt:
> Source: jetty9
> Version: 9.4.50-4+deb10u1
> Severity: serious
> X-Debbugs-Cc: d...@debian.org
> 
> Hi,
> 
> Upgrading libjetty9-java and libjetty9-extra-java to the version from
> DLA 3641-1 reliably causes PuppetDB to fail to start, with the
> stacktrace shown below. Downgrading resolves the issue.
> 
> I'm not sure which keystore is being referred to, but none of the files
> listed in /etc/puppetdb/conf.d/jetty.ini appear to contain more than a
> single certificate.

thanks for the report. This looks like a bug in trapperkeeper-webserver-jetty9-
clojure to me. Upstream commit

https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/3ee6a410436c1a236ca33d511c5373c3328054ef

appears to address the problem. The version in Buster lacks the
InternalSslContextFactory class though. Instead the deprecated
SslContextFactory class is referenced in jetty9_config.clj and
jetty9_core.clj. 

My first idea is to change SslContextFactory occurrences to
SslContextFactory.Server.

Backporting the version of trapperkeeper-webserver-jetty9-clojure from Bullseye
to Buster is the second one. AFAICS puppetdb and puppetserver are the only
consumers.

Could you install the version of trapperkeeper-webserver-jetty9-clojure from
Bullseye and reinstall the jetty9 security update and report back if this
solves your problem?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1054122: bookworm-pu: package axis/1.4-28

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.

[ Tests ]

The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.

[ Risks ]

Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third
party applications outside of Debian but better safe than sorry.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog   2018-12-03 08:25:51.0 +0100
+++ axis-1.4/debian/changelog   2023-10-17 14:05:20.0 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-40743:
+When integrating Apache Axis 1.x in an application, it may not have been
+obvious that looking up a service through "ServiceFactory.getService"
+allows potentially dangerous lookup mechanisms such as LDAP. When passing
+untrusted input to this API method, this could expose the application to
+DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany   Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
   * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch 
axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch1970-01-01 
01:00:00.0 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch2023-10-17 
14:05:20.0 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany 
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java 
b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
 b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ 
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++  if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || 
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 
|| name.toUpperCase().indexOf("JMX")!=-1) || 
name.toUpperCase().indexOf("JRMP")!=-1 || 
name.toUpperCase().indexOf("JAVA")!=-1 || 
name.toUpperCase().indexOf("DNS")!=-1)  {
++  return null;
++}
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++  return null;
+ }
+ }
+ } else {
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series  2018-12-03 00:33:50.0 +0100
+++ axis-1.4/debian/patches/series  2023-10-17 14:05:20.0 +0200
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch

Bug#1054121: bullseye-pu: package axis/1.4-28

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.

[ Tests ]

The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.

[ Risks ]

Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third
party applications outside of Debian but better safe than sorry.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog   2018-12-03 08:25:51.0 +0100
+++ axis-1.4/debian/changelog   2023-10-17 14:05:20.0 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-40743:
+When integrating Apache Axis 1.x in an application, it may not have been
+obvious that looking up a service through "ServiceFactory.getService"
+allows potentially dangerous lookup mechanisms such as LDAP. When passing
+untrusted input to this API method, this could expose the application to
+DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany   Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
   * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch 
axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch1970-01-01 
01:00:00.0 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch2023-10-17 
14:05:20.0 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany 
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java 
b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
 b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ 
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++  if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || 
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 
|| name.toUpperCase().indexOf("JMX")!=-1) || 
name.toUpperCase().indexOf("JRMP")!=-1 || 
name.toUpperCase().indexOf("JAVA")!=-1 || 
name.toUpperCase().indexOf("DNS")!=-1)  {
++  return null;
++}
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++  return null;
+ }
+ }
+ } else {
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series  2018-12-03 00:33:50.0 +0100
+++ axis-1.4/debian/patches/series  2023-10-17 14:05:20.0 +0200
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch

Bug#1053820: fixed in tomcat9 9.0.43-2~deb11u8

[Markus Koschany]

Am Dienstag, dem 17.10.2023 um 08:00 +1100 schrieb Sam Lander:
> Hi Emmanuel
> Last night, I re-enabled HTTP2 with the new (9.0.43-2~deb11u8) build.
> Unfortunately, it did not fix my problem.
> I am going to rummage with tcpdump and a purpose-installed debian VM to
> investigate further. 
> Hopefully I can either track the problem down myself (not very likely), or at
> least offer you a better quality bug report.
> 

Hello Sam,

there was another issue that we only found today. HTTP2 should work as expected
in version 9.0.43-2~deb11u9 again. It will be released shortly.

Regards,

Markus












signature.asc
Description: This is a digitally signed message part

Bug#1053820: libtomcat9-java: ERR_HTTP2_PROTOCOL_ERROR in browsers after upgrade 9.0.43-2~deb11u7 over u6

[Markus Koschany]

Hello and thanks for the report,

I am currently looking into some test failures caused by the recent changes to
Tomcat's HTTP2 stack. The following tests fail for Tomcat9 now. Your issue
might be related. If we can find out more about the problem, we will address it
in a future update as soon as possible.

[concat] TEST-org.apache.coyote.http2.TestAsync.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestAsync.NIO2.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_1.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_1.NIO2.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_2.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_2.NIO2.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_4.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_4.NIO2.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_5.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_5.NIO2.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Timeouts.NIO.txt
[concat] TEST-org.apache.coyote.http2.TestHttp2Timeouts.NIO2.txt   



Markus



signature.asc
Description: This is a digitally signed message part

Bug#1053461: bookworm-pu: package openrefine/3.6.2-2+deb12u1

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-41886 and CVE-2023-41887.

OpenRefine is a powerful free, open source tool for working with messy
data. Prior to this version, a remote code execution vulnerability
allows any unauthenticated user to execute code on the server.

[ Tests ]

I have verified that the new test case works as expected.

[ Risks ]

Low, leaf package, all tests work as expected.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]

Please note that I have previously uploaded another bookworm-pu,
#1051429, to fix CVE-2023-37476. This update addresses the new CVE
mentioned in this bug report. CVE-2023-37476 has been fixed with
3.6.2-2+deb12u1 already.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2023-41887 and CVE-2023-41886:
+OpenRefine is a powerful free, open source tool for working with messy
+data. Prior to this version, a remote code execution vulnerability allows
+any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany   Wed, 04 Oct 2023 15:02:45 +0200
+
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
 
   * Fix CVE-2023-37476:
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch 
b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@
+From: Markus Koschany 
+Date: Wed, 4 Oct 2023 14:39:55 +0200
+Subject: CVE-2023-41887 and CVE-2023-41886
+
+Origin: 
https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
+---
+ .../extension/database/DatabaseConfiguration.java   | 16 
+ .../database/mariadb/MariaDBConnectionManager.java  | 12 +---
+ .../database/mysql/MySQLConnectionManager.java  | 11 +--
+ .../database/pgsql/PgSQLConnectionManager.java  | 11 +--
+ .../database/sqlite/SQLiteConnectionManager.java|  9 -
+ .../database/DatabaseConfigurationTest.java | 21 +
+ 6 files changed, 48 insertions(+), 32 deletions(-)
+ create mode 100644 
extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 47dad7f..3f0dd57 100644
+--- 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -29,6 +29,9 @@
+ package com.google.refine.extension.database;
+ 
+ 
++import java.net.URI;
++import java.net.URISyntaxException;
++
+ public class DatabaseConfiguration {
+ 
+ private String connectionName;
+@@ -128,4 +131,17 @@ public class DatabaseConfiguration {
+ 
+ 
+ 
++public URI toURI() {
++try {
++return new URI(
++"jdbc:" + databaseType.toLowerCase(),
++databaseHost + ((databasePort == 0) ? "" : (":" + 
databasePort)),
++"/" + databaseName,
++useSSL ? "useSSL=true" : null,
++null
++);
++} catch (URISyntaxException e) {
++throw new IllegalArgumentException(e);
++}
++}
+ }
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
 
b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+index 4af014a..04c7dc8 100644
+--- 
a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
 
b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+@@ -139,7 +139,7 @@ public class MariaDBConnectionManager {
+ 
+ Class.forName(type.getClassPath());
+ DriverManager.setLoginTimeout(10);
+-String dbURL = getDatabaseUrl(databaseConfiguration);
++String dbURL = databaseConfiguration.toURI().toString();
+ connection = DriverManager.getConnection(dbURL, 
databaseConfiguration.getDatabaseUser(),
+ databaseConfiguration.getDatabasePassword());
+ 
+@@ -173,14 +173,4 @@ public class MariaDBConnectionManager {
+ }
+  
+ }
+-
+-
+-   
+-private static St

Bug#1052575: jss: CVE-2022-4132

[Markus Koschany]

Package: jss
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jss.

CVE-2022-4132[0]:
Tomcat: Memory leak in JSS


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4132
https://www.cve.org/CVERecord?id=CVE-2022-4132

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1052572: hoteldruid: CVE-2023-43371 CVE-2023-43373 CVE-2023-43374 CVE-2023-43375 CVE-2023-43376 CVE-2023-43377

[Markus Koschany]

Package: hoteldruid
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for hoteldruid.

CVE-2023-43371[0]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the numcaselle parameter at
| /hoteldruid/creaprezzi.php.


CVE-2023-43373[1]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the n_utente_agg parameter at
| /hoteldruid/interconnessioni.php.


CVE-2023-43374[2]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the id_utente_log parameter at
| /hoteldruid/personalizza.php.


CVE-2023-43375[3]:
| Hoteldruid v3.0.5 was discovered to contain multiple SQL injection
| vulnerabilities at /hoteldruid/clienti.php via the annonascita,
| annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita,
| and mesescaddoc parameters.


CVE-2023-43376[4]:
| A cross-site scripting (XSS) vulnerability in
| /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to
| execute arbitrary web scripts or HTML via a crafted payload injected
| into the nometipotariffa1 parameter.


CVE-2023-43377[5]:
| A cross-site scripting (XSS) vulnerability in
| /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows
| attackers to execute arbitrary web scripts or HTML via a crafted
| payload injected into the destinatario_email1 parameter.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43371
https://www.cve.org/CVERecord?id=CVE-2023-43371
[1] https://security-tracker.debian.org/tracker/CVE-2023-43373
https://www.cve.org/CVERecord?id=CVE-2023-43373
[2] https://security-tracker.debian.org/tracker/CVE-2023-43374
https://www.cve.org/CVERecord?id=CVE-2023-43374
[3] https://security-tracker.debian.org/tracker/CVE-2023-43375
https://www.cve.org/CVERecord?id=CVE-2023-43375
[4] https://security-tracker.debian.org/tracker/CVE-2023-43376
https://www.cve.org/CVERecord?id=CVE-2023-43376
[5] https://security-tracker.debian.org/tracker/CVE-2023-43377
https://www.cve.org/CVERecord?id=CVE-2023-43377

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1052553: bookworm-pu: package libapache-mod-jk/1:1.2.48-2

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-41081 in Bookworm.
Unintended exposure of the status worker and/or bypass security constraints
configured in httpd by using implicit mapping.

[ Tests ]

Implicit mapping no longer works with this update and users must
explicitly configure it. Otherwise an error message is logged now
which means the update works as intended.

[ Risks ]

Users who unintentionally relied on the implicit mapping functionality
will have to update their configuration but this is intended and
needed to avoid the bypass of other security constraints.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru libapache-mod-jk-1.2.48/debian/changelog 
libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog2023-02-18 19:17:18.0 
+0100
+++ libapache-mod-jk-1.2.48/debian/changelog2023-09-24 16:40:59.0 
+0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high
+
+  * Fix CVE-2023-41081:
+The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
+forward requests from Apache to Tomcat, in some circumstances, such as when
+a configuration included "JkOptions +ForwardDirectories" but the
+configuration did not provide explicit mounts for all possible proxied
+requests, mod_jk would use an implicit mapping and map the request to the
+first defined worker. Such an implicit mapping could result in the
+unintended exposure of the status worker and/or bypass security constraints
+configured in httpd. As of this security update, the implicit mapping
+functionality has been removed and all mappings must now be via explicit
+configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
+(Closes: #1051956)
+
+ -- Markus Koschany   Sun, 24 Sep 2023 16:40:59 +0200
+
 libapache-mod-jk (1:1.2.48-2) unstable; urgency=medium
 
   * Declare compliance with Debian Policy 4.6.2.
diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 
libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch
--- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 
01:00:00.0 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 
16:40:59.0 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany 
+Date: Sun, 24 Sep 2023 16:39:43 +0200
+Subject: CVE-2023-41081
+
+Bug-Debian: https://bugs.debian.org/1051956
+Origin: 
https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
+---
+ native/apache-2.0/mod_jk.c | 19 ---
+ 1 file changed, 19 deletions(-)
+
+diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c
+index b755116..d9345d7 100644
+--- a/native/apache-2.0/mod_jk.c
 b/native/apache-2.0/mod_jk.c
+@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r)
+ rconf->rule_extensions = e;
+ }
+ }
+-else if (worker_env.num_of_workers == 1) {
+-  /** We have a single worker ( the common case ).
+-  ( lb is a bit special, it should count as a single worker but
+-  I'm not sure how ). We also have a manual config directive that
+-  explicitly give control to us. */
+-worker_name = worker_env.worker_list[0];
+-if (JK_IS_DEBUG_LEVEL(xconf->log))
+-jk_log(xconf->log, JK_LOG_DEBUG,
+-   "Single worker (%s) configuration for %s",
+-   worker_name, r->uri);
+-}
+ else {
+ if (!xconf->uw_map) {
+ if (JK_IS_DEBUG_LEVEL(xconf->log))
+@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r)
+ r->uri = clean_uri;
+ }
+ }
+-
+-if (worker_name == NULL && worker_env.num_of_workers) {
+-worker_name = worker_env.worker_list[0];
+-if (JK_IS_DEBUG_LEVEL(xconf->log))
+-jk_log(xconf->log, JK_LOG_DEBUG,
+-   "Using first worker (%s) from %d workers for %s",
+-   worker_name, worker_env.num_of_workers, r->uri);
+-}
+ }
+ if (worker_name)
+ apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name);
diff -Nru libapache-mod-jk-1.2.48/debian/patches/series 
libapache-mod-jk-1.2.48/debian/patches/series
--- libapache-mod-jk-1.2.48/debian/patches/series   2023-02-18 
19:17:18.0 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/series   2023-09-24 
16:40:59.0 

Bug#1052552: bullseye-pu: package libapache-mod-jk/1:1.2.48-1

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


[ Reason ]

Fixing CVE-2023-41081 in Bullseye.
Unintended exposure of the status worker and/or bypass security constraints
configured in httpd by using implicit mapping.

[ Tests ]

Implicit mapping no longer works with this update and users must
explicitly configure it. Otherwise an error message is logged now
which means the update works as intended.

[ Risks ]

Users who unintentionally relied on the implicit mapping functionality
will have to update their configuration but this is intended and
needed to avoid the bypass of other security constraints.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru libapache-mod-jk-1.2.48/debian/changelog 
libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog2020-06-04 21:42:29.0 
+0200
+++ libapache-mod-jk-1.2.48/debian/changelog2023-09-24 17:09:51.0 
+0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high
+
+  * Fix CVE-2023-41081:
+The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
+forward requests from Apache to Tomcat, in some circumstances, such as when
+a configuration included "JkOptions +ForwardDirectories" but the
+configuration did not provide explicit mounts for all possible proxied
+requests, mod_jk would use an implicit mapping and map the request to the
+first defined worker. Such an implicit mapping could result in the
+unintended exposure of the status worker and/or bypass security constraints
+configured in httpd. As of this security update, the implicit mapping
+functionality has been removed and all mappings must now be via explicit
+configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
+(Closes: #1051956)
+
+ -- Markus Koschany   Sun, 24 Sep 2023 17:09:51 +0200
+
 libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium
 
   * New upstream version 1.2.48.
diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 
libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch
--- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 
01:00:00.0 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 
17:09:51.0 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany 
+Date: Sun, 24 Sep 2023 16:39:43 +0200
+Subject: CVE-2023-41081
+
+Bug-Debian: https://bugs.debian.org/1051956
+Origin: 
https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
+---
+ native/apache-2.0/mod_jk.c | 19 ---
+ 1 file changed, 19 deletions(-)
+
+diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c
+index b755116..d9345d7 100644
+--- a/native/apache-2.0/mod_jk.c
 b/native/apache-2.0/mod_jk.c
+@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r)
+ rconf->rule_extensions = e;
+ }
+ }
+-else if (worker_env.num_of_workers == 1) {
+-  /** We have a single worker ( the common case ).
+-  ( lb is a bit special, it should count as a single worker but
+-  I'm not sure how ). We also have a manual config directive that
+-  explicitly give control to us. */
+-worker_name = worker_env.worker_list[0];
+-if (JK_IS_DEBUG_LEVEL(xconf->log))
+-jk_log(xconf->log, JK_LOG_DEBUG,
+-   "Single worker (%s) configuration for %s",
+-   worker_name, r->uri);
+-}
+ else {
+ if (!xconf->uw_map) {
+ if (JK_IS_DEBUG_LEVEL(xconf->log))
+@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r)
+ r->uri = clean_uri;
+ }
+ }
+-
+-if (worker_name == NULL && worker_env.num_of_workers) {
+-worker_name = worker_env.worker_list[0];
+-if (JK_IS_DEBUG_LEVEL(xconf->log))
+-jk_log(xconf->log, JK_LOG_DEBUG,
+-   "Using first worker (%s) from %d workers for %s",
+-   worker_name, worker_env.num_of_workers, r->uri);
+-}
+ }
+ if (worker_name)
+ apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name);
diff -Nru libapache-mod-jk-1.2.48/debian/patches/series 
libapache-mod-jk-1.2.48/debian/patches/series
--- libapache-mod-jk-1.2.48/debian/patches/series   2020-06-04 
21:42:29.0 +0200
+++ libapache-mod-jk-1.2.48/debian/patches/series   2023-09-24 
17:09:51.0 +0200
@@ -1,2 

Bug#1052197: xrdp: after bullseye-security upgrade, empty turquoise screen after logging in

[Markus Koschany]

I have just rebuilt and uploaded xorgxrdp 0.2.12-1+deb11u1 to bullseye-
security. That should resolve the problem at hand.

However I recommend to keep this bug report open and try to address the
dependency problem between xrdp and xorgxrdp. If you claim that without a
rebuild of xorgxrdp a new upstream version of xrdp would be broken, then this
is a strong indication that xorgxrdp should be more than a recommendation in
Debian terms:

From the Debian Policy "Declaring relationships between packages"

"The Depends field should be used if the depended-on package is required for
the depending package to provide a significant amount of functionality."

If xrdp only works with a specific version of xorgxrdp then this is true in my
opinion and the recommendation should be changed to a Depends.

We had a similar issue with librhino-java and shrinksafe in the recent past.
librhino-java had to declare a versioned Breaks on shrinksafe and shrinksafe
had to add a versioned (Build-)Depends on rhino/librhino-java. In my opinion we
have the exact same situation here. In any case I leave that to the maintainers
of xrdp/xorgxrdp to resolve.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1052197: xrdp: after bullseye-security upgrade, empty turquoise screen after logging in

[Markus Koschany]

Hello,

the new Bullseye version of xrdp is identical to the version in Bookworm. Thus
the underlying problem is probably more complex and I don't suspect that
something is wrong with xrdp itself but more likely with a configuration option
or related software packages which do something different than in Bookworm.

I have tried to reproduce the problem on Bullseye with Gnome 3 installed. The
problem here is that gnome-remote-desktop appears to interfere with xrdp, so
I'm not totally sure what is caused by Gnome and what might be a bug in xrdp.
Then I restarted the session with Gnome in Xorg mode and a remote connection to
the xrdp server succeeded. However I got a black background instead of the
normal wallpaper I have. Applications were shown correctly though. 

I definitely need more information about your setup or xrdp in general to debug
this issue. Possible reasons for the behavior may be:

1. TLS / connection problem ? Did you do "adduser xrdp ssl-cert" ? Maybe a new
TLS configuration option in 0.9.21.1?

2. graphic drivers ? I read that hardware accelerated drivers may cause such
problems. Maybe try to disable them and use software rendering only?
LIBGL_ALWAYS_SOFTWARE = true

Please also upload the following log files: 

/var/log/xrdp-sesman.log
/var/log/xrdp.log
~/.xsession-errors

and 

journalctl -S -2m 

or something similar may provide more information about error messages, etc.

~/.xorgxrdp.10.log seems to belong to xorgxrdp. The package is only recommended
but I wonder if the problem is potentially caused by it. xrdp is a build-
dependency which suggests it might need a rebuild? But on the other hand then
recommending the package would be wrong and it should be added to Depends.
Someone else would have stumbled upon this sooner I guess.

Regards,

Markus





signature.asc
Description: This is a digitally signed message part

Bug#1042140: trophy: FTBFS: undefined reference to `pthread_mutexattr_setkind_np'

[Markus Koschany]

Control: reassign -1 src:clanlib
Control: tags -1 pending

This is actually a bug in clanlib which surfaced because of the recent uploads
/ rebuilds against glibc > 2.34. The pthread_mutexattr_setkind_np symbol is
obsolete and has been replaced by pthread_mutexattr_settype.




signature.asc
Description: This is a digitally signed message part

Bug#1052003: emscripten: FTBFS with binaryen in experimental

[Markus Koschany]

Package: emscripten
Version: 3.1.6~dfsg-5
Severity: important
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

emscripten fails to build from source with the latest version of
binaryen, currently 116, in experimental.

I'm attaching the complete build log. I intend to upload a new version
of binaryen to unstable next year because I know that emscripten has
no real maintainer and is currently maintained by the QA team. I will
ping this bug report again before I do the upload but I hope someone
else can look into this problem before that.

I wonder if emscripten should embed the exact version of binaryen
required to build the package to avoid a circular dependency (because
then I could use emscripten to build wabt.js for example).

These are the last log lines when emscripten fails:

embuilder:INFO: building struct_info
cache:INFO: generating system asset: 
sysroot/lib/wasm32-emscripten/struct_info.json... (this will be cached in 
"/<>/debian/em_cache/sysroot/lib/wasm32-emscripten/struct_info.json"
 for subsequent builds)
emscripten:ERROR: emscript: failure to parse metadata output from 
wasm-emscripten-finalize. raw output is: 

Traceback (most recent call last):
  File "/<>/emcc.py", line 3947, in 
sys.exit(main(sys.argv))
 ^^
  File "/usr/lib/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
   ^^^
  File "/<>/emcc.py", line 3940, in main
ret = run(args)
  ^
  File "/<>/emcc.py", line 1199, in run
phase_post_link(options, state, wasm_target, wasm_target, target)
  File "/usr/lib/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
   ^^^
  File "/<>/emcc.py", line 2753, in phase_post_link
phase_emscript(options, in_wasm, wasm_target, memfile)
  File "/usr/lib/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
   ^^^
  File "/<>/emcc.py", line 2781, in phase_emscript
emscripten.run(in_wasm, wasm_target, final_js, memfile)
  File "/<>/emscripten.py", line 932, in run
emscript(in_wasm, out_wasm, outfile_js, memfile)
  File "/<>/emscripten.py", line 297, in emscript
metadata = finalize_wasm(in_wasm, out_wasm, memfile)
   ^
  File "/<>/emscripten.py", line 521, in finalize_wasm
metadata = get_metadata_binaryen(infile, outfile, modify_wasm, args)
   ^
  File "/usr/lib/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
   ^^^
  File "/<>/emscripten.py", line 406, in get_metadata_binaryen
metadata = load_metadata_json(stdout)
   ^^
  File "/<>/emscripten.py", line 851, in load_metadata_json
metadata_json = json.loads(metadata_raw)

  File "/usr/lib/python3.11/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
   ^^
  File "/usr/lib/python3.11/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
   ^^
  File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
FAIL: Compilation failed!: ['emcc', '-D_GNU_SOURCE', '-o', 
'/tmp/tmp3mop6qgt.js', '/tmp/tmpelb1y5rp.c', '-O0', '-Werror', '-Wno-format', 
'-nostdlib', 
'/<>/debian/em_cache/sysroot/lib/wasm32-emscripten/libcompiler_rt.a',
 '-sMEMORY64=0', '-sBOOTSTRAPPING_STRUCT_INFO=1', '-sLLD_REPORT_UNDEFINED=1', 
'-sSTRICT', '-sSINGLE_FILE', '-Wno-error=version-check', '-Wno-deprecated']
make[1]: *** [debian/rules:195: override_dh_auto_build] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:378: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2


emscripten_3.1.6~dfsg-5.gz
Description: application/gzip

Bug#1029064: Lintian Bug

[Markus Koschany]

Control: forwarded -1 https://github.com/WebAssembly/binaryen/issues/5947




signature.asc
Description: This is a digitally signed message part

Bug#1015358: binaryen: ftbfs with LTO (link time optimization) enabled

[Markus Koschany]

Control: forwarded -1 https://github.com/WebAssembly/binaryen/issues/5946


signature.asc
Description: This is a digitally signed message part

Bug#1051429: bookworm-pu: package openrefine/3.6.2-2

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-37476 in Bookworm.

[ Tests ]

The patch checks if file paths inside Zip/Tar archives are valid and do not
try to escape their root directory. The code looks reasonable to me.

[ Risks ]

The code is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog
--- openrefine-3.6.2/debian/changelog   2023-04-05 20:20:17.0 +0200
+++ openrefine-3.6.2/debian/changelog   2023-09-07 21:22:17.0 +0200
@@ -1,3 +1,13 @@
+openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-37476:
+OpenRefine is a free, open source tool for data processing. A carefully
+crafted malicious OpenRefine project tar file can be used to trigger
+arbitrary code execution in the context of the OpenRefine process if a user
+can be convinced to import it. (Closes: #1041422)
+
+ -- Markus Koschany   Thu, 07 Sep 2023 21:22:17 +0200
+
 openrefine (3.6.2-2) unstable; urgency=medium
 
   * Depend on libjoda-time-java and liboro-java.
diff -Nru openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 
openrefine-3.6.2/debian/patches/CVE-2023-37476.patch
--- openrefine-3.6.2/debian/patches/CVE-2023-37476.patch1970-01-01 
01:00:00.0 +0100
+++ openrefine-3.6.2/debian/patches/CVE-2023-37476.patch2023-09-07 
21:22:17.0 +0200
@@ -0,0 +1,24 @@
+From: Markus Koschany 
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: 
https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java 
b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
 b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager  {
+ 
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++if 
(!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++throw new IllegalArgumentException("Zip archives with files 
escaping their root directory are not allowed.");
++}
+ File parent = destEntry.getParentFile();
+ 
+ if (!parent.exists()) {
diff -Nru openrefine-3.6.2/debian/patches/series 
openrefine-3.6.2/debian/patches/series
--- openrefine-3.6.2/debian/patches/series  2023-04-05 20:20:17.0 
+0200
+++ openrefine-3.6.2/debian/patches/series  2023-09-07 21:22:17.0 
+0200
@@ -4,3 +4,4 @@
 log4j-api.patch
 no-java-files.patch
 gdata-extension.patch
+CVE-2023-37476.patch

Bug#1050044: bullseye-pu: package rar/2:5.5.0-1

[Markus Koschany]

There was another vulnerability, CVE-2023-40477, fixed in version 2:6.23-
1~deb11u1 now.


signature.asc
Description: This is a digitally signed message part

Bug#1050612: bookworm-pu: package rar/2:6.20.0.1

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Please see Debian bug #1050044. Same reasoning applies to Bookworm.
Here rar is only affected by CVE-2023-40477 though.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

rar is a binary blob which is why I cannot provide a useful debdiff.

Regards,

Markus

Bug#1050119: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1

[Markus Koschany]

Another security vulnerability was discovered in unrar-nonfree, CVE-2023-40477.
This issue has been corrected in 1:6.0.3-1+deb11u3. I'm attaching the new
debdiff.

Regards,

Markus
diff -Nru unrar-nonfree-6.0.3/debian/changelog unrar-nonfree-6.0.3/debian/changelog
--- unrar-nonfree-6.0.3/debian/changelog	2022-05-10 13:26:16.0 +0200
+++ unrar-nonfree-6.0.3/debian/changelog	2023-08-23 17:36:17.0 +0200
@@ -1,3 +1,19 @@
+unrar-nonfree (1:6.0.3-1+deb11u3) bullseye; urgency=high
+
+  * Fix CVE-2023-40477
+
+ -- YOKOTA Hiroshi   Thu, 24 Aug 2023 00:36:17 +0900
+
+unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high
+
+  [ Markus Koschany ]
+  * Fix CVE-2022-48579:
+It was discovered that UnRAR, an unarchiver for rar files, allows
+extraction of files outside of the destination folder via symlink chains.
+(Closes: #1050080)
+
+ -- YOKOTA Hiroshi   Thu, 17 Aug 2023 21:04:50 +0900
+
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 
   * Fix CVE-2022-30333 (Closes: #1010837)
diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
--- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch	1970-01-01 01:00:00.0 +0100
+++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch	2023-08-23 17:36:17.0 +0200
@@ -0,0 +1,429 @@
+From: Markus Koschany 
+Date: Mon, 14 Aug 2023 15:43:54 +0200
+Subject: CVE-2022-48579
+
+Origin: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f
+---
+ arcread.cpp   |  4 ++-
+ extinfo.cpp   | 89 +++
+ extinfo.hpp   |  3 +-
+ extract.cpp   | 44 +
+ extract.hpp   |  6 
+ hardlinks.cpp |  2 --
+ model.cpp |  6 ++--
+ os.hpp|  1 +
+ pathfn.cpp| 14 +++---
+ timefn.hpp| 11 
+ ulinks.cpp|  6 ++--
+ win32stm.cpp  |  9 --
+ 12 files changed, 170 insertions(+), 25 deletions(-)
+
+diff --git a/arcread.cpp b/arcread.cpp
+index d1df6c0..63858d9 100644
+--- a/arcread.cpp
 b/arcread.cpp
+@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File *DestFile,bool TestMode)
+   {
+ if (SubHead.UnpSize>0x100)
+ {
+-  // So huge allocation must never happen in valid archives.
++  // Prevent the excessive allocation. When reading to memory, normally
++  // this function operates with reasonably small blocks, such as
++  // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream.
+   uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName);
+   return false;
+ }
+diff --git a/extinfo.cpp b/extinfo.cpp
+index 5cb90a4..0f25f31 100644
+--- a/extinfo.cpp
 b/extinfo.cpp
+@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name)
+ }
+ 
+ 
++// Delete symbolic links in file path, if any, and replace them by directories.
++// Prevents extracting files outside of destination folder with symlink chains.
++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring )
++{
++  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
++  // "lnk1/../dir", but converts the path to "dir". In Unix we need to call
++  // this function to prevent placing unpacked files outside of destination
++  // folder if previously we unpacked "dir/lnk1" -> "..",
++  // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt".
++  // We may still need this function to prevent abusing symlink chains
++  // in link source path if we remove detection of such chains
++  // in IsRelativeSymlinkSafe. This function seems to make other symlink
++  // related safety checks redundant, but for now we prefer to keep them too.
++  //
++  // 2022.12.01: the performance impact is minimized after adding the check
++  // against the previous path and enabling this verification only after
++  // extracting a symlink with ".." in target. So we enabled it for Windows
++  // as well for extra safety.
++//#ifdef _UNIX
++  wchar Path[NM];
++  if (wcslen(SrcName)>=ASIZE(Path))
++return false;  // It should not be that long, skip.
++  wcsncpyz(Path,SrcName,ASIZE(Path));
++
++  size_t SkipLength=wcslen(SkipPart);
++
++  if (SkipLength>0 && wcsncmp(Path,SkipPart,SkipLength)!=0)
++SkipLength=0; // Parameter validation, not really needed now.
++
++  // Do not check parts already checked in previous path to improve performance.
++  for (uint I=0;Path[I]!=0 && ISkipLength)
++  SkipLength=I;
++
++  wchar *Name=Path;
++  if (SkipLength>0)
++  {
++// Avoid converting symlinks in destination path part specified by user.
++Name+=SkipLength;
++while (IsPathDiv(*Name))
++  Name++;
++  }
++
++  for (wchar *s=Path+wcslen(Path)-1;s>Name;s--)
++if (IsPathDiv(*s))
++{
++  *s=0;
++  FindData FD;
++  if (FindFile::FastFind(Path,,true) &

Bug#1050311: bookworm-pu: package imlib2/1.10.0-4

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


[ Reason ]

Fixing Debian bug #1041406 in Bookworm. imlib_clone_image()
no longer preserves the alpha channel flag.

[ Impact ]

This was an unintentional upstream change which also affects
libimage-imlib2-perl and every developer who relies on the preservation of
the alpha channel flag in imlib_clone_image()

[ Tests ]

Debian bug #1041406 has a test program attached which demonstrates the
regression in Bookworm and that 1.10.0-4+deb12u1 contains the fix.

[ Risks ]

Low. This is a straightforward fix with a clear reproducer.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


Regards,

Markus
diff -Nru imlib2-1.10.0/debian/changelog imlib2-1.10.0/debian/changelog
--- imlib2-1.10.0/debian/changelog  2023-01-02 23:10:40.0 +0100
+++ imlib2-1.10.0/debian/changelog  2023-08-22 22:52:24.0 +0200
@@ -1,3 +1,10 @@
+imlib2 (1.10.0-4+deb12u1) bookworm; urgency=medium
+
+  *  Fix imlib_clone_image() no longer preserves the alpha channel flag.
+ (Closes: #1041406)
+
+ -- Markus Koschany   Tue, 22 Aug 2023 22:52:24 +0200
+
 imlib2 (1.10.0-4) unstable; urgency=medium
 
   * Really ignore libjxl-dev on s390x.
diff -Nru imlib2-1.10.0/debian/patches/debian-bug-1041406.patch 
imlib2-1.10.0/debian/patches/debian-bug-1041406.patch
--- imlib2-1.10.0/debian/patches/debian-bug-1041406.patch   1970-01-01 
01:00:00.0 +0100
+++ imlib2-1.10.0/debian/patches/debian-bug-1041406.patch   2023-08-22 
22:52:24.0 +0200
@@ -0,0 +1,38 @@
+From 173edae4bf72e01b0dada41a406d34f976b1fc28 Mon Sep 17 00:00:00 2001
+From: Kim Woelders 
+Date: Wed, 19 Jul 2023 18:11:08 +0200
+Subject: [PATCH] image: Fix preservation of alpha chanel flag in
+ imlib_clone_image()
+
+https://git.enlightenment.org/old/legacy-imlib2/issues/17:
+
+As per subject, the imlib_clone_image() function no longer preserves
+the alpha channel value since imlib2 1.10.0.
+
+This bug report was initially filed by Niko Tyni in Debian's bug tracker.
+If you follow the subsequent link you will also find a test program that
+demonstrates the regression.
+
+https://bugs.debian.org/1041406
+
+This upstream change is most likely the root cause of the problem
+
+b39d33c800
+
+It looks like an oversight where other functions were adapted
+to the new alpha channel implementation, but imlib_clone_image() remains
+unchanged and only copies the flags and not the new alpha byte.
+---
+ src/lib/api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/lib/api.c
 b/src/lib/api.c
+@@ -1017,6 +1017,7 @@ imlib_clone_image(void)
+ return NULL;
+  }
+memcpy(im->data, im_old->data, im->w * im->h * sizeof(uint32_t));
++   im->has_alpha = im_old->has_alpha;
+im->flags = im_old->flags;
+IM_FLAG_SET(im, F_UNCACHEABLE);
+im->moddate = im_old->moddate;
diff -Nru imlib2-1.10.0/debian/patches/remove-data-dir.patch 
imlib2-1.10.0/debian/patches/remove-data-dir.patch
--- imlib2-1.10.0/debian/patches/remove-data-dir.patch  2023-01-02 
23:10:40.0 +0100
+++ imlib2-1.10.0/debian/patches/remove-data-dir.patch  2023-08-22 
22:52:24.0 +0200
@@ -10,8 +10,6 @@
  configure.ac | 3 ---
  2 files changed, 1 insertion(+), 4 deletions(-)
 
-diff --git a/Makefile.am b/Makefile.am
-index 3371af3..d93301b 100644
 --- a/Makefile.am
 +++ b/Makefile.am
 @@ -2,7 +2,7 @@ AUTOMAKE_OPTIONS = foreign
@@ -23,8 +21,6 @@
  if BUILD_DOC
  SUBDIRS += doc
  endif
-diff --git a/configure.ac b/configure.ac
-index 791f44d..8df303a 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -280,9 +280,6 @@ src/modules/Makefile
diff -Nru imlib2-1.10.0/debian/patches/series 
imlib2-1.10.0/debian/patches/series
--- imlib2-1.10.0/debian/patches/series 2023-01-02 23:10:40.0 +0100
+++ imlib2-1.10.0/debian/patches/series 2023-08-22 22:52:24.0 +0200
@@ -1 +1,2 @@
 remove-data-dir.patch
+debian-bug-1041406.patch

Bug#1050119: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


Hi,

[ Reason ]

unrar-nonfree is affected by CVE-2022-48579 in Bullseye. non-free
packages are not supported by the security team but it makes still
sense to fix this issue via a point update.

[ Impact ]

unrar-nonfree would continue to be affected by CVE-2022-48579.

[ Tests ]

I have manually created a rar archive which includes several symlinks
pointing to each other, files with relative paths and special
characters and in all cases unrar-nonfree seems to do the right thing.
An official reproducer was not available.

[ Risks ]

If I made a mistake there should be an unpack error or something
similar, which is not the case. Command switches didn't change so an
external program like xarchiver continues to work as expected.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable


[ Other info ]

Maintainer approves point update. (#1050080)
diff -Nru unrar-nonfree-6.0.3/debian/changelog 
unrar-nonfree-6.0.3/debian/changelog
--- unrar-nonfree-6.0.3/debian/changelog2022-05-10 13:26:16.0 
+0200
+++ unrar-nonfree-6.0.3/debian/changelog2023-08-20 09:58:26.0 
+0200
@@ -1,3 +1,13 @@
+unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high
+
+  * Non maintainer upload.
+  * Fix CVE-2022-48579:
+It was discovered that UnRAR, an unarchiver for rar files, allows
+extraction of files outside of the destination folder via symlink chains.
+(Closes: #1050080)
+
+ -- Markus Koschany   Sun, 20 Aug 2023 09:58:26 +0200
+
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 
   * Fix CVE-2022-30333 (Closes: #1010837)
diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 
unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
--- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
1970-01-01 01:00:00.0 +0100
+++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
2023-08-20 09:58:26.0 +0200
@@ -0,0 +1,429 @@
+From: Markus Koschany 
+Date: Mon, 14 Aug 2023 15:43:54 +0200
+Subject: CVE-2022-48579
+
+Origin: 
https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f
+---
+ arcread.cpp   |  4 ++-
+ extinfo.cpp   | 89 +++
+ extinfo.hpp   |  3 +-
+ extract.cpp   | 44 +
+ extract.hpp   |  6 
+ hardlinks.cpp |  2 --
+ model.cpp |  6 ++--
+ os.hpp|  1 +
+ pathfn.cpp| 14 +++---
+ timefn.hpp| 11 
+ ulinks.cpp|  6 ++--
+ win32stm.cpp  |  9 --
+ 12 files changed, 170 insertions(+), 25 deletions(-)
+
+diff --git a/arcread.cpp b/arcread.cpp
+index d1df6c0..63858d9 100644
+--- a/arcread.cpp
 b/arcread.cpp
+@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File 
*DestFile,bool TestMode)
+   {
+ if (SubHead.UnpSize>0x100)
+ {
+-  // So huge allocation must never happen in valid archives.
++  // Prevent the excessive allocation. When reading to memory, normally
++  // this function operates with reasonably small blocks, such as
++  // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream.
+   uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName);
+   return false;
+ }
+diff --git a/extinfo.cpp b/extinfo.cpp
+index 5cb90a4..0f25f31 100644
+--- a/extinfo.cpp
 b/extinfo.cpp
+@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name)
+ }
+ 
+ 
++// Delete symbolic links in file path, if any, and replace them by 
directories.
++// Prevents extracting files outside of destination folder with symlink 
chains.
++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring 
)
++{
++  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
++  // "lnk1/../dir", but converts the path to "dir". In Unix we need to call
++  // this function to prevent placing unpacked files outside of destination
++  // folder if previously we unpacked "dir/lnk1" -> "..",
++  // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt".
++  // We may still need this function to prevent abusing symlink chains
++  // in link source path if we remove detection of such chains
++  // in IsRelativeSymlinkSafe. This function seems to make other symlink
++  // related safety checks redundant, but for now we prefer to keep them too.
++  //
++  // 2022.12.01: the performance impact is minimized after adding the check
++  // against the previous path and enabling this verification only after
++  // extracting a symlink with ".." in target. So we enabled it for Windows
++  // as well for extra safety.
++//#ifde

Bug#1040475: Broken symlinks cause Apache Directory Server to not work at all out-of-the-box

[Markus Koschany]

I believe the symlink problem is fixed in version 2.0.0~M26-2 but I'd like to
test the apacheds server component more before I'm going to close this bug
report.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1050080: unrar: Fix CVE-2022-48579 for Debian 11

[Markus Koschany]

Hello,

I wanted to prepare a fix for CVE-2022-48579 in Bullseye and release it via a
bullsye point update. Do you want to take care of the upload instead?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1042757: ublock-origin: embded javascript lib

[Markus Koschany]

Am Samstag, dem 19.08.2023 um 06:13 + schrieb Bastien Roucariès:
> [...]
> No unfortunatly this is transpiled aka compiled by webpack
> see the first line
> export default (function() {
> 
> This is make by webpack or rollup that are automated tools. This means that
> this code is transpiled and I do not know the extend of transpiling.
> 
> it may be only the es6 upstream code:
> https://sources.debian.org/src/node-punycode/2.2.3-2/scripts/prepublish.js/
> or something worst that replace the constant by something else.
> 
> if you see the original code here:
> https://sources.debian.org/src/node-punycode/2.2.3-2/punycode.js/
> 
> you do not see the export default (function() { 
> line
> 
> Javascript is strange you could edit generated file and min.js is not the
> only problem

Ok, I see. I don't think this a problem though. This is still reasonably
modifiable and human readable.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1042757: ublock-origin: embded javascript lib

[Markus Koschany]

Am Montag, dem 31.07.2023 um 11:56 + schrieb Bastien Roucariès:
> Source: ublock-origin
> Severity: serious
> Justification: not prefered form of modification
> 
> Dear Maintainer,
> 
> src/lib include a few library that are already packaged for debian.
> 
> per se it is not a serious bug, but we should try if possible after testing
> to
> use packaged version
> 
> The serious bug is due that for instance punycode was not in prefered form of
> modification due to being wepackaged (transpiled) in order to be an ES
> module.
> 
> They may be other transpiled package in this subdirectory

Hello Bastien,

thanks for the report. I have reviewed the src/lib directory and replaced the
embedded Javascript libraries of csstree and js-beautify with Debian's system
libraries. I also added the source file of hsluv to debian/missing-sources and
documented the licenses of these three Javascript libraries in
debian/copyright.

I decided against replacing punycode because punycode.js in ublock-origin looks
like the preferred form for me. The file is not minified and can be edited
without problems. I believe you were referring to hsluv instead. I believe this
issue is fixed in version 1.51.0+dfsg-2 soon.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1050044: bullseye-pu: package rar/2:5.5.0-1

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hello,

[ Reason ]

I would like to update rar in bullseye because it is affected by
CVE-2022-30333. This issue has been fixed in all other suites already
and it makes sense to address this problem in bullseye too. A backport
is the only sensible approach because rar is closed source.

[ Impact ]

The RAR archiver would continue to be vulnerable.

[ Tests ]

Unfortunately rar is just a non-free binary without source code, so I
had to rely on manual testing. Since there was not enough information
available to reproduce the problem, I created a normal rar archive
with random files and folders and another one which consisted of
several symlinks and files with relative paths. The extract operation
seems to work correctly in both cases.

[ Risks ]

I'm not aware of any major changes like different command switches
etc. but rar is non-free and closed source, so there is always some
kind of risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

I don't attach a debdiff because of the closed source binary of rar.

Bug#1040226: tomcat10: deployment-time Java EE to Jakarta EE migration fails

[Markus Koschany]

Hi,

Am Dienstag, dem 15.08.2023 um 14:52 +0200 schrieb J. Tóth Tamás:
> Hi,
> 
> > Please keep the bug report always in CC.
> 
> I thought my 8 August mail contains no new information, so it makes no 
> sense to spam the BTS with it. But okay, next time (and this time) I’ll 
> use Reply All regardless of the message content.

I'm not the only Debian developer who could help you. There may be other users
too who are interested in this topic and who could provide valuable insight or
suggestions. Hence why it's so important to have a public bug tracker with the
record of our conversation.

> 
> > > We’d like to gradually upgrade
> > > to Bookworm, but I don’t want to make sysops’ lives more complicated by
> > > giving them one WAR file to install on Bookworm and another one to
> > > install on Bullseye.
> > 
> > […] You can just manually run the tomcat-jakartaee-migration tool on
> > your existing war files. All it mainly does is to replace the old
> > occurrences of javax.* with jakarta.*.
> 
> That’s exactly what I meant by “making sysops’ lives more complicated by
> giving them one WAR file to install on Bookworm and another one to 
> install on Bullseye”, so it’s out of question for me in production.

Ok, I'm not familiar with your workflow. Though I would never trust a tool to
do the right thing on the fly. I would instruct my development team to port the
application to Tomcat 10 and test it thoroughly and then my production team
only would take care of the administration and deployment task as usual. 

> 
> > You could also send a patch with your proposed changes to Debian's tomcat10
> > > package and I take a look at it.
> 
> I created https://salsa.debian.org/java-team/tomcat10/-/merge_requests/1 
> – it’s quite likely wrong in its current form, but I hope it can be fixed.

Thank you! I have merged your request and also pushed a new upstream version to
our Git repository but I didn't upload the package yet. Patches should be added
to the debian/patches/series file as well, otherwise they won't be applied. The
rest looked good to me. However I still get a migration warning when I follow
your initial steps with the basic "test" app. There is a
DirectoryNotEmptyException. Initially tomcat migrates the test folder in
webapps-javaee to a newx.tmp folder and then tries to remove the latter,
which fails. What can we do to avoid this warning?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1040226: tomcat10: deployment-time Java EE to Jakarta EE migration fails

[Markus Koschany]

Hello,

Am Montag, dem 07.08.2023 um 20:22 +0200 schrieb J. Tóth Tamás:
> Hi,
> 
> Did you notice my reply sent on 4 July?

Yes, I did. Please keep the bug report always in CC.

> We’d like to gradually upgrade 
> to Bookworm, but I don’t want to make sysops’ lives more complicated by 
> giving them one WAR file to install on Bookworm and another one to 
> install on Bullseye.

I haven't had the time to investigate this problem yet. You don't have to wait
for a solution of this bug though. You can just manually run the tomcat-
jakartaee-migration tool on your existing war files. All it mainly does is to
replace the old occurrences of javax.* with jakarta.*. You could also send a
patch with your proposed changes to Debian's tomcat10 package and I take a look
at it.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1041346: RM: https-everywhere -- ROM; obsolete;major browsers offer native support;

[Markus Koschany]

debian-parl and boxer-data have been updated in unstable thus nothing in Debian
references https-everywhere anymore. It should be ready to be removed now.


signature.asc
Description: This is a digitally signed message part

Bug#1041348: RM: https-everywhere/stable -- ROM; obsolete;major browsers offer native support now;

[Markus Koschany]

I have uploaded a new revision of boxer-data and debian-parl to Bookworm now.
This update removes the dependency on webext-https-everywhere. Jonas agreed to
this change.

https://bugs.debian.org/1041350

AFAIK nothing else should prevent the removal of https-everywhere from
Bookworm.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1041446: bookworm-pu: package boxer-data/10.9.12

[Markus Koschany]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


[ Reason ]

The https-everywhere browser addon is obsolete and boxer-data (and
thus debian-parl) still references it.

[ Impact ]

We have to update boxer-data in order to fix Debian bug #1041350 in
Bookworm.

[ Risks ]

https only mode is now a standard feature of all major browsers. Users
just don't need the https-everywhere addon anymore which is a good
thing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru boxer-data-10.9.12/bullseye/classes/Desktop/web/firefox/harden.yml 
boxer-data-10.9.12+deb12u1/bullseye/classes/Desktop/web/firefox/harden.yml
--- boxer-data-10.9.12/bullseye/classes/Desktop/web/firefox/harden.yml  
2020-11-10 13:20:34.0 +0100
+++ boxer-data-10.9.12+deb12u1/bullseye/classes/Desktop/web/firefox/harden.yml  
2023-07-19 00:04:50.0 +0200
@@ -6,6 +6,5 @@
   pkg:
 - include Firefox security plugins
   pkg:
-- webext-https-everywhere
 - webext-privacy-badger
 - webext-ublock-origin-firefox
diff -Nru boxer-data-10.9.12/CHANGELOG.md 
boxer-data-10.9.12+deb12u1/CHANGELOG.md
--- boxer-data-10.9.12/CHANGELOG.md 2022-08-07 18:31:29.0 +0200
+++ boxer-data-10.9.12+deb12u1/CHANGELOG.md 2023-07-19 00:04:50.0 
+0200
@@ -6,6 +6,11 @@
 
 ## [Unreleased]
 
+## [10.9.13] - 2023-07-19
+
+  * Fix class Desktop.web.firefox.harden. No longer install obsolete Firefox
+addon https-everywhere.
+
 ## [10.9.12] - 2022-08-07
 
 ### Fixed
diff -Nru boxer-data-10.9.12/debian/changelog 
boxer-data-10.9.12+deb12u1/debian/changelog
--- boxer-data-10.9.12/debian/changelog 2022-08-07 18:31:45.0 +0200
+++ boxer-data-10.9.12+deb12u1/debian/changelog 2023-07-19 00:04:50.0 
+0200
@@ -1,3 +1,11 @@
+boxer-data (10.9.12+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix class Desktop.web.firefox.harden. No longer install obsolete Firefox
+addon https-everywhere.
+
+ -- Markus Koschany   Wed, 19 Jul 2023 00:04:50 +0200
+
 boxer-data (10.9.12) unstable; urgency=medium
 
   * add class l10n.mythes.pt.BR since bookworm

Bug#1041406: libimlib2: imlib_clone_image() no longer preserves the alpha channel flag

[Markus Koschany]

Control: forwarded -1 https://git.enlightenment.org/old/legacy-imlib2/issues/17

Thanks for the report!


signature.asc
Description: This is a digitally signed message part

Bug#1041346: RM: https-everywhere -- ROM; obsolete;major browsers offer native support;

[Markus Koschany]

I was unaware about one r-dep that references https-everywhere.

https://bugs.debian.org/1041350

I get back to you as soon as this problem has been resolved.

Regards,

Markus






signature.asc
Description: This is a digitally signed message part

Bug#1041348: RM: https-everywhere/stable -- ROM; obsolete;major browsers offer native support now;

[Markus Koschany]

Hi,

Am Montag, dem 17.07.2023 um 20:32 +0100 schrieb Adam D. Barratt:
> # BCC control@
> reassign 1041348 release.debian.org
> retitle 1041348 RM: https-everywhere -- ROM; obsolete;major browsers offer
> native support now
> user release.debian@packages.debian.org
> usertags 1041348 = rm
> tags 1041348 + bookworm moreinfo
> thanks
> 
> On Mon, 2023-07-17 at 21:07 +0200, Markus Koschany wrote:
> > Dear ftp and release team,
> > 
> 
> Just Release. Reassigning and fixing up the metadata.

Perhaps we should change the reportbug template for ftp.debian.org because a
stable removal bug report is a valid choice there.

> 
> > please remove https-everywhere from stable. This addon for Firefox
> > and
> > Chromium has become obsolete because major browsers offer native
> > support for HTTPS only mode now.
> > 
> > https://www.eff.org/https-everywhere/set-https-default-your-browser
> > 
> > See https://bugs.debian.org/1041335
> > 
> > Since there is no need for it anymore and development has stopped, it
> > is safe to remove it from Bookworm.
> > 
> 
> Not quite - it has an r-dep:
> 
> Checking reverse dependencies...
> # Broken Depends:
> debian-parl: parl-desktop

Whoops. I've just filed https://bugs.debian.org/1041350

I guess Jonas won't object against the removal. I get back to you as soon as
possible.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1041350: parl-desktop: dependency on webext-https-everywhere is obsolete

[Markus Koschany]

Package: parl-desktop
Version: 1.9.31
Severity: important
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

the addon https-everywhere has become obsolete. Nowadays all major
browsers offer native support for HTTPS only mode. I have requested the
removal of https-everywhere from Debian and your package is the only
one that still references it.

https://bugs.debian.org/1041346

I would also like to remove the addon from Bookworm because it is no
longer developed.

https://bugs.debian.org/1041348

Let me know if I should just remove the dependency on https-everywhere
and upload a new revision of parl-desktop to Bookworm or if you prefer
another solution.

Regards,

Markus

Bug#1041348: RM: https-everywhere/stable -- ROM; obsolete;major browsers offer native support now;

[Markus Koschany]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: debian-rele...@lists.debian.org, a...@debian.org


Dear ftp and release team,

please remove https-everywhere from stable. This addon for Firefox and
Chromium has become obsolete because major browsers offer native
support for HTTPS only mode now.

https://www.eff.org/https-everywhere/set-https-default-your-browser

See https://bugs.debian.org/1041335

Since there is no need for it anymore and development has stopped, it
is safe to remove it from Bookworm.

Regards,

Markus

Bug#1041346: RM: https-everywhere -- ROM; obsolete;major browsers offer native support;

[Markus Koschany]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: a...@debian.org

Dear ftp team,

please remove https-everywhere from Debian. This addon for Firefox and
Chromium has become obsolete because major browsers offer native
support for HTTPS only mode now.

https://www.eff.org/https-everywhere/set-https-default-your-browser

See https://bugs.debian.org/1041335

Regards,

Markus

Bug#1041335: webext-https-everywhere: obsolete, should be deleted

[Markus Koschany]

Hi,

Am Montag, dem 17.07.2023 um 17:41 +0200 schrieb michel:
> Package: webext-https-everywhere
> Severity: wishlist
> Tags: upstream
> X-Debbugs-Cc: okgomdjgbm...@gmail.com
> 
> Dear Maintainer,
> 
> 
> 
> https-everywhere is obsolete, it was sunset january 2023. It seams you forgot
> about it.

Thanks for the heads-up! Actually I didn't know about that. We can remove it
from Bookworm too. That shouldn't be a problem.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1040226: tomcat10: deployment-time Java EE to Jakarta EE migration fails

[Markus Koschany]

Am Montag, dem 03.07.2023 um 18:28 +0200 schrieb Tamás J.Tóth:
> 
> 
> The web app doesn't load. The Tomcat log contains the following:
> 
> WARNING [main] org.apache.catalina.startup.HostConfig.migrateLegacyApp
> Migration failure
> java.lang.NoClassDefFoundError: org/apache/tomcat/jakartaee/Migration

Thanks for the report.

You have to install the tomcat-jakartaee-migration package. [1] I guess we
could either suggest or recommend this package to make it more obvious.

https://tracker.debian.org/pkg/tomcat-jakartaee-migration

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1039974: tomcat10: tomcat user has wrong home "/var/lib/tomcat" directory in /etc/passwd

[Markus Koschany]

Control: tags -1 moreinfo

> deploy .war in tomcat10
> got errors from tomcat10 in "journalctl -f"
> 
>    * What exactly did you do that was effective ?
> 
> change tomcat user home in /etc/passwd to /var/lib/tomcat10
> 
>    * What was the outcome of this action?
> 
> Problem solved

You most likely don't have to change the user home of tomcat to solve your
problem (which you did not specify at all)

There is a difference between the operating system user and home directory and
the applications' home directory.

See Debian bug https://bugs.debian.org/926338 for reference.

You have to tell your tomcat applications explicitly if they can write or read
certain file system directories. See /usr/share/doc/tomcat10/README.Debian for
more information. By default Debian's tomcat package is meant to be secure. It
is the task of the system administrator to configure tomcat correctly. 




signature.asc
Description: This is a digitally signed message part

Bug#1038426: renpy: Uncaught exception occurred when attempting to start

[Markus Koschany]

Control: severity -1 grave
Control: tags -1 help

Am Sonntag, dem 18.06.2023 um 04:23 + schrieb Zach:
>  File "/usr/share/games/renpy/renpy/sl2/slast.py", line 84, in compile_expr
>     return compile(expr, filename, "eval", flags, 1)
> ValueError: AST node line range (628, 1) is not valid

Thanks for the report. I can reproduce this problem in stable and unstable but
I don't know what is causing the Python error at the moment. In any case this
makes the game unusable and must be fixed eventually.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1037304: gnome-control-center: sharing non-accessible after fresh GNOME 3 installation

[Markus Koschany]

Package: gnome-control-center
Version: 1:43.4.1-1
Severity: normal
X-Debbugs-Cc: a...@debian.org

I just installed GNOME 3 on a Lenovo X280 and X230i Thinkpad. I used the most 
recent Debian installer as of 10.06.2023 which was still an RC candidate for 
Bookworm.

Open the gnome-control-center, click on the sharing menu item. Now the 
application starts to freeze and a dialogue opens whether I would like to wait 
or force quit the application. I waited for several minutes and retried the 
process but that didn't help.

After removing gnome-remote-desktop, the menu item "Sharing" became accessible 
again.

I just re-installed gnome-remote-desktop and now clicking on Sharing also works 
as expected which is weird. After rebooting my second Laptop Sharing also works 
again. Here I did not remove gnome-remote-desktop.

So apparently there is something going on in the background which blocks the 
Sharing menu item on a very fresh GNOME 3 installation. I would have expected a 
more descriptive error message or that it just works TM right from the start.

Regards,

Markus



-- System Information:
Debian Release: 12.0
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-control-center depends on:
ii  accountsservice   22.08.8-6
ii  apg   2.2.3.dfsg.1-5+b2
ii  colord1.4.6-2.2
ii  desktop-base  12.0.6
ii  desktop-file-utils0.26-1
ii  gnome-control-center-data 1:43.4.1-1
ii  gnome-desktop3-data   43.2-2
ii  gnome-settings-daemon 43.0-4
ii  gsettings-desktop-schemas 43.0-1
ii  libaccountsservice0   22.08.8-6
ii  libadwaita-1-01.2.2-1
ii  libc6 2.36-9
ii  libcairo2 1.16.0-7
ii  libcolord-gtk4-1  0.3.0-3.1
ii  libcolord21.4.6-2.2
ii  libcups2  2.4.2-3
ii  libepoxy0 1.5.10-1
ii  libfontconfig12.14.1-4
ii  libgcr-base-3-1   3.41.1-1+b1
ii  libgdk-pixbuf-2.0-0   2.42.10+dfsg-1+b1
ii  libglib2.0-0  2.74.6-2
ii  libgnome-bg-4-2   43.2-2
ii  libgnome-bluetooth-ui-3.0-13  42.5-3
ii  libgnome-desktop-4-2  43.2-2
ii  libgnome-rr-4-2   43.2-2
ii  libgnutls30   3.7.9-2
ii  libgoa-1.0-0b 3.46.0-1
ii  libgoa-backend-1.0-1  3.46.0-1
ii  libgsound01.0.3-2
ii  libgtk-3-03.24.37-2
ii  libgtk-4-14.8.3+ds-2
ii  libgtop-2.0-112.40.0-2
ii  libgudev-1.0-0237-2
ii  libibus-1.0-5 1.5.27-5
ii  libkrb5-3 1.20.1-2
ii  libmalcontent-0-0 0.11.0-4
ii  libmm-glib0   1.20.4-1
ii  libnm01.42.4-1
ii  libnma-gtk4-0 1.10.6-1
ii  libpango-1.0-01.50.12+ds-1
ii  libpangocairo-1.0-0   1.50.12+ds-1
ii  libpolkit-gobject-1-0 122-3
ii  libpulse-mainloop-glib0   16.1+dfsg1-2+b1
ii  libpulse0 16.1+dfsg1-2+b1
ii  libpwquality1 1.4.5-1+b1
ii  libsecret-1-0 0.20.5-3
ii  libsmbclient  2:4.17.8+dfsg-2
ii  libsnapd-glib-2-1 1.63-5
ii  libudisks2-0  2.9.4-4
ii  libupower-glib3   0.99.20-2
ii  libwacom9 2.6.0-1
ii  libx11-6  2:1.8.4-2
ii  libxi62:1.8-1+b1
ii  libxml2   2.9.14+dfsg-1.2
ii  webp-pixbuf-loader0.2.1-1

Versions of packages gnome-control-center recommends:
ii  cracklib-runtime  2.9.6-5+b1
ii  cups-pk-helper0.2.6-1+b1
ii  gkbd-capplet  3.28.1-1
ii  gnome-bluetooth-sendto42.5-3
ii  gnome-online-accounts 3.46.0-1
ii  gnome-remote-desktop  43.3-1
ii  gnome-user-docs   43.0-2
ii  gnome-user-share  43.0-1
ii  iso-codes 4.15.0-1
ii  libcanberra-pulse 0.30-10
ii  libnss-myhostname 252.6-1
ii  libspa-0.2-bluetooth  0.3.65-3
ii  malcontent-gui0.11.0-4
ii  network-manager-gnome 1.30.0-2
ii  polkitd   122-3
ii  power-profiles-daemon 0.12-1+b1
ii  realmd0.17.1-1
ii  rygel 0.42.1-1
ii  rygel-tracker 0.42.1-1
ii  system-config-printer-common  1.5.18-1

Versions of packages gnome-control-center suggests:
ii  gnome-software   43.4-1
pn  gstreamer1.0-pulseaudio  
ii  pkexec   122-3
ii  x11-xserver-utils7.7+9+b1

-- no debconf information

Bug#1015157: gnome-control-center: segfaults reproducibly on sharing panel

[Markus Koschany]

> We think this will be fixed in gnome-control-center 42.4 (not released yet).


FTR: This is still a problem in Bookworm (43.4.1). Just did a clean GNOME 3
installation with the Debian installer and as soon as I click on the Sharing
menu item in gnome-control-center, the whole application freezes. Removing
gnome-remote-desktop works around the problem. 


signature.asc
Description: This is a digitally signed message part

Bug#1009879: pypdf2: CVE-2022-24859: Manipulated inline images can cause Infinite Loop

[Markus Koschany]

Hi Andreas,

Am Donnerstag, dem 08.06.2023 um 18:05 +0200 schrieb Andreas Beckmann:
> Hi Markus,
> 
> you took care of fixing this bug in stretch-lts. Can you look into 
> fixing this in buster-lts, too? Right now buster(-lts) has a lower 
> version than stretch-lts.

Thanks! I'll take care of that soon.

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

[Markus Koschany]

Thanks for your help and explanations Max. I am going to release an updated
version for Buster soon. Apparently I somehow missed the
io_kpse_check_permissions function despite following the "Patching older
versions" paragraph.

Best,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

[Markus Koschany]

Am Mittwoch, dem 31.05.2023 um 14:41 +0200 schrieb Andreas Beckmann:
> On 31/05/2023 14.26, Markus Koschany wrote:
> > Hello Andreas,
> > 
> > Neither fig2dev or transfig are supported in jessie-elts anymore. I
> > appreciate
> > the report though. Since Stretch is no longer supported by Debian I believe
> > this issue is no longer actionable by the maintainer.
> 
> Is fig2dev supported in stretch-elts? stretch-elts would be the natural 
> dist-upgrade target for jessie-elts.

fig2dev is supported in stretch-elts but I don't think this issue warrants a
separate ELA. Most customers install a certain release and keep it until it
goes EOL and then they upgrade to the latest stable version anyway. 


signature.asc
Description: This is a digitally signed message part

Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

[Markus Koschany]

Hello Andreas,

Neither fig2dev or transfig are supported in jessie-elts anymore. I appreciate
the report though. Since Stretch is no longer supported by Debian I believe
this issue is no longer actionable by the maintainer.

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

[Markus Koschany]

Hi Hilmar,

Am Dienstag, dem 30.05.2023 um 23:32 +0200 schrieb Preuße, Hilmar:
> On 30.05.2023 20:37, Salvatore Bonaccorso wrote:
> 
> Hi Salvatore, hi Markus,
> 
> > No, buster is under LTS support which does not have point releases.
> > But as I understand this is a regression from DLA DLA-3427-1, so a
> > regression update might be worth to be issues for it, once there is a
> > fix known.

I can reproduce the problem on Buster and that it is not present on Bullseye. I
don't see any patch differences though. The latex command appears to work too.
This problem occurs when I install texlive-latex-base texlive-luatex from
src:texlive-base. We only updated texlive-bin but the issue appears to be in
texlive-base now ?

Are there any major differences between those sources packages in Buster and
Bullseye? I had to run mtxrun --script luatex-core.lua in src:texlive-bin to
create luatex-core.c from scratch. I used the tool from Buster. Could this be
the root cause of the problem?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1036894: unblock: closure-compiler/20130227+rhino-1

[Markus Koschany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package closure-compiler

[ Reason ]

It turned out that closure-compiler would not function correctly with
the latest version of librhino-java in Debian. I had to revert the
previous patch to fix the FTBFS. I bundled the source package of rhino
1.7.7.2 with src:closure-compiler instead. This was the last one that
worked correctly. Please see #1036249 for the full discussion. The
debdiff is huge because of the new rhino sources hence why it is not
attached to this bug report but I made only minimal changes to
debian/rules and the build_xml.patch.

[ Impact ]

Half of closure-compiler's r-deps would FTBFS with a parsing error.

[ Tests ]

I have sucessfully rebuilt all reverse-dependencies twice.

[ Risks ]

Since rhino is now embedded, rebuilds are no longer required. The tool
appears to work again as in February before I had to upgrade the system
library of rhino.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing


unblock closure-compiler/20130227+rhino-1

Bug#1036892: unblock: tomcat9/9.0.70-2

[Markus Koschany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package tomcat9

[ Reason ]

We can support only one major Tomcat version per release. I have
dropped all server packages and kept only the libtomcat9-java binary
package for compatibility reasons. It does not require security
support. Please see #1034824 for the full discussion.

[ Impact ]

We would have to support two major Tomcat versions in Bookworm.

[ Tests ]

I have successfully rebuilt all reverse-dependencies of
libtomcat9-java. There is currently no package in testing that
build-depends or depends on other binary packages from src:tomcat9.

[ Risks ]

None, if the test results are correct.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock tomcat9/9.0.70-2
diff -Nru tomcat9-9.0.70/debian/changelog tomcat9-9.0.70/debian/changelog
--- tomcat9-9.0.70/debian/changelog 2022-12-05 18:50:40.0 +0100
+++ tomcat9-9.0.70/debian/changelog 2023-05-27 17:51:32.0 +0200
@@ -1,3 +1,13 @@
+tomcat9 (9.0.70-2) unstable; urgency=medium
+
+  * Team upload.
+  * Drop tomcat9 server packages because only one Tomcat version is supported
+per release. Only retain libtomcat9-java because of compatibility reasons
+for now. Users are strongly encouraged to switch to Tomcat 10 instead.
+(Closes: #1034824)
+
+ -- Markus Koschany   Sat, 27 May 2023 17:51:32 +0200
+
 tomcat9 (9.0.70-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru tomcat9-9.0.70/debian/control tomcat9-9.0.70/debian/control
--- tomcat9-9.0.70/debian/control   2022-12-05 16:29:55.0 +0100
+++ tomcat9-9.0.70/debian/control   2023-05-27 17:51:32.0 +0200
@@ -29,67 +29,6 @@
 Vcs-Browser: https://salsa.debian.org/java-team/tomcat9
 Homepage: http://tomcat.apache.org
 
-Package: tomcat9-common
-Architecture: all
-Depends:
- default-jre-headless | java11-runtime-headless | java11-runtime,
- libtomcat9-java (>= ${source:Version}),
- ${misc:Depends}
-Description: Apache Tomcat 9 - Servlet and JSP engine -- common files
- Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
- specifications from Oracle, and provides a "pure Java" HTTP web
- server environment for Java code to run.
- .
- This package contains common files needed by the tomcat9 and tomcat9-user
- packages (Tomcat 9 scripts and libraries).
-
-Package: tomcat9
-Architecture: all
-Depends:
- lsb-base (>= 3.0-6),
- systemd (>= 238) | systemd-sysusers,
- systemd (>= 238) | systemd-tmpfiles,
- tomcat9-common (>= ${source:Version}),
- ucf,
- ${misc:Depends}
-Recommends:
- libtcnative-1 (>= 1.2.18)
-Suggests:
- tomcat9-admin (>= ${source:Version}),
- tomcat9-docs (>= ${source:Version}),
- tomcat9-examples (>= ${source:Version}),
- tomcat9-user (>= ${source:Version})
-Description: Apache Tomcat 9 - Servlet and JSP engine
- Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
- specifications from Oracle, and provides a "pure Java" HTTP web
- server environment for Java code to run.
- .
- This package contains only the startup scripts for the system-wide daemon.
- No documentation or web applications are included here, please install
- the tomcat9-docs and tomcat9-examples packages if you want them.
- Install tomcat9-user instead of this package if you don't want Tomcat to
- start as a service.
-
-Package: tomcat9-user
-Architecture: all
-Depends:
- netcat-openbsd,
- tomcat9-common (>= ${source:Version}),
- ${misc:Depends}
-Suggests:
- tomcat9 (>= ${source:Version}),
- tomcat9-admin (>= ${source:Version}),
- tomcat9-docs (>= ${source:Version}),
- tomcat9-examples (>= ${source:Version})
-Description: Apache Tomcat 9 - Servlet and JSP engine -- tools to create user 
instances
- Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
- specifications from Oracle, and provides a "pure Java" HTTP web
- server environment for Java code to run.
- .
- This package contains files needed to create a user Tomcat instance.
- This user Tomcat instance can be started and stopped using the scripts
- provided in the Tomcat instance directory.
-
 Package: libtomcat9-java
 Architecture: all
 Depends: libeclipse-jdt-core-java (>= 3.26.0), ${misc:Depends}
@@ -102,48 +41,4 @@
  This package contains the Tomcat core classes which can be used by other
  Java applications to embed Tomcat.
 
-Package: libtomcat9-embed-java
-Architecture: all
-Depends: libeclipse-jdt-core-java (>= 3.26.0), ${misc:Depends}
-Description: Apache Tomcat 9 - Servlet and JSP engine -- embed libraries
- Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
- specifications from Oracle, and provides a "pure Java" HTTP web
- server environment for Jav

Bug#1036890: unblock: jetty9/9.4.50-4

[Markus Koschany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package jetty9

[ Reason ]

It was discovered that jetty9 would throw a ServiceConfigurationError
when running web applications. (#1036798) We couldn't find a targeted
fix to improve our tomcat10-migration.patch from the previous upload.
Time is running out hence why I have reverted back to libtomcat9-java.

[ Impact ]

Web applications will not work when using the jetty9 server package.

[ Tests ]

Confirmed that reverting back to libtomcat9-java fixes the problem.

[ Risks ]

We are back to square one.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock jetty9/9.4.50-4
diff -Nru jetty9-9.4.50/debian/changelog jetty9-9.4.50/debian/changelog
--- jetty9-9.4.50/debian/changelog  2023-02-19 13:41:00.0 +0100
+++ jetty9-9.4.50/debian/changelog  2023-05-27 16:28:19.0 +0200
@@ -1,3 +1,11 @@
+jetty9 (9.4.50-4) unstable; urgency=medium
+
+  * Team upload.
+  * Revert the switch to libtomcat10-java. For now Jetty 9 only works correctly
+with libtomcat9-java. (Closes: #1036798)
+
+ -- Markus Koschany   Sat, 27 May 2023 16:28:19 +0200
+
 jetty9 (9.4.50-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru jetty9-9.4.50/debian/control jetty9-9.4.50/debian/control
--- jetty9-9.4.50/debian/control2023-02-19 13:41:00.0 +0100
+++ jetty9-9.4.50/debian/control2023-05-27 16:28:19.0 +0200
@@ -29,7 +29,7 @@
  libspring-beans-java,
  libtaglibs-standard-impl-java,
  libtaglibs-standard-spec-java,
- libtomcat10-java,
+ libtomcat9-java,
  libwebsocket-api-java,
  maven-debian-helper (>= 2.2.8~),
  maven-repo-helper
@@ -60,7 +60,7 @@
  libspring-beans-java,
  libtaglibs-standard-impl-java,
  libtaglibs-standard-spec-java,
- libtomcat10-java,
+ libtomcat9-java,
  ${misc:Depends}
 Suggests: jetty9
 Description: Java servlet engine and webserver -- extra libraries
diff -Nru jetty9-9.4.50/debian/jetty9.links jetty9-9.4.50/debian/jetty9.links
--- jetty9-9.4.50/debian/jetty9.links   2023-02-19 13:41:00.0 +0100
+++ jetty9-9.4.50/debian/jetty9.links   2023-05-27 16:28:19.0 +0200
@@ -50,22 +50,22 @@
 usr/share/java/jetty9-xml.jar   
usr/share/jetty9/lib/jetty-xml-${VERSION}.jar
 
 usr/share/java/servlet-api.jar  
usr/share/jetty9/lib/servlet-api-3.1.jar
-usr/share/java/tomcat10-annotations-api.jar  
usr/share/jetty9/lib/annotations/javax.annotation.jar
+usr/share/java/tomcat9-annotations-api.jar  
usr/share/jetty9/lib/annotations/javax.annotation.jar
 usr/share/java/asm.jar  
usr/share/jetty9/lib/annotations/asm.jar
 usr/share/java/asm-analysis.jar 
usr/share/jetty9/lib/annotations/asm-analysis.jar
 usr/share/java/asm-commons.jar  
usr/share/jetty9/lib/annotations/asm-commons.jar
 usr/share/java/asm-tree.jar 
usr/share/jetty9/lib/annotations/asm-tree.jar
 usr/share/java/eclipse-jdt-core.jar 
usr/share/jetty9/lib/apache-jsp/jdt-core.jar
-usr/share/java/tomcat10-api.jar  
usr/share/jetty9/lib/apache-jsp/tomcat-api.jar
-usr/share/java/tomcat10-el-api.jar   
usr/share/jetty9/lib/apache-jsp/tomcat-el-api.jar
-usr/share/java/tomcat10-jasper.jar   
usr/share/jetty9/lib/apache-jsp/tomcat-jasper.jar
-usr/share/java/tomcat10-jasper-el.jar
usr/share/jetty9/lib/apache-jsp/tomcat-jasper-el.jar
-usr/share/java/tomcat10-jsp-api.jar  
usr/share/jetty9/lib/apache-jsp/tomcat-jsp-api.jar
-usr/share/java/tomcat10-juli.jar 
usr/share/jetty9/lib/apache-jsp/tomcat-juli.jar
-usr/share/java/tomcat10-util.jar 
usr/share/jetty9/lib/apache-jsp/tomcat-util.jar
-usr/share/java/tomcat10-util-scan.jar
usr/share/jetty9/lib/apache-jsp/tomcat-util-scan.jar
+usr/share/java/tomcat9-api.jar  
usr/share/jetty9/lib/apache-jsp/tomcat-api.jar
+usr/share/java/tomcat9-el-api.jar   
usr/share/jetty9/lib/apache-jsp/tomcat-el-api.jar
+usr/share/java/tomcat9-jasper.jar   
usr/share/jetty9/lib/apache-jsp/tomcat-jasper.jar
+usr/share/java/tomcat9-jasper-el.jar
usr/share/jetty9/lib/apache-jsp/tomcat-jasper-el.jar
+usr/share/java/tomcat9-jsp-api.jar  
usr/share/jetty9/lib/apache-jsp/tomcat-jsp-api.jar
+usr/share/java/tomcat9-juli.jar 
usr/share/jetty9/lib/apache-jsp/tomcat-juli.jar
+usr/share/java/tomcat9-util.jar 
usr/share/jetty9/lib/apache-jsp/tomcat-util.jar
+usr/share/java/tomcat9-util-scan.jar
usr/share/jetty9/lib/apache-jsp/tomcat-util-scan.jar
 usr/share/java/taglibs-standard-spec.jar
usr/share/jetty9/lib/apache-jstl/org.apache.taglibs.taglibs-standard-spec.jar
 usr/share/java/tagl

Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

[Markus Koschany]

Am Donnerstag, dem 25.05.2023 um 19:22 -0700 schrieb Daniel Markstedt:
> [...]
> Thank you very much for taking swift action on this!
> Please forgive my ignorance here, but are these patches active already
> if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster?
> Or do they have to be picked up by some build process that hasn't run yet?

Those patches are already applied. You can download the source package of
netatalk with 

apt source netatalk

They are located in the debian/patches directory and are listed in the
debian/patches/series file.

> 
> I'm asking because I ran a few tests now and while EA metadata works,
> the appledouble v2 metadata functionality is definitely broken, even
> when you create a new shared volume from scratch.
> 
> dmark@buster:~$ apt show netatalk
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> ...
> May 25 18:51:08 buster afpd[7415]: ad->ad_ops->ad_header_read(path,
> ad, pst) failed: Input/output error
> May 25 18:51:08 buster afpd[7415]: getfilparams(Screenshot 2023-05-23
> at 10.36.39 AM.png): bad resource fork
> May 25 18:51:08 buster afpd[7415]: parse_entries: bogus eid: 3, off: 182,
> len: 8
> May 25 18:51:08 buster afpd[7415]:
> ad_header_read(/home/dmark/afp-data): malformed AppleDouble
> 
> So either more patches have to be cherry-picked or I need to be patient. :)

Could you tell me which exact commands were used, so that I can try to
reproduce the problem? 

Regards,

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1034824: tomcat9 should not be released with Bookworm

[Markus Koschany]

Am Freitag, dem 26.05.2023 um 21:44 +0200 schrieb Emmanuel Bourg:
> 
> The changes to jetty9 have to be reverted too, the package is broken 
> (#1036798).
> 
> Sadly we can't do without tomcat9. The path forward implies packaging
> Jetty 11 or 12 first and migrating all the reverse dependencies, but
> that's a task for Trixie.

Thanks for investigating Emmanuel. I'll take care of jetty9 too.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1036778: ckbuilder: must be rebuilt against rhino 1.7.14

[Markus Koschany]

Hi,

I have just rebuilt all reverse-dependencies of closure-compiler again,
ckbuilder and ckeditor also build fine now. Thus the upload of ckbuilder
2.4.3+dfsg-2 was successful. 

> Should we clone this bug to ensure we have a proper (tracking) solution 
> after the bookworm release. If binaries need rebuilds for new versions 
> of build dependencies, we need to figure out how we can automatically 
> detect that. One way (very unpretty) is to hardcode the version which 
> it's going to be build against, than dose [1] will at least tell us.

That's a good idea. In general the Javascript maintainers should be more
considerate when it comes to packages like rhino or closure-compiler. The
latter has been neglected for ten years but still many Javascript packages
depend on it. It is only a matter of time when other issues in closure-compiler
will surface.

> 
> > The rebuild should be done after #1036249 in closure-compiler has been
> > resolved.
> 
> Which is not the case yet, is the 2.4.3+dfsg-2 upload futile and should 
> this bug be reopened? (To be safe, I'm reopening now).

@yadd

If you haven't done so already, could you please file an unblock request for
ckbuilder? 

Thanks

Markus



signature.asc
Description: This is a digitally signed message part

Bug#1034824: tomcat9 should not be released with Bookworm

[Markus Koschany]

Hi,

> Markus, can you please revert you logback change by tomorrow at the latest?

Sure. I will take care if it.

Do I understand you correctly, that we only ship libtomcat9-java in Bookworm
now? Shall I upload a new revision of tomcat9 too?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1034824: tomcat9 should not be released with Bookworm

[Markus Koschany]

First of all trapperkeeper-webserver-jetty9-clojure should add a build-
dependency on logback to detect such regressions in advance.

#1036250 is mainly a logback problem, not a tomcat problem. I still would like
to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
don't find a solution though.

The tomcatjss / dogtag-pki situation is simple too. If there is no way to make
the application work with Tomcat 10, then there are three options:

1. Embed Tomcat 9 in your application by creating a standalone jar

2. Continue to use the current Tomcat 9 package as is but make sure that nobody
else than dogtag-pki uses it. (Package descriptions should be adjusted, and the
binary tomcat9 package should be probably removed too) Nobody should think that
we support two major Tomcat versions.

In any case the dogtag-pki maintainers must commit to at least three years of
security support, web application + Tomcat 9. Otherwise this is pointless.

3. Remove dogtag-pki and tomcatjss from testing and prepare backports as soon
as dogtag-pki and Co support Tomcat 10.

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1036249: closure-compiler: #1036249

[Markus Koschany]

Sorry, that should have been #1036249.


signature.asc
Description: This is a digitally signed message part

Bug#1036249: closure-compiler: #1036159

[Markus Koschany]

Control: tags -1 patch

Hello,

I have been working on #1036159 and before I go ahead with my solution I would
like to hear your opinion whether this is acceptable.

Apparently closure-compiler embeds rhino classes and thus every time rhino is
updated, closure-compiler must be rebuilt too. I did just that in revision -14
but still half of the reverse-dependencies FTBFS because of a parsing error. I
tried to narrow this issue down and even reverted a commit in rhino which made
closure-compiler FTBFS. We addressed the initial FTBFS in revision -13. Still
that made no difference. Although rhino 1.7.14 and our ten year old closure-
compiler package are seemingly compatible at the source level, there must be
some subtle differences which cause the Javascript parsing errors.

Since I could not find a targeted fix I decided to remove the dependency on
rhino 1.7.14 and embedded rhino 1.7.7.2 instead, the last version that worked
well for closure-compiler. You can find the results here:

https://salsa.debian.org/java-team/closure-compiler/-/tree/bookworm

I have rebuilt all reverse-dependencies and this would resolve the problem.

The only exception is ckbuilder / ckeditor. The solution here is simple though.
ckbuilder must be rebuilt against rhino 1.7.14. This is the original solution
for #1026639 but the rebuilding part was forgotten. I have filed #1036778 as a
reminder.

Regards,

Markus




signature.asc
Description: This is a digitally signed message part

Bug#1036778: ckbuilder: must be rebuilt against rhino 1.7.14

[Markus Koschany]

Source: ckbuilder
Version: 2.4.3+dfsg-1
Severity: serious
X-Debbugs-Cc: a...@debian.org


ckbuilder must be rebuilt against rhino 1.7.14. This is a no-change
rebuild. Otherwise ckeditor will continue to FTBFS. This was already
reported in #1026639. This issue has also been reported upstream as

https://github.com/ckeditor/ckbuilder/issues/34

Back then we decided to upgrade rhino but in fact ckbuilder could have
also added the --add-exports java.desktop/sun.java2d=ALL-UNNAMED flag.

The rebuild should be done after #1036249 in closure-compiler has been
resolved.

Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

[Markus Koschany]

Hello Daniel,

Am Donnerstag, dem 25.05.2023 um 08:02 +0200 schrieb Salvatore Bonaccorso:
> > 
> > These two commits in upstream addressed this:
> > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
> > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

Both patches have been backported to Buster. You can find them as CVE-2022-
23123_part3.patch and CVE-2022-23123_part4.patch.

Did we miss something else?

Regards,

Markus


signature.asc
Description: This is a digitally signed message part

Bug#1036249: reopen #1036249

[Markus Koschany]

I have identified the rhino upstream commit which caused the FTBFS in closure-
compiler. If I revert said commit in rhino, then closure-compiler builds from
source without any additional patches needed. 

https://github.com/mozilla/rhino/commit/fb77164ac4889ffa4be26d5d24cb538a8dbd632b

However I still see the same runtime errors when I compile closure-compiler
against this new rhino version. At the moment I am running out of ideas. Given
that we approach full freeze in a few days, I am inclined to ship the last
rhino version that worked for closure-compiler and bundle it together with
src:closure-compiler. That should ensure all reverse-dependencies can be built
from source again. We also don't have to touch src:rhino again. 

After the Bookworm release I recommend to file an RC bug against closure-
compiler to ensure that someone either maintains it properly or it gets removed
from Debian. Currently src:rhino already ships patches to maintain
compatibility with a 10 year old version of closure-compiler and the burden
should not be placed on other maintainers to keep it in Debian.








signature.asc
Description: This is a digitally signed message part

Bug#1036249: reopen #1036249

[Markus Koschany]

reopen 1036249
thanks

The missing source files have been included with revision -14. Apparently
closure-compiler embeds rhino classes but renames them to avoid conflicts.
There is still a parsing error when closure-compiler tries to optimize
Javascript files at runtime. E.g. ERROR - Parse error. Unsupported syntax:
COMMENT

This is likely related to 

src/com/google/javascript/jscomp/parsing/IRFactory.java

method Node processUnaryExpression

This was the only part of the code that failed to build with rhino 1.7.14. My
patch to fix the FTBFS was incomplete and I am currently looking into a better
solution.


signature.asc
Description: This is a digitally signed message part

Bug#1036250: trapperkeeper-webserver-jetty9-clojure: FTBFS in testing: MDCAccessLogConverter.java:54: error: cannot access HttpServletRequest

[Markus Koschany]

Control: tags -1 patch

Hi,

I am attaching a patch for this issue. Somehow your package fell through the
cracks because it has no dependency on logback. Logback is pulled in by Jetty
though. While Logback and Jetty use the Jakarta servlet API now, your package
still depends on libservlet-api-java. The fix for that was trivial. However the
test failure is caused by my tomcat10-migration.patch 

https://salsa.debian.org/java-team/logback/-/blob/master/debian/patches/tomcat10-migration.patch#L91

Back then I thought it was acceptable to work around a build failure by setting
the accessEvent variable to null since it seemed no package existed in Debian
which would be affected by it. The Logback developers fixed that problem in
newer versions, but a new upstream release of logback would have been too
intrusive. Long story short: please double-check my patch and if we can ignore
the logging problem

Regards,

Markus


diff -Nru trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/changelog trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/changelog
--- trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/changelog	2023-02-10 23:15:30.0 +0100
+++ trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/changelog	2023-05-19 15:19:10.0 +0200
@@ -1,3 +1,14 @@
+trapperkeeper-webserver-jetty9-clojure (4.4.1-5.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Replace libservlet-api-java with libjakarta-servlet-api-java.
+  * Add jakarta.servlet.patch to fix FTBFS with latest Jetty and Logback
+versions in Debian. (Closes: #1036250)
+  * Work around a test failure by disabling request-logging-test.
+(Closes: #1034855)
+
+ -- Markus Koschany   Fri, 19 May 2023 15:19:10 +0200
+
 trapperkeeper-webserver-jetty9-clojure (4.4.1-5) unstable; urgency=medium
 
   * d/control: bump Breaks: on puppetserver
diff -Nru trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/control trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/control
--- trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/control	2023-02-10 23:15:30.0 +0100
+++ trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/control	2023-05-19 15:19:10.0 +0200
@@ -15,7 +15,7 @@
  libtools-logging-clojure,
  libjanino-java,
  libordered-clojure,
- libservlet-api-java,
+ libjakarta-servlet-api-java,
  libjetty9-java,
  libjetty9-extra-java,
  libprismatic-schema-clojure (>= 1.1.12),
diff -Nru trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/libtrapperkeeper-webserver-jetty9-clojure.classpath trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/libtrapperkeeper-webserver-jetty9-clojure.classpath
--- trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/libtrapperkeeper-webserver-jetty9-clojure.classpath	2023-02-10 23:15:30.0 +0100
+++ trapperkeeper-webserver-jetty9-clojure-4.4.1/debian/libtrapperkeeper-webserver-jetty9-clojure.classpath	2023-05-19 15:19:10.0 +0200
@@ -1 +1 @@
-usr/share/java/trapperkeeper-webserver-jetty9.jar /usr/share/java/clojure.jar /usr/share/java/java.jmx.jar /usr/share/java/tools.logging.jar /usr/share/java/janino.jar /usr/share/java/servlet-api.jar /usr/share/java/jetty9-server.jar /usr/share/java/jetty9-io.jar /usr/share/java/jetty9-security.jar /usr/share/java/jetty9-client.jar /usr/share/java/jetty9-servlet.jar /usr/share/java/jetty9-http.jar /usr/share/java/jetty9-util.jar /usr/share/java/jetty9-servlets.jar /usr/share/java/jetty9-webapp.jar /usr/share/java/jetty9-proxy.jar /usr/share/java/jetty9-jmx.jar /usr/share/java/jetty9-websocket-server.jar /usr/share/java/jetty9-websocket-api.jar /usr/share/java/jetty9-websocket-servlet.jar /usr/share/java/schema.jar /usr/share/java/ring-servlet.jar /usr/share/java/ring-codec.jar /usr/share/java/ssl-utils.jar /usr/share/java/kitchensink.jar /usr/share/java/trapperkeeper.jar /usr/share/java/puppetlabs-i18n.jar /usr/share/java/trapperkeeper-filesystem-watcher.jar /usr/share/java/jul-to-slf4j.jar
+usr/share/java/trapperkeeper-webserver-jetty9.jar /usr/share/java/clojure.jar /usr/share/java/java.jmx.jar /usr/share/java/tools.logging.jar /usr/share/java/janino.jar /usr/share/java/jakarta-servlet-api.jar /usr/share/java/jetty9-server.jar /usr/share/java/jetty9-io.jar /usr/share/java/jetty9-security.jar /usr/share/java/jetty9-client.jar /usr/share/java/jetty9-servlet.jar /usr/share/java/jetty9-http.jar /usr/share/java/jetty9-util.jar /usr/share/java/jetty9-servlets.jar /usr/share/java/jetty9-webapp.jar /usr/share/java/jetty9-proxy.jar /usr/share/java/jetty9-jmx.jar /usr/share/java/jetty9-websocket-server.jar /usr/share/java/jetty9-websocket-api.jar /usr/share/java/jetty9-websocket-servlet.jar /usr/share/java/schema.jar /usr/share/java/ring-servlet.jar /usr/share/java/ring-codec.jar /usr/share/java/ssl-utils.jar /usr/share/java/kitchensink.jar /usr/share/java/trapperkeeper.jar /usr/share/java/puppetlabs-i18n.jar /usr/share/java/trapperkeeper-filesystem-watcher.jar /usr/share/java/jul-to-slf4j.jar
diff -Nru trapperkeeper-webserver-jetty9-clojure-4.

Bug#1036244: unblock: noiz2sa/0.51a-13

[Markus Koschany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package noiz2sa

[ Reason ]

A long time ago noiz2sa shipped a symlink from the noiz2sa-data
/usr/share/doc directory to its arch-any /usr/share/doc directories to
save 0.14159265359 KB of disk space.
"This kind of overwriting another package's files cannot be detected
by dpkg." And that's why we have to use dpkg-maintscript-helper to fix
this issue. See also #1035632.

[ Impact ]

noiz2sa will be autoremoved.

[ Tests ]

piuparts agrees, it's all good now

[ Risks ]

A couple of nerds would be not amused to find out, that they cannot
play their favorite game in Bookworm.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock noiz2sa/0.51a-13
diff -Nru noiz2sa-0.51a/debian/changelog noiz2sa-0.51a/debian/changelog
--- noiz2sa-0.51a/debian/changelog  2021-11-02 14:55:01.0 +0100
+++ noiz2sa-0.51a/debian/changelog  2023-05-14 15:10:17.0 +0200
@@ -1,3 +1,10 @@
+noiz2sa (0.51a-13) unstable; urgency=medium
+
+  * Add noiz2sa.maintscript: Handle symlink to directory conversion.
+Thanks to Andreas Beckmann for the report. (Closes: #1035632)
+
+ -- Markus Koschany   Sun, 14 May 2023 15:10:17 +0200
+
 noiz2sa (0.51a-12) unstable; urgency=medium
 
   * d/control: Add Vcs fields.
diff -Nru noiz2sa-0.51a/debian/noiz2sa.maintscript 
noiz2sa-0.51a/debian/noiz2sa.maintscript
--- noiz2sa-0.51a/debian/noiz2sa.maintscript1970-01-01 01:00:00.0 
+0100
+++ noiz2sa-0.51a/debian/noiz2sa.maintscript2023-05-14 15:10:17.0 
+0200
@@ -0,0 +1 @@
+symlink_to_dir /usr/share/doc/noiz2sa noiz2sa-data 0.51a-13~

Bug#1036212: visualvm: Version 2.1.5 doesn't work with Java 17

[Markus Koschany]

Am Mittwoch, dem 17.05.2023 um 12:24 +0200 schrieb david:
> Package: visualvm
> Version: Version 2.1.5 doesn't work with Java 17
> Severity: normal
> 
> Dear Maintainer,
> 
> I have installed visualvm with Java 17 configured. The app doesn't work in
> its
> installed version. Trying 2.1.6, downloaded from visualvm web page, it works
> without problem. Can we have this last version, please?

visualvm 2.1.5 works with Java 17


signature.asc
Description: This is a digitally signed message part

Bug#1036093: unblock: pokerth/1.1.2-2

[Markus Koschany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package pokerth

[ Reason ]

pokerth depends on gsfonts-x11 which has been replaced by
fonts-urw-base35. Some fonts names changed and symlinks pointing to
the old fonts no longer worked as expected. (#1020237) However after
looking into this issue, I discovered that those fonts are no longer
required. They were intended as a fallback solution but upstream
removed them years ago. There is also still DejaVuSans-Bold.ttf which
should suffice as well. Since it made no difference, I simply removed the
dependency on gsfonts-x11.

[ Impact ]

pokerth in testing would be shipped with dangling symlinks.

[ Tests ]

The game looks identical with or without those fonts.

[ Risks ]

None, since gsfonts-x11 is just obsolete

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock pokerth/1.1.2-2
diff -Nru pokerth-1.1.2/debian/changelog pokerth-1.1.2/debian/changelog
--- pokerth-1.1.2/debian/changelog  2020-12-19 19:37:17.0 +0100
+++ pokerth-1.1.2/debian/changelog  2023-05-15 00:44:03.0 +0200
@@ -1,3 +1,14 @@
+pokerth (1.1.2-2) unstable; urgency=medium
+
+  * Team upload.
+  * No longer depend on gsfonts-x11 which is replaced by fonts-urw-base35.
+We don't need these fonts because we still have DejaVuSans which is the
+better alternative. (Closes: #1020237)
+  * Remove the symlinks to gsfonts-x11 fonts.
+  * Rename VeraBd.ttf symlink to DejaVuSans-Bold.ttf.
+
+ -- Markus Koschany   Mon, 15 May 2023 00:44:03 +0200
+
 pokerth (1.1.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pokerth-1.1.2/debian/control pokerth-1.1.2/debian/control
--- pokerth-1.1.2/debian/control2020-12-19 19:33:12.0 +0100
+++ pokerth-1.1.2/debian/control2023-05-15 00:44:03.0 +0200
@@ -65,7 +65,6 @@
 Architecture: all
 Depends:
  fonts-dejavu-core,
- gsfonts-x11,
  ${misc:Depends}
 Description: Texas hold'em game - common data files
  pokerth is a free implementation of the Texas hold'em poker game which is
diff -Nru pokerth-1.1.2/debian/pokerth-data.links 
pokerth-1.1.2/debian/pokerth-data.links
--- pokerth-1.1.2/debian/pokerth-data.links 2018-10-02 15:35:20.0 
+0200
+++ pokerth-1.1.2/debian/pokerth-data.links 2023-05-15 00:44:03.0 
+0200
@@ -1,3 +1 @@
-/usr/share/fonts/X11/Type1/c059013l.pfb 
/usr/share/games/pokerth/fonts/c059013l.pfb
-/usr/share/fonts/X11/Type1/n019003l.pfb 
/usr/share/games/pokerth/fonts/n019003l.pfb
-/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf 
/usr/share/games/pokerth/fonts/VeraBd.ttf
+/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf 
/usr/share/games/pokerth/fonts/DejaVuSans-Bold.ttf

Bug#1035995: bazel-bootstrap: Depend on libgeronimo-annotation-1.3-spec-java instead of libtomcat9-java

[Markus Koschany]

Control: tags -1 patch

Hi,


bazel-bootstrap already build-depends on libgeronimo-annotation-1.3-spec-java.
The fix is trivial. Patch is attached.

Regards,

Markus


signature.asc
Description: This is a digitally signed message part