Bug#846548: marked as pending

2017-05-29 Thread Eric Dorland
* Julien Cristau (jcris...@debian.org) wrote:
> On 05/29/2017 03:15 AM, Eric Dorland wrote:
> > * Julien Cristau (jcris...@debian.org) wrote:
> >> On Mon, May 22, 2017 at 03:42:57 +, Eric Dorland wrote:
> >>
> >>> tag 846548 pending
> >>> thanks
> >>>
> >>> Hello,
> >>>
> >>> Bug #846548 reported by you has been fixed in the Git repository. You can
> >>> see the changelog below, and you can check the diff of the fix at:
> >>>
> >>> 
> >>> https://anonscm.debian.org/cgit/pkg-opensc/libp11.git/commit/?id=e8d6da0
> >>>
> >> So, erm.  This seems like it would break using libengine-pkcs11-openssl
> >> in an application using libssl1.0.2.  As a SONAME bump it also seems
> >> rather inappropriate during the freeze.
> > 
> > That's a good point. I was trying to provide an alternative to the
> > broken NMU that was going to be uploaded, but yes this will break
> > applications built against libssl1.0.2. It does fix using this with
> > the openssl tool however.
> > 
> Right.
> 
> >> I'm very interested in having this fixed in stretch so I can get the
> >> secure-boot stuff working on ftp-master, but this doesn't look like the
> >> way to go.  Not to mention that you'd have to justify the bump from
> >> 0.4.3 to 0.4.4.
> >>
> >> Can you explain your plans here?
> > 
> > As you suggested in your followup, the way forward would appear to be
> > to upload a new libp11 source package that builds against
> > libssl1.0.2. I can also backport all of the changes to 0.4.3 and
> > upload to testing-proposed-updates. Does that sound reasonable?
> > 
> Having read through the 0.4.4 changes I think I'd be ok with getting
> that in if you're confident.  I guess the other question is should
> libp11-dev come from the openssl1.1-using package or the
> openssl1.0.2-using one.  At this late stage I guess it's safer to stay
> with 1.0.2, and have the libp11-openssl1.1 package (or however it's
> called) only provide a libengine-pkcs11-openssl1.1 binary?

OK, I like this plan. We should get the naming right going forward
though for the libengine-pkcs11-openssl1.1 package. Is that how other
packages are handling naming when they depend on a particular version
of openssl?

I should be able to get fixed uploads to unstable in a couple of days.

-- 
Eric Dorland 
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93




Bug#863686: freemat: fails to start with llvm error

2017-05-29 Thread Stuart Prescott
Package: freemat
Version: 4.2+dfsg1-3+b2
Severity: serious
Justification: package is unusable

Dear Maintainer,

Starting a fresh installation of freemat fails:

$ freemat
: CommandLine Error: Option 'x86-machine-combiner' registered more than once!
LLVM ERROR: inconsistency in registered CommandLine options

By the looks of the buildd logs, the package doesn't seem to run the
tests at build time and they are not enabled as autopkgtest tests
for use on ci.debian.net so I can't easily see what has caused this
situation. (Perhaps it's possible to at least put a smoke test of
freemat into both places even if the entire test suite isn't run?)

cheers
Stuart


-- System Information:
Debian Release: 9.0
  APT prefers testing-proposed-updates
  APT policy: (550, 'testing-proposed-updates'), (500, 'testing-debug'), (500, 'testing'), (60, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freemat depends on:
ii  freemat-data              4.2+dfsg1-3
ii  libarpack2                3.4.0-1+b1
ii  libboost-math1.62.0       1.62.0+dfsg-4
ii  libc6                     2.24-10
ii  libclang1-3.8             1:3.8.1-23
ii  libffi6                   3.2.1-6
ii  libfftw3-double3          3.3.5-3
ii  libfftw3-single3          3.3.5-3
ii  libgcc1                   1:6.3.0-18
ii  libgfortran3              6.3.0-18
ii  libgl1-mesa-glx [libgl1]  13.0.6-1+b2
ii  libglu1-mesa [libglu1]    9.0.0-2.1
ii  libncurses5               6.0+20161126-1
ii  libpcre3                  2:8.39-3
ii  libportaudio2             19.6.0-1
ii  libqt4-network            4:4.8.7+dfsg-11
ii  libqt4-opengl             4:4.8.7+dfsg-11
ii  libqt4-svg                4:4.8.7+dfsg-11
ii  libqt4-xml                4:4.8.7+dfsg-11
ii  libqtcore4                4:4.8.7+dfsg-11
ii  libqtgui4                 4:4.8.7+dfsg-11
ii  libquadmath0              6.3.0-18
ii  libstdc++6                6.3.0-18
ii  libtinfo5                 6.0+20161126-1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages freemat recommends:
ii  freemat-help  4.2+dfsg1-3

freemat suggests no packages.

-- no debconf information



Processed: found 863671 in 1.7-1, tagging 863671

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 863671 1.7-1
Bug #863671 [picocom] CVE-2015-9059
Marked as found in versions picocom/1.7-1.
> tags 863671 + upstream
Bug #863671 [picocom] CVE-2015-9059
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 863673

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 863673 + upstream
Bug #863673 [freeradius] CVE-2017-9148: FreeRADIUS TLS resumption 
authentication bypass
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863230: marked as pending

2017-05-29 Thread Balint Reczey
tag 863230 pending
thanks

Hello,

Bug #863230 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

http://anonscm.debian.org/git/pkg-multimedia/kodi.git/commit/?id=a6d65b0

---
commit a6d65b025d0a6f02b342adc7b3d359ae31c7ea60
Author: Balint Reczey 
Date:   Mon May 29 11:43:21 2017 +0200

Update changelog

diff --git a/debian/changelog b/debian/changelog
index 610765e..0ddadc3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+kodi (16.1+dfsg1-2~bpo8+2) jessie-backports; urgency=medium
+
+  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+(Closes: #863230)
+  * Add test for CVE-2017-8314 to autotools-based build
+
+ -- Balint Reczey   Mon, 29 May 2017 11:42:30 +0200
+
 kodi (16.1+dfsg1-2~bpo8+1) jessie-backports; urgency=medium
 
   * Rebuild for jessie-backports.
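Review bot: the first bullet of the new entry names CVE-2017-8314 and closes #863230 but does not say which patch file or upstream commit carries the fix, so someone auditing this backport cannot tell from the changelog what was applied. Naming it in the bullet would close that gap. The second bullet could likewise say whether the added test runs at build time or only on request.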



Processed: Bug#863230 marked as pending

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 863230 pending
Bug #863230 {Done: Balint Reczey } [kodi] kodi: 
CVE-2017-8314: malicious subtitle zip files vulnerability
Bug #863236 {Done: Balint Reczey } [kodi] kodi: Kodi 
advising to upgrade to 17.2, due to security flaw
Added tag(s) pending.
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863230
863236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: found 857522 in 1:9.10.3.dfsg.P4-12.3, found 857680 in llvm-4.0-examples/1:4.0.1~+rc1-1 ...

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 857522 1:9.10.3.dfsg.P4-12.3
Bug #857522 [libbind-export-dev] libbind-export-dev: broken symlinks: 
/usr/lib/x86_64-linux-gnu/liblwres-export.so -> 
/lib/x86_64-linux-gnu/liblwres-export.so.141, 
/usr/lib/x86_64-linux-gnu/libbind9.so -> libbind9.so.140.0.10
Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3.
> found 857680 llvm-4.0-examples/1:4.0.1~+rc1-1
Bug #857680 [llvm-3.8-examples] llvm-3.8-examples: broken symlinks: 
/usr/share/doc/llvm-3.8-examples/Makefile.* -> 
../../../lib/llvm-3.8/build/Makefile.*
The source llvm-4.0-examples and version 1:4.0.1~+rc1-1 do not appear to match 
any binary packages
Marked as found in versions llvm-4.0-examples/1:4.0.1~+rc1-1.
> found 859806 1.13.4-2
Bug #859806 [icinga-common] icinga-common: broken symlink: 
/usr/share/doc/icinga-common/README -> README.md
Marked as found in versions icinga/1.13.4-2.
> affects 857659 + gridengine-common
Bug #857659 [gridengine-client] gridengine-client: broken symlink: 
/var/lib/gridengine/jobsbin -> /usr/lib/gridengine/jobsbin
Added indication that 857659 affects gridengine-common
> affects 863676 + libcoarrays-dev
Bug #863676 [libcaf-mpi1] libcaf-mpi1: missing Breaks+Replaces: libcoarrays0d 
(<< 1.8.10)
Added indication that 863676 affects libcoarrays-dev
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
857522: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857522
857659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857659
857680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857680
859806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859806
863676: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863680: gobby: fails to upgrade squeeze -> wheezy -> jessie -> stretch

2017-05-29 Thread Andreas Beckmann
Package: gobby
Version: 0.5.0-8
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'squeeze' to 'wheezy' to 'jessie'.
It installed fine in 'squeeze', and upgraded to 'wheezy' and 'jessie'
successfully, but then the upgrade to 'stretch' failed.

From the attached log (scroll to the bottom...):

  Unpacking gobby (0.5.0-8) over (0.5.0-4) ...
  dpkg: error processing archive /var/cache/apt/archives/gobby_0.5.0-8_i386.deb 
(--unpack):
   trying to overwrite '/usr/share/pixmaps/gobby.xpm', which is also in package 
gobby-0.4 0.4.13-2

Looks like gobby is missing Breaks+Replaces: gobby-0.4


cheers,

Andreas


gobby_0.5.0-8.log.gz
Description: application/gzip


Processed: Re: [Pkg-puppet-devel] Bug#863632: puppetmaster: The broken compatibility with older agents

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #863632 {Done: Salvatore Bonaccorso } [puppetmaster] 
puppetmaster: The broken compatibility with older agents
Severity set to 'important' from 'serious'
> tags -1 wontfix
Bug #863632 {Done: Salvatore Bonaccorso } [puppetmaster] 
puppetmaster: The broken compatibility with older agents
Added tag(s) wontfix.

-- 
863632: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863632: [Pkg-puppet-devel] Bug#863632: puppetmaster: The broken compatibility with older agents

2017-05-29 Thread Apollon Oikonomopoulos
Control: severity -1 important
Control: tags -1 wontfix

Dear Martin,

On 15:12 Mon 29 May , Martin Duspiva wrote:
> Dear Maintainer,
> 
> After installing the last security update 3.7.2-4+deb8u1, the puppet 
> master doesn't work with puppet agents ( clients ) on Debian Squeeze 
> and Wheezy.  The error on agent is:

Thank you for the report.

Unfortunately this is a known and well-documented issue. It's documented 
in both the package's debian/NEWS, and the Debian Security 
Announcement[1] on the debian-security-announce mailing list.

[1] https://lists.debian.org/debian-security-announce/2017/msg00122.html

It is (at least currently) impossible to retain compatibility and fix 
the vulnerability at the same time, as the 2.7 agent sends everything 
using YAML while the 3.7 master will reject YAML as unsafe. The 
recommended approach is to use the 3.7 packages from wheezy-backports on 
wheezy agents. I know this is not ideal, but 2.7 has been unsupported 
upstream for quite a while now.

Regards,
Apollon



Bug#863679: /usr/sbin/pm-powersave: repeatedly runs until /var/log/pm-powersave.log fills up disk

2017-05-29 Thread Vagrant Cascadian
Package: pm-utils
Version: 1.4.1-17
Severity: critical
File: /usr/sbin/pm-powersave
Justification: breaks the whole system

In the last few days, pm-powersave is being called roughly once per
second, which is logging to /var/log/pm-powersave.log until there's no
disk space left. I don't think I have any custom configuration of
pm-utils or related software.

I've worked around the issue by installing a script that sleeps 600
seconds into /etc/pm/power.d/zzzsleep, but this obviously isn't a real
solution...

It appears to be getting called by acpid, so maybe the problem really
lies there:

  ├─acpid
  │   └─sh -c /etc/acpi/power.sh
  │   └─power.sh /etc/acpi/power.sh
  │   └─pm-powersave /usr/sbin/pm-powersave false
  │   └─zzzsleep /etc/pm/power.d/zzzsleep false
  │   └─sleep 600

One iteration loop in /var/log/pm-powersave.log looks like this:

  Running hook /usr/lib/pm-utils/power.d/95hdparm-apm false:
  /usr/lib/pm-utils/power.d/95hdparm-apm false: success.

  Running hook /usr/lib/pm-utils/power.d/anacron false:
  /usr/lib/pm-utils/power.d/anacron false: success.

  Running hook /usr/lib/pm-utils/power.d/disable_wol false:
  Setting Wake On Lan for enp2s0 to enable...Done.
  /usr/lib/pm-utils/power.d/disable_wol false: success.

  Running hook /usr/lib/pm-utils/power.d/intel-audio-powersave false:
  Setting power savings for snd_hda_intel to 0...Done.
  /usr/lib/pm-utils/power.d/intel-audio-powersave false: success.

  Running hook /usr/lib/pm-utils/power.d/laptop-mode false:
  Laptop mode disabled.
  /usr/lib/pm-utils/power.d/laptop-mode false: success.

  Running hook /usr/lib/pm-utils/power.d/pci_devices false:
  Setting Host Bridge :00:00.0 to on
  Setting Audio device :00:03.0 to on
  Setting Audio device :00:1b.0 to on
  Setting Ethernet device :02:00.0 to on
  Setting Wireless device :03:00.0 to on
  /usr/lib/pm-utils/power.d/pci_devices false: success.

  Running hook /usr/lib/pm-utils/power.d/pcie_aspm false:
  sh: echo: I/O error
  /usr/lib/pm-utils/power.d/pcie_aspm false: success.

  Running hook /usr/lib/pm-utils/power.d/sata_alpm false:
  Setting SATA ALPM on host0 to max_performance...Done.
  Setting SATA ALPM on host1 to max_performance...Done.
  /usr/lib/pm-utils/power.d/sata_alpm false: success.

  Running hook /usr/lib/pm-utils/power.d/sched-powersave false:
  **sched policy powersave OFF
  /usr/lib/pm-utils/power.d/sched-powersave false: success.

  Running hook /usr/lib/pm-utils/power.d/usb_bluetooth false:
  /usr/lib/pm-utils/power.d/usb_bluetooth false: success.

  Running hook /usr/lib/pm-utils/power.d/wireless false:
  Turning powersave for wlp3s0 off...Error for wireless request "Set Power 
Management" (8B2C) :
  SET failed on device wlp3s0 ; Operation not supported.
  Failed.
  /usr/lib/pm-utils/power.d/wireless false: success.

  Running hook /usr/lib/pm-utils/power.d/xfs_buffer false:
  /usr/lib/pm-utils/power.d/xfs_buffer false: not applicable.

Any suggestions for further debugging appreciated!

live well,
  vagrant

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (120, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pm-utils depends on:
ii  powermgmt-base  1.31+nmu1

Versions of packages pm-utils recommends:
ii  ethtool  1:4.8-1+b1
ii  hdparm   9.51+ds-1
ii  kbd  2.0.3-2+b1
ii  procps   2:3.3.12-3
ii  vbetool  1.1-4

Versions of packages pm-utils suggests:
pn  cpufrequtils
pn  radeontool  
ii  wireless-tools  30~pre9-12+b1

-- no debconf information




Bug#863677: spambayes: symlink loop detected in path 'usr/bin/sb_bnfilter.py'

2017-05-29 Thread Andreas Beckmann
Package: spambayes
Version: 1.1b1-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

0m35.0s ERROR: FAIL: debsums reports modifications inside the chroot:
  debsums: Error: symlink loop detected in path 'usr/bin/sb_bnfilter.py'. 
Please file a bug again spambayes.


cheers,

Andreas


spambayes_1.1b1-2.log.gz
Description: application/gzip


Bug#863676: libcaf-mpi1: missing Breaks+Replaces: libcoarrays0d (<< 1.8.10)

2017-05-29 Thread Andreas Beckmann
Package: libcaf-mpi1
Version: 1.8.10-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Control: affects -1 + open-coarrays-bin

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'sid' to 'experimental'.
It installed fine in 'sid', then the upgrade to 'experimental' fails
because it tries to overwrite other packages' files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces

From the attached log (scroll to the bottom...):

  Selecting previously unselected package libcaf-mpi1:amd64.
  Preparing to unpack .../libcaf-mpi1_1.8.10-1_amd64.deb ...
  Unpacking libcaf-mpi1:amd64 (1.8.10-1) ...
  dpkg: error processing archive 
/var/cache/apt/archives/libcaf-mpi1_1.8.10-1_amd64.deb (--unpack):
   trying to overwrite '/usr/lib/x86_64-linux-gnu/libcaf_mpi.so.1', which is 
also in package libcoarrays0d:amd64 1.8.6-2
  Preparing to unpack .../open-coarrays-bin_1.8.10-1_amd64.deb ...
  Unpacking open-coarrays-bin:amd64 (1.8.10-1) over (1.8.6-2) ...
  Errors were encountered while processing:
   /var/cache/apt/archives/libcaf-mpi1_1.8.10-1_amd64.deb


cheers,

Andreas


open-coarrays-bin_1.8.10-1.log.gz
Description: application/gzip


Processed: libcaf-mpi1: missing Breaks+Replaces: libcoarrays0d (<< 1.8.10)

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + open-coarrays-bin
Bug #863676 [libcaf-mpi1] libcaf-mpi1: missing Breaks+Replaces: libcoarrays0d 
(<< 1.8.10)
Added indication that 863676 affects open-coarrays-bin

-- 
863676: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863675: libmariadbd-dev: fails to upgrade from 'sid' - trying to overwrite /usr/bin/mysql_config

2017-05-29 Thread Andreas Beckmann
Package: libmariadbd-dev
Version: 10.3.0-0+exp2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'sid' to 'experimental'.
It installed fine in 'sid', then the upgrade to 'experimental' fails
because it tries to overwrite other packages' files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces

From the attached log (scroll to the bottom...):

  Selecting previously unselected package libmariadb-dev:amd64.
  Preparing to unpack .../10-libmariadb-dev_10.3.0-0+exp2_amd64.deb ...
  Unpacking libmariadb-dev:amd64 (10.3.0-0+exp2) ...
  dpkg: error processing archive 
/tmp/apt-dpkg-install-vvkKED/10-libmariadb-dev_10.3.0-0+exp2_amd64.deb 
(--unpack):
   trying to overwrite '/usr/bin/mysql_config', which is also in package 
libmariadbclient-dev 10.1.23-8


cheers,

Andreas


libmariadbd-dev_10.3.0-0+exp2.log.gz
Description: application/gzip


Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass

2017-05-29 Thread Guido Günther
Package: freeradius
Version: 3.0.12+dfsg-4
severity: grave

Hi,

the following vulnerability was published for freeradius.

CVE-2017-9148[0]: FreeRADIUS TLS resumption authentication bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148

Please adjust the affected versions in the BTS as needed.
Cheers,
 -- Guido



Bug#827122: liboasis3-0d: libpsmile.so is a broken symbolic link to libpsmile.MPI1.so.0d

2017-05-29 Thread Andreas Beckmann
Followup-For: Bug #827122
Control: found -1 3.mct+dfsg.121022-8
Control: affects -1 + liboasis3-doc

Hi,

still present in the latest upload:

0m59.2s ERROR: FAIL: Broken symlinks:
  /usr/lib/i386-linux-gnu/libpsmile.so -> libpsmile.MPI1.so.0d
0m59.5s DEBUG: Starting command: ['umount', '/tmp/piupartss/tmpANSro6/dev/shm']


Andreas



Processed: Re: liboasis3-0d: libpsmile.so is a broken symbolic link to libpsmile.MPI1.so.0d

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> found -1 3.mct+dfsg.121022-8
Bug #827122 {Done: Alastair McKinstry } [liboasis3-dev] 
liboasis3-0d: libpsmile.so is a broken symbolic link to libpsmile.MPI1.so.0d
Marked as found in versions oasis3/3.mct+dfsg.121022-8; no longer marked as 
fixed in versions oasis3/3.mct+dfsg.121022-8 and reopened.
> affects -1 + liboasis3-doc
Bug #827122 [liboasis3-dev] liboasis3-0d: libpsmile.so is a broken symbolic 
link to libpsmile.MPI1.so.0d
Added indication that 827122 affects liboasis3-doc

-- 
827122: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861878: marked as done (nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 21:04:56 +
with message-id 
and subject line Bug#861878: fixed in nvidia-cuda-toolkit 8.0.44-4
has caused the Debian Bug report #861878,
regarding nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861878
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nvidia-cuda-toolkit
Version: 8.0.44-3
Severity: serious
Justification: breaks basic use of nvcc

Hello,

Now that gcc has defaulted to building with pie, we're getting issues
with the binaries produced by nvcc:

cc    -c -o test.o test.c
nvcc -ccbin clang-3.8 -c test-cuda.cu -o test-cuda.o
cc   test.o test-cuda.o  -lcudart -o test
/usr/bin/ld: test-cuda.o: relocation R_X86_64_32S against `.bss' can not be 
used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output

The attached archive shows this testcase: it just builds a test.o with
nvcc, and tries to link it with gcc, and that fails with the message
above.  This can be fixed by passing --compiler-options -fpie to nvcc,
but that's something that users will have a hard time understanding,
while it will be basically always needed in Stretch. So I'd tend to
think /usr/bin/nvcc should actually do

exec /usr/lib/nvidia-cuda-toolkit/bin/nvcc --compiler-options -fpie "$@"

to save users big headaches.

Samuel

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nvidia-cuda-toolkit depends on:
ii  clang                            1:3.8-36
ii  clang-3.8                        1:3.8.1-23
ii  g++-5                            5.4.1-8
ii  gcc-5                            5.4.1-8
ii  libc6                            2.24-10
ii  libgcc1                          1:7-20170407-1
ii  libnvvm3                         8.0.44-3
ii  libstdc++6                       7-20170407-1
ii  nvidia-cuda-dev                  8.0.44-3
ii  nvidia-profiler                  8.0.44-3
ii  ocl-icd-opencl-dev [opencl-dev]  2.2.11-1

Versions of packages nvidia-cuda-toolkit recommends:
pn  nvidia-cuda-doc 
ii  nvidia-cuda-gdb 8.0.44-3
ii  nvidia-visual-profiler  8.0.44-3

Versions of packages nvidia-cuda-toolkit suggests:
ii  libcupti-dev   8.0.44-3
pn  nvidia-driver  

-- no debconf information

-- 
Samuel
Fatal Error: Found [MS-Windows] System -> Repartitioning Disk for Linux...
(By cbbr...@io.org, Christopher Browne)


test.tgz
Description: application/gtar-compressed
--- End Message ---
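
The wrapper proposed in the report above, sketched as an added example (it is not code from the report or from the Debian package). Only the real nvcc path and `--compiler-options -fpie` come from the report; the function names, the handling of `-Xcompiler` and of a caller's own PIC/PIE choice, and the sample command lines are assumptions.

```shell
#!/bin/sh
# Added example: a /usr/bin/nvcc wrapper that defaults host code to -fpie.
# REAL_NVCC is the path quoted in the report; all function names are illustrative.
REAL_NVCC=/usr/lib/nvidia-cuda-toolkit/bin/nvcc

# Return 0 if a comma-separated host-compiler option list already makes a
# PIC/PIE choice, whether enabling or disabling it.
list_sets_pic() {
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting on commas
    for opt in $1; do
        case $opt in
            -fpie|-fPIE|-fpic|-fPIC|-fno-pie|-fno-PIE|-fno-pic|-fno-PIC)
                IFS=$old_ifs; set +f
                return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Return 0 if the caller already chose a PIC/PIE mode for the host compiler,
# via --compiler-options or its short form -Xcompiler (separate or =LIST).
caller_sets_pic() {
    expect_list=no
    for arg in "$@"; do
        if [ "$expect_list" = yes ]; then
            expect_list=no
            if list_sets_pic "$arg"; then return 0; fi
            continue
        fi
        case $arg in
            --compiler-options|-Xcompiler)
                expect_list=yes ;;
            --compiler-options=*|-Xcompiler=*)
                if list_sets_pic "${arg#*=}"; then return 0; fi ;;
        esac
    done
    return 1
}

# Print the argument vector the wrapper would hand to the real nvcc,
# one argument per line (used here to show the effect without running nvcc).
wrapped_args() {
    if ! caller_sets_pic "$@"; then
        set -- --compiler-options -fpie "$@"
    fi
    printf '%s\n' "$@"
}

# What the installed wrapper itself would do: same decision, then exec.
nvcc_wrapper() {
    if ! caller_sets_pic "$@"; then
        set -- --compiler-options -fpie "$@"
    fi
    exec "$REAL_NVCC" "$@"
}

# Constructed command lines: the first is the one from the report,
# the second already carries its own -fPIC and is passed through unchanged.
wrapped_args -ccbin clang-3.8 -c test-cuda.cu -o test-cuda.o
wrapped_args -Xcompiler -Wall,-fPIC -c test-cuda.cu -o test-cuda.o
```

Leaving an explicit `-fno-pie` or `-fPIC` from the caller untouched keeps builds that deliberately opt out, or that produce shared libraries, working as before.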
--- Begin Message ---
Source: nvidia-cuda-toolkit
Source-Version: 8.0.44-4

We believe that the bug you reported is fixed in the latest version of
nvidia-cuda-toolkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann  (supplier of updated nvidia-cuda-toolkit 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2017 20:48:54 +0200
Source: nvidia-cuda-toolkit
Binary: nvidia-cuda-toolkit nvidia-cuda-doc nvidia-cuda-gdb nvidia-profiler 
nvidia-visual-profiler nvidia-nsight nvidia-cuda-dev nvidia-opencl-dev 
libcudart8.0 libcuinj64-8.0 libnvrtc8.0 libnvtoolsext1 libnvvm3 libcupti8.0 
libcupti-dev libcupti-doc libcublas8.0 libnvblas8.0 libcufft8.0 libcufftw8.0 
libcurand8.0 libcusolver8.0 libcusparse8.0 libnppc8.0 libnppi8.0 libnppial8.0 
libnppicc8.0 libnppicom8.0 libnppidei8.0 libnppif8.0 libnppig8.0 libnppim8.0 
libnppist8.0 libnppisu8.0 libnppitc8.0 libnpps8.0 libnvgraph8.0

Bug#852261: upstream patch

2017-05-29 Thread Elena ``of Valhalla''
I'm attaching a quilt patch that applies to version 0.5.0-0.1 with the
two commits from the upstream repo that solve the issue.

I've tried to build it: it does and it seems to be working fine on my
armhf board.

I'm not attaching a full debdiff because as far as I understand it
upstream is only waiting for confirmation from Jack Henschel that the
code is also working for him before closing the issue, and then it would
be available in the next upstream release, which I expect is probably
worth waiting for (at least for a while) at this stage, since it's going
to end up in buster anyway.

I did build on a machine with an UTF-8 locale, however.
-- 
Elena ``of Valhalla''
Index: profanity-0.5.0/src/common.c
===
--- profanity-0.5.0.orig/src/common.c	2016-09-15 23:53:43.0 +0200
+++ profanity-0.5.0/src/common.c	2017-05-29 22:21:35.722237804 +0200
@@ -509,13 +509,25 @@
 return *result;
 }
 
-if (g_str_has_prefix([offset], needle)) {
+gchar *haystack_curr = g_utf8_offset_to_pointer(haystack, offset);
+if (g_str_has_prefix(haystack_curr, needle)) {
 if (whole_word) {
-char *prev = g_utf8_prev_char([offset]);
-char *next = g_utf8_next_char([offset] + strlen(needle) - 1);
-gunichar prevu = g_utf8_get_char(prev);
-gunichar nextu = g_utf8_get_char(next);
-if (!g_unichar_isalnum(prevu) && !g_unichar_isalnum(nextu)) {
+gchar *needle_last_ch = g_utf8_offset_to_pointer(needle, g_utf8_strlen(needle, -1)- 1);
+int needle_last_ch_len = mblen(needle_last_ch, MB_CUR_MAX);
+
+gunichar before = NULL;
+gchar *haystack_before_ch = g_utf8_find_prev_char(haystack, haystack_curr);
+if (haystack_before_ch) {
+before = g_utf8_get_char(haystack_before_ch);
+}
+
+gunichar after = NULL;
+gchar *haystack_after_ch = g_utf8_find_next_char(haystack_curr + strlen(needle) - needle_last_ch_len, NULL);
+if (haystack_after_ch) {
+after = g_utf8_get_char(haystack_after_ch);
+}
+
+if (!g_unichar_isalnum(before) && !g_unichar_isalnum(after)) {
 *result = g_slist_append(*result, GINT_TO_POINTER(offset));
 }
 } else {
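Review bot: mblen(needle_last_ch, MB_CUR_MAX) in the whole_word branch depends on the process locale, and its result is used unchecked. Under a non-UTF-8 LC_CTYPE it need not return the UTF-8 length and can return -1, in which case haystack_curr + strlen(needle) - needle_last_ch_len points past the end of the match and g_utf8_find_next_char steps further still, possibly beyond the terminating NUL. The character after the match starts at haystack_curr + strlen(needle), so calling g_utf8_get_char there needs neither mblen nor the last-character lookup. Separately, `gunichar before = NULL;` and `gunichar after = NULL;` assign a pointer constant to an integer type; initialise both with 0.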
@@ -523,8 +535,9 @@
 }
 }
 
-if (haystack[offset+1] != '\0') {
-*result = prof_occurrences(needle, haystack, offset+1, whole_word, result);
+offset++;
+if (g_strcmp0(g_utf8_offset_to_pointer(haystack, offset), "\0") != 0) {
+*result = prof_occurrences(needle, haystack, offset, whole_word, result);
 }
 
 return *result;
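Review bot: the end-of-string test in the added `if` goes through g_strcmp0(..., "\0"), which is just an empty-string comparison; dereferencing the pointer and testing it against '\0' says the same thing directly. g_utf8_offset_to_pointer also walks from the start of haystack on every call while the function recurses once per character, so the scan is quadratic in the message length and the recursion depth equals it. Carrying the current pointer along, or looping instead of recursing, avoids both.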
Index: profanity-0.5.0/tests/unittests/test_common.c
===
--- profanity-0.5.0.orig/tests/unittests/test_common.c	2016-09-15 23:53:43.0 +0200
+++ profanity-0.5.0/tests/unittests/test_common.c	2017-05-29 22:21:29.225862420 +0200
@@ -444,6 +444,13 @@
 assert_true(_lists_equal(prof_occurrences("boothj5", "boothj5, hi",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
 g_slist_free(expected); expected = NULL;
 
+expected = g_slist_append(expected, GINT_TO_POINTER(0));
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "我能吞下玻璃而",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "我能吞下玻璃而 hi",   0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "我能吞下玻璃而: hi",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "我能吞下玻璃而, hi",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+g_slist_free(expected); expected = NULL;
+
 expected = g_slist_append(expected, GINT_TO_POINTER(6));
 assert_true(_lists_equal(prof_occurrences("boothj5", "hello boothj5",0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
 assert_true(_lists_equal(prof_occurrences("boothj5", "hello boothj5 there",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
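Review bot: every case added in this hunk expects a match; none has the multi-byte needle directly preceded or followed by an alphanumeric character with whole_word set, which is the decision the rewritten before/after check makes. Add at least one such case that expects an empty list, for example the needle immediately followed by a letter.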
@@ -451,6 +458,12 @@
 g_slist_free(expected); expected = NULL;
 
 expected = g_slist_append(expected, GINT_TO_POINTER(6));
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "hello 我能吞下玻璃而",0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "hello 我能吞下玻璃而 there",  0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+assert_true(_lists_equal(prof_occurrences("我能吞下玻璃而", "heyy @我能吞下玻璃而, there", 0, TRUE, ), expected)); g_slist_free(actual); actual = NULL;
+g_slist_free(expected); expected = NULL;
+
+expected = g_slist_append(expected, GINT_TO_POINTER(6));
 expected = g_slist_append(expected, GINT_TO_POINTER(26));
 
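Review bot: the expected offset 6 in the added cases follows an ASCII-only prefix ("hello ", "heyy @"), where character offset and byte offset are the same number, so these tests pass whether prof_occurrences reports characters or bytes. A case with a multi-byte character before the needle would pin down which of the two is intended.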

Bug#863671: CVE-2015-9059

2017-05-29 Thread Moritz Muehlenhoff
Package: picocom
Severity: grave
Tags: security

2015 CVE ID, but only recently assigned:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9059

Cheers,
Moritz



Bug#863652: system-config-lvm: crash on stretch, python gtk bug?

2017-05-29 Thread Chris Lamb
Hi Gregory,

> Severity: critical
> Justification: causes serious data loss

Whilst I see the crash/traceback can you explain how it causes data loss?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#863669: seqan-apps: broken symlink on i386: /usr/bin/splazers -> ../lib/seqan/bin/splazers

2017-05-29 Thread Andreas Beckmann
Package: seqan-apps
Version: 2.3.1+dfsg-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

0m29.7s ERROR: FAIL: Broken symlinks:
  /usr/bin/splazers -> ../lib/seqan/bin/splazers

There is a /usr/lib/seqan/bin/splazers on amd64, but not on i386.
I did not check the other architectures.


cheers,

Andreas


seqan-apps_2.3.1+dfsg-3.log.gz
Description: application/gzip


Bug#861878: nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler

2017-05-29 Thread Andreas Beckmann
On 2017-05-22 09:58, lumin wrote:
> This patch simply discusses the way of getting NVCC
> working with the compiler in README.Debian.
> 
> Please review.

Thanks, just uploaded.


Andreas



Bug#859655: marked as done (golang-go.crypto: CVE-2017-3204)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 14:56:15 -0500
with message-id <20170529145615.1230c...@arctic.lustfield.net>
and subject line 
has caused the Debian Bug report #859655,
regarding golang-go.crypto: CVE-2017-3204
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859655: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859655
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767

Hi,

the following vulnerability was published for golang-go.crypto.

CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Unless I missed something, this has been resolved. Closing.

-- 
Michael Lustfield
--- End Message ---


Bug#863652: system-config-lvm: crash on stretch, python gtk bug?

2017-05-29 Thread gregory bahde
Package: system-config-lvm
Version: 1.1.18-3
Severity: critical
Justification: causes serious data loss

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***


Dear sir, just discovered that system-config-lvm was crashing on my system:
It didn't occur during an operation as it crashes pretty quickly


Ready to help and provide more info.


Here is the output, running as root:


  scaled_pixbuf = self.pixbuf.scale_simple(pixmap_width, height, gtk.gdk.INTERP_BILINEAR)
Traceback (most recent call last):
  File "/usr/share/system-config-lvm/Volume_Tab_View.py", line 486, in on_tree_selection_changed
    self.on_best_fit(None)
  File "/usr/share/system-config-lvm/Volume_Tab_View.py", line 555, in on_best_fit
    self.display_view.draw()
  File "/usr/share/system-config-lvm/renderer.py", line 604, in draw
    self.display.draw(self.da, self.gc, (10, y_offset))
  File "/usr/share/system-config-lvm/cylinder_items.py", line 513, in draw
    self.cyl.draw(pixmap, gc, (x, y))
  File "/usr/share/system-config-lvm/cylinder_items.py", line 305, in draw
    CylinderItem.draw(self, dc, gc, (x, y))
  File "/usr/share/system-config-lvm/cylinder_items.py", line 120, in draw
    child.draw(dc, gc, (x, y))
  File "/usr/share/system-config-lvm/cylinder_items.py", line 311, in draw
    cyl_pix = self.cyl_gen.get_cyl(dc, self.get_width(), self.height)
  File "/usr/share/system-config-lvm/cylinder_items.py", line 1039, in get_cyl
    pixmap.draw_pixbuf(gc, scaled_pixbuf, 0, 0, 0, 0, -1, -1)
TypeError: Gdk.Drawable.draw_pixbuf() argument 2 must be gtk.gdk.Pixbuf, not None
The program 'system-config-lvm.py' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 9424 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)








-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (502, 'testing'), (500, 'testing-proposed-updates'), (500, 'stable'), (10, 'experimental'), (10, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages system-config-lvm depends on:
ii  gettext        0.19.8.1-2
ii  gsfonts        1:8.11+urwcyr1.0.7~pre44-4.3
ii  lvm2           2.02.168-2
ii  menu           2.1.47+b1
ii  python-glade2  2.24.0-5.1
ii  python-gnome2  2.28.1+dfsg-1.2
ii  python-gtk2    2.24.0-5.1
pn  python:any

system-config-lvm recommends no packages.

system-config-lvm suggests no packages.

-- debconf-show failed



Processed: pcsc-cyberjack: diff for NMU version 3.99.5final.sp09-1.1

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags 819555 + patch
Bug #819555 [libifd-cyberjack6] pcscd: cyberJack pp_a2 init failed with 
pcscd_1.8.16-1
Bug #819659 [libifd-cyberjack6] pcscd: readerfactory.c:372:RFAddReader(e-com) 
REINER SCT cyberJack pp_a2 init failed
Bug #862437 [libifd-cyberjack6] pcsc-cyberjack: REINER SCT cyberJack pp_a2 
Failed adding USB device
Added tag(s) patch.
Added tag(s) patch.
Added tag(s) patch.
> tags 819555 + pending
Bug #819555 [libifd-cyberjack6] pcscd: cyberJack pp_a2 init failed with 
pcscd_1.8.16-1
Bug #819659 [libifd-cyberjack6] pcscd: readerfactory.c:372:RFAddReader(e-com) 
REINER SCT cyberJack pp_a2 init failed
Bug #862437 [libifd-cyberjack6] pcsc-cyberjack: REINER SCT cyberJack pp_a2 
Failed adding USB device
Added tag(s) pending.
Added tag(s) pending.
Added tag(s) pending.

-- 
819555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819555
819659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819659
862437: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#819555: pcsc-cyberjack: diff for NMU version 3.99.5final.sp09-1.1

2017-05-29 Thread Adrian Bunk
Control: tags 819555 + patch
Control: tags 819555 + pending

Dear maintainer,

I've prepared an NMU for pcsc-cyberjack (versioned as 
3.99.5final.sp09-1.1) and uploaded it to DELAYED/3.
Please feel free to tell me if I should delay it longer.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed


diff -Nru pcsc-cyberjack-3.99.5final.sp09/debian/changelog pcsc-cyberjack-3.99.5final.sp09/debian/changelog
--- pcsc-cyberjack-3.99.5final.sp09/debian/changelog	2016-03-23 13:31:31.0 +0200
+++ pcsc-cyberjack-3.99.5final.sp09/debian/changelog	2017-05-29 21:33:13.0 +0300
@@ -1,3 +1,11 @@
+pcsc-cyberjack (3.99.5final.sp09-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch from Frank Dietrich to re-enable proper support
+for devices with id 0x400 and 0x401. (Closes: #819555)
+
+ -- Adrian Bunk   Mon, 29 May 2017 21:33:13 +0300
+
 pcsc-cyberjack (3.99.5final.sp09-1) unstable; urgency=medium
 
   * Imported Upstream version 3.99.5final.SP09
diff -Nru pcsc-cyberjack-3.99.5final.sp09/debian/patches/enable_pinpad_ecom.patch pcsc-cyberjack-3.99.5final.sp09/debian/patches/enable_pinpad_ecom.patch
--- pcsc-cyberjack-3.99.5final.sp09/debian/patches/enable_pinpad_ecom.patch	1970-01-01 02:00:00.0 +0200
+++ pcsc-cyberjack-3.99.5final.sp09/debian/patches/enable_pinpad_ecom.patch	2017-05-29 21:31:11.0 +0300
@@ -0,0 +1,20 @@
+--- a/cjeca32/USBUnix.cpp	2016-02-10 11:52:17.0 +0100
 b/cjeca32/USBUnix.cpp	2017-01-05 22:11:09.671117747 +0100
+@@ -287,7 +287,7 @@ int CUSBUnix::Open() {
+ m_bulkIn=0x85;
+ m_intPipe=0x81;
+ break;
+-#if 0
++// #if 0
+   case 0x400:
+ Debug.Out("",
+ 	  DEBUG_MASK_COMMUNICATION_ERROR,
+@@ -309,7 +309,7 @@ int CUSBUnix::Open() {
+ m_bulkIn=0x82;
+ m_intPipe=0x81;
+ break;
+-#endif
++// #endif
+   default:
+ Debug.Out("",
+ 	  DEBUG_MASK_COMMUNICATION_ERROR,
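Review bot: in enable_pinpad_ecom.patch the "#if 0" / "#endif" pair is turned into "// #if 0" and "// #endif" comments instead of being removed, which leaves dead markers around the "case 0x400:" block; dropping the two lines would be cleaner. The patch file also carries no header (Description, Author, Bug-Debian), so the credit to Frank Dietrich exists only in the changelog and nothing records why the block was disabled in the first place; a short DEP-3 header would keep that with the patch.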
diff -Nru pcsc-cyberjack-3.99.5final.sp09/debian/patches/series pcsc-cyberjack-3.99.5final.sp09/debian/patches/series
--- pcsc-cyberjack-3.99.5final.sp09/debian/patches/series	2016-03-23 05:15:31.0 +0200
+++ pcsc-cyberjack-3.99.5final.sp09/debian/patches/series	2017-05-29 21:33:11.0 +0300
@@ -0,0 +1 @@
+enable_pinpad_ecom.patch


Bug#863065: marked as done (fonty-rg: Recommends removed package, and contains unusable scripts)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 18:33:30 +
with message-id 
and subject line Bug#863065: fixed in fonty-rg 0.7-1
has caused the Debian Bug report #863065,
regarding fonty-rg: Recommends removed package, and contains unusable scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863065: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863065
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fonty-rg
Version: 0.6
Severity: serious
Justification: Policy 3.6

The 'utf8' and 'iso' scripts included in fonty-rg use 'consolechars'
command which is not provided by any Debian package, even in jessie, as
the 'console-tools' package was removed from Debian in 2013 (see #671342).
Nevertheless in 2015 fonty-rg started recommending the removed package 
as a fix for #487514.  (Another, unrelated, issue is that the suggested 
'fonty' package is not in Debian either, see #474125).

In my opinion both 'utf8' and 'iso' scripts should be:
 - either removed together with their manpages (or maybe replaced 
   with some documentation in README.Debian explaining how to enable
   fonts from the package?),
 - or rewritten to use console utilities from the kbd package.

Regards,
robert

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

fonty-rg depends on no packages.

Versions of packages fonty-rg recommends:
pn  console-tools  

Versions of packages fonty-rg suggests:
pn  fonty  

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: fonty-rg
Source-Version: 0.7-1

We believe that the bug you reported is fixed in the latest version of
fonty-rg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Radovan Garabík  (supplier of updated 
fonty-rg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2017 19:13:14 +0200
Source: fonty-rg
Binary: fonty-rg
Architecture: source all
Version: 0.7-1
Distribution: unstable
Urgency: low
Maintainer: Radovan Garabík 
Changed-By: Radovan Garabík 
Description: 
 fonty-rg   - Linux console fonts in various encodings
Closes: 863065
Changes: 
 fonty-rg (0.7-1) unstable; urgency=low
 .
   * rewrite iso and utf8 scripts using kbd,
 not console-tools (closes: #863065)
   * change into non-native package

Bug#863065: fonty-rg: Recommends removed package, and contains unusable scripts

2017-05-29 Thread Radovan Garabik
On Sun, May 21, 2017 at 09:36:31AM +0200, Robert Luberda wrote:
 
> In my opinion both 'utf8' and 'iso' scripts should be:
>  - either removed together with their manpages (or maybe replaced 
>with some documentation in README.Debian explaining how to enable
>fonts from the package?),
>  - or rewritten to use console utilities from the kbd package.

Thanks for noticing, I rewrote the package to use kbd. There is a small
regression though, as far as I know it is not possible to specify
fallback for missing characters, but as the text console is marginal
nowadays, I think this will do.

Best,

-- 
 ---
| Radovan Garabík http://kassiopeia.juls.savba.sk/~garabik/ |
| __..--^^^--..__garabik @ kassiopeia.juls.savba.sk |
 ---
Antivirus alert: file .signature infected by signature virus.
Hi! I'm a signature virus! Copy me into your signature file to help me spread!




Bug#863650: libpam-pgsql: SIGSEGV with invalid password stored in the database

2017-05-29 Thread Stefano Merlo
Package: libpam-pgsql
Version: 0.7.3.2-1
Severity: critical
Tags: patch
Justification: breaks unrelated software

When in the DB the password is "*" (password marked as disabled in the shadow
file convention) the crypt(3) function called at backend_pgsql.c:284 returns
NULL, producing  a segmentation fault because of the call to strdup.



-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-pgsql depends on:
ii  libc6        2.19-18+deb8u7
ii  libgcrypt20  1.6.3-2+deb8u2
ii  libpam0g     1.1.8-3.1+deb8u2
ii  libpq5       9.4.10-0+deb8u1

libpam-pgsql recommends no packages.

libpam-pgsql suggests no packages.
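
The crash described in this report, as an added example (not libpam-pgsql's code and not the patch attached to the bug): a NULL result from the hash function is treated as a failed login instead of being copied. The names toy_crypt, hash_password and check_password are assumptions, and toy_crypt is a constructed stand-in for crypt(3) so the block builds without libcrypt.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same signature as crypt(3). Injected so the block runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

enum auth_result { AUTH_OK = 0, AUTH_FAIL = 1 };

/*
 * Constructed stand-in for crypt(3), NOT a real password hash. Like the
 * behaviour described in the report, it returns NULL when the stored value
 * cannot serve as a salt (for example "*" or an empty string).
 */
static char *toy_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    static char out[16];
    unsigned long h = 2166136261UL;            /* FNV-1a, 32 bit */
    size_t i;

    if (strlen(salt) < 2 || !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    for (i = 0; i < 2; i++)
        h = ((h ^ (unsigned char)salt[i]) * 16777619UL) & 0xffffffffUL;
    for (i = 0; key[i] != '\0'; i++)
        h = ((h ^ (unsigned char)key[i]) * 16777619UL) & 0xffffffffUL;
    snprintf(out, sizeof out, "%c%c%08lx", salt[0], salt[1], h);
    return out;
}

/*
 * Heap copy of hash(typed, stored), or NULL when the hash function rejects
 * the stored value or memory runs out. strdup(crypt(...)) as described in
 * the report has no such check and hands NULL straight to strdup().
 */
char *hash_password(crypt_fn hash, const char *typed, const char *stored)
{
    const char *h;
    char *copy;
    size_t n;

    if (hash == NULL || typed == NULL || stored == NULL)
        return NULL;
    h = hash(typed, stored);
    if (h == NULL)
        return NULL;
    n = strlen(h) + 1;
    copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, h, n);
    return copy;
}

/* Compare without stopping at the first differing byte. */
static int equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);

    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A locked or malformed stored value is a failed login, not a crash. */
enum auth_result check_password(crypt_fn hash, const char *typed,
                                const char *stored)
{
    char *computed = hash_password(hash, typed, stored);
    enum auth_result r;

    if (computed == NULL)
        return AUTH_FAIL;
    r = equal_ct(computed, stored) ? AUTH_OK : AUTH_FAIL;
    free(computed);
    return r;
}

int main(void)
{
    char stored[16];                  /* constructed database value */
    const char *rows[] = { stored, "*", "" };
    size_t i;

    snprintf(stored, sizeof stored, "%s", toy_crypt("s3cret", "ab"));
    for (i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("stored=\"%s\" -> %s\n", rows[i],
               check_password(toy_crypt, "s3cret", rows[i]) == AUTH_OK
                   ? "accepted" : "rejected");
    return 0;
}
```

With the real crypt(3) the call is check_password(crypt, typed, stored), linked against libcrypt.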



Bug#863644: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Gianfranco Costamagna

> I'm uploading a debdiff of the two bugs fixed shortly

attached

diff -Nru cqrlog-2.0.2/debian/changelog cqrlog-2.0.2/debian/changelog
--- cqrlog-2.0.2/debian/changelog   2016-09-09 14:58:50.0 +0200
+++ cqrlog-2.0.2/debian/changelog   2017-05-29 19:06:55.0 +0200
@@ -1,3 +1,13 @@
+cqrlog (2.0.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Depent on virtual mysql server implementation (Closes: #848430)
+  * Depend on default-libmysqlclient-dev, to have the libmysqlclient.so
+symlink available at runtime (function TdmData.GetMySQLLib
+loads it dynamically Closes: #863644.
+
+ -- Gianfranco Costamagna   Mon, 29 May 2017 
17:29:07 +0200
+
 cqrlog (2.0.2-1) unstable; urgency=medium
 
   * New upstream bugfix release.
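Review bot: two slips in the new changelog entry: "Depent" should be "Depend", and the parenthesis opened at "(function TdmData.GetMySQLLib" is never closed, so "Closes: #863644." ends up inside it. Suggest ending the item with "loads it dynamically). (Closes: #863644)" so it matches the form used on the line above.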
diff -Nru cqrlog-2.0.2/debian/control cqrlog-2.0.2/debian/control
--- cqrlog-2.0.2/debian/control 2016-05-03 10:56:29.0 +0200
+++ cqrlog-2.0.2/debian/control 2017-05-29 19:05:57.0 +0200
@@ -13,8 +13,8 @@
 
 Package: cqrlog
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, mysql-client | 
mariadb-client, libhamlib2 (>= 1.2.10), libhamlib-utils (>= 1.2.10)
-Recommends: mysql-server | mariadb-server, xplanet
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, default-mysql-client 
| virtual-mysql-client, default-libmysqlclient-dev, libhamlib2 (>= 1.2.10), 
libhamlib-utils (>= 1.2.10)
+Recommends: default-mysql-server | virtual-mysql-server, xplanet
 Description: Advanced logging program for hamradio operators
  CQRLOG is an advanced ham radio logger based on MySQL embedded database. 
  Provides radio control based on hamlib libraries (currently support of 140+ 
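Review bot: the new Depends line pulls default-libmysqlclient-dev (next to the already present libssl-dev) into the runtime dependencies only to get the unversioned libmysqlclient.so symlink, which puts headers and development files on every user's system. As a freeze-time workaround that may be fine, but it deserves a comment in debian/control or a follow-up bug asking that TdmData.GetMySQLLib load the versioned library instead.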







Processed: Re: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> clone -1 -2
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Bug 848430 cloned as bug 863644
> severity -1 important
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Severity set to 'important' from 'serious'
> retitle -2 "cqrlog: misses runtime libmysqlclient.so.* library, breaking db 
> usage"
Bug #863644 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Changed Bug title to '"cqrlog: misses runtime libmysqlclient.so.* library, 
breaking db usage"' from 'cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*'.
> tags -1 patch pending
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Ignoring request to alter tags of bug #848430 to the same tags previously set

-- 
848430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848430
863644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863644
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#848430: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Gianfranco Costamagna
control: clone -1 -2
control: severity -1 important
control: retitle -2 "cqrlog: misses runtime libmysqlclient.so.* library, 
breaking db usage"
control: tags -1 patch pending

I'm uploading a debdiff of the two bugs fixed shortly

G.





Bug#744753: anacron: Anacron not triggered when system resumes under systemd

2017-05-29 Thread Michael Biebl
Hi Peter,

I've just uploaded anacron 2.3-24 to DELAYED/3 with the following changes:


> anacron (2.3-24) unstable; urgency=medium
> 
>   * Team upload.
>   * Reference anacron and anacrontab man page in anacron.service
>   * Use native systemd timer unit to trigger anacron periodically.
> When running under systemd, use a native timer unit which triggers
> anacron.service every hour. If the system was suspended for more then
> one hour, the timer will activate immediately on resume. The timer uses
> a randomized delay of up to 5 minutes. This helps with not overloading
> the system when coming out of suspend.
> Drop anacron-resume.service, as this service is no longer necessary.
> (Closes: #744753)
> 
>  -- Michael Biebl   Mon, 29 May 2017 18:36:12 +0200


I've attached the debdiff as well.

Peter, let me know, if you are not happy with this upload, so we can
cancel it or if you are fine with uploading without DELAY. Once the
upload is made, I will push the changes to Git as well.

I haven't changed the SysV code path (yet), which still relies on hooks
to be triggered on resume as I wanted to keep the changes as minimal as
possible this late into the freeze.

We might eventually consolidate the two approaches and use the patch
from Laurent in [1], which drops all hooks and runs anacron every hour
for SysV as well. Something for buster, I'd say.

Regards,
Michael


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744753#78

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
diff --git a/debian/anacron.anacron-resume.service 
b/debian/anacron.anacron-resume.service
deleted file mode 100644
index 21b840a..000
--- a/debian/anacron.anacron-resume.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Run anacron jobs at resume
-After=suspend.target
-After=hibernate.target
-After=hybrid-sleep.target
-
-[Service]
-ExecStart=/bin/systemctl --no-block --fail start anacron.service
-
-[Install]
-WantedBy=suspend.target
-WantedBy=hibernate.target
-WantedBy=hybrid-sleep.target
-
diff --git a/debian/anacron.preinst b/debian/anacron.preinst
new file mode 100644
index 000..603d3b4
--- /dev/null
+++ b/debian/anacron.preinst
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+if dpkg --compare-versions "$2" lt-nl 2.3-24; then
+   deb-systemd-helper purge anacron-resume.service >/dev/null
+   deb-systemd-helper unmask anacron-resume.service >/dev/null
+fi
+
+#DEBHELPER#
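Review bot: the version test in anacron.preinst never looks at "$1", so it also runs when dpkg calls the script with abort-upgrade, where "$2" is not the previously installed version. Wrapping the block in a case on "$1" for install|upgrade would limit the purge to the real upgrade path. A one-line comment saying that this cleans up the enablement state left by the dropped anacron-resume.service would help the next reader.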
diff --git a/debian/anacron.service b/debian/anacron.service
index 77af569..46450c3 100644
--- a/debian/anacron.service
+++ b/debian/anacron.service
@@ -2,6 +2,7 @@
 Description=Run anacron jobs
 After=time-sync.target
 ConditionACPower=true
+Documentation=man:anacron man:anacrontab
 
 [Service]
 ExecStart=/usr/sbin/anacron -dsq
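Review bot: on the added Documentation= line the man page references carry no section. The usual form is "man:anacron(8) man:anacrontab(5)", which points tools that follow these URIs at the intended pages.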
diff --git a/debian/anacron.timer b/debian/anacron.timer
new file mode 100644
index 000..8a04eb4
--- /dev/null
+++ b/debian/anacron.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Trigger anacron every hour
+
+[Timer]
+OnCalendar=hourly
+RandomizedDelaySec=5m
+Persistent=true
+
+[Install]
+WantedBy=timers.target
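Review bot: anacron.service keeps ConditionACPower=true, so with OnCalendar=hourly an activation that happens on battery is skipped, and unless one of the remaining hooks fires, nothing starts anacron when AC power returns until the next hourly tick plus up to 5 minutes of RandomizedDelaySec. If that delay is accepted, say so in the changelog. A short comment in the unit on what Persistent=true is there for would also save readers a trip to systemd.timer(5).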
diff --git a/debian/changelog b/debian/changelog
index 997e12e..f223e76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+anacron (2.3-24) unstable; urgency=medium
+
+  * Team upload.
+  * Reference anacron and anacrontab man page in anacron.service
+  * Use native systemd timer unit to trigger anacron periodically.
+When running under systemd, use a native timer unit which triggers
+anacron.service every hour. If the system was suspended for more then
+one hour, the timer will activate immediately on resume. The timer uses
+a randomized delay of up to 5 minutes. This helps with not overloading
+the system when coming out of suspend.
+Drop anacron-resume.service, as this service is no longer necessary.
+(Closes: #744753)
+
+ -- Michael Biebl   Mon, 29 May 2017 18:36:12 +0200
+
 anacron (2.3-23) unstable; urgency=medium
 
   * Team upload.
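Review bot: typo in the new entry, "for more then one hour" should read "more than one hour". The entry also does not list the new preinst or the debian/cron.d change that skips invoke-rc.d when /run/systemd/system exists, both of which are part of this upload.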
diff --git a/debian/cron.d b/debian/cron.d
index 1691ffe..505b5c7 100644
--- a/debian/cron.d
+++ b/debian/cron.d
@@ -3,4 +3,4 @@
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-30 7* * *   root   test -x /etc/init.d/anacron && /usr/sbin/invoke-rc.d 
anacron start >/dev/null
+30 7* * *   root   [ -x /etc/init.d/anacron ] && if [ ! -d 
/run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi
diff --git a/debian/rules b/debian/rules
index 0f161df..5d44cc4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -18,14 +18,11 @@ override_dh_auto_install:
install -D -m 755 debian/apm.d debian/anacron/etc/apm/event.d/anacron
install -D -m 755 debian/pm-utils.power.d 
debian/anacron/usr/lib/pm-utils/power.d/anacron
install -D -m 755 debian/pm-utils.sleep.d 
debian/anacron/usr/lib/pm-utils/sleep.d/95anacron
+   install -D -m 

Bug#861536: please do not remove runit

2017-05-29 Thread Jameson Graef Rollins
Please do not remove runit from Debian.  While I understand that systemd
provides the same functionality that runit does, runit is still
nonetheless a useful system that many things currently depend on.

I see no reason why the entire runit source package needs to be removed
if the only problem is the runit-init binary package.  The rest of the
runit binary packages are still useful even without using runit as init.
I think it should be very straightforward to just remove runit-init and
keep everything else.

Thank you for your consideration.

jamie.




Bug#863337: visualvm: Typos in launcher script - does not start anymore

2017-05-29 Thread tony mancill
On Thu, May 25, 2017 at 04:50:56PM +0200, Erich Schubert wrote:
> Package: visualvm
> Version: 1.3.9-1
> Severity: grave
> Justification: renders package unusable
> 
> visualvm does not start anymore with the error:
> Unknown option -L-XX:PermSize=32m


 
> Versions of packages visualvm depends on:
> ii  default-jdk [java7-sdk]    2:1.8-58
> ii  libnb-platform18-java      8.2+dfsg1-1
> ii  libvisualvm-jni            1.3.9-1
> ii  openjdk-8-jdk [java7-sdk]  8u131-b11-2
> ii  openjdk-9-jdk [java7-sdk]  9~b170-2
  ^^^

Hello Erich,

Just as Chris reported, I am also unable to reproduce this behavior on
my stretch or sid systems.  I notice that you have openjdk-9-jdk
installed.  Is it possible that a Java 9 JRE is on your path and being
invoked?  In any event, I'm tagging this +moreinfo.  Please share more
information about your configuration when you can.

Thank you,
tony



Processed: tagging 863337

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 863337 + moreinfo
Bug #863337 [visualvm] visualvm: Typos in launcher script - does not start 
anymore
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863337: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863337
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863616: dacs: effectively built with DACS_HOME=/usr => violates FHS

2017-05-29 Thread Christoph Berg
Control: severity -1 important

Re: Jonas Smedegaard 2017-05-29 
<149605453260.7326.14516673213625304...@auryn.jones.dk>
> Quoting Jonas Smedegaard (2017-05-29 12:35:02)
> > Upstream autoconf oddly ties the --prefix option with a custom - 
> > --dacs_home option which gets hardwired into the installed tools and 
> > is a root directory for both static and variable parts.
> > 
> > dacs 1.4.38a-1 sets --prefix which effectively tells the build 
> > routines to use /usr as the root of both binaries, configuration files 
> > (e.g. debugging hint file debug_dacs_acs), admin-editable web content 
> > (dtds) and variable data (e.g. a sequence file).
> > 
> > In other words, setting --prefix=/usr violates FHS!  Weird, yes.
> 
> It seems like upstream warned about the oddity: When setting --prefix to 
> a short path, the build routines apparently spews this:

Hi Jonas,

I definitely agree that this is pretty weird and should likely be fixed,
but I don't think that the bug is RC - the package works if we get the
SSL woes sorted out, so I'm downgrading to important. We can sort this
out for buster.

> > The prefix path ("$prefix") really should specify a"
> > directory name of the form "/blah/blah/.../dacs*",
> > such as /usr/local/dacs or /usr/local/dacs-xxx.
> > If you insist on using this prefix, please rerun configure with
> > the --disable-prefix-check option
> 
> ...except the package silences that warning by use of 
> --disable-prefix-check :-/

To be revisited, yes.

Christoph



Processed: Re: Bug#863616: dacs: effectively built with DACS_HOME=/usr => violates FHS

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #863616 [src:dacs] dacs: effectively built with DACS_HOME=/usr => violates 
FHS
Severity set to 'important' from 'serious'

-- 
863616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#848430: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Gianfranco Costamagna
control: tags -1 pending

> trivial patch attached:

I forgot to change a recommend, new patch attached and uploaded in DEFERRED/2

diff -Nru cqrlog-2.0.2/debian/control cqrlog-2.0.2/debian/control
--- cqrlog-2.0.2/debian/control 2016-05-03 10:56:29.0 +0200
+++ cqrlog-2.0.2/debian/control 2017-05-29 17:44:04.0 +0200
@@ -13,8 +13,8 @@

 Package: cqrlog
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, mysql-client | 
mariadb-client, libhamlib2 (>= 1.2.10), libhamlib-utils (>= 1.2.10)
-Recommends: mysql-server | mariadb-server, xplanet
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, 
libmariadbclient-dev-compat, libhamlib2 (>= 1.2.10), libhamlib-utils (>= 1.2.10)
+Recommends: mariadb-server, xplanet
 Description: Advanced logging program for hamradio operators
  CQRLOG is an advanced ham radio logger based on MySQL embedded database.
  Provides radio control based on hamlib libraries (currently support of 140+
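Review bot: this version hard-codes MariaDB (libmariadbclient-dev-compat in Depends, "Recommends: mariadb-server") and drops the alternatives, while the bug title asks for the default-mysql-* metapackages. Using default-mysql-server | virtual-mysql-server would follow the distribution default and still allow other implementations. The new Depends line also no longer names any client package where the old one had "mysql-client | mariadb-client"; if that is intentional, say so in the changelog.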


G.





Processed: Re: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 pending
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Added tag(s) pending.

-- 
848430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: cqrlog: Should Depends/Recommends the metapackage default-mysql-*

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Severity set to 'serious' from 'important'
> tags -1 patch
Bug #848430 [cqrlog] cqrlog: Should Depends/Recommends the metapackage 
default-mysql-*
Added tag(s) patch.

-- 
848430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: jessie has jQuery 1.7.2

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 862742 stretch sid
Bug #862742 [filetea] filetea: Wrong version of jQuery gets installed
Added tag(s) stretch and sid.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862742: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: A patch is in the bug

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 862742 patch
Bug #862742 [filetea] filetea: Wrong version of jQuery gets installed
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862742: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862442: marked as done (tnef: CVE-2017-8911: integer underflow in unicode_to_utf8)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 15:24:39 +
with message-id 
and subject line Bug#862442: fixed in tnef 1.4.12-1.2
has caused the Debian Bug report #862442,
regarding tnef: CVE-2017-8911: integer underflow in unicode_to_utf8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tnef
Version: 1.4.12-1.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/verdammelt/tnef/issues/23

Hi,

the following vulnerability was published for tnef.

CVE-2017-8911[0]:
| An integer underflow has been identified in the unicode_to_utf8()
| function in tnef 1.4.14. This might lead to invalid write operations,
| controlled by an attacker.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8911
[1] https://github.com/verdammelt/tnef/issues/23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tnef
Source-Version: 1.4.12-1.2

We believe that the bug you reported is fixed in the latest version of
tnef, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz  (supplier of updated tnef package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 29 May 2017 15:03:02 +0200
Source: tnef
Binary: tnef
Architecture: source amd64
Version: 1.4.12-1.2
Distribution: sid
Urgency: medium
Maintainer: Kevin Coyner 
Changed-By: Thorsten Alteholz 
Description:
 tnef   - Tool to unpack MIME application/ms-tnef attachments
Closes: 862442
Changes:
 tnef (1.4.12-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442)
   * CVE-2017-8911
 An integer underflow has been identified in the unicode_to_utf8()
 function in tnef 1.4.14. This might lead to invalid write
 operations, controlled by an attacker.

Bug#863267: [Python-modules-team] Bug#863267: Miscalculates MigrationHistory dependencies between multiple django apps - regression from 1.8

2017-05-29 Thread Raphael Hertzog
On Mon, 29 May 2017, Raphael Hertzog wrote:
> Updated patches attached, I missed updating some tests to account
> for the move of the detect_soft_applied() method.

Third set of patches, this time the package builds fine at least.
Which means you can just test this package and let me know if it fixes
your issue:
$ dget https://people.debian.org/~hertzog/packages/python-django_1.10.7-2~test1_amd64.changes

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
>From c6d66195d7f816aeb47a77570bdd3836a99d4183 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= 
Date: Mon, 29 May 2017 15:44:39 +0200
Subject: [PATCH 1/2] Move detect_soft_applied() from
 django.db.migrations.executor to .loader
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to be able to use that method in
loader.check_consistent_history() to accept a history where the initial
migration is going to be fake-applied. Since the executor has the
knowledge of the loader (but not the opposite), it makes sense to move
the code around.

Signed-off-by: Raphaël Hertzog 
---
 django/db/migrations/executor.py  | 83 +--
 django/db/migrations/loader.py| 81 ++
 tests/migrations/test_executor.py | 12 +++---
 3 files changed, 88 insertions(+), 88 deletions(-)

diff --git a/django/db/migrations/executor.py b/django/db/migrations/executor.py
index 1a0b6f6322..2ac787b0b2 100644
--- a/django/db/migrations/executor.py
+++ b/django/db/migrations/executor.py
@@ -1,8 +1,5 @@
 from __future__ import unicode_literals
 
-from django.apps.registry import apps as global_apps
-from django.db import migrations, router
-
 from .exceptions import InvalidMigrationPlan
 from .loader import MigrationLoader
 from .recorder import MigrationRecorder
@@ -235,7 +232,7 @@ class MigrationExecutor(object):
 if not fake:
 if fake_initial:
 # Test to see if this is an already-applied initial migration
-applied, state = self.detect_soft_applied(state, migration)
+applied, state = self.loader.detect_soft_applied(state, migration)
 if applied:
 fake = True
 if not fake:
@@ -290,81 +287,3 @@ class MigrationExecutor(object):
 if all_applied and key not in applied:
 self.recorder.record_applied(*key)
 
-def detect_soft_applied(self, project_state, migration):
-"""
-Tests whether a migration has been implicitly applied - that the
-tables or columns it would create exist. This is intended only for use
-on initial migrations (as it only looks for CreateModel and AddField).
-"""
-def should_skip_detecting_model(migration, model):
-"""
-No need to detect tables for proxy models, unmanaged models, or
-models that can't be migrated on the current database.
-"""
-return (
-model._meta.proxy or not model._meta.managed or not
-router.allow_migrate(
-self.connection.alias, migration.app_label,
-model_name=model._meta.model_name,
-)
-)
-
-if migration.initial is None:
-# Bail if the migration isn't the first one in its app
-if any(app == migration.app_label for app, name in migration.dependencies):
-return False, project_state
-elif migration.initial is False:
-# Bail if it's NOT an initial migration
-return False, project_state
-
-if project_state is None:
-after_state = self.loader.project_state((migration.app_label, migration.name), at_end=True)
-else:
-after_state = migration.mutate_state(project_state)
-apps = after_state.apps
-found_create_model_migration = False
-found_add_field_migration = False
-existing_table_names = self.connection.introspection.table_names(self.connection.cursor())
-# Make sure all create model and add field operations are done
-for operation in migration.operations:
-if isinstance(operation, migrations.CreateModel):
-model = apps.get_model(migration.app_label, operation.name)
-if model._meta.swapped:
-# We have to fetch the model to test with from the
-# main app cache, as it's not a direct dependency.
-model = global_apps.get_model(model._meta.swapped)
-if should_skip_detecting_model(migration, model):
-continue
-if model._meta.db_table not in existing_table_names:
-return False, project_state
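Review bot: removing detect_soft_applied() from MigrationExecutor outright (the "-def detect_soft_applied(self, project_state, migration):" line) breaks any out-of-tree caller of executor.detect_soft_applied(); for a distribution patch on 1.10, keep a thin method on the executor that delegates to self.loader.detect_soft_applied(project_state, migration). The removed body also reads self.connection and calls self.loader.project_state(...), so the loader-side copy has to call self.project_state(...) instead, and it is worth checking what happens for a loader constructed without a connection.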

Bug#862252: marked as done (dns-root-data: FTBFS if /bin/sh is bash)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 15:19:21 +
with message-id 
and subject line Bug#862252: fixed in dns-root-data 2017041101
has caused the Debian Bug report #862252,
regarding dns-root-data: FTBFS if /bin/sh is bash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862252: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862252
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dns-root-data
Version: 2017020200
User: reproducible-bui...@lists.alioth.debian.org
Usertags: ftbfs
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
Severity: serious

dns-root-data's parse-root-anchors.sh script contains a dashism:
it does not produce the right output when /bin/sh is bash:

# Create key from validated root-anchors.xml
./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
# Create key from downloaded root.key
/usr/bin/ldns-key2ds -n -2 root.key > root.ds
# Compare the DS from root.key and from root-anchors.xml
diff root-anchors.ds root.ds
1,2c1,2
< .\t172800\tIN\tDS\t19036 8 2 
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
< .\t172800\tIN\tDS\t20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
---
> . 172800  IN  DS  19036 8 2 
> 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
> . 172800  IN  DS  20326 8 2 
> e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
debian/rules:14: recipe for target 'override_dh_auto_build' failed

Full build log:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/dns-root-data.html
--- End Message ---
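The literal \t in the bash-side output above is the usual echo portability gap: dash's built-in echo expands backslash escapes, bash's does not by default. The following is an added example, not dns-root-data's parse-root-anchors.sh; it assumes the script built its DS lines with echo (the report does not show the script), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the package's own script.
# Assumption: the DS lines were produced with echo and "\t" escapes.

# Constructed sample record; key tag and digest copied from the diff in the report.
KEYTAG=19036
DIGEST=49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5

# Non-portable form: dash's echo turns \t into a tab, bash's echo prints
# the two characters backslash and t (unless -e or xpg_echo is in effect).
ds_line_echo() {
    echo ".\t172800\tIN\tDS\t$1 8 2 $2"
}

# Portable form: printf expands \t in its format string in every POSIX shell,
# and %s keeps the data out of the format string.
ds_line_printf() {
    printf '.\t172800\tIN\tDS\t%s 8 2 %s\n' "$1" "$2"
}

# Count the tab-separated fields of a line. A well-formed record built by
# the functions above has 5; a line with literal "\t" has 1.
tab_fields() {
    printf '%s\n' "$1" | awk -F '\t' '{ print NF }'
}

# Succeeds if this shell's echo expands backslash escapes (dash-like).
echo_expands_escapes() {
    [ "$(echo 'a\tb')" = "$(printf 'a\tb')" ]
}

# Lint helper: read a script on stdin and print the line numbers of echo
# calls whose arguments contain a backslash escape.
find_echo_escapes() {
    grep -nE '(^|[;&|[:space:]])echo[[:space:]].*\\[abfnrtv0]' | cut -d: -f1
}

# Demo: the first line differs between dash and bash, the second does not.
ds_line_echo "$KEYTAG" "$DIGEST"
ds_line_printf "$KEYTAG" "$DIGEST"
```

Running the file once with dash and once with bash reproduces the two sides of the diff in the report; the printf form is identical under both.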
--- Begin Message ---
Source: dns-root-data
Source-Version: 2017041101

We believe that the bug you reported is fixed in the latest version of
dns-root-data, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý  (supplier of updated dns-root-data package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 29 May 2017 14:05:37 +0200
Source: dns-root-data
Binary: dns-root-data
Architecture: source
Version: 2017041101
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Maintainers 
Changed-By: Ondřej Surý 
Description:
 dns-root-data - DNS root data including root zone and DNSSEC key
Closes: 862252
Changes:
 dns-root-data (2017041101) unstable; urgency=medium
 .
   * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252)
   * Update to 2017041101 version of root zone
   * Remove timestamps from root.key to make the build reproducible
   * Shell syntax cleanup

Processed: Re: Bug#863201: libpam-ldap not longer installs the file /usr/share/pam-configs/ldap needed for pam-auth-update

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 863201 + pending patch
Bug #863201 [libpam-ldap] libpam-ldap not longer installs the file 
/usr/share/pam-configs/ldap needed for pam-auth-update
Added tag(s) pending and patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863201: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863201: libpam-ldap not longer installs the file /usr/share/pam-configs/ldap needed for pam-auth-update

2017-05-29 Thread Julián Moreno Patiño
Control: -1 + pending patch

I've uploaded libpam-ldap 186-3.1 to DELAYED/5:
  
libpam-ldap (186-3.1) unstable; urgency=medium
  
  * Non-maintainer upload.
  * Install /usr/share/pam-configs/ldap
needed for pam-auth-update. (Closes: #863201)

The full debdiff is attached.


Regards,

-- 
Julián Moreno Patiño
Debian Developer
 .''`. Debian GNU/{Linux,KfreeBSD}
: :' : Free Operating Systems
`. `'  http://debian.org/
  `-   GPG Fingerprint:
C2C8 904E 314C D8FA 041D 9B00 D5FD FC15 6168 BF60
Registered GNU Linux User ID 488513
diff -Nru libpam-ldap-186/debian/changelog libpam-ldap-186/debian/changelog
--- libpam-ldap-186/debian/changelog2017-02-11 00:03:58.0 -0500
+++ libpam-ldap-186/debian/changelog2017-05-29 09:31:16.0 -0500
@@ -1,3 +1,11 @@
+libpam-ldap (186-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Install /usr/share/pam-configs/ldap
+needed for pam-auth-update. (Closes: #863201)
+
+ -- Julián Moreno Patiño   Mon, 29 May 2017 09:31:16 -0500
+
 libpam-ldap (186-3) unstable; urgency=medium
 
   * Aplied patch for build reproducibility ( Thanks to Chris Lamb)
diff -Nru libpam-ldap-186/debian/rules libpam-ldap-186/debian/rules
--- libpam-ldap-186/debian/rules2016-12-12 11:03:15.0 -0500
+++ libpam-ldap-186/debian/rules2017-05-29 09:31:16.0 -0500
@@ -13,3 +13,7 @@
--with-ldap-conf-file=/etc/pam_ldap.conf \
--with-ldap-secret-file=/etc/pam_ldap.secret
 
+override_dh_install:
+   dh_install
+   install -D -m 644 debian/libpam-ldap.pam-auth-update \
+   debian/libpam-ldap/usr/share/pam-configs/ldap
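Review bot: the new "install -D -m 644 debian/libpam-ldap.pam-auth-update ..." line in override_dh_install depends on debian/libpam-ldap.pam-auth-update already being in the source tree, and this debdiff does not add it; confirm the file ships in 186-3, otherwise the build fails at this step. Mode 644 is right for a file under /usr/share/pam-configs. The changelog entry could also say that this restores a file that earlier versions installed, since the bug title describes a regression.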




Bug#863267: [Python-modules-team] Bug#863267: Miscalculates MigrationHistory dependencies between multiple django apps - regression from 1.8

2017-05-29 Thread Raphael Hertzog
On Mon, 29 May 2017, Raphael Hertzog wrote:
> Option 4. Fix Django 1.10 with the attached patches.

Updated patches attached, I missed updating some tests to account
for the move of the detect_soft_applied() method.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
>From 180e96bfac0647c2b10b11123c7f6147a2518373 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= 
Date: Mon, 29 May 2017 15:44:39 +0200
Subject: [PATCH 1/2] Move detect_soft_applied() from
 django.db.migrations.executor to .loader
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to be able to use that method in
loader.check_consistent_history() to accept a history where the initial
migration is going to be fake-applied. Since the executor has the
knowledge of the loader (but not the opposite), it makes sense to move
the code around.

Signed-off-by: Raphaël Hertzog 
---
 django/db/migrations/executor.py  | 81 +--
 django/db/migrations/loader.py| 80 ++
 tests/migrations/test_executor.py | 12 +++---
 3 files changed, 87 insertions(+), 86 deletions(-)

diff --git a/django/db/migrations/executor.py b/django/db/migrations/executor.py
index 1a0b6f6322..ed5b64db60 100644
--- a/django/db/migrations/executor.py
+++ b/django/db/migrations/executor.py
@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 
 from django.apps.registry import apps as global_apps
-from django.db import migrations, router
 
 from .exceptions import InvalidMigrationPlan
 from .loader import MigrationLoader
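Review bot: "from django.apps.registry import apps as global_apps" is kept in this first hunk, but its only visible use, global_apps.get_model(model._meta.swapped), is deleted together with detect_soft_applied() in the last hunk. Drop the import as well unless something else in executor.py still uses it, otherwise it is left as an unused import.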
@@ -235,7 +234,7 @@ class MigrationExecutor(object):
 if not fake:
 if fake_initial:
 # Test to see if this is an already-applied initial migration
-applied, state = self.detect_soft_applied(state, migration)
+applied, state = self.loader.detect_soft_applied(state, migration)
 if applied:
 fake = True
 if not fake:
@@ -290,81 +289,3 @@ class MigrationExecutor(object):
 if all_applied and key not in applied:
 self.recorder.record_applied(*key)
 
-def detect_soft_applied(self, project_state, migration):
-"""
-Tests whether a migration has been implicitly applied - that the
-tables or columns it would create exist. This is intended only for use
-on initial migrations (as it only looks for CreateModel and AddField).
-"""
-def should_skip_detecting_model(migration, model):
-"""
-No need to detect tables for proxy models, unmanaged models, or
-models that can't be migrated on the current database.
-"""
-return (
-model._meta.proxy or not model._meta.managed or not
-router.allow_migrate(
-self.connection.alias, migration.app_label,
-model_name=model._meta.model_name,
-)
-)
-
-if migration.initial is None:
-# Bail if the migration isn't the first one in its app
-if any(app == migration.app_label for app, name in migration.dependencies):
-return False, project_state
-elif migration.initial is False:
-# Bail if it's NOT an initial migration
-return False, project_state
-
-if project_state is None:
-after_state = self.loader.project_state((migration.app_label, migration.name), at_end=True)
-else:
-after_state = migration.mutate_state(project_state)
-apps = after_state.apps
-found_create_model_migration = False
-found_add_field_migration = False
-existing_table_names = self.connection.introspection.table_names(self.connection.cursor())
-# Make sure all create model and add field operations are done
-for operation in migration.operations:
-if isinstance(operation, migrations.CreateModel):
-model = apps.get_model(migration.app_label, operation.name)
-if model._meta.swapped:
-# We have to fetch the model to test with from the
-# main app cache, as it's not a direct dependency.
-model = global_apps.get_model(model._meta.swapped)
-if should_skip_detecting_model(migration, model):
-continue
-if model._meta.db_table not in existing_table_names:
-return False, project_state
-found_create_model_migration = True
-elif isinstance(operation, migrations.AddField):
-model = apps.get_model(migration.app_label, operation.model_name)
-if 

Bug#859418: non-functional after installation (service fails to start)

2017-05-29 Thread Julien Lesaint
Package: opendnssec-signer
Version: 1:2.0.4-3
Followup-For: Bug #859418

Hello,

opendnssec-signer is still not starting, right after a fresh install on
unstable.

Thank you.
Julien


Setting up opendnssec-signer (1:2.0.4-3) ...
Created symlink
/etc/systemd/system/multi-user.target.wants/opendnssec-signer.service →
/lib/systemd/system/opendnssec-signer.service.
chown: invalid group: ‘opendnssec:opendnssec - -’
[] Starting OpenDNSSEC Signer: opendnsec-signerstart-stop-daemon:
warning: this system is not able to track process names
longer than 15 characters, please use --exec instead of --name.
start-stop-daemon: warning: this system is not able to track process
names
longer than 15 characters, please use --exec instead of --name.
OpenDNSSEC signer engine version 2.0.4
. ok 


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages opendnssec-signer depends on:
ii  init-system-helpers  1.48
ii  libc62.24-11
ii  libldns2 1.7.0-1
ii  libssl1.11.1.0f-1
ii  libxml2  2.9.4+dfsg1-2.2
ii  opendnssec-common1:2.0.4-3

Versions of packages opendnssec-signer recommends:
ii  opendnssec   1:2.0.4-3
ii  opendnssec-enforcer  1:2.0.4-3
ii  softhsm2 2.2.0-3

opendnssec-signer suggests no packages.

-- debconf-show failed


Bug#859418: (no subject)

2017-05-29 Thread Julien Lesaint
Same behaviour for opendnssec-enforcer, by the way.

Thanks in advance.
Julien

Setting up opendnssec-enforcer (1:2.0.4-3) ...
Created symlink
/etc/systemd/system/multi-user.target.wants/opendnssec-enforcer.service
→ /lib/systemd/system/opendnssec-enforcer.service.
chown: invalid group: ‘opendnssec:opendnssec - -’
[] Starting OpenDNSSEC Enforcer:
opendnssec-enforcerstart-stop-daemon: warning: this system is not able
to track process names
longer than 15 characters, please use --exec instead of --name.
start-stop-daemon: warning: this system is not able to track process
names
longer than 15 characters, please use --exec instead of --name.
OpenDNSSEC key and signing policy enforcer version 2.0.4
enforcerd stopped with exitcode 3
 failed!


Bug#863267: [Python-modules-team] Bug#863267: Miscalculates MigrationHistory dependencies between multiple django apps - regression from 1.8

2017-05-29 Thread Raphael Hertzog
On Mon, 29 May 2017, Brian May wrote:
> Otherwise, I think we have three options. I recommend reading the Django
> ticket in full before deciding. 
[…]
> 1. Apply work around from
> https://code.djangoproject.com/ticket/28250#comment:1 by manually
[…]
> 2. Remove migration from postinst, and give instructions for manually
> updating the database. Modify
[…]
> 3. Drop lava-server from testing. 
[…]

Option 4. Fix Django 1.10 with the attached patches.

I don't have time right now to test them, but I would love it if someone else
could try them... the idea is to not barf on the inconsistent history if
we detect that the missing migration can be fake-applied.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
>From ee93aeecc298f801b85cd49366e5a431d1867f0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= 
Date: Mon, 29 May 2017 15:44:39 +0200
Subject: [PATCH 1/2] Move detect_soft_applied() from
 django.db.migrations.executor to .loader
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to be able to use that method in
loader.check_consistent_history() to accept a history where the initial
migration is going to be fake-applied. Since the executor has the
knowledge of the loader (but not the opposite), it makes sense to move
the code around.

Signed-off-by: Raphaël Hertzog 
---
 django/db/migrations/executor.py | 81 +---
 django/db/migrations/loader.py   | 80 +++
 2 files changed, 81 insertions(+), 80 deletions(-)

diff --git a/django/db/migrations/executor.py b/django/db/migrations/executor.py
index 1a0b6f6322..ed5b64db60 100644
--- a/django/db/migrations/executor.py
+++ b/django/db/migrations/executor.py
@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 
 from django.apps.registry import apps as global_apps
-from django.db import migrations, router
 
 from .exceptions import InvalidMigrationPlan
 from .loader import MigrationLoader
@@ -235,7 +234,7 @@ class MigrationExecutor(object):
 if not fake:
 if fake_initial:
 # Test to see if this is an already-applied initial migration
-applied, state = self.detect_soft_applied(state, migration)
+applied, state = self.loader.detect_soft_applied(state, migration)
 if applied:
 fake = True
 if not fake:
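Review bot: the switch to self.loader.detect_soft_applied(state, migration) is the only caller updated in this version. The diffstat lists just executor.py and loader.py, so any test that still calls executor.detect_soft_applied() will fail once the method is removed in the next hunk. Update those callers in the same commit, and add a test that exercises the method through the loader.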
@@ -290,81 +289,3 @@ class MigrationExecutor(object):
 if all_applied and key not in applied:
 self.recorder.record_applied(*key)
 
-def detect_soft_applied(self, project_state, migration):
-"""
-Tests whether a migration has been implicitly applied - that the
-tables or columns it would create exist. This is intended only for use
-on initial migrations (as it only looks for CreateModel and AddField).
-"""
-def should_skip_detecting_model(migration, model):
-"""
-No need to detect tables for proxy models, unmanaged models, or
-models that can't be migrated on the current database.
-"""
-return (
-model._meta.proxy or not model._meta.managed or not
-router.allow_migrate(
-self.connection.alias, migration.app_label,
-model_name=model._meta.model_name,
-)
-)
-
-if migration.initial is None:
-# Bail if the migration isn't the first one in its app
-if any(app == migration.app_label for app, name in migration.dependencies):
-return False, project_state
-elif migration.initial is False:
-# Bail if it's NOT an initial migration
-return False, project_state
-
-if project_state is None:
-after_state = self.loader.project_state((migration.app_label, migration.name), at_end=True)
-else:
-after_state = migration.mutate_state(project_state)
-apps = after_state.apps
-found_create_model_migration = False
-found_add_field_migration = False
-existing_table_names = self.connection.introspection.table_names(self.connection.cursor())
-# Make sure all create model and add field operations are done
-for operation in migration.operations:
-if isinstance(operation, migrations.CreateModel):
-model = apps.get_model(migration.app_label, operation.name)
-if model._meta.swapped:
-# We have to fetch the model to test with from the
-# main app cache, as it's not a direct dependency.
-model = global_apps.get_model(model._meta.swapped)
-if 

Bug#853034: no patch?

2017-05-29 Thread Adam Borowski
Control: tags -1 -patch

I see no patch available; if there's a fix upstream it'd have to be
extracted and unentangled from work after 1.10.1.



Processed: no patch?

2017-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -patch
Bug #853034 [unar] unar: Fuzzer-generated crashing testcases for a dozen 
identified file formats
Removed tag(s) patch.

-- 
853034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863124: marked as done (imagemagick: CVE-2017-9141: A crafted file revealed an assertion failure in profile.c)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:12 +
with message-id 
and subject line Bug#863124: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #863124,
regarding imagemagick: CVE-2017-9141: A crafted file revealed an assertion 
failure in profile.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/489
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - 
development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development 
files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory

Bug#860736: marked as done (CVE-2017-7943 Memory leak in svg)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#860736: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #860736,
regarding CVE-2017-7943 Memory leak in svg
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/427

https://github.com/ImageMagick/ImageMagick/commit/b0e61972ff94e844fbb3ca927e476fc156c240a3
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory leak in sgi (Closes:

Bug#863123: marked as done (imagemagick: CVE-2017-9143: Specially crafted arts file could lead to memory leak)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:12 +
with message-id 
and subject line Bug#863123: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #863123,
regarding imagemagick: CVE-2017-9143: Specially crafted arts file could lead to 
memory leak
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/456

origin: 
https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4
bug: https://github.com/ImageMagick/ImageMagick/issues/456
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     +

Bug#860734: marked as done (CVE-2017-7941 memory leak in sgi)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#860734: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #860734,
regarding CVE-2017-7941 memory leak in sgi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860734: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860734
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/428

Fixed by
https://github.com/ImageMagick/ImageMagick/commit/721dc1305b2bfff92e5ca605dc1a47c61ce90b9f
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory leak in sgi

Bug#863186: marked as done (libtasn1-6: CVE-2017-6891)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:28 +
with message-id 
and subject line Bug#863186: fixed in libtasn1-6 4.2-3+deb8u3
has caused the Debian Bug report #863186,
regarding libtasn1-6: CVE-2017-6891
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtasn1-6
Version: 4.2-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libtasn1-6.

CVE-2017-6891[0]:
| Two errors in the "asn1_find_node()" function (lib/parser_aux.c)
| within GnuTLS libtasn1 version 4.10 can be exploited to cause a
| stacked-based buffer overflow by tricking a user into processing a
| specially crafted assignments file via the e.g. asn1Coding utility.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891
[1] 
https://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libtasn1-6
Source-Version: 4.2-3+deb8u3

We believe that the bug you reported is fixed in the latest version of
libtasn1-6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz  (supplier of updated libtasn1-6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 May 2017 19:01:02 +0200
Source: libtasn1-6
Binary: libtasn1-6-dev libtasn1-doc libtasn1-6-dbg libtasn1-6 libtasn1-bin 
libtasn1-3-bin
Architecture: source amd64 all
Version: 4.2-3+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers 
Changed-By: Thorsten Alteholz 
Description:
 libtasn1-3-bin - transitional libtasn1-3-bin package
 libtasn1-6 - Manage ASN.1 structures (runtime)
 libtasn1-6-dbg - Manage ASN.1 structures (debugging symbols)
 libtasn1-6-dev - Manage ASN.1 structures (development)
 libtasn1-bin - Manage ASN.1 structures (binaries)
 libtasn1-doc - Manage ASN.1 structures (documentation)
Closes: 863186
Changes:
 libtasn1-6 (4.2-3+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Wheezy LTS Team.
   * CVE-2017-6891 (Closes: #863186)
     two errors in the "asn1_find_node()" function (lib/parser_aux.c)
     can be exploited to cause a stacked-based buffer overflow.

Bug#863126: marked as done (imagemagick: CVE-2017-9144: Check for EOF conditions for RLE image format)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:12 +
with message-id 
and subject line Bug#863126: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #863126,
regarding imagemagick: CVE-2017-9144: Check for EOF conditions for RLE image 
format
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4


Waiting for CVE

  origin: 
https://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error

Bug#859772: marked as done (Fix include regression)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#859772: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #859772,
regarding Fix include regression
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859772: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859772
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
forwarded: 
https://launchpadlibrarian.net/314715229/FixAcquireVirtualMemoryMemleak.patch


Partial patch with problem
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory leak in sgi (Closes: #860734).
     + CVE-2017-7943 memory leak in svg (Closes: #860736).
   * 

Bug#863125: marked as done (imagemagick: CVE-2017-9142: A crafted file revealed an assertion failure in blob.c)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:12 +
with message-id 
and subject line Bug#863125: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #863125,
regarding imagemagick: CVE-2017-9142: A crafted file revealed an assertion 
failure in blob.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/490
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577 
862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637 
862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory leak 

Bug#859771: marked as done (imagemagick: CVE-2017-7606: Undefined behavior in rle)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#859771: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #859771,
regarding imagemagick: CVE-2017-7606: Undefined behavior in rle
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859771: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859771
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/415

Undefined behavior in rle coder reading rle file could lead to lack of
validation of rle file...

Could be triggered by a corrupted file, depending on the compiler.
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#862967: marked as done (imagemagick: CVE-2017-9098: use of uninitialized memory in RLE decoder)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#862967: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #862967,
regarding imagemagick: CVE-2017-9098: use of uninitialized memory in RLE decoder
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: imagemagick
Version: 8:6.9.7.4+dfsg-8
Severity: grave
Tags: security upstream patch

Hi

See 

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

for details, which has been addressed via

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#859769: marked as done (imagemagick: CVE-2017-7619: Infinite loop due to rounding error)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 13:47:11 +
with message-id 
and subject line Bug#859769: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #859769,
regarding imagemagick: CVE-2017-7619: Infinite loop due to rounding error
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31506


Fixed by 63757068c803f692bd70304b06ce3406e0b67c7f will open a CVE
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#863632: marked as done (puppetmaster: The broken compatibility with older agents)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 15:27:43 +0200
with message-id <20170529132743.ga9...@lorien.valinor.li>
and subject line Re: Bug#863632: puppetmaster: The broken compatibility with 
older agents
has caused the Debian Bug report #863632,
regarding puppetmaster: The broken compatibility with older agents
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863632: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: puppetmaster
Version: 3.7.2-4+deb8u1
Severity: serious
Justification: must

Dear Maintainer,

After installing the last security update 3.7.2-4+deb8u1, the puppet master
doesn't work with puppet agents (clients) on Debian Squeeze and Wheezy.  The
error on the agent is:

root@snek11:/home/martin# puppet agent --server=puppet.aira.cz --no-daemonize --verbose --onetime
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Unsupported facts format
info: Not using expired catalog for snek11.aira.cz from cache; expired at Fri May 26 07:07:12 +0200 2017
notice: Using cached catalog


Part of the debug log from the master:

Debug: Received report to process from snek11.aira.cz
Debug: Processing report from snek11.aira.cz with processor Puppet::Reports::Store
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/catalog/snek11.aira.cz")
Debug: Evaluating match for Route /.*/
Error: Unsupported facts format
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/report/snek11.aira.cz")
Debug: Evaluating match for Route /.*/
Debug: Received report to process from snek11.aira.cz
Debug: Processing report from snek11.aira.cz with processor Puppet::Reports::Store

The agents on Debian Jessie work well.


Have a nice day,

MD.

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages puppetmaster depends on:
ii  init-system-helpers           1.22
ii  puppetmaster-common           3.7.2-4+deb8u1
ii  ruby                          1:2.1.5+deb8u2
ii  ruby1.8 [ruby-interpreter]    1.8.7.358-7.1+deb7u3
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.194-8.1+deb7u5
ii  ruby2.1 [ruby-interpreter]    2.1.5-2+deb8u3

puppetmaster recommends no packages.

puppetmaster suggests no packages.

-- Configuration Files:
/etc/default/puppetmaster changed:
START=no
DAEMON_OPTS=""
SERVERTYPE=webrick
PUPPETMASTERS=1
PORT=8140
PUPPETQD=no
PUPPETQD_OPTS=""


-- no debconf information
--- End Message ---
--- Begin Message ---
Control: tags -1 + wontfix

Hi Martin,

On Mon, May 29, 2017 at 03:12:44PM +0200, Martin Duspiva wrote:
> Package: puppetmaster
> Version: 3.7.2-4+deb8u1
> Severity: serious
> Justification: must
> 
> Dear Maintainer,
> 
> After installing the last security update 3.7.2-4+deb8u1, the puppet master
> doesn't work with puppet agents (clients) on Debian Squeeze and Wheezy.
> The error on the agent is:
> 
> root@snek11:/home/martin# puppet agent --server=puppet.aira.cz --no-daemonize --verbose --onetime
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Unsupported facts format
> info: Not using expired catalog for snek11.aira.cz from cache; expired at Fri May 26 07:07:12 +0200 2017
> notice: Using cached catalog

Yes, and that was unfortunate, but there was no safe way to restore the
backward compatibility while fixing the issue. The DSA advisory contains:

> Note that this fix breaks backward compatibility with Puppet agents older
> than 3.2.2 and there is no safe way to restore it. This affects puppet
> agents running on Debian wheezy; we recommend to update to the
> puppet version shipped in wheezy-backports.

Cf. https://lists.debian.org/debian-security-announce/2017/msg00122.html

(as well as the NEWS.Debian file installed on the system).

Regards,
Salvatore
--- End Message ---


Bug#848066: more docs breakage expected

2017-05-29 Thread Adam Borowski
Hi!
The rst transition is ongoing, breaking such scripts with every kernel
version -- ie, this bug will happen again soon.  While it can be done for
4.9 (making kernel-package at least work with the sources in Stretch), it
still won't work with upstream kernels which is the primary purpose people
use kernel-package for.

Thus, kernel packaging would need to live in a place that can be held in sync
with the kernel itself.  And since 4.3, it does.

Thus, perhaps it'd be better to tell people to "make bindeb-pkg" instead?
(There's also "make deb-pkg" which is quite a bit older, but it produces
heaps of stuff an ordinary user doesn't need.)


Meow!
-- 
Don't be racist.  White, amber or black, all beers should be judged based
solely on their merits.  Heck, even if occasionally a cider applies for a
beer's job, why not?
On the other hand, corpo lager is not a race.



Bug#863632: puppetmaster: The broken compatibility with older agents

2017-05-29 Thread Martin Duspiva
Package: puppetmaster
Version: 3.7.2-4+deb8u1
Severity: serious
Justification: must

Dear Maintainer,

After installing the last security update 3.7.2-4+deb8u1, the puppet master
doesn't work with puppet agents (clients) on Debian Squeeze and Wheezy.  The
error on the agent is:

root@snek11:/home/martin# puppet agent --server=puppet.aira.cz --no-daemonize --verbose --onetime
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Unsupported facts format
info: Not using expired catalog for snek11.aira.cz from cache; expired at Fri May 26 07:07:12 +0200 2017
notice: Using cached catalog


Part of the debug log from the master:

Debug: Received report to process from snek11.aira.cz
Debug: Processing report from snek11.aira.cz with processor Puppet::Reports::Store
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/catalog/snek11.aira.cz")
Debug: Evaluating match for Route /.*/
Error: Unsupported facts format
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/report/snek11.aira.cz")
Debug: Evaluating match for Route /.*/
Debug: Received report to process from snek11.aira.cz
Debug: Processing report from snek11.aira.cz with processor Puppet::Reports::Store

The agents on Debian Jessie work well.


Have a nice day,

MD.

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages puppetmaster depends on:
ii  init-system-helpers           1.22
ii  puppetmaster-common           3.7.2-4+deb8u1
ii  ruby                          1:2.1.5+deb8u2
ii  ruby1.8 [ruby-interpreter]    1.8.7.358-7.1+deb7u3
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.194-8.1+deb7u5
ii  ruby2.1 [ruby-interpreter]    2.1.5-2+deb8u3

puppetmaster recommends no packages.

puppetmaster suggests no packages.

-- Configuration Files:
/etc/default/puppetmaster changed:
START=no
DAEMON_OPTS=""
SERVERTYPE=webrick
PUPPETMASTERS=1
PORT=8140
PUPPETQD=no
PUPPETQD_OPTS=""


-- no debconf information



Processed: Re: mytop can't installed

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 863596 mytop can't be installed
Bug #863596 [mytop] mytop can't  installed
Changed Bug title to 'mytop can't be installed' from 'mytop can't  installed'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863596: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863631: sympa: trashes configuration on update without asking

2017-05-29 Thread Dominik George
Package: sympa
Version: 6.2.16~dfsg-3
Severity: critical
Justification: causes serious data loss

The upgrade to 6.2.16~dfsg-3 from 6.2.16~dfsg-2 in stretch just ditched
SYMPA's config files on my system, leaving it in a broken way, even in
such a broken way that users who tried sending mails did not receive an
error and thought things went through. I think some actions would even
have led to destruction of database data.

I have no idea why the maintainer scripts decided to do that. I
recovered from etckeeper and a system backup.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser   3.115
ii  ca-certificates   20161130+nmu1
ii  dbconfig-common   2.0.8
ii  debconf [debconf-2.0] 1.5.60
ii  fonts-font-awesome  4.7.0~dfsg-1
ii  init-system-helpers   1.48
ii  libarchive-zip-perl   1.59-1
ii  libc6 2.24-10
ii  libcgi-fast-perl  1:2.12-1
ii  libcgi-pm-perl  4.35-1
ii  libclass-singleton-perl   1.5-1
ii  libcrypt-openssl-x509-perl  1.8.7-3
ii  libcrypt-smime-perl   0.19-2
ii  libdatetime-format-mail-perl  0.4030-1
ii  libdbd-csv-perl   0.4900-1
ii  libdbd-mysql-perl 4.041-2
ii  libdbd-pg-perl  3.5.3-1+b2
ii  libdbd-sqlite3-perl   1.54-1
ii  libdbi-perl   1.636-1+b1
ii  libfcgi-perl  0.78-2
ii  libfile-copy-recursive-perl   0.38-1
ii  libfile-nfslock-perl  1.27-1
ii  libhtml-format-perl   2.12-1
ii  libhtml-stripscripts-parser-perl  1.03-1
ii  libhtml-tree-perl 5.03-2
ii  libintl-perl  1.26-2
ii  libio-stringy-perl  2.111-2
ii  libjs-jquery  3.1.1-2
ii  libjs-jquery-migrate-1  1.4.1-1
ii  libjs-jquery-placeholder  2.3.1-2
ii  libjs-jquery-ui   1.12.1+dfsg-4
ii  libjs-modernizr   2.6.2+ds1-1
ii  libjs-twitter-bootstrap   2.0.2+dfsg-10
ii  libmail-dkim-perl 0.40-1
ii  libmailtools-perl 2.18-1
ii  libmime-charset-perl  1.012-2
ii  libmime-encwords-perl 1.014.3-2
ii  libmime-lite-html-perl  1.24-2
ii  libmime-tools-perl  5.508-1
ii  libmsgcat-perl  1.03-6+b3
ii  libnet-cidr-perl  0.18-1
ii  libnet-dns-perl   1.07-1
ii  libnet-ldap-perl  1:0.6500+dfsg-1
ii  libnet-netmask-perl   1.9022-1
ii  libregexp-common-perl 2016060801-1
ii  libsoap-lite-perl 1.20-1
ii  libtemplate-perl  2.24-1.2+b3
ii  libterm-progressbar-perl  2.18-1
ii  libunicode-linebreak-perl 0.0.20160702-1+b1
ii  libxml-libxml-perl  2.0128+dfsg-1+b1
ii  lsb-base  9.20161125
ii  mhonarc   2.6.19-2
ii  perl  5.24.1-2
pn  perl:any  
ii  postfix [mail-transport-agent]  3.1.4-4
ii  rsyslog [system-log-daemon]   8.24.0-1
ii  sqlite3   3.16.2-3

Versions of packages sympa recommends:
ii  apache2-suexec-pristine [apache2-suexec]  2.4.25-3
ii  doc-base  0.10.7
ii  libapache2-mod-fcgid  1:2.3.9-1+b1
pn  libcrypt-ciphersaber-perl 
ii  libio-socket-ssl-perl 2.044-1
ii  locales   2.24-10
ii  logrotate 3.11.0-0.1
ii  postgresql  9.6+181

Versions of packages sympa suggests:
ii  apache2 [httpd-cgi]  2.4.25-3
pn  libauthcas-perl  
pn  libdbd-odbc-perl 
pn  libdbd-oracle-perl   

-- Configuration Files:
/etc/sympa/auth.conf changed [not included]

-- debconf information excluded



Bug#861693: marked as done (swftools: CVE-2017-8400: out-of-bound write of heap data issue can occur in function png_load())

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 12:03:46 +
with message-id 
and subject line Bug#861693: fixed in swftools 0.9.2+git20130725-4.1
has caused the Debian Bug report #861693,
regarding swftools: CVE-2017-8400: out-of-bound write of heap data issue can 
occur in function png_load()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861693: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861693
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: swftools
Version: 0.9.2+git20130725-2
Severity: important
Tags: patch upstream security

Hi,

the following vulnerabilities were published for swftools, and not
filing two separate bugs, since common code back to stable. Filed as
execution, but not ruled out/further analyzed if that is possible.

CVE-2017-8400[0]:
| In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the
| function png_load() in lib/png.c:755. This issue can be triggered by a
| malformed PNG file that is mishandled by png2swf. Attackers could
| exploit this issue for DoS; it might cause arbitrary code execution.

CVE-2017-8401[1]:
| In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the
| function png_load() in lib/png.c:724. This issue can be triggered by a
| malformed PNG file that is mishandled by png2swf. Attackers could
| exploit this issue for DoS.

The references to the security tracker contain references to the
upstream issues and respective commits.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8400
[1] https://security-tracker.debian.org/tracker/CVE-2017-8401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8401

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: swftools
Source-Version: 0.9.2+git20130725-4.1

We believe that the bug you reported is fixed in the latest version of
swftools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated swftools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 13:25:12 +0200
Source: swftools
Binary: swftools swftools-dbg
Architecture: source
Version: 0.9.2+git20130725-4.1
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel 
Changed-By: Salvatore Bonaccorso 
Closes: 861693
Description: 
 swftools   - Collection of utilities for SWF file manipulation/creation
 swftools-dbg - Collection of utilities for SWF file manipulation/creation 
(debug
Changes:
 swftools (0.9.2+git20130725-4.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix an integer overflow issue in png.c (CVE-2017-8400) (Closes: #861693)

Bug#863286: marked as done (completely broken in non-US locales)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 12:03:40 +
with message-id 
and subject line Bug#863286: fixed in lua-http 0.1-3
has caused the Debian Bug report #863286,
regarding completely broken in non-US locales
to be marked as done.


-- 
863286: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lua-http
Version: 0.1-1
Severity: grave
Tags: upstream

Hi,

lua-http cannot construct legal requests if a non-US locale (or more precisely,
anything using comma as decimal separator) is in use. Example:

  klump:~> cat test.lua
  os.setlocale('nb_NO.UTF-8')
  local http_request = require "http.request"
  local headers, stream = assert(http_request.new_from_uri("http://example.com"):go())
  local body = assert(stream:get_body_as_string())
  if headers:get ":status" ~= "200" then
      error(body)
  end
  print(body)
  
  klump:~> lua5.2 test.lua
  lua5.2: test.lua:6: 
  http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
  http://www.w3.org/1999/xhtml; xml:lang="en" lang="en">

505 - HTTP Version Not Supported


505 - HTTP Version Not Supported

  
  
  stack traceback:
[C]: in function 'error'
test.lua:6: in main chunk
[C]: in ?

This is because the request it constructs looks like this:

  GET / HTTP/1,1
  host: example.com
  user-agent: lua-http/0.1

Note the “1,1” in the HTTP version number where it should have been 1.1.

This makes the library completely broken for a large swath of Debian's user
base; thus the severity.

-- System Information:
Debian Release: 9.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.2 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
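The failure mode reported above, as an added example that is not part of the original message and is not lua-http's code. Lua's string.format is built on the C library's printf family, so the sketch is in C; it assumes the version was rendered with a floating-point format, and all function names are hypothetical.

```c
/* Added example: locale-dependent number formatting in a protocol line.
 * Function names are hypothetical; this is not lua-http's code. */
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Fragile form (assumed shape of the bug): the version is a floating-point
 * number, so printf takes the decimal separator from LC_NUMERIC. */
int build_request_line_float(char *out, size_t n, const char *method,
                             const char *target, double version)
{
    return snprintf(out, n, "%s %s HTTP/%.1f\r\n", method, target, version);
}

/* Robust form: major and minor are integers and the dot is a literal,
 * so no locale setting can change the bytes on the wire. */
int build_request_line_int(char *out, size_t n, const char *method,
                           const char *target, int major, int minor)
{
    return snprintf(out, n, "%s %s HTTP/%d.%d\r\n", method, target,
                    major, minor);
}

/* Returns 1 if the request line ends in "HTTP/" DIGIT "." DIGIT CRLF,
 * which is the form a server expects, and 0 otherwise. */
int http_version_is_wellformed(const char *line)
{
    const char *v = strrchr(line, ' ');

    if (v == NULL)
        return 0;
    v++;                                  /* skip the space itself */
    return strlen(v) == 10 &&
           strncmp(v, "HTTP/", 5) == 0 &&
           isdigit((unsigned char)v[5]) && v[6] == '.' &&
           isdigit((unsigned char)v[7]) &&
           v[8] == '\r' && v[9] == '\n';
}

/* Builds both forms under the given LC_NUMERIC locale and validates them.
 * Returns -1 if the locale is not installed; otherwise a bitmask:
 * bit 0 set = float form is well-formed, bit 1 set = integer form is.
 * The previous locale is restored before returning. */
int check_under_locale(const char *locale_name)
{
    char saved[128];
    char line[64];
    int result = 0;
    const char *current = setlocale(LC_NUMERIC, NULL);

    /* Copy the name: the returned pointer may be reused by setlocale. */
    snprintf(saved, sizeof saved, "%s", current ? current : "C");
    if (setlocale(LC_NUMERIC, locale_name) == NULL)
        return -1;

    build_request_line_float(line, sizeof line, "GET", "/", 1.1);
    if (http_version_is_wellformed(line))
        result |= 1;

    build_request_line_int(line, sizeof line, "GET", "/", 1, 1);
    if (http_version_is_wellformed(line))
        result |= 2;

    setlocale(LC_NUMERIC, saved);
    return result;
}

int main(void)
{
    /* nb_NO.UTF-8 is the locale from the report; de_DE.UTF-8 is a second
     * comma-decimal locale added here as a constructed sample. */
    const char *names[] = { "C", "nb_NO.UTF-8", "de_DE.UTF-8" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int r = check_under_locale(names[i]);

        if (r < 0)
            printf("%-12s locale not installed, skipped\n", names[i]);
        else
            printf("%-12s float form %s, integer form %s\n", names[i],
                   (r & 1) ? "ok" : "MALFORMED",
                   (r & 2) ? "ok" : "MALFORMED");
    }
    return 0;
}
```

A validator like `http_version_is_wellformed` is cheap to run in a test suite under a comma-decimal locale, which is where this class of bug shows up.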
--- Begin Message ---
Source: lua-http
Source-Version: 0.1-3

We believe that the bug you reported is fixed in the latest version of
lua-http, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý  (supplier of updated lua-http package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 29 May 2017 13:39:46 +0200
Source: lua-http
Binary: lua-http
Architecture: source
Version: 0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý 
Changed-By: Ondřej Surý 
Description:
 lua-http   - HTTP library for Lua
Closes: 863286
Changes:
 lua-http (0.1-3) unstable; urgency=medium
 .
   * Fix request building in locales with comma decimal separator
 (Closes: #863286) (Courtesy of Daurnimator)

Bug#860072: botan1.10: diff for NMU version 1.10.15-1.1

2017-05-29 Thread Salvatore Bonaccorso
Hi!

On Mon, May 29, 2017 at 01:56:53PM +0200, Ondřej Surý wrote:
> Darn,
> 
> time passes so quickly...
> 
> I have uploaded 1.10.16 to unstable and will file an unblock bug, given
> that the upstream changes from 1.10.15 to 1.10.16 consist of just this
> bugfix:

Ack, thank you!

Salvatore



Bug#860072: botan1.10: diff for NMU version 1.10.15-1.1

2017-05-29 Thread Ondřej Surý
Darn,

time passes so quickly...

I have uploaded 1.10.16 to unstable and will file an unblock bug, given
that the upstream changes from 1.10.15 to 1.10.16 consist of just this
bugfix:

$ git diff upstream/1.10.15..upstream/1.10.16 
diff --git a/botan_version.py b/botan_version.py
index 9002199..28f4823 100644
--- a/botan_version.py
+++ b/botan_version.py
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff --git a/doc/log.txt b/doc/log.txt
index 9ceaa7d..60b76d0 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -7,6 +7,16 @@ Release Notes
 Series 1.10
 
 
+Version 1.10.16, 2017-04-04
+
+
+* Fix a bug in X509 DN string comparisons that could result in out of
bound
+  reads. This could result in information leakage, denial of service,
or
+  potentially incorrect certificate validation results. (CVE-2017-2801)
+
+* Avoid throwing during a destructor since this is undefined in C++11
+  and rarely a good idea. (GH #930)
+
 Version 1.10.15, 2017-01-12
 
 
diff --git a/src/alloc/alloc_mmap/mmap_mem.cpp
b/src/alloc/alloc_mmap/mmap_mem.cpp
index 17c189e..85edbc4 100644
--- a/src/alloc/alloc_mmap/mmap_mem.cpp
+++ b/src/alloc/alloc_mmap/mmap_mem.cpp
@@ -73,8 +73,7 @@ void* MemoryMapping_Allocator::alloc_block(size_t n)
 * will continue to exist until the mmap is unmapped from
 * our address space upon deallocation (or process exit).
 */
-if(fd != -1 && ::close(fd) == -1)
-   throw MemoryMapping_Failed("Could not close file");
+fd != -1 && ::close(fd);
 }
   private:
  int fd;
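Review bot: The replacement line `fd != -1 && ::close(fd);` in mmap_mem.cpp uses a short-circuit expression only for its side effect and discards the result, which reads like a mistake and tends to draw unused-value warnings. `if(fd != -1) ::close(fd);` states the same thing plainly. Since a failed close is now ignored on purpose (the doc/log.txt entry gives the reason: no throwing from a destructor), a one-line comment saying so would stop a later reader from restoring the check.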
diff --git a/src/utils/parsing.cpp b/src/utils/parsing.cpp
index 9ec0004..fc7e963 100644
--- a/src/utils/parsing.cpp
+++ b/src/utils/parsing.cpp
@@ -230,6 +230,8 @@ bool x500_name_cmp(const std::string& name1, const
std::string& name2)
 
  if(p1 == name1.end() && p2 == name2.end())
 return true;
+ if(p1 == name1.end() || p2 == name2.end())
+return false;
  }
 
   if(!Charset::caseless_cmp(*p1, *p2))
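Review bot: The new early return in x500_name_cmp, `if(p1 == name1.end() || p2 == name2.end()) return false;`, is what keeps the following `Charset::caseless_cmp(*p1, *p2)` from dereferencing an end iterator, yet the patch touches no test file. A regression case comparing two names where one ends before the other would pin down the CVE-2017-2801 fix, and a short comment above the check explaining that it must precede the dereference would help future edits keep the order.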

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flours from the mill and supplies for
baking bread of all kinds

On Sun, May 28, 2017, at 14:27, Salvatore Bonaccorso wrote:
> Control: tags 860072 + pending
> 
> Dear maintainer, hi Ondrej
> 
> I've prepared an NMU for botan1.10 (versioned as 1.10.15-1.1) and
> uploaded it to DELAYED/3. Please feel free to tell me if I
> should delay it longer.
> 
> Regards,
> Salvatore
> Email had 1 attachment:
> + botan1.10-1.10.15-1.1-nmu.diff
>   2k (text/x-diff)



Bug#852675: #852675: package cfengine3 unusable

2017-05-29 Thread Christoph Martin
severity 862903 grave
tags #862903 + patch
thanks

ssl1.1 makes cfengine3 crash with cfengine3 3.6 clients from jessie.

reverting the patch in debian/patches fixes the issue.

Christoph

-- 

Christoph Martin, Head of Unix Systems
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telephone: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (See http://www.zdv.uni-mainz.de/4010.php)






Processed: #852675: package cfengine3 unusable

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 862903 grave
Bug #862903 {Done: Christoph Martin } [cfengine3] 
cfengine3: cf-serverd segfaults if connected from version 3.6 client
Severity set to 'grave' from 'important'
> tags #862903 + patch
Bug #862903 {Done: Christoph Martin } [cfengine3] 
cfengine3: cf-serverd segfaults if connected from version 3.6 client
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862903: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862903
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Merge duplicates

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 862437 libifd-cyberjack6
Bug #862437 [pcsc-cyberjack] pcsc-cyberjack: REINER SCT cyberJack pp_a2 Failed 
adding USB device
Bug reassigned from package 'pcsc-cyberjack' to 'libifd-cyberjack6'.
No longer marked as found in versions 3.99.5final.sp09-1.
Ignoring request to alter fixed versions of bug #862437 to the same values 
previously set
> forcemerge 862437 819555 819659
Bug #862437 [libifd-cyberjack6] pcsc-cyberjack: REINER SCT cyberJack pp_a2 
Failed adding USB device
Bug #819659 [libifd-cyberjack6] pcscd: readerfactory.c:372:RFAddReader(e-com) 
REINER SCT cyberJack pp_a2 init failed
Severity set to 'critical' from 'important'
Bug #862437 [libifd-cyberjack6] pcsc-cyberjack: REINER SCT cyberJack pp_a2 
Failed adding USB device
Marked as found in versions pcsc-cyberjack/3.99.5final.sp09-1.
Bug #819555 [libifd-cyberjack6] pcscd: cyberJack pp_a2 init failed with 
pcscd_1.8.16-1
Severity set to 'critical' from 'important'
Marked as found in versions pcsc-cyberjack/3.99.5final.sp09-1.
Merged 819555 819659 862437
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
819555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819555
819659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819659
862437: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862008: crashes, segmentation fault

2017-05-29 Thread a11cf0
Hello.
Unfortunately, this bug is still present on a fully updated Stretch system. I 
have at-spi2-core 2.22.0-6 installed and constantly experience Orca crashes 
with exactly the same segfault. This is especially annoying on Gnome when 
switching windows. With Mate it seems to occur only sometimes when closing some 
apps like Pluma, but it is still noticeable.
Which additional info can I provide to help fix this bug?
Thanks.



Bug#863616: dacs: effectively built with DACS_HOME=/usr => violates FHS

2017-05-29 Thread Jonas Smedegaard
Quoting Jonas Smedegaard (2017-05-29 12:35:02)
> Upstream autoconf oddly ties the --prefix option with a custom
> --dacs_home option which gets hardwired into the installed tools and
> is a root directory for both static and variable parts.
> 
> dacs 1.4.38a-1 sets --prefix which effectively tells the build 
> routines to use /usr as the root of both binaries, configuration files 
> (e.g. debugging hint file debug_dacs_acs), admin-editable web content 
> (dtds) and variable data (e.g. a sequence file).
> 
> In other words, setting --prefix=/usr violates FHS!  Weird, yes.

It seems like upstream warned about the oddity: When setting --prefix to
a short path, the build routines apparently spew this:

> The prefix path ("$prefix") really should specify a"
> directory name of the form "/blah/blah/.../dacs*",
> such as /usr/local/dacs or /usr/local/dacs-xxx.
> If you insist on using this prefix, please rerun configure with
> the --disable-prefix-check option

...except the package silences that warning by use of 
--disable-prefix-check :-/


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#863616: dacs: effectively built with DACS_HOME=/usr => violates FHS

2017-05-29 Thread Jonas Smedegaard
Source: dacs
Version: 1.4.38a-1
Severity: serious
Justification: Policy 9.1.1

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Upstream autoconf oddly ties the --prefix option with a custom
--dacs_home option which gets hardwired into the installed tools and is
a root directory for both static and variable parts.

dacs 1.4.38a-1 sets --prefix which effectively tells the build routines
to use /usr as the root of both binaries, configuration files (e.g.
debugging hint file debug_dacs_acs), admin-editable web content (dtds)
and variable data (e.g. a sequence file).

In other words, setting --prefix=/usr violates FHS!  Weird, yes.

It is sort-of possible to set up a working dacs with the current package, by
going through the configuration and replacing ${Conf::DACS_HOME} when used
for anything other than binaries - i.e. sequence file, logfiles, content
dtds, and (autogenerated concatenations of) acls.  Some parts, however,
remain hardcoded - e.g. debugging without restarting apache by use of a
$DACS_HOME/debug_dacs_acs file as documented in dacs_acs man page, now
possible only by creating /usr/debug_dacs_acs as sysadmin which is BAD.

I have not yet tested, but it seems the solution is to instead set
--prefix=/usr/lib/dacs and populate that directory with symlinks to the
various places the files are actually getting installed, matching FHS.

In addition to obeying FHS, that should make it possible to set up DACS
by following upstream quickstart - "man dacs.quick", or
https://dacs.dss.ca/man/dacs.quick.7.html

For inspiration, I believe mailman is installed in a similar manner.


 - Jonas




Bug#846548: [pkg-opensc-maint] Bug#846548: patch for #846548

2017-05-29 Thread Adrian Bunk
On Thu, May 18, 2017 at 11:33:51AM -0400, Eric Dorland wrote:
>...
> I think the way forward would be to make that bump and
> rebuild the only dependency (pam-p11) against it, but I'm not 100%
> sure pam-p11 compiles with openssl 1.1.
>...

It does not:

pam_p11.c:270:29: error: dereferencing pointer to incomplete type 
‘EVP_PKEY {aka struct evp_pkey_st}’
signature, siglen, pubkey->pkey.rsa);
 ^~

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#862469: marked as done (gnome: Cannot add a Google account using Online Accounts in Gnome)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 11:52:53 +0200
with message-id <20170529095253.6unfjxeem5gcihbb@perseus.local>
and subject line Re: Bug#862156: Bug #862156
has caused the Debian Bug report #862156,
regarding gnome: Cannot add a Google account using Online Accounts in Gnome
to be marked as done.


-- 
862156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862156
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome
Version: 1:3.22+2
Severity: critical
Tags: patch
Justification: breaks unrelated software

Hello,

Same bug as: https://bugs.launchpad.net/ubuntu/+source/webkit2gtk/+bug/1687019.

Solution already posted here, update webkit2gtk.

Regards,
David



-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome depends on:
ii  avahi-daemon                     0.6.32-2
ii  cheese                           3.22.1-1+b1
ii  cups-pk-helper                   0.2.6-1+b1
ii  desktop-base                     9.0.2
ii  evolution                        3.22.6-1
ii  evolution-plugins                3.22.6-1
ii  file-roller                      3.22.3-1
ii  gedit-plugins                    3.22.0-1
ii  gimp                             2.8.18-1
ii  gnome-calendar                   3.22.3-1
ii  gnome-clocks                     3.22.1-1
ii  gnome-color-manager              3.22.2-1
ii  gnome-core                       1:3.22+2
ii  gnome-dictionary                 3.20.0-3+b1
ii  gnome-documents                  3.22.1-1
ii  gnome-getting-started-docs       3.22.0-1
ii  gnome-maps                       3.22.2-1
ii  gnome-music                      3.22.2-1
ii  gnome-orca                       3.22.2-3
ii  gnome-photos                     3.22.5-1
ii  gnome-screenshot                 3.22.0-1+b1
ii  gnome-sound-recorder             3.21.92-2
ii  gnome-tweak-tool                 3.22.0-1
ii  gnome-weather                    3.20.2-1
ii  gstreamer1.0-libav               1.10.4-1
ii  gstreamer1.0-plugins-ugly        1.10.4-1
ii  inkscape                         0.92.1-1
ii  libgsf-bin                       1.14.41-1
ii  libgtk2-perl                     2:1.2499-1
ii  libproxy1-plugin-networkmanager  0.4.14-2
ii  libreoffice-calc                 1:5.2.6-2
ii  libreoffice-evolution            1:5.2.6-2
ii  libreoffice-gnome                1:5.2.6-2
ii  libreoffice-impress              1:5.2.6-2
ii  libreoffice-writer               1:5.2.6-2
ii  nautilus-sendto                  3.8.4-2+b1
ii  network-manager-gnome            1.4.4-1
ii  rhythmbox                        3.4.1-2+b1
ii  rhythmbox-plugin-cdrecorder      3.4.1-2+b1
ii  rhythmbox-plugins                3.4.1-2+b1
ii  rygel-playbin                    0.32.1-3
ii  rygel-tracker                    0.32.1-3
ii  seahorse                         3.20.0-3.1
ii  simple-scan                      3.23.2-1
ii  totem-plugins                    3.22.1-1
ii  vinagre                          3.22.0-1+b1
ii  xdg-user-dirs-gtk                0.10-1+b1

Versions of packages gnome recommends:
ii  brasero           3.12.1-4
ii  gnome-games       1:3.22+2
ii  polari            3.22.2-1
ii  transmission-gtk  2.92-2

Versions of packages gnome suggests:
pn  alacarte 
pn  empathy  
pn  firefox-esr-l10n-all | firefox-l10n-all  
pn  goobox | sound-juicer
pn  xul-ext-gnome-keyring
pn  xul-ext-ublock-origin

Versions of packages gnome-core depends on:
ii  adwaita-icon-theme       3.22.0-1
ii  at-spi2-core             2.22.0-5+b1
ii  baobab                   3.22.1-1
ii  caribou                  0.4.21-1+b1
ii  chrome-gnome-shell       8-4
ii  chromium                 58.0.3029.81-1
ii  dconf-cli                0.26.0-2+b1
ii  dconf-gsettings-backend  0.26.0-2+b1
ii  eog                      3.20.5-1+b1
ii  evince                   3.22.1-3
ii  evolution-data-server    3.22.7-1
ii  fonts-cantarell          0.0.25-2
ii  gdm3                     3.22.1-2
ii  gedit                    3.22.0-2
ii  gkbd-capplet             3.22.0.1-1+b1
ii  glib-networking          2.50.0-1+b1
ii  gnome-backgrounds        3.22.1-1
ii  gnome-bluetooth 

Bug#862156: marked as done (WebKit can't display Google's new login page)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 11:52:53 +0200
with message-id <20170529095253.6unfjxeem5gcihbb@perseus.local>
and subject line Re: Bug#862156: Bug #862156
has caused the Debian Bug report #862156,
regarding WebKit can't display Google's new login page
to be marked as done.


-- 
862156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862156
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-online-accounts
Version: 3.22.5-1
Severity: normal

Dear Maintainer,


  * What led up to the situation?
Add new account or re-login

  * What exactly did you do (or not do) that was effective (or
ineffective)?
online-account, add google, enter login, enter password

  * What was the outcome of this action?
Blank page

  * What outcome did you expect instead?
2fa page

The same error found on redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=1446817
Probably resolved by upstream: http://trac.webkit.org/changeset/216350/webkit


-- System Information:
Debian Release: 9.0
 APT prefers testing-proposed-updates
 APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64
(x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-online-accounts depends on:
ii  libc6                 2.24-10
ii  libgcr-base-3-1       3.20.0-5
ii  libglib2.0-0          2.50.3-2
ii  libgoa-1.0-0b         3.22.5-1
ii  libgoa-backend-1.0-1  3.22.5-1
ii  libkrb5-3             1.15-1
ii  librest-0.7-0         0.8.0-2
ii  libsoup2.4-1          2.56.0-2
ii  libwebkit2gtk-4.0-37  2.14.6-1

Versions of packages gnome-online-accounts recommends:
ii  dleyna-server         0.4.0-1.1
ii  gnome-control-center  1:3.22.2-1
ii  realmd                0.16.3-1

gnome-online-accounts suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
On Wed, May 17, 2017 at 06:07:23PM +0200, Przemysław Świderski wrote:

> > To the bug reporter : once WebKit 2.14.7 lands in Stretch, could
> > you please check if the problem is fixed, so that the package
> > maintainers can close this bug ?
> Yes, I confirm that the problem is fixed.

Closing bug then, thanks!

Berto
--- End Message ---


Bug#863414: marked as done (coyim FTBFS: xmpp: failed to verify TLS certificate: x509: certificate signed by unknown authority)

2017-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2017 09:18:43 +
with message-id 
and subject line Bug#863414: fixed in coyim 0.3.7-3
has caused the Debian Bug report #863414,
regarding coyim FTBFS: xmpp: failed to verify TLS certificate: x509: 
certificate signed by unknown authority
to be marked as done.


-- 
863414: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863414
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: coyim
Version: 0.3.7-2
Severity: serious

https://tests.reproducible-builds.org/debian/rb-pkg/testing/amd64/coyim.html

...
--
FAIL: connection_go16_test.go:50: 
ConnectionXmppSuite.Test_Dial_worksIfTheHandshakeSucceeds

connection_go16_test.go:73:
c.Assert(err, Equals, io.EOF)
... obtained *errors.errorString = {s:"xmpp: failed to 
verify TLS certificate: x509: certificate has expired or is not yet valid"} 
("xmpp: failed to verify TLS certificate: x509: certificate has expired or is 
not yet valid")
... expected *errors.errorString = {s:"EOF"} ("EOF")


--
FAIL: connection_go16_test.go:110: 
ConnectionXmppSuite.Test_Dial_worksIfTheHandshakeSucceedsButSucceedsOnValidCertHash

connection_go16_test.go:133:
c.Assert(err, Equals, io.EOF)
... obtained *errors.errorString = {s:"xmpp: failed to 
verify TLS certificate: x509: certificate has expired or is not yet valid"} 
("xmpp: failed to verify TLS certificate: x509: certificate has expired or is 
not yet valid")
... expected *errors.errorString = {s:"EOF"} ("EOF")

2018/06/28 18:47:23 xmpp: sending closing stream tag
2018/06/28 18:47:23 xmpp: TCP closed
2018/06/28 18:47:23 xmpp: received closing stream tag
OOPS: 126 passed, 2 FAILED
--- FAIL: Test (0.18s)
FAIL
exit status 1
FAILgithub.com/twstrike/coyim/xmpp  0.192s
?   github.com/twstrike/coyim/xmpp/data [no test files]
?   github.com/twstrike/coyim/xmpp/errors   [no test files]
?   github.com/twstrike/coyim/xmpp/interfaces   [no test files]
=== RUN   Test
OK: 3 passed
--- PASS: Test (0.00s)
PASS
ok  github.com/twstrike/coyim/xmpp/utils0.009s
dh_auto_test: go test -v -p 1 github.com/twstrike/coyim 
github.com/twstrike/coyim/cli github.com/twstrike/coyim/cli/terminal 
github.com/twstrike/coyim/cli/terminal/real github.com/twstrike/coyim/client 
github.com/twstrike/coyim/config github.com/twstrike/coyim/config/importer 
github.com/twstrike/coyim/digests github.com/twstrike/coyim/event 
github.com/twstrike/coyim/gui github.com/twstrike/coyim/gui/definitions 
github.com/twstrike/coyim/gui/settings 
github.com/twstrike/coyim/gui/settings/definitions 
github.com/twstrike/coyim/i18n github.com/twstrike/coyim/net 
github.com/twstrike/coyim/roster github.com/twstrike/coyim/sasl 
github.com/twstrike/coyim/sasl/digestmd5 github.com/twstrike/coyim/sasl/plain 
github.com/twstrike/coyim/sasl/scram github.com/twstrike/coyim/servers 
github.com/twstrike/coyim/session github.com/twstrike/coyim/session/access 
github.com/twstrike/coyim/session/events github.com/twstrike/coyim/session/mock 
github.com/twstrike/coyim/tls github.com/twstrike/coyim/ui githu
 b.com/twstrike/coyim/xmpp github.com/twstrike/coyim/xmpp/data 
github.com/twstrike/coyim/xmpp/errors github.com/twstrike/coyim/xmpp/interfaces 
github.com/twstrike/coyim/xmpp/utils returned exit code 1
debian/rules:14: recipe for target 'override_dh_auto_test' failed
make[1]: *** [override_dh_auto_test] Error 1



It failed with the same error when I tried to rebuild it locally.
--- End Message ---
--- Begin Message ---
Source: coyim
Source-Version: 0.3.7-3

We believe that the bug you reported is fixed in the latest version of
coyim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sascha Steinbiss  (supplier of updated coyim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2017 10:31:46 +0200
Source: coyim
Binary: coyim
Architecture: 

Bug#863584: CVE-2017-2824

2017-05-29 Thread Alexei Vladishev
Hey all,

Upstream here. Both issues have already been fixed under
https://support.zabbix.com/browse/ZBX-12075.

Kind regards,
Alexei

> On 28 May 2017, at 23:42, Moritz Muehlenhoff  wrote:
> 
> Source: zabbix
> Severity: grave
> Tags: security
> 
> Please see
> http://www.talosintelligence.com/reports/TALOS-2017-0325/
> http://www.talosintelligence.com/reports/TALOS-2017-0326/
> 
> Cheers,
>Moritz
> 
> 



Processed: severity of 862442 is serious

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # should be fixed for stretch
> severity 862442 serious
Bug #862442 [src:tnef] tnef: CVE-2017-8911: integer underflow in unicode_to_utf8
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863414: coyim FTBFS: xmpp: failed to verify TLS certificate: x509: certificate signed by unknown authority

2017-05-29 Thread Chris Lamb
Hi Sascha,

> Many thanks for taking care of this! I was unfortunately not able to
> respond to the bug in time due to traveling :/

No problem; and feel free to upload your own version now to avoid the
ickiness of having to incorporate an NMU into your packaging repo. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#863414: coyim FTBFS: xmpp: failed to verify TLS certificate: x509: certificate signed by unknown authority

2017-05-29 Thread Sascha Steinbiss
Hi Chris,

[...]
> I've uploaded coyim 0.3.7-2.1 to DELAYED/5:

Many thanks for taking care of this! I was unfortunately not able to
respond to the bug in time due to traveling :/

Cheers
Sascha





Bug#861913: mariadb-client-10.1: trying to overwrite '/usr/bin/mytop', which is also in package mytop 1.9.1-4

2017-05-29 Thread Ondřej Surý
The old one uses the "MySQL" name everywhere, the new one writes "MariaDB"
everywhere.

So they are compatible, but it's kind of a "Pope in Avignon" situation...

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds

On Mon, May 29, 2017, at 10:15, Olaf van der Spek wrote:
> 2017-05-29 10:12 GMT+02:00 Ondřej Surý :
> > I am not sure about that. We still live in the strange dichotomy where
> > we consider that MySQL server might get installed from different
> > repository (or unstable) and the original "mytop" is meant to be used
> > with MySQL server (from Oracle).
> 
> Is the one included with mariadb not fully compatible with the other one?



Bug#861913: mariadb-client-10.1: trying to overwrite '/usr/bin/mytop', which is also in package mytop 1.9.1-4

2017-05-29 Thread Olaf van der Spek
2017-05-29 10:12 GMT+02:00 Ondřej Surý :
> I am not sure about that. We still live in the strange dichotomy where
> we consider that MySQL server might get installed from different
> repository (or unstable) and the original "mytop" is meant to be used
> with MySQL server (from Oracle).

Is the one included with mariadb not fully compatible with the other one?



Bug#861913: mariadb-client-10.1: trying to overwrite '/usr/bin/mytop', which is also in package mytop 1.9.1-4

2017-05-29 Thread Ondřej Surý
I am not sure about that. We still live in the strange dichotomy where
we consider that MySQL server might get installed from different
repository (or unstable) and the original "mytop" is meant to be used
with MySQL server (from Oracle).

Maybe there should be some clear naming split in the future (like what
happened with the libmariadb C library), but that would be buster
material, because that would need:

1) walk through all the commands and replace all "my" and "mysql" with
"maria"
2) make a compatibility package on top of that that would decide what
command to use based on the default "MySQL" provider in the system

Definitely a lot of careful work.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds

On Mon, May 29, 2017, at 10:04, Olaf van der Spek wrote:
> Thanks!
> 
> I was thinking, wouldn't it make sense to just update the original
> mytop package?
> 
> 2017-05-08 12:10 GMT+02:00 Ondřej Surý :
> > https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git/commit/?id=2a17c70476de768f1e166b65f4a1b3865ac9757f
> >
> > --
> > Ondřej Surý 
> > Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> > Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> > fast DNS(SEC) resolver
> > Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
> > baking bread of all kinds
> >
> > On Mon, May 8, 2017, at 12:08, Olaf van der Spek wrote:
> >> 2017-05-08 11:42 GMT+02:00 Ondřej Surý :
> >> > Definitely, I am just building the fixed version. I did a cleanup of
> >> > upstream files not being installed in the last bigger mariadb update,
> >> > and I was just not aware mytop was already packaged. Sorry for the
> >> > troubles.
> >>
> >> Shouldn't it also declare a Replaces?
> 
> 
> 
> -- 
> Olaf



Bug#846548: marked as pending

2017-05-29 Thread Julien Cristau
On 05/29/2017 03:15 AM, Eric Dorland wrote:
> * Julien Cristau (jcris...@debian.org) wrote:
>> On Mon, May 22, 2017 at 03:42:57 +, Eric Dorland wrote:
>>
>>> tag 846548 pending
>>> thanks
>>>
>>> Hello,
>>>
>>> Bug #846548 reported by you has been fixed in the Git repository. You can
>>> see the changelog below, and you can check the diff of the fix at:
>>>
>>> https://anonscm.debian.org/cgit/pkg-opensc/libp11.git/commit/?id=e8d6da0
>>>
>> So, erm.  This seems like it would break using libengine-pkcs11-openssl
>> in an application using libssl1.0.2.  As a SONAME bump it also seems
>> rather inappropriate during the freeze.
> 
> That's a good point. I was trying to provide an alternative to the
> broken NMU that was going to be uploaded, but yes this will break
> applications built against libssl1.0.2. It does fix using this with
> the openssl tool however.
> 
Right.

>> I'm very interested in having this fixed in stretch so I can get the
>> secure-boot stuff working on ftp-master, but this doesn't look like the
>> way to go.  Not to mention that you'd have to justify the bump from
>> 0.4.3 to 0.4.4.
>>
>> Can you explain your plans here?
> 
> As you suggested in your followup, the way forward would appear to be
> to upload a new libp11 source package that builds against
> libssl1.0.2. I can also backport all of the changes to 0.4.3 and
> upload to testing-proposed-updates. Does that sound reasonable?
> 
Having read through the 0.4.4 changes I think I'd be ok with getting
that in if you're confident.  I guess the other question is should
libp11-dev come from the openssl1.1-using package or the
openssl1.0.2-using one.  At this late stage I guess it's safer to stay
with 1.0.2, and have the libp11-openssl1.1 package (or however it's
called) only provide a libengine-pkcs11-openssl1.1 binary?

Cheers,
Julien



Bug#861913: mariadb-client-10.1: trying to overwrite '/usr/bin/mytop', which is also in package mytop 1.9.1-4

2017-05-29 Thread Olaf van der Spek
Thanks!

I was thinking, wouldn't it make sense to just update the original
mytop package?

2017-05-08 12:10 GMT+02:00 Ondřej Surý :
> https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git/commit/?id=2a17c70476de768f1e166b65f4a1b3865ac9757f
>
> --
> Ondřej Surý 
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
> baking bread of all kinds
>
> On Mon, May 8, 2017, at 12:08, Olaf van der Spek wrote:
>> 2017-05-08 11:42 GMT+02:00 Ondřej Surý :
>> > Definitely, I am just building the fixed version. I did a cleanup of
>> > upstream files not being installed in the last bigger mariadb update,
>> > and I was just not aware mytop was already packaged. Sorry for the
>> > troubles.
>>
>> Shouldn't it also declare a Replaces?



-- 
Olaf



Bug#863596: mytop can't installed

2017-05-29 Thread Adrian Bunk
On Mon, May 29, 2017 at 05:38:38AM +0200, Jörg Frings-Fürst wrote:
> Package: mytop
> Version: 1.9.1-4
> Severity: grave
> 
> Hi,
> 
> with the last mariadb upgrade I get:
> 
> ~ > apt-get install mytop
> Paketlisten werden gelesen... Fertig
> Abhängigkeitsbaum wird aufgebaut.
> Statusinformationen werden eingelesen Fertig
> Einige Pakete konnten nicht installiert werden. Das kann bedeuten, dass
> Sie eine unmögliche Situation angefordert haben oder, wenn Sie die
> Unstable-Distribution verwenden, dass einige erforderliche Pakete noch
> nicht erstellt wurden oder Incoming noch nicht verlassen haben.
> Die folgenden Informationen helfen Ihnen vielleicht, die Situation zu lösen:
> 
> Die folgenden Pakete haben unerfüllte Abhängigkeiten:
>  mariadb-client-10.1 : Kollidiert mit: mytop aber 1.9.1-4 soll installiert
> werden
> E: Fehler: Unterbrechungen durch pkgProblemResolver::Resolve hervorgerufen;
> dies könnte durch zurückgehaltene Pakete verursacht worden sein.

Thanks for your report.

mytop is now part of mariadb-client-10.1, therefore the mytop package 
doesn't seem to make much sense in stretch.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Processed: retitle 863584 to zabbix: CVE-2017-2824 CVE-2017-2825

2017-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 863584 zabbix: CVE-2017-2824 CVE-2017-2825
Bug #863584 [src:zabbix] CVE-2017-2824
Changed Bug title to 'zabbix: CVE-2017-2824 CVE-2017-2825' from 'CVE-2017-2824'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863584: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863584
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems