Bug#899485: marked as done (docker-runc: Invalid maintainer address docker-ma...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Fri, 08 Jun 2018 04:04:27 +
with message-id 
and subject line Bug#899485: fixed in docker-runc 
1.0.0~rc2+git+docker1.13.1~ds1-5
has caused the Debian Bug report #899485,
regarding docker-runc: Invalid maintainer address 
docker-ma...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899485
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:docker-runc
Version: 1.0.0~rc2+git+docker1.13.1~ds1-4
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of docker-runc,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package docker-runc since the list address
docker-ma...@lists.alioth.debian.org used in the Maintainer: field was
not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
docker-ma...@lists.alioth.debian.org is 5.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: docker-runc
Source-Version: 1.0.0~rc2+git+docker1.13.1~ds1-5

We believe that the bug you reported is fixed in the latest version of
docker-runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov  (supplier of updated docker-runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 08 Jun 2018 13:34:54 +1000
Source: docker-runc
Binary: docker-runc golang-github-opencontainers-docker-runc-dev
Architecture: source amd64 all
Version: 1.0.0~rc2+git+docker1.13.1~ds1-5
Distribution: unstable
Urgency: medium
Maintainer: Tim Potter 
Changed-By: Dmitry Smirnov 
Description:
 docker-runc - Open Container Project - runtime (Docker's version)
 golang-github-opencontainers-docker-runc-dev - Open Container Project - 
development files (Docker's version)
Closes: 899485
Changes:
 docker-runc (1.0.0~rc2+git+docker1.13.1~ds1-5) unstable; urgency=medium
 .
   * Tim Potter is Maintainer (Closes: #899485).
   * Vcs URLs to Salsa.
   * Standards-Version: 4.1.4; Priority: optional.
Checksums-Sha1:
 a859310b5103e3537d2d82d0fd1f278afaa49880 2779 
docker-runc_1.0.0~rc2+git+docker1.13.1~ds1-5.dsc
 ec9c52bc6402b30e094f8da6dcc6c7d39a6600c4 11396 
docker-runc_1.0.0~rc2+git+docker1.13.1~ds1-5.debian.tar.xz
 cf9f53de7100548a0d796a00fb679940ad015b87 1014624 
docker-runc-dbgsym_1.0.0~rc2+git+docker1.13.1~ds1-5_amd64.deb
 ace98d71076bde7a0c18a58e4c31063e877730f8 8668 
docker-runc_1.0.0~rc2+git+docker1.13.1~ds1-5_amd64.buildinfo
 

Processed: found 901017 in 1:2.1+dfsg-11

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 901017 1:2.1+dfsg-11
Bug #901017 [src:qemu] qemu: CVE-2018-11806: slirp: heap buffer overflow while 
reassembling fragmented datagrams
Marked as found in versions qemu/1:2.1+dfsg-11.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
901017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901017
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#901017: qemu: CVE-2018-11806: slirp: heap buffer overflow while reassembling fragmented datagrams

[Salvatore Bonaccorso]

Source: qemu
Version: 1:2.12+dfsg-3
Severity: grave
Tags: patch security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

Hi,

The following vulnerability was published for qemu.

CVE-2018-11806[0]:
slirp: heap buffer overflow while reassembling fragmented datagrams

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#899884: marked as done (ltsp: Invalid maintainer address pkg-ltsp-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:25:14 -0700
with message-id <87vaauaub9@aikidev.net>
and subject line Re: Bug#899884: ltsp: Invalid maintainer address 
pkg-ltsp-de...@lists.alioth.debian.org
has caused the Debian Bug report #899884,
regarding ltsp: Invalid maintainer address 
pkg-ltsp-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899884
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:ltsp
Version: 5.18.04-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of ltsp,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package ltsp since the list address
pkg-ltsp-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ltsp-de...@lists.alioth.debian.org is 6.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 5.18.04-2

ltsp (5.18.04-2) unstable; urgency=medium

  * Update Maintainer address.
  * Add patch from upstream to use POSIX awk exponent operator "^".

 -- Vagrant Cascadian   Thu, 07 Jun 2018 19:12:44 -0700

Neglected to mark the bug number of the changelog, but it is updated to
a new working address.


live well,
  vagrant


signature.asc
Description: PGP signature
--- End Message ---

Processed: Re: Bug#900533: chromium 67.0.3396.62-1: youtube video, gif's, html5, and movies no longer work

[Debian Bug Tracking System]

Processing control commands:

> tag -1 confirmed, help
Bug #900533 [chromium] chromium 67.0.3396.62-1: youtube video, gif's, html5, 
and movies no longer work
Bug #900539 [chromium] Can no longer watch any YouTube movie
Added tag(s) confirmed and help.
Added tag(s) help and confirmed.

-- 
900533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900533
900539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900533: chromium 67.0.3396.62-1: youtube video, gif's, html5, and movies no longer work

[Michael Gilbert]

control: tag -1 confirmed, help

On Wed, Jun 6, 2018 at 11:37 AM, jim_p wrote:
> Is there any info on when this issue could be fixed? It has been a week since
> this bug report was opened and there are no official comments here regarding
> any progress, neither some newer source package suggesting there is a patch 
> for
> it or a fix.

It's pretty clearly an issue with the ffmpeg demuxer.  I'll debug it
when I find free time.  Others willing to help might move things a bit
faster.

Best wishes,
Mike

Processed: Bug #898943 in smplayer marked as pending

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #898943 [src:smplayer] Multiple vulnerabiliities in Mongoose
Added tag(s) pending.

-- 
898943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#898943: Bug #898943 in smplayer marked as pending

[mati75]

Control: tag -1 pending

Hello,

Bug #898943 in smplayer reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/smplayer/commit/d1f3aaeda717076c1761f0aebb56681a5c4ce435


Add debian/patches/03-update-mongoose-to-6.11.patch:
- Fix CVE-2017-2891, CVE-2017-2892, CVE-2017-2893, CVE-2017-2894,
  CVE-2017-2895, CVE-2017-2909, CVE-2017-2921, CVE-2017-2922. (Closes: 
#898943)
  * Add debian/patches/07-fix-ftbfs-gcc8.patch:
- Fix FTBFS with gcc-8. (Closes: #897863)



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/898943

Bug#899626: marked as done (ltspfs: Invalid maintainer address pkg-ltsp-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:49:32 +
with message-id 
and subject line Bug#899626: fixed in ltspfs 1.5-2
has caused the Debian Bug report #899626,
regarding ltspfs: Invalid maintainer address 
pkg-ltsp-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:ltspfs
Version: 1.5-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of ltspfs,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package ltspfs since the list address
pkg-ltsp-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ltsp-de...@lists.alioth.debian.org is 6.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: ltspfs
Source-Version: 1.5-2

We believe that the bug you reported is fixed in the latest version of
ltspfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated ltspfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 16:26:02 -0700
Source: ltspfs
Binary: ltspfs ltspfsd ltspfsd-core
Architecture: source
Version: 1.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian LTSP Maintainers 
Changed-By: Vagrant Cascadian 
Description:
 ltspfs - Fuse based remote filesystem for LTSP thin clients
 ltspfsd- Fuse based remote filesystem hooks for LTSP thin clients
 ltspfsd-core - Fuse based remote filesystem daemon for LTSP thin clients
Closes: 899626
Changes:
 ltspfs (1.5-2) unstable; urgency=medium
 .
   * debian/control:
 - Update Maintainer address (Closes: #899626).
 - Update Standards-Version to 4.1.4, no changes needed.
   * Add debian/watch checking for new git tags.
   * Update to debhelper compatibility level 11:
 - Drop Build-Depends on dh-autoreconf and autotools-dev.
 - debian/rules: Remove dh call to use autoreconf, as it is enabled by
   default.
Checksums-Sha1:
 3d905fd70333ce604bde03ed47be17574b64dfb5 2029 ltspfs_1.5-2.dsc
 0ed46a897079384ea8a6d7bbbdbe5e85b6521cb2 8820 ltspfs_1.5-2.debian.tar.xz
 c4b61300d608fd3113f574423f9effe642fa2cd5 7692 ltspfs_1.5-2_amd64.buildinfo
Checksums-Sha256:
 80432acd02184fcfdb6443c9cc150b35c980865b39ab0a9883b0e128e7ca5fe5 2029 
ltspfs_1.5-2.dsc
 

Bug#896302: marked as done (Missing python3-lib2to3 dependency)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding Missing python3-lib2to3 dependency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-setools
Version: 4.1.1-3
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python3-setools importing the module setools
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3/dist-packages/setools/__init__.py", line 77, in 

from .infoflow import InfoFlowAnalysis
  File "/usr/lib/python3/dist-packages/setools/infoflow.py", line 22, in 

import networkx as nx
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87, in 

import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py", line 
14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py", line 44, in 

from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * debian/rules
 - delete files removals line no longer needed
 - update location for upstream changelog
   * debian/patches/0004-add-copybutton.js.patch
 - add required copybutton.js file
   * debian/python.org_objects.inv,debian/scipy.org_numpy_objects.inv
 - update intersphinx doc
   * debian/patches/0005-use-debian-mathjax.js.patch
 - use MathJax.js as provided by libjs-mathjax in 

Bug#896342: marked as done (python3-tldp: tldp fails to import)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding python3-tldp: tldp fails to import
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-tldp
Version: 0.7.13-1
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python3-tldp importing the module tldp
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3/dist-packages/tldp/__init__.py", line 7, in 
import tldp.config
  File "/usr/lib/python3/dist-packages/tldp/config.py", line 18, in 
import tldp.typeguesser
  File "/usr/lib/python3/dist-packages/tldp/typeguesser.py", line 13, in 

import tldp.doctypes
  File "/usr/lib/python3/dist-packages/tldp/doctypes/__init__.py", line 7, in 

from tldp.doctypes.asciidoc import Asciidoc
  File "/usr/lib/python3/dist-packages/tldp/doctypes/asciidoc.py", line 13, in 

from tldp.doctypes.common import depends
  File "/usr/lib/python3/dist-packages/tldp/doctypes/common.py", line 20, in 

import networkx as nx
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87, in 

import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py", line 
14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py", line 44, in 

from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples 

Bug#896212: marked as done (Missing python3-lib2to3 dependency)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding Missing python3-lib2to3 dependency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-sepolicy
Version: 2.7-2
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python3-sepolicy importing the module sepolicy
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3/dist-packages/sepolicy/__init__.py", line 8, in 

import setools
  File "/usr/lib/python3/dist-packages/setools/__init__.py", line 77, in 

from .infoflow import InfoFlowAnalysis
  File "/usr/lib/python3/dist-packages/setools/infoflow.py", line 22, in 

import networkx as nx
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87, in 

import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py", line 
14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py", line 44, in 

from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * debian/rules
 - delete files removals line no longer needed
 - update location for upstream changelog
   * debian/patches/0004-add-copybutton.js.patch
 - add required copybutton.js file
   * debian/python.org_objects.inv,debian/scipy.org_numpy_objects.inv
 - update intersphinx doc
   * 

Bug#896233: marked as done (Missing python3-lib2to3 dependency)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding Missing python3-lib2to3 dependency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-networkx
Version: 1.11-2
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python3-networkx importing the module networkx
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87, in 

import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py", line 
14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py", line 44, in 

from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * debian/rules
 - delete files removals line no longer needed
 - update location for upstream changelog
   * debian/patches/0004-add-copybutton.js.patch
 - add required copybutton.js file
   * debian/python.org_objects.inv,debian/scipy.org_numpy_objects.inv
 - update intersphinx doc
   * debian/patches/0005-use-debian-mathjax.js.patch
 - use MathJax.js as provided by libjs-mathjax in Debian
   * debian/python-networkx-doc.doc-base
 - update doc-base to refer to index.html as doc entry point
   * 
debian/patches/0006-skip-plot_football-from-sphinx-gallery-requires-netw.patch
 - plot_football.py 

Bug#893697: marked as done (Missing python3-lib2to3 dependency)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding Missing python3-lib2to3 dependency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: setools
Version: 4.1.1-3
Severity: Important

sesearch needs the python module lib2to3 or it fails:


Traceback (most recent call last):
  File "/usr/bin/sesearch", line 21, in 
import setools
  File "/usr/lib/python3/dist-packages/setools/__init__.py", line 77,
in 
from .infoflow import InfoFlowAnalysis
  File "/usr/lib/python3/dist-packages/setools/infoflow.py", line 22,
in 
import networkx as nx
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87,
in 
import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py",
line 14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py",
line 44, in 
from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * debian/rules
 - delete files removals line no longer needed
 - update location for upstream changelog
   * debian/patches/0004-add-copybutton.js.patch
 - add required copybutton.js file
   * debian/python.org_objects.inv,debian/scipy.org_numpy_objects.inv
 - update intersphinx doc
   * debian/patches/0005-use-debian-mathjax.js.patch
 - use MathJax.js as provided by libjs-mathjax in Debian
   * debian/python-networkx-doc.doc-base
 - update doc-base to refer to index.html as doc entry point
   * 
debian/patches/0006-skip-plot_football-from-sphinx-gallery-requires-netw.patch
 - plot_football.py requires network access, so skip it
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
   * d/copyright: Use https protocol in Format field
   * d/watch: Use https protocol
   * d/changelog: Remove trailing whitespaces
Checksums-Sha1:
 2a8c0a6c9fddd752eedc6b18566b89d8e52dd11d 2779 

Bug#872241: marked as done (python-networkx: FTBFS with Sphinx 1.6: Needs build-dep on latexmk)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#872241: fixed in python-networkx 2.1-1
has caused the Debian Bug report #872241,
regarding python-networkx: FTBFS with Sphinx 1.6: Needs build-dep on latexmk
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
872241: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872241
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-networkx
Version: 1.11-2
Severity: important
User: python-modules-t...@lists.alioth.debian.org
Usertags: sphinx1.6

Dear maintainer,

python-networkx fails to build with Sphinx 1.6, currently available in
experimental:

  make -C build/latex all-pdf
  make[3]: Entering directory '/<>/doc/build/latex'
  latexmk -pdf -dvi- -ps-  'networkx_tutorial.tex'
  make[3]: latexmk: Command not found
  Makefile:33: recipe for target 'networkx_tutorial.pdf' failed
  make[3]: *** [networkx_tutorial.pdf] Error 127

Since Sphinx 1.6, latexmk is required to build the LaTeX documentation [1].
Adding a build-dependency on latexmk should help.

[1]: https://github.com/sphinx-doc/sphinx/pull/3082

--
Dmitry Shachnev


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * debian/rules
 - delete files removals line no longer needed
 - update location for upstream changelog
   * debian/patches/0004-add-copybutton.js.patch
 - add required copybutton.js file
   * debian/python.org_objects.inv,debian/scipy.org_numpy_objects.inv
 - update intersphinx doc
   * debian/patches/0005-use-debian-mathjax.js.patch
 - use MathJax.js as provided by libjs-mathjax in Debian
   * debian/python-networkx-doc.doc-base
 - update doc-base to refer to index.html as doc entry point
   * 
debian/patches/0006-skip-plot_football-from-sphinx-gallery-requires-netw.patch
 - plot_football.py requires network access, so skip it
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
   * d/copyright: Use https protocol in Format field
   * d/watch: Use https protocol
   * d/changelog: Remove trailing whitespaces
Checksums-Sha1:
 2a8c0a6c9fddd752eedc6b18566b89d8e52dd11d 2779 python-networkx_2.1-1.dsc
 

Bug#896235: marked as done (Missing python3-lib2to3 dependency)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 23:07:29 +
with message-id 
and subject line Bug#893697: fixed in python-networkx 2.1-1
has caused the Debian Bug report #893697,
regarding Missing python3-lib2to3 dependency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-setoolsgui
Version: 4.1.1-3
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python3-setoolsgui importing the module setoolsgui
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3/dist-packages/setoolsgui/__init__.py", line 20, in 

from .apol import ApolMainWindow
  File "/usr/lib/python3/dist-packages/setoolsgui/apol/__init__.py", line 20, 
in 
from .mainwindow import ApolMainWindow
  File "/usr/lib/python3/dist-packages/setoolsgui/apol/mainwindow.py", line 30, 
in 
from setools import __version__, PermissionMap, SELinuxPolicy
  File "/usr/lib/python3/dist-packages/setools/__init__.py", line 77, in 

from .infoflow import InfoFlowAnalysis
  File "/usr/lib/python3/dist-packages/setools/infoflow.py", line 22, in 

import networkx as nx
  File "/usr/lib/python3/dist-packages/networkx/__init__.py", line 87, in 

import networkx.readwrite
  File "/usr/lib/python3/dist-packages/networkx/readwrite/__init__.py", line 
14, in 
from networkx.readwrite.gml import *
  File "/usr/lib/python3/dist-packages/networkx/readwrite/gml.py", line 44, in 

from lib2to3.pgen2.parse import ParseError
ModuleNotFoundError: No module named 'lib2to3'

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-networkx
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
python-networkx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated python-networkx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:18:28 -0400
Source: python-networkx
Binary: python-networkx python3-networkx python-networkx-doc
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 python-networkx - tool to create, manipulate and study complex networks
 python-networkx-doc - tool to create, manipulate and study complex networks - 
documenta
 python3-networkx - tool to create, manipulate and study complex networks 
(Python3)
Closes: 872241 888458 893697
Changes:
 python-networkx (2.1-1) unstable; urgency=medium
 .
   [ Sandro Tosi ]
   * New upstream release; Closes: #888458
 - references to lib2to3 have been removed upstream; Closes: #893697
   * debian/control
 - revert useless changes performed without any kind of coordination,
   preserving only the bump to Standard-Version: 3.9.8, which was not
   metioned in the changelog (and not formally released)
 - add gdal to b-d and d
 - add latexmk to b-d, needed to build doc and fix a FTBFS with sphinx 1.6;
   Closes: #872241
 - bump Standards-Version to 4.1.4 (no changes needed)
 - add ipykernel, nb2plots, nbformat, nbconvert, sphinx-gallery, traitlets
   to b-d-i, needed to build doc
   * debian/copyright
 - extend packaging copyright years
 - update upstream copyright years
   * refresh patches
   * 
debian/patches/0003-README.txt-to-examples-needed-by-sphinx-while-buildi.patch
 - add the missing README.txt to the examples directory
   * 

Bug#899563: marked as done (ldm: Invalid maintainer address pkg-ltsp-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 22:49:30 +
with message-id 
and subject line Bug#899563: fixed in ldm 2:2.18.06-1
has caused the Debian Bug report #899563,
regarding ldm: Invalid maintainer address pkg-ltsp-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899563
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:ldm
Version: 2:2.2.19-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of ldm,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package ldm since the list address
pkg-ltsp-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ltsp-de...@lists.alioth.debian.org is 6.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: ldm
Source-Version: 2:2.18.06-1

We believe that the bug you reported is fixed in the latest version of
ldm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated ldm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 15:09:48 -0700
Source: ldm
Binary: ldm ldm-server
Architecture: source
Version: 2:2.18.06-1
Distribution: unstable
Urgency: medium
Maintainer: Debian LTSP Maintainers 
Changed-By: Vagrant Cascadian 
Description:
 ldm- LTSP display manager
 ldm-server - server components for LTSP display manager
Closes: 899563
Changes:
 ldm (2:2.18.06-1) unstable; urgency=medium
 .
   * New upstream version.
 .
   [ Kim B. Heino ]
   * Flush log file after each write.
   * Fix gcc warnings.
   * Makefile: use same ldmplugdir value as in src/plugins/.
   * screen.d/ldm: make sure nc's input is null, hide "Connection refused"
 error.
   * Fixes for LDM_PASSWORD_HASH.
 .
   [ Vagrant Cascadian ]
   * debian/control:
 - Update Maintainer address (Closes: #899563).
 - Update Standards-Version to 4.1.4, no changes needed.
   * Remove un-used kfreebsd patch.
Checksums-Sha1:
 10a5c496d8cfd2e5b3c69e7236a9b162426b24c3 2060 ldm_2.18.06-1.dsc
 3e738dbe9bb787a6b49d40c7078d0e1118259ad8 128512 ldm_2.18.06.orig.tar.xz
 2a23f2a3fa0f7a1cb0fe3e771587759821231b5c 14780 ldm_2.18.06-1.debian.tar.xz
 7c07dc8780f0a26bbb9b8dd285a2cfa845d844b0 11600 ldm_2.18.06-1_amd64.buildinfo
Checksums-Sha256:
 2eb5a07a094d82d05eea3ba67921e6d1918f2baec86bf7ecb43818218f3b39bc 2060 
ldm_2.18.06-1.dsc
 

Bug#901001: python3-minimal should Pre-Depend on python3.N-minimal

[Matthias Klose]

Control: reassign -1 src:python3-defaults,src:dh-python

I'm not sure, if the pre-dependency is the correct solution (or the only 
solution).  To run py3clean/py3compile, you need any python3.X package unpacked. 
 So a possible solution could be to make py3clean/py3compile shell scripts, 
which try to find a valid python3 interpreter first. Using python3, if it's not 
a dangling link, or else any python3.X else.

Processed: Re: python3-minimal should Pre-Depend on python3.N-minimal

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 src:python3-defaults,src:dh-python
Bug #901001 [python3-defaults] python3-minimal should Pre-Depend on 
python3.N-minimal
Bug reassigned from package 'python3-defaults' to 
'src:python3-defaults,src:dh-python'.
Ignoring request to alter found versions of bug #901001 to the same values 
previously set
Ignoring request to alter fixed versions of bug #901001 to the same values 
previously set

-- 
901001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: reassign 901001 to python3-defaults, reassign 900803 to lists.debian.org

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 901001 python3-defaults
Bug #901001 [python3-default] python3-minimal should Pre-Depend on 
python3.N-minimal
Warning: Unknown package 'python3-default'
Bug reassigned from package 'python3-default' to 'python3-defaults'.
Ignoring request to alter found versions of bug #901001 to the same values 
previously set
Ignoring request to alter fixed versions of bug #901001 to the same values 
previously set
> reassign 900803 lists.debian.org
Bug #900803 [list.debian.org] lists.debian.org: new list: debian-l10n-fongbe
Warning: Unknown package 'list.debian.org'
Bug reassigned from package 'list.debian.org' to 'lists.debian.org'.
Ignoring request to alter found versions of bug #900803 to the same values 
previously set
Ignoring request to alter fixed versions of bug #900803 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900803
901001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#901001: python3-minimal should Pre-Depend on python3.N-minimal

[Julian Andres Klode]

Package: python3-default
Severity: serious

When python3 default version changes, and a new python3-minimal is unpacked 
before its
python3.N-minimal, we end up with a system without a working python3 symlink. 
This breaks
upgrades because prerm scripts of python3 packages use:

if which py3clean >/dev/null 2>&1; then
py3clean -p PKGNAME 

the which succeeds, as py3clean exists, but since the python3 symlink will be 
broken,
py3clean will be run and fail with Not Found.

(originally reported at https://bugs.launchpad.net/bugs/1768379)
(CCing debian-devel)

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic
  APT policy: (500, 'cosmic'), (100, 'cosmic-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-20-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en

Bug#900984: fails with latest ssl

[Tatsuya Kinoshita]

Control: severity -1 important

On June 8, 2018 at 12:45AM +0800, jidanni (at jidanni.org) wrote:
> Package: w3m
> Version: 0.5.3-36+b1
> Severity: grave
>
> $ w3m -dump https://wiki.debconf.org
> SSL error: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong 
> signature type
> w3m: Can't load https://wiki.debconf.org.
>
> Workaround:
>  Downgrade the following packages:
> 1) openssl [1.1.1~~pre7-1 (experimental, now) -> 1.1.0h-4 (unstable)]

This bug will become release-critical when this experimental
package is uploaded to unstable and the problem appears.

Thanks,
--
Tatsuya Kinoshita


pgpmmxRFUEn5M.pgp
Description: PGP signature

Bug#870233: smplayer: executes javascript code downloaded from insecure URL

[Reinhard Tartler]

​Sorry, I messed up Ricardo's email address in my previous follow-up, so
his reply went to me only. I'm quoting his input with his permission:

​Older versions of SMPlayer downloaded a javascript function from
> http://updates.smplayer.info/yt.js in order to decrypt a signature,
> which it's necessary to play some Youtube videos (mostly music
> videos). Newer versions don't do it anymore because now SMPlayer
> downloads the original function from a Youtube page. If you consider
> this to be also insecure, you can disable it by commenting the line
> DEFINES += YT_USE_SIG in smplayer.pro.


It seems that I confused the define YT_USE_SIG (which is still enabled)
with the define YT_USE_*YT*SIG (which is currently commented out in
smplayer.pro). My bad, sorry. I'll add a patch to the debian packaging that
disables that shortly.

I'm also happy to upload it as soon as I hear back from Mateusz regarding
my question(s) about mongoose.

Thanks everyone!

-- 
regards,
Reinhard

Processed: Re: Bug#900984: fails with latest ssl

[Debian Bug Tracking System]

Processing control commands:

> severity -1 important
Bug #900984 [w3m] fails with latest ssl
Severity set to 'important' from 'grave'

-- 
900984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900984
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900967: Security vulnerability: Stack overflow in BGP mask expressions

[Ondrej Zajicek]

On Thu, Jun 07, 2018 at 10:48:10PM +0200, Moritz Muehlenhoff wrote:
> > Hi
> > 
> > It is an security bugfix, but perhaps not so critical, it can be
> > exploited in very specific circumstances and probably only as a DoS,
> > not as a privilege escalation.
> 
> I'm not familiar with bird, so we could use help insight to assess the
> scope of the issue:
> 
> Could you please elaborate what these circumstances are? Like, who's
> able to trigger a crash, does it affect only specific setups/conditions?

The crash could be triggered from bird CLI tool (birdc), which is usually
accessible only to administrator. But the birdc has 'restricted' mode
(when called with -r option) when the CLI is restricted to 'safe'
commands, just for inspecting BIRD state, but the crash could be
triggered even in the restricted mode. But even the restricted mode is
accessible only to administrator.

But if administrator would allow nonprivileged users to run birdc in
restricted mode (say using 'sudo' rules) assuming than it is safe, then
such assumption is broken by the bug.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

Bug#900942: marked as done (CVE-2018-9246)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 21:34:40 +
with message-id 
and subject line Bug#900942: fixed in libpgobject-util-dbadmin-perl 0.130.1-1
has caused the Debian Bug report #900942,
regarding CVE-2018-9246
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900942
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpgobject-util-dbadmin-perl
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9246

-- Forwarded message -
From: Erik Huelsmann 
Date: Wed, Jun 6, 2018 at 6:36 PM
Subject: [ledgersmb-announce] Security announcement for CVE-2018-9246
/ PGObject::Util::DBAdmin
To: 


This mail is sent to this mailing list because PGObject::Util::DBAdmin
itself doesn't have a mailing list to send the disclosure to. We'll
update its repository to reflect the announcement below.


Please take note of the security advisory below, known as CVE-2018-9246

   Nick Prater discovered that the PGObject::Util::DBAdmin insufficiently
sanitizes or escapes variable values used as part of shell command
execution, resulting in shell code injection.
   The vulnerability allows an attacker to execute arbitrary code with the
same privileges as the running application through the create(), run_file(),
backup() and restore() functions.

Affected versions:
  PGObject::Util::DBAdmin versions 0.110.0 and lower.

Vulnerability type:
  Insufficiently sanitized arguments in external program invocation

Discoverer:
  Nick Prater (NP Broadcast LTD)

Resolution:
  Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0
available on CPAN).
--- End Message ---
--- Begin Message ---
Source: libpgobject-util-dbadmin-perl
Source-Version: 0.130.1-1

We believe that the bug you reported is fixed in the latest version of
libpgobject-util-dbadmin-perl, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert James Clay  (supplier of updated 
libpgobject-util-dbadmin-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 10:55:23 -0400
Source: libpgobject-util-dbadmin-perl
Binary: libpgobject-util-dbadmin-perl
Architecture: source
Version: 0.130.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Robert James Clay 
Closes: 900942
Description: 
 libpgobject-util-dbadmin-perl - PostgreSQL Database Management Facilities for 
PGObject
Changes:
 libpgobject-util-dbadmin-perl (0.130.1-1) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ gregor herrmann ]
   * Update years of upstream and packaging copyright.
   * Don't run new perlcritic test during build and autopkgtest.
   * Add (build) dependency on libnamespace-clean-perl.
   * Declare compliance with Debian Policy 4.1.4.
   * Bump debhelper compatibility level to 10.
 .
   [ Robert James Clay ]
   * Update my copyright years in debian/copyright.
   * Import upstream version 0.130.1, resolving CVE-2018-9246. (Closes: #900942)
   * Correct the upstream URL metadata in debian/upstream/metadata.
   * Add 't/boilerplate.t' to the debian/tests/pkg-perl/smoke-skip file.
Checksums-Sha1: 
 fa378b9bd7e1661f7ed689e77a6715196ba4ac51 2491 
libpgobject-util-dbadmin-perl_0.130.1-1.dsc
 2eae41cb3f42cf006136beafe9ed5277557520d3 14844 
libpgobject-util-dbadmin-perl_0.130.1.orig.tar.gz
 7d2cd75d1b3e8cbfeb41bea2bfb95240be04702b 2784 
libpgobject-util-dbadmin-perl_0.130.1-1.debian.tar.xz
Checksums-Sha256: 
 7675ea2459f998f53ae1c1230d9b355bbcb4967d7868f2ce8d73b12a3323e14f 2491 
libpgobject-util-dbadmin-perl_0.130.1-1.dsc
 4042d6d19941ec2429540287f926218c94ef93eb9997b1dfeffb390abf08e053 14844 
libpgobject-util-dbadmin-perl_0.130.1.orig.tar.gz
 ae5674781a14a017222ac5bfc47b3f45105544948a7bdb013695791c9b413bc0 2784 
libpgobject-util-dbadmin-perl_0.130.1-1.debian.tar.xz
Files: 
 2947da490ce2845e2aa4a87ea9a818b4 2491 perl optional 
libpgobject-util-dbadmin-perl_0.130.1-1.dsc
 3fa8dc7802156505aabb9467dff02744 14844 perl 

Bug#900998: gambas3: FTBFS w/SDL2 2.0.7+: MIX_INIT_FLUIDSYNTH undeclared

[Aaron M. Ucko]

Source: gambas3
Version: 3.9.2-2
Severity: serious
Tags: upstream
Justification: fails to build from source (but built successfully in the past)

Builds (binNMUs, for the most part) of gambas3 have been failing for
months:

CC   gb_sdl2_audio_la-main.lo
  main.c: In function 'AUDIO_init':
  main.c:61:13: error: 'MIX_INIT_FLUIDSYNTH' undeclared (first use in this 
function); did you mean 'MIX_INIT_MID'?
init_mixer(MIX_INIT_FLUIDSYNTH, "FLUIDSYNTH");
   ^~~
   MIX_INIT_MID
  main.c:61:13: note: each undeclared identifier is reported only once for each 
function it appears in
  Makefile:512: recipe for target 'gb_sdl2_audio_la-main.lo' failed

This problem first showed up on buildd.debian.org with December's
binNMU for libpoppler72 (subsequently superseded by libpoppler73 and
libpoppler74), and has continued to affect subsequent binNMU attempts,
first for libncurses6 and most recently for libcurl4.  This latest
round of failures is particularly problematic because it interferes
with a *hard* transition, in which libcurl4 conflicts with libcurl3 to
avoid skew in some scenarios (as detailed in #858398).

Could you please take a look?

Thanks!

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?a...@monk.mit.edu

Processed: found 900953 in 1.2-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 900953 1.2-1
Bug #900953 {Done: Emmanuel Bourg } [src:plexus-archiver] 
plexus-archiver: CVE-2018-1002200
Marked as found in versions plexus-archiver/1.2-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900676: marked as done (reportbug fails to start; unimplemented optparse subclass)

[Debian Bug Tracking System]

Your message dated Thu, 7 Jun 2018 16:52:54 -0400
with message-id 

and subject line Re: reportbug fails to start; unimplemented optparse subclass
has caused the Debian Bug report #900676,
regarding reportbug fails to start; unimplemented optparse subclass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900676: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rebportbug
Version: 7.1.7
Severity: grave

When trying to start reportbug it instantly crashes with following
message:

––
$
reportbug   

Traceback (most recent call last): File
"/usr/bin/reportbug", line 32, in  import optparse
  File "/usr/lib/python2.7/optparse.py", line 250
raise NotImplementedError, "subclasses must implement"
 ^
SyntaxError: invalid syntax
––
$ dpkg -S /usr/lib/python2.7/optparse.py 
libpython2.7-minimal:amd64: /usr/lib/python2.7/optparse.py
$ apt show libpython2.7-minimal:amd64
Package: libpython2.7-minimal
Version: 2.7.13-2+deb9u1

Thx for fixing
--- End Message ---
--- Begin Message ---
On Sun, 3 Jun 2018 10:42:05 +0200 reportbug_dead-addr...@jalsti.de wrote:

reportbug_dead-address? not even wasting time investigating this report

> When trying to start reportbug it instantly crashes with following
> message:
>
> ––
> $
> reportbug
> Traceback (most recent call last): File
> "/usr/bin/reportbug", line 32, in  import optparse
>   File "/usr/lib/python2.7/optparse.py", line 250
> raise NotImplementedError, "subclasses must implement"
>  ^
> SyntaxError: invalid syntax
> ––
> $ dpkg -S /usr/lib/python2.7/optparse.py
> libpython2.7-minimal:amd64: /usr/lib/python2.7/optparse.py
> $ apt show libpython2.7-minimal:amd64
> Package: libpython2.7-minimal
> Version: 2.7.13-2+deb9u1

if anyone reads this and thinks it's an actual bug, then it's
something belonging to libpython2.7-minimal, where the failing code is--- End Message ---

Bug#900967: Security vulnerability: Stack overflow in BGP mask expressions

[Moritz Muehlenhoff]

B0;115;0cOn Thu, Jun 07, 2018 at 08:27:22PM +0200, Ondrej Zajicek wrote:
> On Thu, Jun 07, 2018 at 01:37:04PM +0200, Jonas Meurer wrote:
> > Source: bird
> > Version: 1.6.3-2
> > Severity: critical
> > Tags: security
> > 
> > According to the upstream website[1] and changelog[2], bird release 1.6.4
> > includes an "important security bugfix".
> 
> Hi
> 
> It is an security bugfix, but perhaps not so critical, it can be
> exploited in very specific circumstances and probably only as a DoS,
> not as a privilege escalation.

I'm not familiar with bird, so we could use help insight to assess the
scope of the issue:

Could you please elaborate what these circumstances are? Like, who's
able to trigger a crash, does it affect only specific setups/conditions?

Cheers,
Moritz

Bug#900997: [print-manager] sends password to remote cups server

[Antonio Russo]

Package: print-manager
Version: 4:18.04.1-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

When on a (possibly untrusted) network with a cups server, opening the KDE 
configuration panel,
and going to the Printers kcm causes a dialog with the current user name filled 
in, asking for
that user's password.

This prompt does not express whether the password is being sent to sudo (which 
a cursory
inspection of the code suggests it does not), to a local cups server, or to a 
remote cups
server.

Moreover, the certificate that is being used by the server is completely 
unavailable
for inspection---and worse still does not appear to be rejected if it is 
invalid.

A print-manager user that is on a network with a hostile cups server could 
easily be tricked into
sending their password to that cups server.

Bug#889281: dokuwiki: CVE-2017-18123: reflected file download vulnerability

[anarcat]

Hi,

I have tested an update of the jessie package and things seem to work
fine after merging the patch from upstream during a smoketest of a clean
jessie VM.

Attached is the debdiff to complete the update.

A.
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog 
dokuwiki-0.0.20140505.a+dfsg/debian/changelog
--- dokuwiki-0.0.20140505.a+dfsg/debian/changelog   2015-03-22 
13:50:07.0 -0400
+++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog   2018-06-07 
15:25:55.0 -0400
@@ -1,3 +1,11 @@
+dokuwiki (0.0.20140505.a+dfsg-4+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-18123: fix remote code execution through reflected file
+download
+
+ -- Antoine Beaupré   Thu, 07 Jun 2018 15:25:55 -0400
+
 dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
 
   * debian/patches: security fix, from upstream hotfix release
diff -Nru 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
1969-12-31 19:00:00.0 -0500
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
2018-06-07 15:25:35.0 -0400
@@ -0,0 +1,25 @@
+From 238b8e878ad48f370903465192b57c2072f65d86 Mon Sep 17 00:00:00 2001
+From: Andreas Gohr 
+Date: Tue, 27 Jun 2017 15:04:23 +0200
+Subject: [PATCH] filter special chars from ajax call parameter. fixes #2019
+
+---
+ lib/exe/ajax.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
+index b3e9a618f5..9f9db5391a 100644
+--- a/lib/exe/ajax.php
 b/lib/exe/ajax.php
+@@ -15,9 +15,9 @@
+ 
+ //call the requested function
+ if($INPUT->post->has('call')){
+-$call = $INPUT->post->str('call');
++$call = $INPUT->post->filter('utf8_stripspecials')->str('call');
+ }else if($INPUT->get->has('call')){
+-$call = $INPUT->get->str('call');
++$call = $INPUT->get->filter('utf8_stripspecials')->str('call');
+ }else{
+ exit;
+ }
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/series
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series  2015-03-22 
13:48:40.0 -0400
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series  2018-06-07 
15:25:35.0 -0400
@@ -5,3 +5,4 @@
 soften_email_validator.diff
 use_packaged_jquery.diff
 cve-2015-2172_check_permissions_in_rpc.patch
+CVE-2017-18123-2f65d86.patch


signature.asc
Description: PGP signature

Bug#900971: marked as done (lava: FTBFS when built with dpkg-buildpackage -A)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:50:06 +
with message-id 
and subject line Bug#900971: fixed in lava 2018.5-3
has caused the Debian Bug report #900971,
regarding lava: FTBFS when built with dpkg-buildpackage -A
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lava
Version: 2018.5-2
Severity: serious

Dear maintainer:

I tried to build this package with dpkg-buildpackage -A and it failed:

[...]
 dpkg-source --before-build lava-2018.5
 fakeroot debian/rules clean
dh clean --with sphinxdoc,systemd,python3
dh: unable to load addon sphinxdoc: Can't locate 
Debian/Debhelper/Sequence/sphinxdoc.pm in @INC (you may need to install the 
Debian::Debhelper::Sequence::sphinxdoc module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.26.2 /usr/local/share/perl/5.26.2 
/usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at (eval 7) line 
1.
BEGIN failed--compilation aborted at (eval 7) line 1.

make: *** [debian/rules:36: clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit 
status 2


I have not tried several times because the error message suggests some
kind of missing build-dependency.

To reproduce please try building with dpkg-buildpackage -A on a
chroot having only the essential packages (plus those required
for "dpkg-buildpackage -A" to work).

Full build log available here:

https://people.debian.org/~sanvila/build-logs/lava/

Thanks.
--- End Message ---
--- Begin Message ---
Source: lava
Source-Version: 2018.5-3

We believe that the bug you reported is fixed in the latest version of
lava, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Williams  (supplier of updated lava package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 15:22:15 +0100
Source: lava
Binary: lava-dispatcher lava-server lava-common lava lava-lxc-mocker lava-dev 
lava-server-doc
Architecture: source all amd64
Version: 2018.5-3
Distribution: unstable
Urgency: medium
Maintainer: Debian LAVA team 
Changed-By: Neil Williams 
Description:
 lava   - Linaro Automated Validation Architecture metapackage
 lava-common - Linaro Automated Validation Architecture common
 lava-dev   - Linaro Automated Validation Architecture developer support
 lava-dispatcher - Linaro Automated Validation Architecture dispatcher
 lava-lxc-mocker - Linaro Automated Validation Architecture LXC Mocker
 lava-server - Linaro Automated Validation Architecture server
 lava-server-doc - Linaro Automated Validation Architecture documentation
Closes: 900971
Changes:
 lava (2018.5-3) unstable; urgency=medium
 .
   * Drop Build-Depends-Arch and add
 override_dh_fixperms-arch (Closes: #900971)
Checksums-Sha1:
 4566404be2664b71c40a81b43aeed400d1af21f5 2928 lava_2018.5-3.dsc
 34aff66c824fd5ddaa0c59d9daeff1701f84c0b8 64460 lava_2018.5-3.debian.tar.xz
 3a5497d0e264b2041c63815893e18de97ed49908 65448 lava-common_2018.5-3_all.deb
 a42a0c48dc7c7c2dffa7a61735fadfea0c6ae81f 65824 lava-dev_2018.5-3_all.deb
 bcf615ff5ac9e99197c947d09fe5713ba4a9b323 312204 
lava-dispatcher_2018.5-3_amd64.deb
 ec8a79e3f8156ec2ad9457042cc4bed9728baa4a 70984 lava-lxc-mocker_2018.5-3_all.deb
 c0a075b8d23c769b8d6ab7302d1ae8130b48dad3 2230184 
lava-server-doc_2018.5-3_all.deb
 96d9a56b98ca31c20db8f3fa4da8b970eed5fbbc 608468 lava-server_2018.5-3_all.deb
 e266ba02cd6c918b2245a59c9a8eeb56740f0795 61112 lava_2018.5-3_all.deb
 5152d4d31909085e1ac29efee8d0548f142ebb74 10218 lava_2018.5-3_amd64.buildinfo
Checksums-Sha256:
 e3809c0f6f8d9ffcd32533d9e41e9ddb54ef47cbae31d8e1a7d0c4b66d60d503 2928 
lava_2018.5-3.dsc
 984e8df88669b7f9bae96ccac7701df5d954603162921fb8ba6b8e94b13d37c7 64460 
lava_2018.5-3.debian.tar.xz
 

Bug#899442: marked as done (amule: Invalid maintainer address pkg-amule-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:49:40 +
with message-id 
and subject line Bug#899442: fixed in amule 1:2.3.2-3
has caused the Debian Bug report #899442,
regarding amule: Invalid maintainer address 
pkg-amule-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:amule
Version: 1:2.3.2-2
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of amule,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package amule since the list address
pkg-amule-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-amule-de...@lists.alioth.debian.org is 1.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: amule
Source-Version: 1:2.3.2-3

We believe that the bug you reported is fixed in the latest version of
amule, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi  (supplier of updated amule package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 15:27:17 -0400
Source: amule
Binary: amule amule-common amule-utils amule-utils-gui amule-daemon 
amule-gnome-support
Architecture: source all amd64
Version: 1:2.3.2-3
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi 
Changed-By: Sandro Tosi 
Description:
 amule  - client for the eD2k and Kad networks, like eMule
 amule-common - common files for the rest of aMule packages
 amule-daemon - non-graphic version of aMule, a client for the eD2k and Kad 
netwo
 amule-gnome-support - ed2k links handling support for GNOME web browsers
 amule-utils - utilities for aMule (command-line version)
 amule-utils-gui - graphic utilities for aMule
Closes: 806827 899442
Changes:
 amule (1:2.3.2-3) unstable; urgency=medium
 .
   * [7b5bf67] set myself as Maintainer; Closes: #899442
   * [1b6f14e] enable parallel build; patch by Pino Toscano; Closes: #806827
   * [d3da013] install a bug presubj script to instruct how to generate a 
backtrace
   * [217be7b] point Vcs-* field to salsa.d.o
   * [58cdd8e] bump Standard-Version to 4.1.4 (no changes needed)
Checksums-Sha1:
 a98ee7199f2c421e104fc7fc3218e3e8647c6bed 2349 amule_2.3.2-3.dsc
 03657df8171bcfe6aaca1b827868f9de1a9fb088 26256 amule_2.3.2-3.debian.tar.xz
 f735f01082f31732aba6045cb40915e9a42d1110 1242460 

Bug#899780: marked as done (ldm-themes: Invalid maintainer address pkg-ltsp-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:50:11 +
with message-id 
and subject line Bug#899780: fixed in ldm-themes 17.01.1
has caused the Debian Bug report #899780,
regarding ldm-themes: Invalid maintainer address 
pkg-ltsp-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899780
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:ldm-themes
Version: 17.01
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of ldm-themes,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package ldm-themes since the list address
pkg-ltsp-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ltsp-de...@lists.alioth.debian.org is 6.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: ldm-themes
Source-Version: 17.01.1

We believe that the bug you reported is fixed in the latest version of
ldm-themes, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated ldm-themes package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 12:30:17 -0700
Source: ldm-themes
Binary: ldm-themes
Architecture: source
Version: 17.01.1
Distribution: unstable
Urgency: medium
Maintainer: Debian LTSP Maintainers 
Changed-By: Vagrant Cascadian 
Description:
 ldm-themes - Collection of themes for the LTSP login manager
Closes: 899780
Changes:
 ldm-themes (17.01.1) unstable; urgency=medium
 .
   * debian/control:
 - Update Maintainer field (Closes: #899780).
 - Update Vcs-* urls.
 - Update email address for Jonathan Carter.
 - Update Standards-Version to 4.1.4, a few minor changes needed.
   * debian/copyright:
 - Update to use https URL for copyright-format.
 - Update Source URLs for themes.
Checksums-Sha1:
 3a950a309acfd1e423db27a0d33809b55c2e1187 1682 ldm-themes_17.01.1.dsc
 1829323a9c835c2bd29507e9ccb07421c575bf68 206192 ldm-themes_17.01.1.tar.xz
 68f0bb1187e619b8a511337a8d0bbad60829d810 9297 
ldm-themes_17.01.1_amd64.buildinfo
Checksums-Sha256:
 a6f3c40a9fbf08f5ccacbb26e2bfe515a66a5d04a6c34060c7fe149c8e8957f6 1682 
ldm-themes_17.01.1.dsc
 cae378548bcb9eddd5caf8a86c17bb4062c56d13abbb4d6f9d3fb7f4596bce62 206192 
ldm-themes_17.01.1.tar.xz
 da11bf988f85456f812b6fbc745bf31e747db21b22e08f6274a6bcba9e4b4b44 9297 

Bug#898943: Multiple vulnerabiliities in Mongoose

[Ricardo Villalba]

I'm already using mongoose 6.11 in the svn of SMPlayer. So far it
seems to work fine for me.

https://app.assembla.com/spaces/smplayer/subversion/commits/9030

2018-06-07 15:08 GMT+02:00 Reinhard Tartler :
> On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik  wrote:
>
>> This is not fixed for me. I made patch with add latest Mongoose version
>> which included fixed for all of this cve's.
>> It pushed now to salsa.
>>
>> --
>
> Thank you!
>
> I see that you've added
> https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch
> - which is a pretty big patch. I wouldn't know how to test it (I don't
> use that feature) or even verify that the patch work. Matteusz, can
> you please elaborate how you verified the patch  and how confident are
> you that it doesn't introduce unwanted side-effects?
>
> Ricardo, would that patch be acceptable for upstream inclusion? - Your
> opinion is highly valued and would be helpful in forming an opinion on
> Mateusz' patch.
>
> Mateusz, I also see that you prepared a new upstream version. That's
> great, in fact, I've also prepared it locally to see if the issue
> happened to be fixed upstream, but determined mongosse was not updated
> and concluded the problem still persists. I've therefore decided to
> not upload the new upstream version and focus on the existing issues
> instead. Hence, I've applied the patch to disable the build of
> mongoose in the present package version. I see that you disabled it in
> https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde
> (the commit message didn't help with finding that SHA1, I'd appreciate
> more accurate messages in the future) - which is fine by me *if* we
> are confident that the mongoose update actually fixes the problem (see
> my question above).
>
> Also, did you verify that the new mongoose patch builds with GCC-8? My
> patch to disable mongoose takes care of that as well, it would be a
> shame to reintroduce #897863 again.
>
> --
> regards,
> Reinhard



-- 
RVM

Bug#881481: tarantool FTBFS with recent debhelper: dh_systemd_enable: Requested unit "tarantool.service" but it was not found in any package acted on

[Alexander Turenko]

On Sun, 12 Nov 2017 11:15:19 +0200 Adrian Bunk  wrote:
> Source: tarantool
> Version: 1.7.5.46.gd98815384-1
> Severity: serious
>
>
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/tarantool.html
>
> ...
> dh_systemd_enable -ptarantool --name=tarantool tarantool.service
> dh_systemd_enable: Requested unit "tarantool.service" but it was not
found in any package acted on.
> dh_systemd_enable: Could not handle all of the requested services
> /usr/share/cdbs/1/rules/debhelper.mk:233: recipe for target
'binary-install/tarantool' failed
> make: *** [binary-install/tarantool] Error 2
>
>
> < nthykier> tarantool:  Tries to enable the service in a package that
does not ship the service => bug in tarantool
> < nthykier> Failing call "dh_systemd_enable -ptarantool --name=tarantool
tarantool.service" - a bit further up, there is a successful call
> "dh_systemd_enable -ptarantool-common --name=tarantool
tarantool.service"
> < nthykier> (note the -p argument differs)
>
>

Fixed in mainstream tarantool 1.9 and 1.10.

https://github.com/tarantool/tarantool/commit/8925b8622f381378684de633e917229051e3482f

Don't know how to proceed with 1.7 package Debian has. It seems to be out of
the scope of my responsibility.

WBR, Alexander Turenko.

Bug#900967: Security vulnerability: Stack overflow in BGP mask expressions

[Ondrej Zajicek]

On Thu, Jun 07, 2018 at 01:37:04PM +0200, Jonas Meurer wrote:
> Source: bird
> Version: 1.6.3-2
> Severity: critical
> Tags: security
> 
> According to the upstream website[1] and changelog[2], bird release 1.6.4
> includes an "important security bugfix".

Hi

It is an security bugfix, but perhaps not so critical, it can be
exploited in very specific circumstances and probably only as a DoS,
not as a privilege escalation.


> The changelog mentions "Filter: Fixed stack overflow in BGP mask
> expressions". A quick scan through the git history revealed a few
> commits that mention overflow and use after free fixes:
> 
> e8bc64e308586b6502090da2775af84cd760ed0d
>   Filter: make bgpmask literals real constructors

This is the relevant commit. It would not cleanly apply to 1.6.3, but i
can prepare patch for 1.6.3. But i don't know Debian processes, i.e.
what should be done to make security release.

> 30c734fc73648e4c43af4f45e68ac2de3d7ddea1
>   Static: Fix bug in static route filter expressions

This is not security related, but it is important bugfix and trivial to be
sure it does not cause further problems, so could be probably added too.
I could probably find some more similar bugfixes.

> Probably the best is to ask upstream about security relevant commits and
> consider to either backport them to stretch-backports. Another option
> would be to upload 1.6.4 to stretch-security as 1.6.4-0+deb9u1.

Packing 1.6.4 to stretch-security is probably not a good idea, there are
too many changes and new features.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."


signature.asc
Description: PGP signature

Processed: fixed 900967 in 1.6.4-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 900967 1.6.4-1
Bug #900967 [src:bird] Security vulnerability: Stack overflow in BGP mask 
expressions
Marked as fixed in versions bird/1.6.4-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: found 900967 in 1.6.3-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 900967 1.6.3-1
Bug #900967 [src:bird] Security vulnerability: Stack overflow in BGP mask 
expressions
Marked as found in versions bird/1.6.3-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: tagging 900967

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 900967 + upstream
Bug #900967 [src:bird] Security vulnerability: Stack overflow in BGP mask 
expressions
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900983: marked as done (python-minimal: pyversions: /usr/bin/python does not match the python default version. It must be reset to point to python2.7)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 17:19:36 +
with message-id 
and subject line Bug#900983: fixed in python-defaults 2.7.15-3
has caused the Debian Bug report #900983,
regarding python-minimal: pyversions: /usr/bin/python does not match the python 
default version. It must be reset to point to python2.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-minimal
Version: 2.7.14-4
Severity: critical

Hello,
this happened after the recently introduced python2-* packages:

dpkg-source: info: using options from 
python-networkx-2.1/debian/source/options: 
--extend-diff-ignore=^[^/]*[.]egg-info/
 fakeroot debian/rules clean
pyversions: missing X(S)-Python-Version in control file, fall back to 
debian/pyversions
pyversions: missing debian/pyversions file, fall back to supported versions
py3versions: no X-Python3-Version in control file, using supported versions
dh clean --with sphinxdoc,python2,python3
   debian/rules override_dh_auto_clean
make[1]: Entering directory '/build/python-networkx-2.1'
pyversions: missing X(S)-Python-Version in control file, fall back to 
debian/pyversions
pyversions: missing debian/pyversions file, fall back to supported versions
py3versions: no X-Python3-Version in control file, using supported versions
dh_auto_clean
dh_auto_clean: Please use the third-party "pybuild" build system instead of 
python-distutils
dh_auto_clean: This feature will be removed in compat 12.
dh_auto_clean: pyversions -d failed [1]
make[1]: *** [debian/rules:13: override_dh_auto_clean] Error 1
make[1]: Leaving directory '/build/python-networkx-2.1'
make: *** [debian/rules:10: clean] Error 2


root@zion:/build/python-networkx-2.1# pyversions -d
pyversions: /usr/bin/python does not match the python default version. It must 
be reset to point to python2.7
root@zion:/build/python-networkx-2.1# ls -l /usr/bin/python
lrwxrwxrwx 1 root root 7 Jun  6 21:25 /usr/bin/python -> python2
root@zion:/build/python-networkx-2.1# dpkg -S /usr/bin/python
python-minimal: /usr/bin/python
root@zion:/build/python-networkx-2.1# dpkg -l python-minimal | grep ^ii
ii  python-minimal 2.7.15-2 
amd64minimal subset of 
the Python2 language
root@zion:/build/python-networkx-2.1# dpkg -S `which pyversions`
python2-minimal: /usr/bin/pyversions
root@zion:/build/python-networkx-2.1#


this prevents python modules packages to be built, and it's a regression.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python-minimal depends on:
ii  dpkg   1.19.0.4
ii  python2.7-minimal  2.7.14-4

Versions of packages python-minimal recommends:
ii  python  2.7.14-4

python-minimal suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: python-defaults
Source-Version: 2.7.15-3

We believe that the bug you reported is fixed in the latest version of
python-defaults, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose  (supplier of updated python-defaults package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 18:57:11 +0200
Source: python-defaults
Binary: python python-minimal python-dev libpython-dev libpython-stdlib 
python-doc python-dbg libpython-dbg python-all python-all-dev python-all-dbg 
libpython-all-dev libpython-all-dbg python2 python2-minimal python2-dev 
libpython2-dev libpython2-stdlib python2-doc python2-dbg libpython2-dbg
Architecture: source
Version: 2.7.15-3
Distribution: 

Bug#900984: fails with latest ssl

[積丹尼 Dan Jacobson]

Package: w3m
Version: 0.5.3-36+b1
Severity: grave

No problem with wget. Problem with w3m.

$ w3m -dump https://wiki.debconf.org
SSL error: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature 
type
w3m: Can't load https://wiki.debconf.org.

$ wget https://wiki.debconf.org/
--2018-06-08 00:30:42--  https://wiki.debconf.org/
Resolving wiki.debconf.org (wiki.debconf.org)... 46.43.39.193, 
2001:41c8:134:193::42
Connecting to wiki.debconf.org (wiki.debconf.org)|46.43.39.193|:443... 
connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html  [  <=>  ]  
14.71K  45.6KB/sin 0.3s

2018-06-08 00:30:44 (45.6 KB/s) - ‘index.html’ saved [15068]

Workaround:


 Downgrade the following packages:
1) openssl [1.1.1~~pre7-1 (experimental, now) -> 1.1.0h-4 (unstable)]

Processed: downgrade

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # only in experimental
> severity 900982 important
Bug #900982 [libwww-perl] fails with latest ssl
Severity set to 'important' from 'grave'
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
900982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900982
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900983: python-minimal: pyversions: /usr/bin/python does not match the python default version. It must be reset to point to python2.7

[Sandro Tosi]

Package: python-minimal
Version: 2.7.14-4
Severity: critical

Hello,
this happened after the recently introduced python2-* packages:

dpkg-source: info: using options from 
python-networkx-2.1/debian/source/options: 
--extend-diff-ignore=^[^/]*[.]egg-info/
 fakeroot debian/rules clean
pyversions: missing X(S)-Python-Version in control file, fall back to 
debian/pyversions
pyversions: missing debian/pyversions file, fall back to supported versions
py3versions: no X-Python3-Version in control file, using supported versions
dh clean --with sphinxdoc,python2,python3
   debian/rules override_dh_auto_clean
make[1]: Entering directory '/build/python-networkx-2.1'
pyversions: missing X(S)-Python-Version in control file, fall back to 
debian/pyversions
pyversions: missing debian/pyversions file, fall back to supported versions
py3versions: no X-Python3-Version in control file, using supported versions
dh_auto_clean
dh_auto_clean: Please use the third-party "pybuild" build system instead of 
python-distutils
dh_auto_clean: This feature will be removed in compat 12.
dh_auto_clean: pyversions -d failed [1]
make[1]: *** [debian/rules:13: override_dh_auto_clean] Error 1
make[1]: Leaving directory '/build/python-networkx-2.1'
make: *** [debian/rules:10: clean] Error 2


root@zion:/build/python-networkx-2.1# pyversions -d
pyversions: /usr/bin/python does not match the python default version. It must 
be reset to point to python2.7
root@zion:/build/python-networkx-2.1# ls -l /usr/bin/python
lrwxrwxrwx 1 root root 7 Jun  6 21:25 /usr/bin/python -> python2
root@zion:/build/python-networkx-2.1# dpkg -S /usr/bin/python
python-minimal: /usr/bin/python
root@zion:/build/python-networkx-2.1# dpkg -l python-minimal | grep ^ii
ii  python-minimal 2.7.15-2 
amd64minimal subset of 
the Python2 language
root@zion:/build/python-networkx-2.1# dpkg -S `which pyversions`
python2-minimal: /usr/bin/pyversions
root@zion:/build/python-networkx-2.1#


this prevents python modules packages to be built, and it's a regression.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python-minimal depends on:
ii  dpkg   1.19.0.4
ii  python2.7-minimal  2.7.14-4

Versions of packages python-minimal recommends:
ii  python  2.7.14-4

python-minimal suggests no packages.

-- no debconf information

Bug#894910: marked as done (python-xlwt-doc: missing Breaks+Replaces: python-xlwt (<< 1.3.0))

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 16:34:53 +
with message-id 
and subject line Bug#894910: fixed in xlwt 1.3.0-2
has caused the Debian Bug report #894910,
regarding python-xlwt-doc: missing Breaks+Replaces: python-xlwt (<< 1.3.0)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-xlwt-doc
Version: 1.3.0-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'testing'.
It installed fine in 'testing', then the upgrade to 'sid' fails
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/#overwriting-files-and-replacing-packages-replaces

>From the attached log (scroll to the bottom...):

  Selecting previously unselected package python-xlwt-doc.
  Preparing to unpack .../python-xlwt-doc_1.3.0-1_all.deb ...
  Unpacking python-xlwt-doc (1.3.0-1) ...
  dpkg: error processing archive 
/var/cache/apt/archives/python-xlwt-doc_1.3.0-1_all.deb (--unpack):
   trying to overwrite '/usr/share/doc/python-xlwt/examples/big-16Mb.py', which 
is also in package python-xlwt 0.7.5+debian1-1
  Errors were encountered while processing:
   /var/cache/apt/archives/python-xlwt-doc_1.3.0-1_all.deb


cheers,

Andreas


python-xlwt=0.7.5+debian1-1_python-xlwt-doc=1.3.0-1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: xlwt
Source-Version: 1.3.0-2

We believe that the bug you reported is fixed in the latest version of
xlwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sophie Brun  (supplier of updated xlwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 17:32:38 +0200
Source: xlwt
Binary: python-xlwt python3-xlwt python-xlwt-doc
Architecture: source
Version: 1.3.0-2
Distribution: unstable
Urgency: medium
Maintainer: Jan Dittberner 
Changed-By: Sophie Brun 
Description:
 python-xlwt - module for writing Microsoft Excel spreadsheet files - Python 2.7
 python-xlwt-doc - module for writing Microsoft Excel spreadsheet files - doc
 python3-xlwt - module for writing Microsoft Excel spreadsheet files - Python 
3.x
Closes: 894910
Changes:
 xlwt (1.3.0-2) unstable; urgency=medium
 .
   * Team upload.
   * Add missing Breaks+Replaces: python-xlwt (<< 1.3.0) for python-xlwt-doc
 (Closes: #894910)
Checksums-Sha1:
 6a5647ac5a2f57463d455e4f455cda62c96546d1 1935 xlwt_1.3.0-2.dsc
 e38eddcb8d2257b92d373f0409c49fb87bd122c7 7028 xlwt_1.3.0-2.debian.tar.xz
 5ed18039e898e46357a38baaef1da1f6b0275c95 7541 xlwt_1.3.0-2_source.buildinfo
Checksums-Sha256:
 0b99957564afea0c987f116e7b455747e8faecfe01a23522033ddc76177d0d2d 1935 
xlwt_1.3.0-2.dsc
 d0441409998c32f30e9d7de3cf13a71c29e14c76709e9d2fa1762eec623fc9da 7028 
xlwt_1.3.0-2.debian.tar.xz
 64064be1685882573b1e88ec0c0c4cf0fa9b89d2268afb232951760b3776ea99 7541 
xlwt_1.3.0-2_source.buildinfo
Files:
 ebde9ee478fa5bb3e6176908dfe2a28c 1935 python optional xlwt_1.3.0-2.dsc
 c9d58e77568b148a98afa94e56ec3590 7028 python optional 
xlwt_1.3.0-2.debian.tar.xz
 aeef2dc86d3cd0901db121845185f031 7541 python optional 
xlwt_1.3.0-2_source.buildinfo

-BEGIN PGP SIGNATURE-
Comment: Signed by Raphael Hertzog

iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlsZWMcACgkQA4gdq+vC
mrklpQf/QU6hE16A/QT4VBtGdxs/BLeT1rdATsrfDNpQq9/TBZIfhcDSXWOwrZig
WwAW9AEZGAMrqHcp4xEFekqdWSrIW92uVZ15hS0Gc8ZJPsnqJe83w5neoz9grlL2
o3XhcQQTT3ho2zdl8OQp4ylX7DTkZ+5F46DLLFSUZnOxO/Zd4NuKCFEvR+qZP5d+
lLiW/oQcubt0B2BHlyAagJl+j/A6nms1b2fl2LOkCnQ4+OYIFjb13GxU/hYz7R2U
lKhA3ecWW3Jx6cKWPSlkSvGW5cF21gtVOHfbj5KnDM009h8BrWkMUonjArYlZBef
OINJ9EUKU6KXSPKIVflZfMYCs+tN0Q==
=VWh4
-END PGP SIGNATURE End Message ---

Bug#900982: fails with latest ssl

[積丹尼 Dan Jacobson]

Package: libwww-perl
Version: 6.33-1
Severity: grave
File: /usr/bin/lwp-request

No problem with wget. Problem with GET.

$ GET https://wiki.debconf.org/
Can't connect to wiki.debconf.org:443 (SSL connect attempt failed 
error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type)

SSL connect attempt failed error:1414D172:SSL 
routines:tls12_check_peer_sigalg:wrong signature type at 
/usr/share/perl5/LWP/Protocol/http.pm line 50.
$ wget https://wiki.debconf.org/
--2018-06-08 00:30:42--  https://wiki.debconf.org/
Resolving wiki.debconf.org (wiki.debconf.org)... 46.43.39.193, 
2001:41c8:134:193::42
Connecting to wiki.debconf.org (wiki.debconf.org)|46.43.39.193|:443... 
connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html  [  <=>  ]  
14.71K  45.6KB/sin 0.3s

2018-06-08 00:30:44 (45.6 KB/s) - ‘index.html’ saved [15068]



Workaround:


 Downgrade the following packages:
1) openssl [1.1.1~~pre7-1 (experimental, now) -> 1.1.0h-4 (unstable)]

Bug#900937: marked as done (python3-minimal: python3/debian_defaults causes install failure)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 16:22:35 +
with message-id 
and subject line Bug#900937: fixed in python3-defaults 3.6.5-5
has caused the Debian Bug report #900937,
regarding python3-minimal: python3/debian_defaults causes install failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-minimal
Version: 3.6.5-4
Severity: important

Dear Maintainer,

I saw this upgrading python3, and py3compile fails because there is
a typo in /usr/share/python3/debian_defaults

The list of supported versions should have had a comma

 4  # all supported python3 versions
 5  supported-versions = python3.6 python3.7

  ^^^ missing comma here.

causes this:

cannot read debian_defaults
Traceback (most recent call last):
  File "/usr/share/python3/debpython/version.py", line 60, in 
for i in _supported.split(','))
  File "/usr/share/python3/debpython/version.py", line 60, in 
for i in _supported.split(','))
  File "/usr/share/python3/debpython/version.py", line 59, in 
SUPPORTED = tuple(tuple(int(j) for j in i.strip().split('.'))
ValueError: invalid literal for int() with base 10: '6  3'

-Abhijit

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-minimal depends on:
ii  dpkg   1.19.0.5+b1
ii  python3.6-minimal  3.6.5-9

python3-minimal recommends no packages.

python3-minimal suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: python3-defaults
Source-Version: 3.6.5-5

We believe that the bug you reported is fixed in the latest version of
python3-defaults, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose  (supplier of updated python3-defaults package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 17:57:53 +0200
Source: python3-defaults
Binary: python3 python3-venv python3-minimal python3-examples python3-dev 
libpython3-dev libpython3-stdlib idle idle3 python3-doc python3-dbg 
libpython3-dbg python3-all python3-all-dev python3-all-dbg libpython3-all-dev 
libpython3-all-dbg 2to3
Architecture: source all amd64
Version: 3.6.5-5
Distribution: experimental
Urgency: medium
Maintainer: Matthias Klose 
Changed-By: Matthias Klose 
Description:
 2to3   - 2to3 binary using python3
 idle   - IDE for Python using Tkinter (default version)
 idle3  - IDE for Python using Tkinter (transitional package)
 libpython3-all-dbg - package depending on all supported Python 3 debugging 
packages
 libpython3-all-dev - package depending on all supported Python 3 development 
packages
 libpython3-dbg - debug build of the Python 3 Interpreter (version 3.6)
 libpython3-dev - header files and a static library for Python (default)
 libpython3-stdlib - interactive high-level object-oriented language (default 
python3
 python3- interactive high-level object-oriented language (default python3
 python3-all - package depending on all supported Python 3 runtime versions
 python3-all-dbg - package depending on all supported Python 3 debugging 
packages
 python3-all-dev - package depending on all supported Python 3 development 
packages
 python3-dbg - debug build of the Python 3 Interpreter (version 3.6)
 python3-dev - header files and a static library for Python (default)
 python3-doc - documentation for the high-level object-oriented language Python
 python3-examples - examples for the Python language (default version)
 

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Andreas Tille]

Dear Dirk,


On Thu, Jun 07, 2018 at 09:53:25AM -0500, Dirk Eddelbuettel wrote:
> [ offense deleted ]

I've really thought about whether I should answer your mail at all.  The
fact that I'm doing so is due my continuous respect of the work you did
for the R packaging.

The package you uploaded contains a manually edited list of dependencies
which is redundant when using ${R:Depends}.  I'd recommend to drop this
manual list as I suggested in my autogenerated patch.  BTW,
autogeneration:  I explicitly gave a hint that the patch also contains
a fix for lintian

  I: hmisc source: testsuite-autopkgtest-missing

which would prevent that this kind of bugs would be left un-noticed for
a long time.  In addition it would help to speed up the testing
migration - IMHO some extra sugar for adding that single line.

I'd also consider

  I: hmisc source: debian-watch-uses-insecure-uri 
http://cran.r-project.org/src/contrib/Hmisc_([-\d\.]*)\.tar.gz

worth fixing (I assume you read the debian-r list where I have
advertised a tool which is doing this for you).

Finally I interpretet your last mail about specifying versioned
Build-Depends on r-base-dev[1] somehow in a sense that you would not
continue with this habit (also suggested by my patch).  Either
I misinterpreted your mail or this was an oversight of yours.  It
would clearly help if you would not hide your technical statements
into personal attacks.

Thanks for considering

   Andreas.


[1] https://lists.debian.org/debian-r/2018/05/msg00030.html

-- 
http://fam-tille.de

Processed: limit source to lava, tagging 900971

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> limit source lava
Limiting to bugs with field 'source' containing at least one of 'lava'
Limit currently set to 'source':'lava'

> tags 900971 + pending
Bug #900971 [lava] lava: FTBFS when built with dpkg-buildpackage -A
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Dirk Eddelbuettel]

On 7 June 2018 at 16:39, Andreas Tille wrote:
| out speculations about common sense.  Please be so kind and upload a
| fixed package instead of defending your inappropriate decrease of the
| bug severity.

You are a few units of time measurement behind the chain of events as the
updated package is already in unstable.

But keep arguing, and chasing mindmills.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

Bug#900974: marked as done (r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 14:44:07 +
with message-id 
and subject line Bug#900974: fixed in hmisc 4.1-1-3
has caused the Debian Bug report #900974,
regarding r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: r-cran-hmisc
Severity: grave
Tags: patch
Justification: renders package unusable

Hi,

the package is lacking

   Depends: r-cran-foreign, r-cran-nnet

I've attached a debdiff which I created using dh-update-R which fixes
the issue.  Please note that the debdiff contains

   Testsuite: autopkgtest-pkg-r

An activated autopkgtest easily uncovers missing Depends.

Kind regards

 Andreas.


-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages r-cran-hmisc depends on:
ii  libc62.24-11+deb9u1
pn  libgfortran3 
ii  libquadmath0 6.3.0-18+deb9u1
pn  r-api-3  
pn  r-base-core  
pn  r-cran-acepack   
pn  r-cran-base64enc 
pn  r-cran-chron 
pn  r-cran-cluster   
pn  r-cran-data.table
pn  r-cran-formula   
pn  r-cran-ggplot2   
pn  r-cran-gridextra 
pn  r-cran-gtable
pn  r-cran-htmltable 
pn  r-cran-htmltools 
pn  r-cran-lattice   
pn  r-cran-latticeextra  
pn  r-cran-rpart 
pn  r-cran-survival  
pn  r-cran-viridis   

r-cran-hmisc recommends no packages.

r-cran-hmisc suggests no packages.
diff -u hmisc-4.1-1/debian/changelog hmisc-4.1-1/debian/changelog
--- hmisc-4.1-1/debian/changelog
+++ hmisc-4.1-1/debian/changelog
@@ -1,3 +1,11 @@
+hmisc (4.1-1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/control: Fixing dependencies by using dh-upgrade-R
+  * d/rules: use dh-r
+
+ -- Andreas Tille   Thu, 07 Jun 2018 13:51:56 +0200
+
 hmisc (4.1-1-1) unstable; urgency=medium
 
   * New upstream release
diff -u hmisc-4.1-1/debian/control hmisc-4.1-1/debian/control
--- hmisc-4.1-1/debian/control
+++ hmisc-4.1-1/debian/control
@@ -1,18 +1,43 @@
 Source: hmisc
+Maintainer: Dirk Eddelbuettel 
 Section: gnu-r
+Testsuite: autopkgtest-pkg-r
 Priority: optional
-Maintainer: Dirk Eddelbuettel 
-Build-Depends: debhelper (>= 7.0), r-base-dev (>= 3.4.3), cdbs, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-rpart, r-cran-formula, 
r-cran-latticeextra, r-cran-nnet, r-cran-foreign, r-cran-acepack, 
r-cran-ggplot2 (>= 2.0.0), r-cran-gridextra, r-cran-data.table, 
r-cran-htmltools, r-cran-gtable, r-cran-viridis, r-cran-htmltable, 
r-cran-base64enc
-Standards-Version: 4.1.1
+Build-Depends: debhelper (>= 11~),
+   dh-r,
+   r-base-dev,
+   r-cran-chron,
+   r-cran-lattice,
+   r-cran-cluster,
+   r-cran-survival,
+   r-cran-rpart,
+   r-cran-formula,
+   r-cran-latticeextra,
+   r-cran-nnet,
+   r-cran-foreign,
+   r-cran-acepack,
+   r-cran-ggplot2 (>= 2.0.0),
+   r-cran-gridextra,
+   r-cran-data.table,
+   r-cran-htmltools,
+   r-cran-gtable,
+   r-cran-viridis,
+   r-cran-htmltable,
+   r-cran-base64enc
+Standards-Version: 4.1.4
 Homepage: http://biostat.mc.vanderbilt.edu/s/Hmisc
 
 Package: r-cran-hmisc
 Architecture: any
-Replaces: r-noncran-hmisc
+Depends: ${R:Depends},
+ ${shlibs:Depends},
+ ${misc:Depends}
+Recommends: ${R:Recommends}
+Suggests: ${R:Suggests}
 Conflicts: r-noncran-hmisc
 Provides: r-noncran-hmisc
-Depends: ${shlibs:Depends}, ${misc:Depends}, ${R:Depends}, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-formula, r-cran-rpart, 
r-cran-latticeextra, r-cran-acepack, r-cran-ggplot2, r-cran-gridextra, 
r-cran-data.table, r-cran-htmltools, r-cran-gtable, r-cran-viridis, 
r-cran-htmltable, r-cran-base64enc
-Description: GNU R miscellaneous functions by Frank Harrell 
+Replaces: r-noncran-hmisc
+Description: GNU R miscellaneous functions by Frank Harrell
  The Hmisc library contains many functions useful for data
  analysis, 

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Andreas Tille]

On Thu, Jun 07, 2018 at 09:01:41AM -0500, Dirk Eddelbuettel wrote:
> 
> Consider the following thought experiment:
> 
> - the change was made in 2014
> - nobody noticed

There is no need for a thought experiment.  I was working around this
bug several times (last time here[1]).  The problem simply became
obvious since dh-update-R tries to create a sensible set of dependencies
- formerly the set was manually craftet and it did not became obvious
that its just a bug in r-cran-hmisc.

If you need another proof that somebody noticed and also worked around
feel free to inspect Graham's commit[2].

> - the bug is filed 'grave'

grave
makes the package in question unusable or mostly so

If you install r-cran-hmisc on a fresh installation it is unusable.

> So either nobody uses the package, or it doesn't matter in practical
> use. Both ot these cannot be true at the same.

There is no definition if "practical use".  A package should work out of
the box on a fresh installation.  R-cran-hmisc does not fulfill this
criterion.  Moreover it took me only a couple of minutes to prove that
the issue caused work for at least two fellow developers.
 
> I am not interested in theoretical consideration quote reference manual or
> policy. I have been here long enough to understand that you are correct in
> the narrow (and here, irrelevant) sense.  I simply still have not given up
> hope that you may have some common sense left. I could be wrong.

I would love if we could settle with technical argumentation and leave
out speculations about common sense.  Please be so kind and upload a
fixed package instead of defending your inappropriate decrease of the
bug severity.

Thank you

   Andreas.

[1] 
https://salsa.debian.org/r-pkg-team/r-bioc-biovizbase/commit/c2aab7de43f385fc20ec966861ca3aaa374c3fcc
[2] 
https://salsa.debian.org/r-pkg-team/r-bioc-cummerbund/commit/367f89148e51f37188480d17f3f12f3dfa7a77e1

-- 
http://fam-tille.de

Bug#900181: [Debian-med-packaging] Bug#900181: camp: FTBFS on mips: check metaclass->function("f4").call(object, camp::Args(1, 4, 15)).to() == 20 has failed

[Flavien Bridault]

Hi guys,

I CC the debian-mips mailing list for a porter box access request.

As mentioned below, I would need to fix the build of camp package on
mips. I am the upstream maintainer of camp, that would really help me to
be able to run this on a real mips hardware. Would it be possible to get
an access ? My GPG key is signed by a debian developer if you want to
transmit the credentials in a encrypted email.

Thanks for your help,

Cheers,


Le 31/05/2018 à 09:44, Flavien Bridault a écrit :
> Hi,
>
> Thanks for the report. I am afraid this is the same king of bug that I
> tried to fix few weeks ago (#876147).
>
> mips is 32bits only right ?
>
> Would that be possible to have access to a mips porterbox (my GPG key is
> signed by a debian developer) ? That would really be of great help in
> order to fix this.
>
> Cheers,
>
>
> Le 27/05/2018 à 09:50, Emilio Pozuelo Monfort a écrit :
>> Source: camp
>> Version: 0.8.2-1
>> Severity: serious
>>
>> Hi,
>>
>> Your package failed to build on mips:
>>
>> 1/2 Test #2: camptest-qt ..***Failed0.05 sec
>> Running 11 test cases...
>> /<>/test/qt/functionmapping.cpp(95): error: in 
>> "FUNCTIONMAPPING/call": check metaclass->function("f4").call(object, 
>> camp::Args(1, 4, 15)).to() == 20 has failed [0 != 20]
>>
>> *** 1 failure is detected in the test module "CAMP testqt"
>>
>> 2/2 Test #1: camptest .   Passed0.09 sec
>>
>> 50% tests passed, 1 tests failed out of 2
>>
>> Full logs at 
>> https://buildd.debian.org/status/package.php?p=camp=unstable
>>
>> Emilio
>>
>> ___
>> Debian-med-packaging mailing list
>> debian-med-packag...@alioth-lists.debian.net
>> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-packaging
>
>
> ___
> Debian-med-packaging mailing list
> debian-med-packag...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-packaging

-- 
*Flavien BRIDAULT*
Ingénieur de Recherche

fbrida...@ircad.fr

*IRCAD France*
1, place de l'Hôpital - 67091 Strasbourg Cedex - FRANCE

http://www.ircad.fr/ 



signature.asc
Description: OpenPGP digital signature

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Dirk Eddelbuettel]

On 7 June 2018 at 15:32, Andreas Tille wrote:
| Hi Dirk,
| 
| On Thu, Jun 07, 2018 at 07:38:36AM -0500, Dirk Eddelbuettel wrote:
| > 
| > severity -1 normal
| > quit
| > 
| > On 7 June 2018 at 14:25, Andreas Tille wrote:
| > | Package: r-cran-hmisc
| > | Severity: grave
| > | Tags: patch
| > | Justification: renders package unusable
| > 
| > Not really. Those two are "Recommended" package. Any normal R installation 
has them.
| 
| I will not entertain severity ping-pong but your arguing is wrong.
| Pbuilder is creating a minimum installation and the missing Dependency
| simply breaks other packages.

Consider the following thought experiment:

- the change was made in 2014
- nobody noticed
- the bug is filed 'grave'

So either nobody uses the package, or it doesn't matter in practical
use. Both ot these cannot be true at the same.

I am not interested in theoretical consideration quote reference manual or
policy. I have been here long enough to understand that you are correct in
the narrow (and here, irrelevant) sense.  I simply still have not given up
hope that you may have some common sense left. I could be wrong.

Dirk
 
| > Looks like an editing oversight when the Build-Depends got expanded. Given
| > the near-official status of those two "Recommended" package, it does hardly
| > matter every R installation will have them -- particularly an expanded one
| > that could have CRAN package Hmisc.
| > 
| > Fixing it regardless.  
| 
| Thank you
| 
|   Andreas. 
| 
| -- 
| http://fam-tille.de

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

Bug#896496: marked as done (ganeti FTBFS with sphinx 1.7.2)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 13:50:24 +
with message-id 
and subject line Bug#896496: fixed in ganeti 2.16.0~rc2-4
has caused the Debian Bug report #896496,
regarding ganeti FTBFS with sphinx 1.7.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896496
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ganeti
Version: 2.16.0~rc2-3
Severity: serious

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/ganeti.html

...
checking for ip... /sbin/ip
checking for pandoc... /usr/bin/pandoc
checking for sphinx-build... /usr/bin/sphinx-build
configure: error: Unable to determine Sphinx version
make[1]: *** [debian/rules:62: override_dh_auto_configure] Error 1
--- End Message ---
--- Begin Message ---
Source: ganeti
Source-Version: 2.16.0~rc2-4

We believe that the bug you reported is fixed in the latest version of
ganeti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos  (supplier of updated ganeti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 16:21:00 +0300
Source: ganeti
Binary: ganeti ganeti-2.16 ganeti-haskell-2.16 ganeti-htools ganeti-htools-2.16 
ganeti-doc python-ganeti-rapi ganeti-testsuite
Architecture: source all amd64
Version: 2.16.0~rc2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Ganeti Team 
Changed-By: Apollon Oikonomopoulos 
Description:
 ganeti - cluster virtualization manager
 ganeti-2.16 - cluster virtualization manager - Python components
 ganeti-doc - cluster virtualization manager - documentation
 ganeti-haskell-2.16 - cluster virtualization manager - Haskell components
 ganeti-htools - cluster virtualization manager - tools (stand-alone)
 ganeti-htools-2.16 - cluster virtualization manager - tools for Ganeti 2.16
 ganeti-testsuite - cluster virtualization manager - test suite
 python-ganeti-rapi - cluster virtualization manager - RAPI client library
Closes: 896496 899518
Changes:
 ganeti (2.16.0~rc2-4) unstable; urgency=medium
 .
   * Change maintainer address to ganeti@p.d.o (Closes: #899518)
   * Sphinx 1.7 compatibility
 + Relax sphinx version check regex (Closes: #896496)
 + Fix FTBFS with Sphinx 1.7
   * Patch upstream source to fix FTBFS with GHC 8.2
 + template-haskell 2.12 compatibility
 + cabal 2.0 compatibility
   * Disable dbgsym generation, GHC's -g is currently broken
   * Bump Standards-Version to 4.1.4; no changes needed
   * d/control: drop obsolete X-Python-Version field
Checksums-Sha1:
 fe3004512b2818f3f5846c713426326e917150d3 3386 ganeti_2.16.0~rc2-4.dsc
 f44292d04bdff956b0de3657f4aa2a8692241053 56404 
ganeti_2.16.0~rc2-4.debian.tar.xz
 1d9c1c056d0c268d2d097f501826d24ae0ac94a1 873788 
ganeti-2.16_2.16.0~rc2-4_all.deb
 39b0347588c9e25f20d5427473f1231cd2c43cbc 1004280 
ganeti-doc_2.16.0~rc2-4_all.deb
 c72c3af3a2188b450a12e0df3e2c0ccb59d8ce5b 14146232 
ganeti-haskell-2.16_2.16.0~rc2-4_amd64.deb
 54f977923fffd5cda9cfc54b715214fa159db059 2796172 
ganeti-htools-2.16_2.16.0~rc2-4_amd64.deb
 24f112243e5a3832b63b31fd592e8d4994181a86 22448 
ganeti-htools_2.16.0~rc2-4_all.deb
 04f31e930dacabe0e79152cf1050aeab7b9b9502 378296 
ganeti-testsuite_2.16.0~rc2-4_all.deb
 d7d24b3c277f44344e3e7ef4fb45799bd9ce1d8e 102948 ganeti_2.16.0~rc2-4_all.deb
 57831a98976ddcfaf697ed25bfc935dc36f651e2 15302 
ganeti_2.16.0~rc2-4_amd64.buildinfo
 ad22a4b0304a32bbdf9a5919e409b32da0540d13 34988 
python-ganeti-rapi_2.16.0~rc2-4_all.deb
Checksums-Sha256:
 d00f15e0343e4ac3977473ecd9fce6e8e3212a8165c41e02220acf4877df6f3d 3386 
ganeti_2.16.0~rc2-4.dsc
 85f580c59efce2945fe26d8e531c80c3e5a3dbab99270e976106a50bf51de360 56404 
ganeti_2.16.0~rc2-4.debian.tar.xz
 85625d21774301058ebe72386abd01be73758655ebc120ed95cfaa3ea9fce5a5 873788 
ganeti-2.16_2.16.0~rc2-4_all.deb
 ae3a0b9c5650e042f2356e0b4420a48b91228a31b66562af680730598349b695 1004280 
ganeti-doc_2.16.0~rc2-4_all.deb
 d8e00322be60df5fd578c3fe8f7d8b9e80c485fecb2dda4a6347b2387ffe45ab 14146232 
ganeti-haskell-2.16_2.16.0~rc2-4_amd64.deb
 

Bug#899482: marked as done (docker-containerd: Invalid maintainer address docker-ma...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 13:50:01 +
with message-id 
and subject line Bug#899482: fixed in docker-containerd 
0.2.3+git+docker1.13.1~ds1-2
has caused the Debian Bug report #899482,
regarding docker-containerd: Invalid maintainer address 
docker-ma...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899482
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:docker-containerd
Version: 0.2.3+git+docker1.13.1~ds1-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of docker-containerd,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package docker-containerd since the list address
docker-ma...@lists.alioth.debian.org used in the Maintainer: field was
not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
docker-ma...@lists.alioth.debian.org is 5.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: docker-containerd
Source-Version: 0.2.3+git+docker1.13.1~ds1-2

We believe that the bug you reported is fixed in the latest version of
docker-containerd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov  (supplier of updated docker-containerd 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 23:17:42 +1000
Source: docker-containerd
Binary: docker-containerd golang-github-containerd-docker-containerd-dev
Architecture: source amd64 all
Version: 0.2.3+git+docker1.13.1~ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Tim Potter 
Changed-By: Dmitry Smirnov 
Description:
 docker-containerd - daemon to control runC (Docker's version)
 golang-github-containerd-docker-containerd-dev - Containerd develpoment files 
(Docker's version)
Closes: 899482
Changes:
 docker-containerd (0.2.3+git+docker1.13.1~ds1-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Tianon Gravi ]
   * Remove unused/unnecessary lintian-overrides
   * Update Standards-Version to 4.1.1 (no changes)
 .
   [ Christos Trochalakis ]
   * Depend on golang-github-rcrowley-go-metrics-dev.
 This is a part of the ongoing migration from golang-metrics-dev
 to golang-github-rcrowley-go-metrics-dev.
 For more info see the discussion in #824628.
 .
   [ Dmitry Smirnov ]
   * Set Tim Potter as Maintainer (Closes: #899482).
   * New "logrus-lowercase.patch" to use canonical import path.
Checksums-Sha1:
 

Bug#899518: marked as done (ganeti: Invalid maintainer address pkg-ganeti-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 13:50:24 +
with message-id 
and subject line Bug#899518: fixed in ganeti 2.16.0~rc2-4
has caused the Debian Bug report #899518,
regarding ganeti: Invalid maintainer address 
pkg-ganeti-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:ganeti
Version: 2.16.0~rc2-3
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of ganeti,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package ganeti since the list address
pkg-ganeti-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ganeti-de...@lists.alioth.debian.org is 3.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: ganeti
Source-Version: 2.16.0~rc2-4

We believe that the bug you reported is fixed in the latest version of
ganeti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos  (supplier of updated ganeti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jun 2018 16:21:00 +0300
Source: ganeti
Binary: ganeti ganeti-2.16 ganeti-haskell-2.16 ganeti-htools ganeti-htools-2.16 
ganeti-doc python-ganeti-rapi ganeti-testsuite
Architecture: source all amd64
Version: 2.16.0~rc2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Ganeti Team 
Changed-By: Apollon Oikonomopoulos 
Description:
 ganeti - cluster virtualization manager
 ganeti-2.16 - cluster virtualization manager - Python components
 ganeti-doc - cluster virtualization manager - documentation
 ganeti-haskell-2.16 - cluster virtualization manager - Haskell components
 ganeti-htools - cluster virtualization manager - tools (stand-alone)
 ganeti-htools-2.16 - cluster virtualization manager - tools for Ganeti 2.16
 ganeti-testsuite - cluster virtualization manager - test suite
 python-ganeti-rapi - cluster virtualization manager - RAPI client library
Closes: 896496 899518
Changes:
 ganeti (2.16.0~rc2-4) unstable; urgency=medium
 .
   * Change maintainer address to ganeti@p.d.o (Closes: #899518)
   * Sphinx 1.7 compatibility
 + Relax sphinx version check regex (Closes: #896496)
 + Fix FTBFS with Sphinx 1.7
   * Patch upstream source to fix FTBFS with GHC 8.2
 + template-haskell 2.12 compatibility
 + cabal 

Bug#851317: these tests are disabled in last upload

[Santiago Vila]

found 851317 0.6.3-4
thanks

Hi.

Sorry for the reopening but this issue does not seem to be fixed in
version 0.6.3-4. See this for example:

https://tests.reproducible-builds.org/debian/rbuild/buster/amd64/ruby-sidekiq-cron_0.6.3-4.rbuild.log.gz

(And I also still get the same error randomly in my own autobuilders).

Thanks.

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Dirk Eddelbuettel]

And of course in the rush before getting out of the house I did the R 3.5.0
and package update, but not the bug fix. A -3 revision coming up shortly
which truly fixes it.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

Processed: Re: these tests are disabled in last upload

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 851317 0.6.3-4
Bug #851317 {Done: Pirate Praveen } [src:ruby-sidekiq-cron] 
ruby-sidekiq-cron: FTBFS randomly (failing tests)
Marked as found in versions ruby-sidekiq-cron/0.6.3-4; no longer marked as 
fixed in versions ruby-sidekiq-cron/0.6.3-4 and reopened.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
851317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851317
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Andreas Tille]

Hi Dirk,

On Thu, Jun 07, 2018 at 07:38:36AM -0500, Dirk Eddelbuettel wrote:
> 
> severity -1 normal
> quit
> 
> On 7 June 2018 at 14:25, Andreas Tille wrote:
> | Package: r-cran-hmisc
> | Severity: grave
> | Tags: patch
> | Justification: renders package unusable
> 
> Not really. Those two are "Recommended" package. Any normal R installation 
> has them.

I will not entertain severity ping-pong but your arguing is wrong.
Pbuilder is creating a minimum installation and the missing Dependency
simply breaks other packages.

> Looks like an editing oversight when the Build-Depends got expanded. Given
> the near-official status of those two "Recommended" package, it does hardly
> matter every R installation will have them -- particularly an expanded one
> that could have CRAN package Hmisc.
> 
> Fixing it regardless.  

Thank you

  Andreas. 

-- 
http://fam-tille.de

Bug#900399: More good news

[Сергей Коган]

Hi!

Let's lower the severity of this bug and flag it as unverified.

Given the datasheet for the TB62501 and actual board layout of the T500 
- the described scenario (short from the VCC3SW to GND caused by a stray 
write to the PMH register) is highly improbable:


- The LDO inside the RINKAN has an over-current protection set as low as 
55mA and should prevent any damage even if the VCC3SW is shorted. After 
the single over-current/under-voltage event, RINKAN LDO is locked in the 
OFF state and requires a complete power-off to restart.


- Unused pins of the PMH are in fact floating

- Some RINKAN batches do show tendency to malfunction with no apparent 
reasons. The main board temperature could be a contributing factor.


So, we have to seriously consider the possibility that two laptops died 
at the same time just by a coincidence.


We do plan to run a memtest on the restored laptop using a current 
measuring/limiting circuit on the VCC3SW bus. If no excessive current 
consumption would be detected - the memtest has nothing to do with the 
issue. If an excessive current during the test would be observed, it 
would get us a direction to resume the investigation.


---
Sincerely yours,
Sergey Kogan

Bug#870233: smplayer: executes javascript code downloaded from insecure URL

[Reinhard Tartler]

On Sun, Jun 3, 2018 at 9:36 PM Jonas Smedegaard  wrote:
>
> Hi Reinhard,
>
> Excerpts from Reinhard Tartler's message of juni 3, 2018 10:48 pm:
> > On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard  wrote:
> >> smplayer includes code in src/basegui.cpp to download and (I guess)
> >> execute javascript code for parsing youtube paths.  The download URL
> >> is http://updates.smplayer.info/yt.js which is insecure and therefore
> >> I suspect easy to replace with evil code.
> >
> > Apparently, this was already fixed upstream quite some time ago in
> > package version 17.11.2~ds0-1 without mentioning this in
> > debian/changelog. I'm therefore closing this bug manually.
>
> Sorry, but I don't see any such change, and it seems the problematic
> code is still there:
>
>
> $ git grep updates.smplayer.info
> src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js;
> src/links.h:#define URL_VERSION_INFO
> "http://updates.smplayer.info/version_info.ini;
>
>
> $ grep -C5 URL_YT_CODE src/basegui.cpp
> void BaseGui::YTUpdateScript() {
> static CodeDownloader * downloader = 0;
> if (!downloader) downloader = new CodeDownloader(this);
> downloader->saveAs(Paths::configPath() + "/yt.js");
> downloader->show();
> downloader->download(QUrl(URL_YT_CODE));
> }
> #endif // YT_USE_YTSIG
> #endif //YOUTUBE_SUPPORT
>
> void BaseGui::gotForbidden() {
>
>
> Could you perhaps reference the git commit you believe fixed this?

>From Matteusz' patch 2831d03e5e7cbb9328469ad92e0fea8ec19ee943 in the
'stretch' branch (unfortunately not uploaded to salsa yet, Matteusz,
do you happen to have the jessie and stretch branches available on
your computer? If so, please kindly upload them to salsa - I found it
in my mail archive), I conclude that in order to solve the issue, we
need to make sure that the define YT_USE_YTSIG is not set:


diff --git a/debian/patches/07-fixyoutube.patch
b/debian/patches/07-fixyoutube.patch
index b968a03..78d3fe5 100644
--- a/debian/patches/07-fixyoutube.patch
+++ b/debian/patches/07-fixyoutube.patch
@@ -1,5 +1,6 @@
 Description: Fix connections to youtube.
 Bug-Debian: http://bugs.debian.org/869411
+Author: Ricardo Villalba 

 --- a/src/youtube/sig.cpp
 +++ b/src/youtube/sig.cpp
diff --git a/debian/patches/08-870233.patch b/debian/patches/08-870233.patch
new file mode 100644
index 000..d6a0975
--- /dev/null
+++ b/debian/patches/08-870233.patch
@@ -0,0 +1,16 @@
+Description: Disable executes javascript code downloaded from insecure URL
+Author: Mateusz Łukasik 
+Bug-Debian: https://bugs.debian.org/870233
+Last-Update: 2017-07-31
+
+--- a/src/smplayer.pro
 b/src/smplayer.pro
+@@ -439,7 +439,7 @@ contains( DEFINES, YOUTUBE_SUPPORT ) {
+
+   contains( DEFINES, YT_USE_SCRIPT ) {
+   DEFINES += YT_USE_SIG
+-  DEFINES += YT_USE_YTSIG
++  #DEFINES += YT_USE_YTSIG
+   QT += script
+   }
+


This is done as per upstream version 17.11.2 and that's why I have
closed the bug with that version. It appears to me that undefining
URL_YT_CODE disables more functionality than strictly necessary, but I
may be misreading the code. In any case, comments on this are more
than welcome. I'd also appreciate comments from Richardo, who is
listed as the author of the patch.

Jonas, do you have reason to believe that the bug is still present in
the 18.2.2 (the version that is currently in unstable)? If so, please
elaborate.

Best,
Reinhard

Bug#898943: Multiple vulnerabiliities in Mongoose

[Reinhard Tartler]

On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik  wrote:

> This is not fixed for me. I made patch with add latest Mongoose version
> which included fixed for all of this cve's.
> It pushed now to salsa.
>
> --

Thank you!

I see that you've added
https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch
- which is a pretty big patch. I wouldn't know how to test it (I don't
use that feature) or even verify that the patch work. Matteusz, can
you please elaborate how you verified the patch  and how confident are
you that it doesn't introduce unwanted side-effects?

Ricardo, would that patch be acceptable for upstream inclusion? - Your
opinion is highly valued and would be helpful in forming an opinion on
Mateusz' patch.

Mateusz, I also see that you prepared a new upstream version. That's
great, in fact, I've also prepared it locally to see if the issue
happened to be fixed upstream, but determined mongosse was not updated
and concluded the problem still persists. I've therefore decided to
not upload the new upstream version and focus on the existing issues
instead. Hence, I've applied the patch to disable the build of
mongoose in the present package version. I see that you disabled it in
https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde
(the commit message didn't help with finding that SHA1, I'd appreciate
more accurate messages in the future) - which is fine by me *if* we
are confident that the mongoose update actually fixes the problem (see
my question above).

Also, did you verify that the new mongoose patch builds with GCC-8? My
patch to disable mongoose takes care of that as well, it would be a
shame to reintroduce #897863 again.

-- 
regards,
Reinhard

Bug#900974: marked as done (r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 13:04:30 +
with message-id 
and subject line Bug#900974: fixed in hmisc 4.1-1-2
has caused the Debian Bug report #900974,
regarding r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: r-cran-hmisc
Severity: grave
Tags: patch
Justification: renders package unusable

Hi,

the package is lacking

   Depends: r-cran-foreign, r-cran-nnet

I've attached a debdiff which I created using dh-update-R which fixes
the issue.  Please note that the debdiff contains

   Testsuite: autopkgtest-pkg-r

An activated autopkgtest easily uncovers missing Depends.

Kind regards

 Andreas.


-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages r-cran-hmisc depends on:
ii  libc62.24-11+deb9u1
pn  libgfortran3 
ii  libquadmath0 6.3.0-18+deb9u1
pn  r-api-3  
pn  r-base-core  
pn  r-cran-acepack   
pn  r-cran-base64enc 
pn  r-cran-chron 
pn  r-cran-cluster   
pn  r-cran-data.table
pn  r-cran-formula   
pn  r-cran-ggplot2   
pn  r-cran-gridextra 
pn  r-cran-gtable
pn  r-cran-htmltable 
pn  r-cran-htmltools 
pn  r-cran-lattice   
pn  r-cran-latticeextra  
pn  r-cran-rpart 
pn  r-cran-survival  
pn  r-cran-viridis   

r-cran-hmisc recommends no packages.

r-cran-hmisc suggests no packages.
diff -u hmisc-4.1-1/debian/changelog hmisc-4.1-1/debian/changelog
--- hmisc-4.1-1/debian/changelog
+++ hmisc-4.1-1/debian/changelog
@@ -1,3 +1,11 @@
+hmisc (4.1-1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/control: Fixing dependencies by using dh-upgrade-R
+  * d/rules: use dh-r
+
+ -- Andreas Tille   Thu, 07 Jun 2018 13:51:56 +0200
+
 hmisc (4.1-1-1) unstable; urgency=medium
 
   * New upstream release
diff -u hmisc-4.1-1/debian/control hmisc-4.1-1/debian/control
--- hmisc-4.1-1/debian/control
+++ hmisc-4.1-1/debian/control
@@ -1,18 +1,43 @@
 Source: hmisc
+Maintainer: Dirk Eddelbuettel 
 Section: gnu-r
+Testsuite: autopkgtest-pkg-r
 Priority: optional
-Maintainer: Dirk Eddelbuettel 
-Build-Depends: debhelper (>= 7.0), r-base-dev (>= 3.4.3), cdbs, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-rpart, r-cran-formula, 
r-cran-latticeextra, r-cran-nnet, r-cran-foreign, r-cran-acepack, 
r-cran-ggplot2 (>= 2.0.0), r-cran-gridextra, r-cran-data.table, 
r-cran-htmltools, r-cran-gtable, r-cran-viridis, r-cran-htmltable, 
r-cran-base64enc
-Standards-Version: 4.1.1
+Build-Depends: debhelper (>= 11~),
+   dh-r,
+   r-base-dev,
+   r-cran-chron,
+   r-cran-lattice,
+   r-cran-cluster,
+   r-cran-survival,
+   r-cran-rpart,
+   r-cran-formula,
+   r-cran-latticeextra,
+   r-cran-nnet,
+   r-cran-foreign,
+   r-cran-acepack,
+   r-cran-ggplot2 (>= 2.0.0),
+   r-cran-gridextra,
+   r-cran-data.table,
+   r-cran-htmltools,
+   r-cran-gtable,
+   r-cran-viridis,
+   r-cran-htmltable,
+   r-cran-base64enc
+Standards-Version: 4.1.4
 Homepage: http://biostat.mc.vanderbilt.edu/s/Hmisc
 
 Package: r-cran-hmisc
 Architecture: any
-Replaces: r-noncran-hmisc
+Depends: ${R:Depends},
+ ${shlibs:Depends},
+ ${misc:Depends}
+Recommends: ${R:Recommends}
+Suggests: ${R:Suggests}
 Conflicts: r-noncran-hmisc
 Provides: r-noncran-hmisc
-Depends: ${shlibs:Depends}, ${misc:Depends}, ${R:Depends}, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-formula, r-cran-rpart, 
r-cran-latticeextra, r-cran-acepack, r-cran-ggplot2, r-cran-gridextra, 
r-cran-data.table, r-cran-htmltools, r-cran-gtable, r-cran-viridis, 
r-cran-htmltable, r-cran-base64enc
-Description: GNU R miscellaneous functions by Frank Harrell 
+Replaces: r-noncran-hmisc
+Description: GNU R miscellaneous functions by Frank Harrell
  The Hmisc library contains many functions useful for data
  analysis, 

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Dirk Eddelbuettel]

severity -1 normal
quit

On 7 June 2018 at 14:25, Andreas Tille wrote:
| Package: r-cran-hmisc
| Severity: grave
| Tags: patch
| Justification: renders package unusable

Not really. Those two are "Recommended" package. Any normal R installation has 
them.
 
| Hi,
| 
| the package is lacking
| 
|Depends: r-cran-foreign, r-cran-nnet

Looks like an editing oversight when the Build-Depends got expanded. Given
the near-official status of those two "Recommended" package, it does hardly
matter every R installation will have them -- particularly an expanded one
that could have CRAN package Hmisc.

Fixing it regardless.  

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

Bug#900269: ifupdown: last version breaks upgrade

[Martin Hradil]

This is caused by systemd-tty-ask-password-agent:

rxvt-unicode(28371)-+-bash(28373)---sudo(14210)---dpkg(14211)---ifupdown.postin(14214)---systemctl(15338)---systemd-tty-ask(15342)

(from pstree)

But it seems like the systemd helper is trying to talk to tty1, while
the terminal I've ran dpkg --configure -a from is a rxvt-unicode on
/dev/pts/1.



So, it seems this is a systemd issue where systemd-tty-ask is failing
to detect X properly and trying to ask for something on tty1 instead.
(Which is unavailable because that's what X is using.)


That said, I don't think systemd should be asking anything during ifup
restart, so possibly a second bug somewhere..?


Hope it helps :)
Regards,
Martin Hradil

Bug#900974: r-cran-hmisc: Missing Depends: r-cran-foreign, r-cran-nnet

[Andreas Tille]

Package: r-cran-hmisc
Severity: grave
Tags: patch
Justification: renders package unusable

Hi,

the package is lacking

   Depends: r-cran-foreign, r-cran-nnet

I've attached a debdiff which I created using dh-update-R which fixes
the issue.  Please note that the debdiff contains

   Testsuite: autopkgtest-pkg-r

An activated autopkgtest easily uncovers missing Depends.

Kind regards

 Andreas.


-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages r-cran-hmisc depends on:
ii  libc62.24-11+deb9u1
pn  libgfortran3 
ii  libquadmath0 6.3.0-18+deb9u1
pn  r-api-3  
pn  r-base-core  
pn  r-cran-acepack   
pn  r-cran-base64enc 
pn  r-cran-chron 
pn  r-cran-cluster   
pn  r-cran-data.table
pn  r-cran-formula   
pn  r-cran-ggplot2   
pn  r-cran-gridextra 
pn  r-cran-gtable
pn  r-cran-htmltable 
pn  r-cran-htmltools 
pn  r-cran-lattice   
pn  r-cran-latticeextra  
pn  r-cran-rpart 
pn  r-cran-survival  
pn  r-cran-viridis   

r-cran-hmisc recommends no packages.

r-cran-hmisc suggests no packages.
diff -u hmisc-4.1-1/debian/changelog hmisc-4.1-1/debian/changelog
--- hmisc-4.1-1/debian/changelog
+++ hmisc-4.1-1/debian/changelog
@@ -1,3 +1,11 @@
+hmisc (4.1-1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/control: Fixing dependencies by using dh-upgrade-R
+  * d/rules: use dh-r
+
+ -- Andreas Tille   Thu, 07 Jun 2018 13:51:56 +0200
+
 hmisc (4.1-1-1) unstable; urgency=medium
 
   * New upstream release
diff -u hmisc-4.1-1/debian/control hmisc-4.1-1/debian/control
--- hmisc-4.1-1/debian/control
+++ hmisc-4.1-1/debian/control
@@ -1,18 +1,43 @@
 Source: hmisc
+Maintainer: Dirk Eddelbuettel 
 Section: gnu-r
+Testsuite: autopkgtest-pkg-r
 Priority: optional
-Maintainer: Dirk Eddelbuettel 
-Build-Depends: debhelper (>= 7.0), r-base-dev (>= 3.4.3), cdbs, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-rpart, r-cran-formula, 
r-cran-latticeextra, r-cran-nnet, r-cran-foreign, r-cran-acepack, 
r-cran-ggplot2 (>= 2.0.0), r-cran-gridextra, r-cran-data.table, 
r-cran-htmltools, r-cran-gtable, r-cran-viridis, r-cran-htmltable, 
r-cran-base64enc
-Standards-Version: 4.1.1
+Build-Depends: debhelper (>= 11~),
+   dh-r,
+   r-base-dev,
+   r-cran-chron,
+   r-cran-lattice,
+   r-cran-cluster,
+   r-cran-survival,
+   r-cran-rpart,
+   r-cran-formula,
+   r-cran-latticeextra,
+   r-cran-nnet,
+   r-cran-foreign,
+   r-cran-acepack,
+   r-cran-ggplot2 (>= 2.0.0),
+   r-cran-gridextra,
+   r-cran-data.table,
+   r-cran-htmltools,
+   r-cran-gtable,
+   r-cran-viridis,
+   r-cran-htmltable,
+   r-cran-base64enc
+Standards-Version: 4.1.4
 Homepage: http://biostat.mc.vanderbilt.edu/s/Hmisc
 
 Package: r-cran-hmisc
 Architecture: any
-Replaces: r-noncran-hmisc
+Depends: ${R:Depends},
+ ${shlibs:Depends},
+ ${misc:Depends}
+Recommends: ${R:Recommends}
+Suggests: ${R:Suggests}
 Conflicts: r-noncran-hmisc
 Provides: r-noncran-hmisc
-Depends: ${shlibs:Depends}, ${misc:Depends}, ${R:Depends}, r-cran-chron, 
r-cran-lattice, r-cran-cluster, r-cran-survival, r-cran-formula, r-cran-rpart, 
r-cran-latticeextra, r-cran-acepack, r-cran-ggplot2, r-cran-gridextra, 
r-cran-data.table, r-cran-htmltools, r-cran-gtable, r-cran-viridis, 
r-cran-htmltable, r-cran-base64enc
-Description: GNU R miscellaneous functions by Frank Harrell 
+Replaces: r-noncran-hmisc
+Description: GNU R miscellaneous functions by Frank Harrell
  The Hmisc library contains many functions useful for data
  analysis, high-level graphics, utility operations, functions for
  computing sample size and power, translating SAS datasets,
diff -u hmisc-4.1-1/debian/rules hmisc-4.1-1/debian/rules
--- hmisc-4.1-1/debian/rules
+++ hmisc-4.1-1/debian/rules
@@ -2,6 +2,3 @@
-#  -*- makefile -*-
-# debian/rules file for the Debian/GNU Linux r-cran-hmisc package
-# Copyright 2003 - 2017 by Dirk Eddelbuettel 
-
-include /usr/share/R/debian/r-cran.mk
 
+%:
+   dh $@ --buildsystem R

Bug#900936: geoclue: Update to 2.4.10 breaks redshift

[James Tocknell]

On 7 June 2018 at 18:41, Laurent Bigonville  wrote:
> Le 07/06/18 à 02:46, James Tocknell a écrit :
>>
>> Dear Maintainer,
>>
>> The update to 2.4.10-1 causes redshift to immediately crash, with the
>> error:
>>
>> Failed to connect to GeoClue2 service:
>> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: 'redshift' disallowed,
>> no agent for UID 1000
>
>
> Which desktop environment are you using? Because it's usually the DE that is
> supposed to implement this.

None, I start up the necessary programs via my WM (awesome). I was planning
on adding the agent to my startup, but it fails to work.

>
>> Starting the agent in the demo package manually appears to make no
>> difference.
>> Additionally, I tried to use the where-am-i demo, which produced the same
>> error
>> (again with the agent started).
>>
>> I think the cause is this change referred to in the upstream changelog:
>> "Refuse location access if no app-auth agent is registered. This fixes a
>> security hole where an app requests location access before the agent gets
>> to
>> register itself and we end up giving out locaiton access even though user
>> has
>> disabled it."
>>
>> Can the change be reverted until the agent works?
>
>
> Well, I don't know to be honest, the demo agent is a demo, that should be
> implemented in the DE itself. Only GNOME (and I think enlightenment) are
> implementing this ATM and it could take a long time to be implemented in the
> others. (Don't know if there are even feature requests open)
>
> Couldn't the geolocation feature be disabled in redshift? Or couldn't the
> geoclue config file be adjusted to allow redshift to work without asking the
> agent?

The geolocation can be disabled, but that loses a far bit of the
functionality of
redshift (and doesn't solve the actual problem of programs being unable to get
the current location due to a non-working agent). I've tried adding
redshift (and
the where-am-i demo) to the config (which would have been a nice workaround,
preferable to just downgrading), but that didn't appear to work either
(both with
and without the agent running). The agent is added to the xdg startup dir, so
presumably it's supposed to function when there's no other agent?

Should I create a bug on the upstream tracker about the agent appearing not
to work, and post the url here?

>
>
>> FYI, I make the report critical so that the change doesn't migrate to
>> testing,
>> feel free to drop the severity if you think that's appropriate.
>
>
>



-- 
Don't send me files in proprietary formats (.doc(x), .xls, .ppt etc.).
It isn't good enough for Tim Berners-Lee, and it isn't good enough for
me either. For more information visit
http://www.gnu.org/philosophy/no-word-attachments.html.

Truly great madness cannot be achieved without significant intelligence.
 - Henrik Tikkanen

If you're not messing with your sanity, you're not having fun.
 - James Tocknell

In theory, there is no difference between theory and practice; In
practice, there is.

Bug#893098: marked as done (axis FTBFS with openjdk-9)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 12:19:27 +
with message-id 
and subject line Bug#893098: fixed in axis 1.4-26
has caused the Debian Bug report #893098,
regarding axis FTBFS with openjdk-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: axis
Version: 1.4-25
Severity: serious
Tags: buster sid

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/axis.html

...
compile:
[javac] /build/1st/axis-1.4/build.xml:99: warning: 'includeantruntime' was 
not set, defaulting to build.sysclasspath=last; set to false for repeatable 
builds
[javac] Using javac -source 1.3 is no longer supported, switching to 1.6
[javac] Using javac -target 1.3 is no longer supported, switching to 1.6
[javac] Compiling 633 source files to /build/1st/axis-1.4/build/classes
[javac] warning: [options] bootstrap class path not set in conjunction with 
-source 1.6
[javac] warning: [options] source value 1.6 is obsolete and will be removed 
in a future release
[javac] warning: [options] target value 1.6 is obsolete and will be removed 
in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use 
-Xlint:-options.
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/attachments/DimeAttachmentStreams.java:14:
 error: unmappable character (0x92) for encoding US-ASCII
[javac]  * use of Axis? DimeDelimitedInputStream to parse the data in the 
HTTP stream
[javac]   ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/attachments/MultipartAttachmentStreams.java:27:
 error: unmappable character (0x92) for encoding US-ASCII
[javac]  * the root part of the multipart-related message). Our DIME 
counterpart didn?t
[javac] 
 ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:419:
 error: unmappable character (0xE2) for encoding US-ASCII
[javac] // server???
[javac]  ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:419:
 error: unmappable character (0x88) for encoding US-ASCII
[javac] // server???
[javac]   ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:419:
 error: unmappable character (0x97) for encoding US-ASCII
[javac] // server???
[javac]^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:431:
 error: unmappable character (0xE2) for encoding US-ASCII
[javac] // I f we ??? r e i n s t r i c t mode ,
[javac]   ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:431:
 error: unmappable character (0x80) for encoding US-ASCII
[javac] // I f we ??? r e i n s t r i c t mode ,
[javac]^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:431:
 error: unmappable character (0x99) for encoding US-ASCII
[javac] // I f we ??? r e i n s t r i c t mode ,
[javac] ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:432:
 error: unmappable character (0xE2) for encoding US-ASCII
[javac] // [ ???.foo.com] is not allowed to match 
[a.b.foo.com]
[javac]  ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:432:
 error: unmappable character (0x88) for encoding US-ASCII
[javac] // [ ???.foo.com] is not allowed to match 
[a.b.foo.com]
[javac]   ^
[javac] 
/build/1st/axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java:432:
 error: unmappable character (0x97) for encoding US-ASCII
[javac] // [ ???.foo.com] is not allowed to match 
[a.b.foo.com]
[javac]^
[javac] /build/1st/axis-1.4/src/org/apache/axis/enum/Scope.java:17: error: 
as of release 5, 'enum' is a keyword, and may not be used as an identifier
[javac] package org.apache.axis.enum;
[javac] ^
[javac] 

Bug#900971: lava: FTBFS when built with dpkg-buildpackage -A

[Santiago Vila]

Package: lava
Version: 2018.5-2
Severity: serious

Dear maintainer:

I tried to build this package with dpkg-buildpackage -A and it failed:

[...]
 dpkg-source --before-build lava-2018.5
 fakeroot debian/rules clean
dh clean --with sphinxdoc,systemd,python3
dh: unable to load addon sphinxdoc: Can't locate 
Debian/Debhelper/Sequence/sphinxdoc.pm in @INC (you may need to install the 
Debian::Debhelper::Sequence::sphinxdoc module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.26.2 /usr/local/share/perl/5.26.2 
/usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at (eval 7) line 
1.
BEGIN failed--compilation aborted at (eval 7) line 1.

make: *** [debian/rules:36: clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit 
status 2


I have not tried several times because the error message suggests some
kind of missing build-dependency.

To reproduce please try building with dpkg-buildpackage -A on a
chroot having only the essential packages (plus those required
for "dpkg-buildpackage -A" to work).

Full build log available here:

https://people.debian.org/~sanvila/build-logs/lava/

Thanks.

Bug#900967: Security vulnerability: Stack overflow in BGP mask expressions

[Jonas Meurer]

Source: bird
Version: 1.6.3-2
Severity: critical
Tags: security

According to the upstream website[1] and changelog[2], bird release 1.6.4
includes an "important security bugfix".

The changelog mentions "Filter: Fixed stack overflow in BGP mask
expressions". A quick scan through the git history revealed a few
commits that mention overflow and use after free fixes:

e8bc64e308586b6502090da2775af84cd760ed0d
Filter: make bgpmask literals real constructors
30c734fc73648e4c43af4f45e68ac2de3d7ddea1
Static: Fix bug in static route filter expressions

Probably the best is to ask upstream about security relevant commits and
consider to either backport them to stretch-backports. Another option
would be to upload 1.6.4 to stretch-security as 1.6.4-0+deb9u1.

Cheers
 jonas

[1] http://bird.network.cz/
[2] https://gitlab.labs.nic.cz/labs/bird/blob/v1.6.4/NEWS#L11

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#900924: [Pkg-utopia-maintainers] Bug#900924: Bug#900924: [network-manager-gnome] segfault after upgrade to 1.8.12-1

[Michael Biebl]

Control: forcemerge 900869 -1

Am 07.06.2018 um 13:36 schrieb Shin Ice:
> Hi,
> 
> On Wed, Jun 06, 2018 at 09:43:12PM +0200, Michael Biebl wrote:
>>
>> Please test 1.8.12-2 and report back. It was uploaded a couple of
>> minutes ago and should hit the mirrors soon.
>>
> 
> ticket could be closed: after the update all works fine as designed =)

Thanks for reporting back.

Merging with 900869 then.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Processed: Re: [Pkg-utopia-maintainers] Bug#900924: Bug#900924: [network-manager-gnome] segfault after upgrade to 1.8.12-1

[Debian Bug Tracking System]

Processing control commands:

> forcemerge 900869 -1
Bug #900869 {Done: Michael Biebl } [network-manager-gnome] 
segfault when updating list of wireless networks
Bug #900924 [network-manager-gnome] [network-manager-gnome] segfault after 
upgrade to 1.8.12-1
Severity set to 'serious' from 'grave'
Marked Bug as done
Marked as fixed in versions network-manager-applet/1.8.12-2.
Merged 900869 900924

-- 
900869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900869
900924: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900924
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900924: [Pkg-utopia-maintainers] Bug#900924: [network-manager-gnome] segfault after upgrade to 1.8.12-1

[Shin Ice]

Hi,

On Wed, Jun 06, 2018 at 09:43:12PM +0200, Michael Biebl wrote:
>
> Please test 1.8.12-2 and report back. It was uploaded a couple of
> minutes ago and should hit the mirrors soon.
>

ticket could be closed: after the update all works fine as designed =)

Thanks and greetings
Shin

--

I'm just a placeholder for a really awesome signature...
...that is still missing *sob*


signature.asc
Description: PGP signature

Processed: Re: Bug#900317: debian-installer: black screen and no answer from X server

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #900317 [debian-installer] debian-installer: black screen and no answer 
from X server
Added tag(s) pending.

-- 
900317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900317
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900317: debian-installer: black screen and no answer from X server

[Cyril Brulebois]

Control: tag -1 pending

Hi,

Cyril Brulebois  (2018-05-29):
> Going back to the previous linux ABI shows the same behaviour (so both
> 4.16.0-1 and 4.16.0-2 are affected), so I suppose it could be due to the
> new X server. It seems to start at least, since I'm briefly seeing its
> startup logs.
> 
> Interested people could look at images from the last few days and check
> the differences in build logs for further suspects:
>   https://d-i.debian.org/daily-images/amd64/
> 
> For this bug:
>  - OK = ctrl-alt-fN can switch ttys. You'll likely see messages about
> “random” things (see #898468).
>  - KO = ctrl-alt-fN doesn't seem to have any effects.

Using a serial console I was able to get a shell, and to try and start
Xorg manually, which resulted in a symbol error:
| Xorg: symbol lookup error: /usr/lib/xorg/modules/drivers/fbdev_drv.so: 
undefined symbol: shadowUpdatePackedWeak

Michel Dänzer kindly pointed to this bug report against the fbdev
driver, which is fixed upstream in 0.5.0:
  https://bugs.debian.org/900613

I've merged the new upstream release locally and rebuilt d-i against it,
and I've verified the bug fix is OK; meanwhile, Julien uploaded the new
upstream release:
  
https://tracker.debian.org/news/963445/accepted-xserver-xorg-video-fbdev-1050-1-source-into-unstable/

Keeping this bug report open for the time being, until the fbdev driver
migrates to testing, so that I don't try to upload d-i too soon…


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#891957: netbeans "loading module" modules.netbinox NullPointerException

[Markus Koschany]

Control: reopen -1

It seems there is another issue with libequinox-osgi-java. Building
Netbeans from source works again but I still get the NullPointerException.



signature.asc
Description: OpenPGP digital signature

Processed: Re: Bug#891957: netbeans "loading module" modules.netbinox NullPointerException

[Debian Bug Tracking System]

Processing control commands:

> reopen -1
Bug #891957 {Done: Markus Koschany } [netbeans] netbeans no 
starting "loading module" modules.netbinox NullPointerException
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions netbeans/8.1+dfsg3-5.

-- 
891957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#897556: facter: FTBFS: dh_install: missing files, aborting

[Juhani Numminen]

Control: tags -1 moreinfo

On Wed, 2 May 2018 22:58:19 +0200 Lucas Nussbaum  wrote:
> Source: facter
> Version: 3.11.0-1
> Severity: serious
> Tags: buster sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20180502 qa-ftbfs
> Justification: FTBFS on amd64

> > dh_install: Cannot find (any matches for) "usr/lib/ruby" (tried in ., 
> > debian/tmp)
> > 
> > dh_install: facter missing files: usr/lib/ruby
> > dh_install: missing files, aborting
> > make: *** [debian/rules:10: binary] Error 25
> 
> The full build log is available from:
>http://aws-logs.debian.net/2018/05/02/facter_3.11.0-1_unstable.log

The build log also contains:
> -- Could NOT find Ruby (missing: RUBY_EXECUTABLE RUBY_INCLUDE_DIR 
> RUBY_LIBRARY) (Required is at least version "1.9")

However, my local rebuild succeeds, and there's currently no FTBFS at
Reproducible Builds either, so I added the moreinfo tag.

https://tests.reproducible-builds.org/debian/history/facter.html


Regards,
Juhani

Processed: Re: Bug#897556: facter: FTBFS: dh_install: missing files, aborting

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #897556 [src:facter] facter: FTBFS: dh_install: missing files, aborting
Ignoring request to alter tags of bug #897556 to the same tags previously set

-- 
897556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#897556: facter: FTBFS: dh_install: missing files, aborting

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #897556 [src:facter] facter: FTBFS: dh_install: missing files, aborting
Added tag(s) moreinfo.

-- 
897556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#898943: Multiple vulnerabiliities in Mongoose

[Mateusz Łukasik]

On 04.06.2018 18:47 +0100, Reinhard Tartler wrote:

Ok, thanks. That sounds like a good plan!

Reinhard

On Sun, Jun 3, 2018, 19:49 Ricardo Villalba > wrote:


I don't know yet. I guess I'll have to look for another simple web
server.


2018-06-03 23:15 GMT+02:00 Reinhard Tartler mailto:siret...@gmail.com>>:
 > Thanks for the tip, Ricardo!
 >
 > It appears that disabling that define still compiles (and installs)
 > the vulnerable program. I'll upload a new package that not only
 > disables that define, but also modifies the top-level Makefile to no
 > longer build and install mongoose:
 >
 >

https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
 >
 > Let me know what you think and what do you intend to do upstream to
 > resolve this issue.
 >
 > Thanks,
 > Reinhard
 > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba
mailto:smplayer@gmail.com>> wrote:
 >>
 >> Hello.
 >>
 >> I wasn't aware of those vulnerabilities in mongoose.
 >> It's possible to disable the support for chromecast in smplayer
 >> commenting the line DEFINES += CHROMECAST_SUPPORT in
src/smplayer.pro 
 >>
 >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler mailto:siret...@gmail.com>>:
 >> > Hi Richardo,
 >> >
 >> > I'm not sure if you have seen this email, Moritz from the debian
 >> > security team is reporting a release-critical bug in smplayer.
More
 >> > specifically, smplayer appears to be using the mongoose webserver
 >> > implementation as in implementation detail of the chromecast
 >> > component.
 >> >
 >> > Having to remove smplayer would be most unfortunate. I checked the
 >> > upstream commits at
 >> > https://github.com/cesanta/mongoose/commits/master, but apparently
 >> > there is no fix available yet. Maybe I'm missing something but
if not,
 >> > my question to you is whether we can easily disable the chromecast
 >> > component from the smplayer build?
 >> >
 >> > Please let me know your thoughts on this.
 >> >
 >> > Best,
 >> > Reinhard
 >> >
 >> > -- Forwarded message -
 >> > From: Moritz Muehlenhoff mailto:j...@debian.org>>
 >> > Date: Thu, May 17, 2018 at 12:51 PM
 >> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
 >> > To: Debian Bug Tracking System mailto:sub...@bugs.debian.org>>
 >> >
 >> >
 >> > Source: smplayer
 >> > Severity: grave
 >> > Tags: security
 >> >
 >> > smplayer seems to embed Cesenta Mongoose:
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
 >> >
 >> > Cheers,
 >> >         Moritz
 >> >
 >> > ___
 >> > pkg-multimedia-maintainers mailing list
 >> > pkg-multimedia-maintain...@alioth-lists.debian.net

 >> >

https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
 >> >
 >> >
 >> > --
 >> > regards,
 >> >     Reinhard
 >>
 >>
 >>
 >> --
 >> RVM
 >
 >
 >
 > --
 > regards,
 >     Reinhard



-- 
RVM






Hi,

This is not fixed for me. I made patch with add latest Mongoose version
which included fixed for all of this cve's.
It pushed now to salsa.

--
 .''`.  Mateusz Łukasik
: :' :  https://l0calh0st.pl
`. `'   Debian Member - mat...@linuxmint.pl
  `-GPG: D93B 0C12 C8D0 4D7A AFBC  FA27 CCD9 1D61 11A0 6851

Bug#899955: marked as done (libkkc: Invalid maintainer address pkg-ime-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 10:34:28 +
with message-id 
and subject line Bug#899955: fixed in libkkc 0.3.5-3
has caused the Debian Bug report #899955,
regarding libkkc: Invalid maintainer address 
pkg-ime-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899955
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:libkkc
Version: 0.3.5-2
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of libkkc,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package libkkc since the list address
pkg-ime-de...@lists.alioth.debian.org used in the Maintainer: field was
not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-ime-de...@lists.alioth.debian.org is 68.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libkkc
Source-Version: 0.3.5-3

We believe that the bug you reported is fixed in the latest version of
libkkc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boyuan Yang <073p...@gmail.com> (supplier of updated libkkc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 15:05:56 +0800
Source: libkkc
Binary: libkkc-common libkkc-dev libkkc-utils libkkc2
Architecture: source
Version: 0.3.5-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Input Method Team 
Changed-By: Boyuan Yang <073p...@gmail.com>
Description:
 libkkc-common - Japanese Kana Kanji input library - common data
 libkkc-dev - Japanese Kana Kanji input library - development files
 libkkc-utils - Japanese Kana Kanji input library - testing utility
 libkkc2- Japanese Kana Kanji input library
Closes: 886513 899955
Changes:
 libkkc (0.3.5-3) unstable; urgency=medium
 .
   * Team upload.
   * debian: Apply "wrap-and-sort" for unified format.
   * debian/control:
 - Use debian-input-method@lists.d.o in maintainer field.
   Closes: #899955.
 - Use "Optional" priority instead of deprecated "Extra".
 - Use GitHub project for homepage field.
 - Use Salsa repo for Vcs fields. Closes: #886513.
 - Bump debhelper compat to v11.
 - Bump Standards-Version to 4.1.4.
 - Drop old -dbg package entries.
 - Limit Build-dep libmarisa version to ensure rebuild against
   new version of marisa.
   * debian/copyright:
 - Add info about my contribution.
 - Update homepage information.
   * debian/patches:
   

Bug#900853: [request-tracker-maintainers] Bug#900853: [request-tracker4] FTBFS: missing fonts in ckeditor

[Dominic Hargreaves]

Control: severity -1 normal
Control: tags -1 + moreinfo

On Wed, Jun 06, 2018 at 12:01:59AM +0200, Bastien ROUCARIÈS wrote:
> Package: request-tracker4
> Severity: serious
> 
> Hi,
> 
> third-party-source/devel/third-party/ckeditor-4.5.3/samples/toolbarconfigurator/font/fontello*
> 
> Does not build from source
> 
> Time to use ckeditor package ?
> 
> Will upload this font ASAP

I don't understand this bug report, please could you
clarify what you think the problem is? The file you referred to is not
used in the package build.

We don't use the ckeditor package because of compatibility concerns.

Dominic.

Processed: Re: [request-tracker-maintainers] Bug#900853: [request-tracker4] FTBFS: missing fonts in ckeditor

[Debian Bug Tracking System]

Processing control commands:

> severity -1 normal
Bug #900853 [request-tracker4] [request-tracker4] FTBFS: missing fonts in 
ckeditor
Severity set to 'normal' from 'serious'
> tags -1 + moreinfo
Bug #900853 [request-tracker4] [request-tracker4] FTBFS: missing fonts in 
ckeditor
Added tag(s) moreinfo.

-- 
900853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900953: marked as done (plexus-archiver: CVE-2018-1002200)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 10:19:49 +
with message-id 
and subject line Bug#900953: fixed in plexus-archiver 3.6.0-1
has caused the Debian Bug report #900953,
regarding plexus-archiver: CVE-2018-1002200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: plexus-archiver
Source-Version: 3.6.0-1

We believe that the bug you reported is fixed in the latest version of
plexus-archiver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated plexus-archiver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 11:50:41 +0200
Source: plexus-archiver
Binary: libplexus-archiver-java
Architecture: source
Version: 3.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Description:
 libplexus-archiver-java - Archiver plugin for the Plexus compiler system
Closes: 889426 900953
Changes:
 plexus-archiver (3.6.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
 - Fixes CVE-2018-1002200: Arbitrary file write vulnerability using
   a specially crafted zip file (Closes: #900953)
   * Removed Damien Raude-Morvan from the uploaders (Closes: #889426)
   * Standards-Version updated to 4.1.4
   * Switch to debhelper level 11
   * Use salsa.debian.org Vcs-* URLs
Checksums-Sha1:
 c2eaeefbe692980ed505875578e070b495d84067 2323 plexus-archiver_3.6.0-1.dsc
 fd15074c740a551877bc30b94ad5c46d0567ee70 425988 
plexus-archiver_3.6.0.orig.tar.xz
 49731591269037da5098d87f0891f4e87abb466c 4552 
plexus-archiver_3.6.0-1.debian.tar.xz
 a3edb759bfe596b867f5b3c14b38c1e3067cf81a 14873 
plexus-archiver_3.6.0-1_source.buildinfo
Checksums-Sha256:
 950b9dfe30783cc67ac6c53ec950c13ac0230fce0a0a81358e9ac382822a7611 2323 
plexus-archiver_3.6.0-1.dsc
 ffe914d89c386cc092c999056d761fc50e8d91bc272bde88717f601ded43c476 425988 
plexus-archiver_3.6.0.orig.tar.xz
 34e118bb95960fc413aa27a481071ea08df68472fac2bdf6421a92c7b6deef2c 4552 
plexus-archiver_3.6.0-1.debian.tar.xz
 5a39f16a8d2494f7dd1dbc8dd20235cb80dfaee22ccf357346df61b0f1c46afd 14873 
plexus-archiver_3.6.0-1_source.buildinfo
Files:
 e82a8902044bc8e2305785b5e94921b2 2323 java optional plexus-archiver_3.6.0-1.dsc
 5ad9a01cdfb2ff0d35070ae580e691f6 425988 java optional 
plexus-archiver_3.6.0.orig.tar.xz
 d81948f576146dab21ea0810ac01bd59 4552 java optional 
plexus-archiver_3.6.0-1.debian.tar.xz
 c97a04a95806b3401160a5c5c0c01ad5 14873 java optional 
plexus-archiver_3.6.0-1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlsZAkgSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsn4wP/jKamEPg7A7gZbV53mOWhowce2FsxuSB
xIDyZ7kg0apRs7fB4d0UYMZZqcS01/BN3oepI/xSS6H75bUUMMw4o+XN7sIJAxu7
Oz3EVHGS14iqLaeQoVbBOBokC6kbBDQ36cR/GMNwqxeIDmPPSBpxzLNC3a6v7DTd
Wsc1QMXg0045vOkaKiynw3xwl4Crhcwn1tHIRRb1toDqD2QNAbKrfJUNusNr/rXg
4ol+rXTbNAZd3O65G05g1YoHFCCeGYA6LxqpDrnRebYOPs33c1VzLSxzwPAybosD
t1P+2Q8+j62AGVYZ2HxGMA5wtuXbtmZz2tDJYs7xb/Qzcj1Vi5IDPtg9IvVazes/
6EqJ2C/tACeLIaRHJ75tIOtMMEgtom5ZzEISRt/UgXtfNBmvtcb224YHgLvgUr/h

Bug#899873: marked as done (mousepad: Invalid maintainer address pkg-xfce-de...@lists.alioth.debian.org)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 10:19:41 +
with message-id 
and subject line Bug#899873: fixed in mousepad 0.4.1-1
has caused the Debian Bug report #899873,
regarding mousepad: Invalid maintainer address 
pkg-xfce-de...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:mousepad
Version: 0.4.0-4
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of mousepad,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package mousepad since the list address
pkg-xfce-de...@lists.alioth.debian.org used in the Maintainer: field
was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-xfce-de...@lists.alioth.debian.org is 55.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: mousepad
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
mousepad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez  (supplier of updated mousepad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jun 2018 11:53:34 +0200
Source: mousepad
Binary: mousepad
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xfce Maintainers 
Changed-By: Yves-Alexis Perez 
Description:
 mousepad   - simple Xfce oriented text editor
Closes: 849768 885684 899873
Changes:
 mousepad (0.4.1-1) unstable; urgency=medium
 .
   [ Yves-Alexis Perez ]
   * Moved the package to git on salsa.debian.org
   * Update maintainer address to debian-x...@lists.debian.org   closes: #899873
   * d/gbp.conf added, following DEP-14
 .
   [ Unit 193 ]
   * New upstream version 0.4.1.
 - Drop upstream patches.
   * Run wrap-and-sort.
   * d/compat, d/control: Bump dh compat to 11.
   * d/control: Drop build-depend on dh-autoreconf.
   * d/rules:
 - Drop override on configure, --disable-silent-rules is default.
 - Drop dh options of --with autoreconf and parallel as they are default.
 - Use dh_missing instead of dh_install for --fail-missing.
 - autoreconf is Xfce aware, don't explicitly call xdt-autogen.
   * d/mousepad.1 d/watch: Use https where possible.
   * Remove trailing whitespace from old changelog entries.
   * Bump Standards-Version to 4.1.4.
 .
   [ Yves-Alexis Perez ]
   * use gtksourceview 3.0 (Closes: 

Processed: Bug #900953 in plexus-archiver marked as pending

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #900953 [src:plexus-archiver] plexus-archiver: CVE-2018-1002200
Added tag(s) pending.

-- 
900953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900953: Bug #900953 in plexus-archiver marked as pending

[ebourg]

Control: tag -1 pending

Hello,

Bug #900953 in plexus-archiver reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/plexus-archiver/commit/35f70760eb10ddde30dbdb337546cc09e533183f


New upstream release (3.6.0)
Fixes CVE-2018-1002200: Arbitrary file write vulnerability using a specially 
crafted zip file (Closes: #900953)



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/900953

Bug#865975: #865975 docker.io breaks (bridged) network for VMs

[Dmitry Smirnov]

I'm lowering severity of this bug since it is not clear how to reproduce the 
problem and because networking is not broken for everyone...


signature.asc
Description: This is a digitally signed message part.

Processed: severity of 865975 is important

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 865975 important
Bug #865975 [docker.io] docker.io breaks (bridged) network for VMs
Severity set to 'important' from 'critical'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
865975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#853248: marked as done (docker.io: cannot be purged (at least not on first try))

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:27:30 +1000
with message-id <2523330.Jf5r39N18M@deblab>
and subject line Done: docker.io: cannot be purged (at least not on first try)
has caused the Debian Bug report #853248,
regarding docker.io: cannot be purged (at least not on first try)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
853248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: docker.io
Version: 1.11.2~ds1-6
Severity: grave
Justification: renders package unusable

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I installed docker.io, installed one container, then tried to purge it,
and it threw a ton of errors:

Nuking /var/lib/docker ...
  (if this is wrong, press Ctrl+C NOW!)

+ sleep 10

+ rm -rf /var/lib/docker
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/17bd2058e0c6500de157d98d3acd24c2033a5e235334f6c722f27de9726f24b5'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/f854eed3f31f47134fef808751b83e208f95c4713b1de46865eb6a04d8d39a0b'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/45dcb011776a42fec68ff77e92ef62fcebb136e763e55f581283bfe2569885cd'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/cff61050f95cf10dfd417e3d16db15904475761c2ac680514600ce60debfc418'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/32bfc43e8cd071561ebfd18759a1ba0a6537588d78560ae3eeb9780bdbf78449'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/7d0f8d237cfac29c1bf6f6c59b383c8cddfd3a023fe7a6399addfb730db870e9'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/5e56d9aa249a35a3c0e80c20ed350e101222dd581ffaf753b647aeee8384a057'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/565ab17724c2e6864440eac46c0051057b4eaeddc1e50186151c7e5b3f1aa49f'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/5463bb1e44b7c9947094f55bc6a57f010cadd88d3ff18c85b5bf91ac6e4e161c'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/1ae32dcf02f3df40c2c4c00db37b4c1a97bd102f360384f331a9987a0deb4372-init'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/1ae32dcf02f3df40c2c4c00db37b4c1a97bd102f360384f331a9987a0deb4372'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/4a5d314da2f1afddf4b273ba1aa0f96e5cba71c1db3a0849c39ee249ba88cfe3-init'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/4a5d314da2f1afddf4b273ba1aa0f96e5cba71c1db3a0849c39ee249ba88cfe3'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/2f77df1fc8fb25a943b8239a4cf23978fc2a925e4064f4fb34f29550ac6b5cec'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/6c014eb5592de9fc5c761369114f243f265d1a4301abe28dd967b6899a6ad32a'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/3ec8ac286040fdbe70b1d82bbc2262220af18f25cbb3f1e536cf2b5ccb6ad59e'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/e9613fa25d1f2c84590a942fbba2a5a8ca73616d1f23964509fbf643fe7af9c2'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/05ff0430528877b3fa5d0d0bb4e170947c96b1bb894fd932716f8d37206beee5'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/0b7503d21eb2c3074bb7b2e53ab5b267732636cc8883f620fdb19fed60705fae-init'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/0b7503d21eb2c3074bb7b2e53ab5b267732636cc8883f620fdb19fed60705fae'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 
'/var/lib/docker/btrfs/subvolumes/3f0d3d140ce1aca1e2877e6efded1031f015be66bb82add6dece45230022abe1'
 ist nicht möglich: Die Operation ist nicht erlaubt
rm: das Entfernen von 

Bug#900953: plexus-archiver: CVE-2018-1002200

[Salvatore Bonaccorso]

Source: plexus-archiver
Version: 3.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/codehaus-plexus/plexus-archiver/pull/87

Hi,

The following vulnerability was published for plexus-archiver.

CVE-2018-1002200[0]:
| arbitrary file write vulnerability / arbitrary code execution using a
| specially crafted zip file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1002200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
[1] https://github.com/codehaus-plexus/plexus-archiver/pull/87

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#881480: marked as done (docker build fails to run citing runc extraneous option "-console")

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:23:50 +1000
with message-id <5624416.f1vgtIN3kY@deblab>
and subject line Done: docker build fails to run citing runc extraneous option 
"-console"
has caused the Debian Bug report #881480,
regarding docker build fails to run citing runc extraneous option "-console"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
881480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: docker.io
Version: 1.13.1~ds2-3
Severity: grave

I dist-upgraded my system today and tried to do a docker build, it
fails with the error:

Incorrect Usage: flag provided but not defined: -console
... (mostly runc help message)
flag provided but not defined: -console
oci runtime error: flag provided but not defined: -console

I've seen in the past a similar issue that said to downgrade parts but
I can't see in the NEW queue anything else related to docker.io that
is not yet pushed through or I would have manually upgraded that.

As it is now it seems that docker.io is broken in unstable.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages docker.io depends on:
ii  adduser 3.116
ii  docker-containerd   0.2.3+git+docker1.13.1~ds1-1
ii  docker-runc 1.0.0~rc2+git+docker1.13.1~ds1-2
ii  golang-libnetwork   0.8.0-dev.2+git20170202.599.45b4086-3
ii  iptables1.6.1-2+b1
ii  libapparmor12.11.1-3
ii  libc6   2.24-17
ii  libdevmapper1.02.1  2:1.02.145-4
ii  libsqlite3-03.21.0-1
ii  libsystemd0 235-2
ii  lsb-base9.20170808

Versions of packages docker.io recommends:
ii  ca-certificates  20170717
ic  cgroupfs-mount   1.4
ii  git  1:2.15.0-1
ii  xz-utils 5.2.2-1.3

Versions of packages docker.io suggests:
pn  aufs-tools   
pn  btrfs-progs  
pn  debootstrap  
pn  docker-doc   
pn  rinse
pn  zfs-fuse | zfsutils  

-- no debconf information
--- End Message ---
--- Begin Message ---
I'm closing this bug report as I don't recognize an actionable task for 
maintainer to do. Docker don't restart daemon automatically as it may disrupt 
running containers. This practical annoyance is design flaw (which "rkt" 
doesn't have). Manual restart of docker may be required on upgrade.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

-- 
Best wishes,
 Dmitry Smirnov


signature.asc
Description: This is a digitally signed message part.
--- End Message ---

Processed: tag bug with version where it was fixed

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 893604 1.2.19-2
Bug #893604 {Done: Chris Knadle } [src:mumble] 
mumble: Add support to build with upcoming Ice 3.7.0 release
Marked as fixed in versions mumble/1.2.19-2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
893604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893604
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> block 874655 by 873213
Bug #874655 [src:libspring-java] FTBFS with Java 9: The type java.lang.String 
cannot be resolved.
874655 was not blocked by any bugs.
874655 was not blocking any bugs.
Added blocking bug(s) of 874655: 873213
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
874655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874655
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#893198: marked as done (jets3t FTBFS with openjdk-9)

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 09:04:23 +
with message-id 
and subject line Bug#893198: fixed in jets3t 0.8.1+dfsg-4
has caused the Debian Bug report #893198,
regarding jets3t FTBFS with openjdk-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jets3t
Version: 0.8.1+dfsg-3
Severity: serious
Tags: buster sid

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/jets3t.html

...
compile:
[javac] Using javac -source 5 is no longer supported, switching to 1.6
[javac] Using javac -target 5 is no longer supported, switching to 1.6
[javac] Compiling 251 source files to /build/1st/jets3t-0.8.1+dfsg/build
[javac] warning: [options] bootstrap class path not set in conjunction with 
-source 1.6
[javac] warning: [options] source value 1.6 is obsolete and will be removed 
in a future release
[javac] warning: [options] target value 1.6 is obsolete and will be removed 
in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use 
-Xlint:-options.
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xC3) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]   ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xAE) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xC3) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]   ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xBC) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xC3) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac] ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xA1) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]  ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xCF) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac] ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0x80) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]  ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xC3) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]   ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xA5) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xE2) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac] ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0x80) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]  ^
[javac] 
/build/1st/jets3t-0.8.1+dfsg/src/org/jets3t/tests/BaseStorageServiceTests.java:509:
 error: unmappable character (0xA0) for encoding US-ASCII
[javac] "v??rtl-???h/t??s???ing.txt"
[javac]   ^
[javac] 

Bug#890107: marked as done (docker-runc FTBFS on s390x: kill.go:42:20: error: reference to undefined identifier 'syscall.SIGUNUSED')

[Debian Bug Tracking System]

Your message dated Thu, 07 Jun 2018 19:04:52 +1000
with message-id <4204230.vdgRMNco7k@deblab>
and subject line Done: docker-runc FTBFS on s390x: kill.go:42:20: error: 
reference to undefined identifier 'syscall.SIGUNUSED'
has caused the Debian Bug report #890107,
regarding docker-runc FTBFS on s390x: kill.go:42:20: error: reference to 
undefined identifier 'syscall.SIGUNUSED'
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890107
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: docker-runc
Version: 1.0.0~rc2+git+docker1.13.1~ds1-2
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=docker-runc=s390x=1.0.0~rc2%2Bgit%2Bdocker1.13.1~ds1-3=1518260100=0

...
github.com/urfave/cli
github.com/opencontainers/runc
# github.com/opencontainers/runc
src/github.com/opencontainers/runc/kill.go:42:20: error: reference to undefined 
identifier 'syscall.SIGUNUSED'
  "UNUSED": syscall.SIGUNUSED,
^
github.com/opencontainers/runc/libcontainer/devices
github.com/opencontainers/runc/libcontainer/xattr
github.com/opencontainers/runc/vendor/github.com/docker/docker/pkg/term/winconsole
dh_auto_build: cd _build && go install 
-gcflags=\"-trimpath=/<>/docker-runc-1.0.0\~rc2\+git\+docker1.13.1\~ds1/_build/src\"
 
-asmflags=\"-trimpath=/<>/docker-runc-1.0.0\~rc2\+git\+docker1.13.1\~ds1/_build/src\"
 -v -p 1 -tags "apparmor seccomp" github.com/opencontainers/runc 
github.com/opencontainers/runc/libcontainer 
github.com/opencontainers/runc/libcontainer/apparmor 
github.com/opencontainers/runc/libcontainer/cgroups 
github.com/opencontainers/runc/libcontainer/cgroups/fs 
github.com/opencontainers/runc/libcontainer/cgroups/systemd 
github.com/opencontainers/runc/libcontainer/configs 
github.com/opencontainers/runc/libcontainer/configs/validate 
github.com/opencontainers/runc/libcontainer/criurpc 
github.com/opencontainers/runc/libcontainer/devices 
github.com/opencontainers/runc/libcontainer/keys 
github.com/opencontainers/runc/libcontainer/label 
github.com/opencontainers/runc/libcontainer/nsenter 
github.com/opencontainers/runc/libcontainer/seccomp github.com/openconta
 iners/runc/libcontainer/selinux 
github.com/opencontainers/runc/libcontainer/specconv 
github.com/opencontainers/runc/libcontainer/stacktrace 
github.com/opencontainers/runc/libcontainer/system 
github.com/opencontainers/runc/libcontainer/user 
github.com/opencontainers/runc/libcontainer/utils 
github.com/opencontainers/runc/libcontainer/xattr 
github.com/opencontainers/runc/vendor/github.com/docker/docker/pkg/mount 
github.com/opencontainers/runc/vendor/github.com/docker/docker/pkg/symlink 
github.com/opencontainers/runc/vendor/github.com/docker/docker/pkg/term 
github.com/opencontainers/runc/vendor/github.com/docker/docker/pkg/term/winconsole
 
github.com/opencontainers/runc/vendor/github.com/opencontainers/runtime-spec/specs-go
 returned exit code 2
debian/rules:34: recipe for target 'override_dh_auto_build' failed
make[1]: *** [override_dh_auto_build] Error 2


I've also reproduced this with 1.0.0~rc2+git+docker1.13.1~ds1-2.
--- End Message ---
--- Begin Message ---
Source: docker-runc
Version: 1.0.0~rc2+git+docker1.13.1~ds1-4

Fixed. :)

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.


signature.asc
Description: This is a digitally signed message part.
--- End Message ---