Processed: Re: Bug#855124: geis-tools: geisview segfaults when run

[Debian Bug Tracking System]

Processing control commands:

> found 855124 2.2.17-1.1+b1
Bug #855124 [geis-tools] geis-tools: geisview segfaults when run
Ignoring request to alter found versions of bug #855124 to the same values 
previously set
> fixed 855124 2.2.17-1.2+b1
Bug #855124 [geis-tools] geis-tools: geisview segfaults when run
Marked as fixed in versions geis/2.2.17-1.2.

-- 
855124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855124: geis-tools: geisview segfaults when run

[Bernhard Übelacker]

Control: found 855124 2.2.17-1.1+b1
Control: fixed 855124 2.2.17-1.2+b1


Dear Maintainer,
this issue seems to be a problem with the default python
pointer/int sizes which seem to default
to 32 bit in stretch on amd64.
Attached patch tries to declare these to avoid the crashes.

For some reason this issue does not show up with a system
running with packages from unstable.

Kind regards,
Bernhard
From fb93de8120eafbe47e37038fbcdfb1232e8daee0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= 
Date: Wed, 8 May 2019 05:19:11 +0200
Subject: [PATCH] Add parameter and return type sizes for 64 bit systems.

https://bugs.debian.org/855124
---
 python/geis/geis_v2.py | 39 ---
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/python/geis/geis_v2.py b/python/geis/geis_v2.py
index edd8063..793355f 100644
--- a/python/geis/geis_v2.py
+++ b/python/geis/geis_v2.py
@@ -62,24 +62,40 @@ try:
 _geis_new.errcheck = _check_null
 _geis_delete = _geis_lib.geis_delete
 _geis_get_configuration = _geis_lib.geis_get_configuration
+_geis_get_configuration.argtypes = [ ctypes.c_void_p, ctypes.c_char_p ]
 _geis_dispatch_events = _geis_lib.geis_dispatch_events
+_geis_dispatch_events.argtypes = [ ctypes.c_void_p ]
 _geis_register_class_callback = _geis_lib.geis_register_class_callback
 _geis_register_device_callback = _geis_lib.geis_register_device_callback
 _geis_register_event_callback = _geis_lib.geis_register_event_callback
 _geis_next_event = _geis_lib.geis_next_event
+_geis_next_event.argtypes = [ ctypes.c_void_p, ctypes.c_void_p ]
 
 _geis_subscription_new = _geis_lib.geis_subscription_new
 _geis_subscription_new.restype = ctypes.c_void_p
+_geis_subscription_new.argtypes = [ ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int ]
 _geis_subscription_new.errcheck = _check_null
 _geis_subscription_delete = _geis_lib.geis_subscription_delete
 _geis_subscription_activate = _geis_lib.geis_subscription_activate
+_geis_subscription_activate.argtypes = [ ctypes.c_void_p ]
 _geis_subscription_deactivate = _geis_lib.geis_subscription_deactivate
 _geis_subscription_name = _geis_lib.geis_subscription_name
+_geis_subscription_add_filter = _geis_lib.geis_subscription_add_filter
+_geis_subscription_add_filter.argtypes = [ ctypes.c_void_p, ctypes.c_void_p ]
 
 _geis_attr_name = _geis_lib.geis_attr_name
 _geis_attr_name.restype = ctypes.c_char_p
+_geis_attr_name.argtypes = [ ctypes.c_void_p ]
 _geis_attr_type = _geis_lib.geis_attr_type
+_geis_attr_type.argtypes = [ ctypes.c_void_p ]
 _geis_attr_value_to_pointer = _geis_lib.geis_attr_value_to_pointer
+_geis_attr_value_to_pointer.restype = ctypes.c_void_p
+_geis_attr_value_to_pointer.argtypes = [ ctypes.c_void_p ]
+_geis_attr_value_to_string = _geis_lib.geis_attr_value_to_string
+_geis_attr_value_to_string.restype = ctypes.c_char_p
+_geis_attr_value_to_string.argtypes = [ ctypes.c_void_p ]
+_geis_attr_value_to_integer = _geis_lib.geis_attr_value_to_integer
+_geis_attr_value_to_integer.argtypes = [ ctypes.c_void_p ]
 
 _geis_event_type = _geis_lib.geis_event_type
 _geis_event_attr_count = _geis_lib.geis_event_attr_count
@@ -89,10 +105,14 @@ try:
 _geis_gesture_class_unref = _geis_lib.geis_gesture_class_unref
 _geis_gesture_class_name = _geis_lib.geis_gesture_class_name
 _geis_gesture_class_name.restype = ctypes.c_char_p
+_geis_gesture_class_name.argtypes = [ ctypes.c_void_p ]
 _geis_gesture_class_id = _geis_lib.geis_gesture_class_id
+_geis_gesture_class_id.argtypes = [ ctypes.c_void_p ]
 _geis_gesture_class_attr_count = _geis_lib.geis_gesture_class_attr_count
+_geis_gesture_class_attr_count.argtypes = [ ctypes.c_void_p ]
 _geis_gesture_class_attr = _geis_lib.geis_gesture_class_attr
 _geis_gesture_class_attr.restype = ctypes.c_void_p
+_geis_gesture_class_attr.argtypes = [ ctypes.c_void_p ]
 
 _geis_device_ref = _geis_lib.geis_device_ref
 _geis_device_unref = _geis_lib.geis_device_unref
@@ -125,6 +145,13 @@ try:
 _geis_frame_is_class = _geis_lib.geis_frame_is_class
 _geis_frame_touchid_count = _geis_lib.geis_frame_touchid_count
 _geis_frame_touchid = _geis_lib.geis_frame_touchid
+
+_geis_filter_new = _geis_lib.geis_filter_new
+_geis_filter_new.restype = ctypes.c_void_p
+_geis_filter_new.argtypes = [ ctypes.c_void_p, ctypes.c_char_p ]
+_geis_filter_add_term = _geis_lib.geis_filter_add_term
+_geis_filter_add_term.argtypes = [ ctypes.c_void_p, ctypes.c_int ]
+
 
 except AttributeError as ex:
 print(ex)
@@ -399,7 +426,7 @@ def _attr_type_float(attr):
 def _attr_type_integer(attr):
 """ Extracts an attribute value as a integer.
 """
-return _geis_lib.geis_attr_value_to_integer(attr)
+return _geis_attr_value_to_integer(attr)
 
 
 def _attr_type_pointer(attr):
@@ -412,9 +439,7 @@ def 

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

[Hideki Yamane]

Hi Salvatore,

 Can you follow his question? I guess debian revision should be
 6.1.5-1+deb9u1, but others are okay.


On Tue, 7 May 2019 23:15:58 +0900
Kentaro Hayashi  wrote:
> I maintain Groonga package as a DM, so I want to fix #928304.
> But I've never uploaded package to stable before, so I need help
>  to do it in a good manner.
> 
> I've attached debdiff against current version.
> Is it ok to upload stretch-security?



diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog
--- groonga-6.1.5/debian/changelog  2017-01-23 19:14:09.0 +0900
+++ groonga-6.1.5/debian/changelog  2019-05-07 22:33:11.0 +0900
@@ -1,3 +1,13 @@
+groonga (6.1.5-2) stretch-security; urgency=medium
+
+  * debian/groonga-httpd.logrotate
+debian/groonga-server-gqtp.logrotate
+- Mitigate privilege escalation by changing the owner and group of logs
+  with "su" option. Reported by Wolfgang Hotwagner.
+  (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi   Tue, 07 May 2019 22:33:11 +0900
+
 groonga (6.1.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate 
groonga-6.1.5/debian/groonga-httpd.logrotate
--- groonga-6.1.5/debian/groonga-httpd.logrotate2016-12-10 
15:18:50.0 +0900
+++ groonga-6.1.5/debian/groonga-httpd.logrotate2019-05-07 
22:33:11.0 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/httpd/*.log {
+su groonga groonga
 daily
 missingok
 rotate 30
 compress
 delaycompress
 notifempty
-create 640 groonga groonga
 sharedscripts
 postrotate
 . /etc/default/groonga-httpd
diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate 
groonga-6.1.5/debian/groonga-server-gqtp.logrotate
--- groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2016-12-10 
15:18:50.0 +0900
+++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate  2019-05-07 
22:33:11.0 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/*-gqtp.log {
+su groonga groonga
 daily
 missingok
 rotate 30
 compress
 delaycompress
 notifempty
-create 640 groonga groonga
 sharedscripts
 postrotate
 . /etc/default/groonga-server-gqtp

Bug#928631: firmware-amd-graphics: Update to 20190502-1 causus hang of system directly after grub

[Diederik de Haas]

Package: firmware-amd-graphics
Version: 20190502-1
Severity: critical
Justification: breaks the whole system

Today's Sid update brought in new kernel and various firmware updates, 
after which I rebooted the system. Saw Grub loading, but after it 
started kernel 4.19.0-5-amd64, it stopped loading the system.

My Asus Crosshair VII system gave Q-code 8 as error, which stands for 
"System Agent initialization after microcode loading".
Also tried booting with 4.19.0-4-amd64, but got the same error

Started up my LiveRescueCD stick, downloaded 
firmware-amd-graphics_20190114-1_all.deb, copied it to /root/ of my
normal system, chrooted into it and did 
"dpkg -i firmware-amd-graphics_20190114-1_all.deb" and then rebooted my
system, which now did start as normally.

As this is the only change I did, I'm quite sure I'm reporting it
against the correct package (in contrast to what reportbug tried to tell
me).

I have reported another bug against amd64-microcode which may be
relevant: 924895. 
Slight addition: I do sometimes get the spontanous reboots.

System info:
MB: Asus ROG CROSSHAIR VII HERO (BIOS: 2203)
CPU: AMD Ryzen 7 1800X Eight-Core Processor (family: 0x17, model: 0x1, 
stepping: 0x1)
GPU: Asus ROG Strix RX VEGA64 OC edition 8GB
# lspci -vv -s 0c:00.0
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Vega 
10 XL/XT [Radeon RX Vega 56/64] (rev c1) (prog-if 00 [VGA controller])
Subsystem: ASUSTeK Computer Inc. Vega 10 XL/XT [Radeon RX Vega 56/64]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- 
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- SERR- 
Capabilities: [50] Power Management version 3
Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA 
PME(D0-,D1+,D2+,D3hot+,D3cold+)
Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [64] Express (v2) Legacy Endpoint, MSI 00
DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 
unlimited
ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- 
Unsupported-
RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+
MaxPayload 256 bytes, MaxReadReq 512 bytes
DevSta: CorrErr+ UncorrErr- FatalErr- UnsuppReq+ AuxPwr- 
TransPend-
LnkCap: Port #0, Speed 8GT/s, Width x16, ASPM L0s L1, Exit 
Latency L0s <64ns, L1 <1us
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 8GT/s, Width x16, TrErr- Train- SlotClk+ 
DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR+, 
OBFF Not Supported
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, 
OBFF Disabled
LnkCtl2: Target Link Speed: 8GT/s, EnterCompliance- SpeedDis-
 Transmit Margin: Normal Operating Range, 
EnterModifiedCompliance- ComplianceSOS-
 Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -3.5dB, 
EqualizationComplete+, EqualizationPhase1+
 EqualizationPhase2+, EqualizationPhase3+, 
LinkEqualizationRequest-
Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
Address: fee0  Data: 
Capabilities: [100 v1] Vendor Specific Information: ID=0001 Rev=1 
Len=010 
Capabilities: [150 v2] Advanced Error Reporting
UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- 
RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- 
RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- 
RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
AERCap: First Error Pointer: 00, GenCap+ CGenEn- ChkCap+ ChkEn-
Capabilities: [200 v1] #15
Capabilities: [270 v1] #19
Capabilities: [2a0 v1] Access Control Services
ACSCap: SrcValid- TransBlk- ReqRedir- CmpltRedir- UpstreamFwd- 
EgressCtrl- DirectTrans-
ACSCtl: SrcValid- TransBlk- ReqRedir- CmpltRedir- UpstreamFwd- 
EgressCtrl- DirectTrans-
Capabilities: [2b0 v1] Address Translation Service (ATS)
ATSCap: Invalidate Queue Depth: 00
ATSCtl: Enable+, Smallest Translation Unit: 00
Capabilities: [2c0 v1] Page Request Interface (PRI)
PRICtl: Enable- Reset-
PRISta: RF- UPRGI- Stopped+
   

Bug#907348: fixed in dateutils 0.4.5-1

[Bernhard Übelacker]

Control: tags 907348 + patch upstream


Dear Maintainer,
I tried to have a look and tracked it down into the file
lib/leap-seconds.def which is generated by ltrcc.

Unfortunately this generator seems not prepared for at least i386.

With attached patch the generated file is equal to one
generated at amd64, and the tests pass on both architectures.

Could not find an matching upstream bug.

Kind regards,
Bernhard
>From 6f653805ee528e9068d3108af7227dea685f88ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= 
Date: Tue, 7 May 2019 19:13:21 +0200
Subject: [PATCH] Use unsigned type for leap second conversion.

https://bugs.debian.org/907348
---
 lib/ltrcc.c | 40 
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/lib/ltrcc.c b/lib/ltrcc.c
index 20c0e38..11c8a74 100644
--- a/lib/ltrcc.c
+++ b/lib/ltrcc.c
@@ -55,10 +55,10 @@
 #include "version.c"
 
 
-static __attribute__((pure, const)) long int
-ntp_to_unix_epoch(long int x)
+static __attribute__((pure, const)) unsigned long int
+ntp_to_unix_epoch(unsigned long int x)
 {
-	return x - 25567L * 86400L;
+	return x - 25567U * 86400U;
 }
 
 
@@ -68,7 +68,7 @@ ntp_to_unix_epoch(long int x)
 static int
 pr_line_corr(const char *line, size_t llen, va_list UNUSED(vap))
 {
-	static long int cor;
+	static unsigned long int cor;
 	char *sp, *ep;
 
 	if (llen == PROLOGUE) {
@@ -96,7 +96,7 @@ const int32_t %s[] = {\n\
 	/* otherwise process */
 	if ((sp = memchr(line, '\t', llen)) == NULL) {
 		return -1;
-	} else if ((ep = NULL, cor = strtol(++sp, , 10), ep == NULL)) {
+	} else if ((ep = NULL, cor = strtoul(++sp, , 10), ep == NULL || cor == ULONG_MAX)) {
 		return -1;
 	}
 
@@ -108,10 +108,10 @@ const int32_t %s[] = {\n\
 static int
 pr_line_d(const char *line, size_t llen, va_list vap)
 {
-	static long int cor;
+	static unsigned long int cor;
 	struct dt_d_s d;
 	dt_dtyp_t typ;
-	long int val;
+	unsigned long int val;
 	int colp;
 	char *ep;
 
@@ -155,7 +155,7 @@ const uint32_t %s[] = {\n\
 		return 0;
 	}
 	/* otherwise process */
-	if ((ep = NULL, val = strtol(line, , 10), ep == NULL)) {
+	if ((ep = NULL, val = strtoul(line, , 10), ep == NULL || val == ULONG_MAX)) {
 		return -1;
 	}
 
@@ -164,7 +164,7 @@ const uint32_t %s[] = {\n\
 	d = dt_dconv(typ, d);
 
 	if (!colp) {
-		if ((cor = strtol(ep, , 10), ep == NULL)) {
+		if ((cor = strtoul(ep, , 10), ep == NULL || val == ULONG_MAX)) {
 			return -1;
 		}
 		/* just output the line then */
@@ -179,9 +179,9 @@ const uint32_t %s[] = {\n\
 static int
 pr_line_dt(const char *line, size_t llen, va_list vap)
 {
-	static long int cor;
+	static unsigned long int cor;
 	dt_dtyp_t __attribute__((unused)) typ;
-	long int val;
+	unsigned long int val;
 	int colp;
 	char *ep;
 
@@ -225,7 +225,7 @@ const int32_t %s[] = {\n\
 		return 0;
 	}
 	/* otherwise process */
-	if ((ep = NULL, val = strtol(line, , 10), ep == NULL)) {
+	if ((ep = NULL, val = strtoul(line, , 10), ep == NULL || val == ULONG_MAX)) {
 		return -1;
 	}
 
@@ -234,15 +234,15 @@ const int32_t %s[] = {\n\
 	val = ntp_to_unix_epoch(val);
 
 	if (!colp) {
-		if ((cor = strtol(ep, , 10), ep == NULL)) {
+		if ((cor = strtoul(ep, , 10), ep == NULL || cor == ULONG_MAX)) {
 			return -1;
 		}
 		/* just output the line then */
-		fprintf(stdout, "\t{0x%xU/* %li */, %li},\n",
-			(uint32_t)val, val, cor);
+		fprintf(stdout, "\t{0x%lxU/* %li */, %li},\n",
+			val, val, cor);
 	} else {
 		/* column-oriented mode */
-		fprintf(stdout, "\t0x%xU/* %li */,\n", (uint32_t)val, val);
+		fprintf(stdout, "\t0x%lxU/* %li */,\n", val, val);
 	}
 	return 0;
 }
@@ -250,12 +250,12 @@ const int32_t %s[] = {\n\
 static int
 pr_line_t(const char *line, size_t llen, va_list vap)
 {
-	static long int cor;
+	static unsigned long int cor;
 	struct dt_t_s t = dt_t_initialiser();
 	dt_dtyp_t typ;
 	int colp;
 	char *ep;
-	long int val;
+	unsigned long int val;
 
 	/* extract type from inner list */
 	typ = va_arg(vap, dt_dtyp_t);
@@ -292,7 +292,7 @@ const uint32_t %s[] = {\n\
 		return 0;
 	}
 	/* otherwise process */
-	if ((ep = NULL, val = strtol(line, , 10), ep == NULL)) {
+	if ((ep = NULL, val = strtoul(line, , 10), ep == NULL || val == ULONG_MAX)) {
 		return -1;
 	}
 	val--;
@@ -303,7 +303,7 @@ const uint32_t %s[] = {\n\
 	t.hms.h = val % 24L;
 
 	/* read correction */
-	if ((val = strtol(ep, , 10), ep == NULL)) {
+	if ((val = strtoul(ep, , 10), ep == NULL || val == ULONG_MAX)) {
 		return -1;
 	}
 
-- 
2.20.1



# Unstable i386 qemu VM 2019-05-07
# Unstable amd64 qemu VM 2019-05-07


apt update
apt dist-upgrade


apt install systemd-coredump fakeroot gdb git strace
apt build-dep dateutils


mkdir /home/benutzer/source/dateutils/orig -p
cd/home/benutzer/source/dateutils/orig
apt source dateutils
cd


cd /home/benutzer/source/dateutils
cp orig try1 -a
cd try1/dateutils-0.4.5
dpkg-buildpackage


i386:
# TOTAL: 855
# PASS:  841
# SKIP:  0
# XFAIL: 0
# FAIL:  14
# XPASS: 0
  

Processed: Re: Bug#907348: fixed in dateutils 0.4.5-1

[Debian Bug Tracking System]

Processing control commands:

> tags 907348 + patch upstream
Bug #907348 [src:dateutils] dateutils FTBFS on 32bit: test failures
Added tag(s) patch and upstream.

-- 
907348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907348
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#926180: scilab: FTBFS on all - New trouble

[Alexis Murzeau]

Le 03/05/2019 à 18:39, Sylvestre Ledru a écrit :
> What about starting a xvfb during the build?
> 
> Does it fix the issue?
> 
> S
> 
> 
> Le 03/05/2019 à 16:50, Alexis Murzeau a écrit :
>> Hi,
>>
>> Indeed, I tried in a virtual machine:
>>   - install scilab
>>   - run `LANG=en_US.UTF-8 LC_ALL=C SCI_DISABLE_TK=1
>> SCI_JAVA_ENABLE_HEADLESS=1 _JAVA_OPTIONS='-Djava.awt.headless=true'
>> HOME=/tmp scilab-adv-cli -noatomsautoload -nb -l en_US -nouserstartup -e
>> "try xmltojar([],[],'en_US');catch disp(lasterror());
>> exit(-1);end;exit(0);"`
>>
>> And, while connected via ssh using Putty, I got this:
>> ```
>> [snip]
>>
>>  [6]:
>> jogamp.opengl.SharedResourceRunner.run(SharedResourceRunner.java:353)
>>  [7]: java.base/java.lang.Thread.run(Thread.java:834)
>> commons module not found.
>> graphic_objects module not found.
>> ui_data module not found.
>> graph module not found.
>> history_browser module not found.
>> slint module not found.
>> coverage module not found.
>> ```
>>
> 

Despite having *almost* the same output when calling manually the
command line outside of a build context, when I do a sbuild, I do not
have errors as x86-bm-01 have. So I think the manual run has unrelated
issues to this bug.

Actually, the build that doesn't fail (on x86-csail-02) also has the
GLException exception (search for "-- Building documentation (en_US) --"
in the logs).

The difference starts here:
```
A fatal error has been detected by Scilab.
Please check your user-defined functions (or external module ones)
should they appear in the stack trace.
Otherwise you can report a bug on http://bugzilla.scilab.org/ with:
 * a sample code which reproduces the issue
 * the result of [a, b] = getdebuginfo()
 * the following information:
[x86-bm-01:08312] Signal: Illegal instruction (4)
[x86-bm-01:08312] Signal code: Illegal operand (2)
[x86-bm-01:08312] Failing at address: 0x7ff0c87e3dcf

Call stack:
   1: 0xb2d791 
(/usr/lib/jvm/default-java/lib/server/libjvm.so)
   2: 0xb222b8 < >
(/usr/lib/jvm/default-java/lib/server/libjvm.so)
   3: 0x12730  < >
(/lib/x86_64-linux-gnu/libpthread.so.0)
   4: ??(?)
End of stack

```

Where the working log has a java.lang.IllegalStateException
 exception instead. Maybe there is a memory corruption somewhere in
native code that doesn't always cause a jvm crash.

I fear the crash happen in java code, this stacktrace is not very good :(

I'm trying to run that command with valgrind, but this is very slow.

-- 
Alexis Murzeau
PGP: B7E6 0EBB 9293 7B06 BDBC  2787 E7BD 1904 F480 937F



signature.asc
Description: OpenPGP digital signature

Bug#928624: marked as done (node-axios: CVE-2019-10742)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 21:18:26 +
with message-id 
and subject line Bug#928624: fixed in node-axios 0.17.1+dfsg-2
has caused the Debian Bug report #928624,
regarding node-axios: CVE-2019-10742
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928624
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-axios
Version: 0.17.1+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/1098

Hi,

The following vulnerability was published for node-axios.

CVE-2019-10742[0]:
| Axios up to and including 0.18.0 allows attackers to cause a denial of
| service (application crash) by continuing to accepting content after
| maxContentLength is exceeded.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742
[1] https://github.com/axios/axios/issues/1098

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-axios
Source-Version: 0.17.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
node-axios, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard  (supplier of updated node-axios package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 07 May 2019 22:59:58 +0200
Source: node-axios
Architecture: source
Version: 0.17.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Closes: 928624
Changes:
 node-axios (0.17.1+dfsg-2) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.3.0
   * Add upstream/metadata
   * Add patch to destroy stream on exceeding maxContentLength
 (Closes: #928624, CVE-2019-10742)
   * Fix debian/copyright format URL
Checksums-Sha1: 
 c79bb062fa6faba6ded1ffbc9a478c6e2fbce699 2247 node-axios_0.17.1+dfsg-2.dsc
 67018b26a2d9dd5a8340d07d7f19826644f3a52f 3912 
node-axios_0.17.1+dfsg-2.debian.tar.xz
Checksums-Sha256: 
 ab1bbf8ef57ffd48bc1ae338825121ebb3f73157d41aa838ca516fd29b73bf25 2247 
node-axios_0.17.1+dfsg-2.dsc
 1a2d12755810749c29dbdd432702583424b7a4aa01142a3a105d2e7eb5c12f4d 3912 
node-axios_0.17.1+dfsg-2.debian.tar.xz
Files: 
 48b7115fd2a999e639f12c4237c00308 2247 javascript optional 
node-axios_0.17.1+dfsg-2.dsc
 8b4dedef3e4a03e5258af43127ebb1f0 3912 javascript optional 
node-axios_0.17.1+dfsg-2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlzR8vAACgkQ9tdMp8mZ
7ukjpxAAkRT+8O8oRihxqlY90Hsq/3x/Rb+q0zIYzdOyPc56QwKpkvwrVeXNkc0W
XVyamoXbFHGfWfdFKdxpvmhyvJ6+MddezANbG/akTGLBoQHm38JE/XZ8P+XxCuXK
/GBDUEnTSvrBOglAX3xBKTybleHijYLb2bQQ0ElA2sreeAuNXFchWYw2XjteXg/g
TpaWhBpXfpKL6iWH5X9VLCvRHkT4vQc7z0BIsXQDkaavnivHBmLQCmnNLk8yk/Od
+Z3n5GRAvyQwyqA0uJpftvLPKPvr0juRIbxcim3hec6U84DVZYO/lyz9Q79mr0v2
T/O6/39lglDsTyu2+aiPh2rGVALU0hnwSnmn7pzrTDRWnO3KXTusUlTpFBwk0fnh
M3vk/8vEhy0obj5abuijtdRM8RLqhRQN6aMXuEhmFxHX6KYPm6c9/4l8LW/yOn/H
ON87/bGfZTWET7gonoRTWA27W4LoalN8cvkaxYcLwfuO+RV/mxqxOTWbcXLfFU3w
ugTtkJgAPvMIVd4LD1OEoRsgClMxZorsfTxf+GtM8SOsWLRdcWHtIbH9LFiD3EEP
AnMelbDrvkIXS4hvXZcYZJuF2oC+SVtP7e8LZIPyz/anvGYQjhmd7ZPQpULYa3Lw
BNM6giwQW49BWAoGCWZEPnV3jKXJ5f/6DxY+dlDIjSwFUkQE4X8=
=tDlX
-END PGP SIGNATURE End Message ---

Processed: Bug#928624 marked as pending in node-axios

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #928624 [src:node-axios] node-axios: CVE-2019-10742
Added tag(s) pending.

-- 
928624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928624
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#928624: marked as pending in node-axios

[Xavier Guimard]

Control: tag -1 pending

Hello,

Bug #928624 in node-axios reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-axios/commit/9d57cce23335862309d0341d9e0a2a1b204b7adc


Add patch to destroy stream on exceeding maxContentLength (Closes: #928624, 
CVE-2019-10742)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/928624

Bug#928624: node-axios: CVE-2019-10742

[Salvatore Bonaccorso]

Source: node-axios
Version: 0.17.1+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/1098

Hi,

The following vulnerability was published for node-axios.

CVE-2019-10742[0]:
| Axios up to and including 0.18.0 allows attackers to cause a denial of
| service (application crash) by continuing to accepting content after
| maxContentLength is exceeded.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742
[1] https://github.com/axios/axios/issues/1098

Regards,
Salvatore

Bug#928495: marked as done (nzbget: Gui missing all graphical elements due to missing symlink)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 18:18:43 +
with message-id 
and subject line Bug#928495: fixed in nzbget 21.0+dfsg-2
has caused the Debian Bug report #928495,
regarding nzbget: Gui missing all graphical elements due to missing symlink
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928495
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nzbget
Version: 21.0+dfsg-1
Severity: serious
Tags: patch
Justification: 908427

Dear Maintainer,

The following symlinks are missing from this release:
/usr/share/nzbget/webui/lib/bootstrap.min.js -> ../../../javascript/twitter-
bootstrap/js/bootstrap.min.js
/usr/share/nzbget/webui/lib/bootstrap.js -> ../../../javascript/twitter-
bootstrap/js/bootstrap.js
/usr/share/nzbget/webui/lib/bootstrap.css -> ../../../javascript/twitter-
bootstrap/css/bootstrap.css


The workaround is to recreate them:

cd /usr/share/nzbget/webui/lib
ln -s ../../../javascript/twitter-bootstrap/css/bootstrap.css bootstrap.css
ln -s ../../../javascript/twitter-bootstrap/js/bootstrap.js bootstrap.js
ln -s ../../../javascript/twitter-bootstrap/js/bootstrap.min.js
bootstrap.min.js



-- System Information:
Debian Release: 10.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nzbget depends on:
ii  libc62.28-10
ii  libgcc1  1:8.3.0-2
ii  libjs-elycharts  2.1.5+ds-3
ii  libjs-raphael2.1.0-1
ii  libncurses6  6.1+20181013-2
ii  libssl1.11.1.1b-2
ii  libstdc++6   8.3.0-2
ii  libtinfo66.1+20181013-2
ii  libxml2  2.9.4+dfsg1-7+b3
ii  zlib1g   1:1.2.11.dfsg-1

Versions of packages nzbget recommends:
ii  python3  3.7.3-1
ii  unrar1:5.6.6-2

Versions of packages nzbget suggests:
ii  par2  0.8.0-1

-- Configuration Files:
/etc/nzbget.conf changed [not included]

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: nzbget
Source-Version: 21.0+dfsg-2

We believe that the bug you reported is fixed in the latest version of
nzbget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Moog  (supplier of updated nzbget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 06 May 2019 19:28:58 +0200
Source: nzbget
Architecture: source
Version: 21.0+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Andreas Moog 
Changed-By: Andreas Moog 
Closes: 928495
Changes:
 nzbget (21.0+dfsg-2) unstable; urgency=medium
 .
   * Install webui libs (Closes: #928495)
Checksums-Sha1:
 a668a9c74fda8bad39989b736e7eb927920c46f9 1968 nzbget_21.0+dfsg-2.dsc
 0b657eebc31f31034d2bcf5e3b83901819cde1d9 27504 nzbget_21.0+dfsg-2.debian.tar.xz
 81241a6287a95243cf39d52134d60300b0f05699 6720 
nzbget_21.0+dfsg-2_source.buildinfo
Checksums-Sha256:
 0c05ec41da0184328cf7c870bde051a466268e1c7e1e52826394d2a8c59836d8 1968 
nzbget_21.0+dfsg-2.dsc
 25209f04eae5139df956d8b28388abbd91639d14bb6fdd59805e5db3442fd07f 27504 
nzbget_21.0+dfsg-2.debian.tar.xz
 412e112920fa9f151723784599204c026f012b592b11806ce0e7aa48a75e7f26 6720 
nzbget_21.0+dfsg-2_source.buildinfo
Files:
 9833d40063212b538f26e83af3064956 1968 net optional nzbget_21.0+dfsg-2.dsc
 f8f541904459f44f45abc1c9c96e5d67 27504 net optional 
nzbget_21.0+dfsg-2.debian.tar.xz
 fb3ff18399d97a3dd5e30c4083d98582 6720 net optional 
nzbget_21.0+dfsg-2_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJOBAEBCgA4FiEEdM3Z/lvL/g0T7o7qYfNEJnTeZiQFAlzRrbgaHGFuZHJlYXMu
bW9vZ0B3YXJwZXJiYnMuZGUACgkQYfNEJnTeZiSRUw/+OenHCyD8Vib7f5POHmZs
j2yVx+2sc7Nbsu43Ejdu3AgdtJZYEEKq+vallxx/IFBPrNiFEHe2epmQYivzh5ej
BP/zsrJqUUaRKyCS+uHGCTm4G21BUh7Bcj+tfzSBFXeqjl+KQYauEX5++JYOtOXG

Bug#926952: marked as done (sa-exim: Unbuildable/uninstallable in sid)

[Debian Bug Tracking System]

Your message dated Tue, 7 May 2019 20:02:38 +0200
with message-id <20190507180238.gd1...@argenau.bebt.de>
and subject line Re: Bug#926952: sa-exim: Unbuildable/uninstallable in sid
has caused the Debian Bug report #926952,
regarding sa-exim: Unbuildable/uninstallable in sid
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926952
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sa-exim
Version: 4.2.1-16
Severity: serious
Control: block -1 by 879687

Hello,

with exim4/4.92-5 I have dropped support for sa-exim:

The dlopen localscan patch in exim4 has been nonfunctional in unstable
for quite some time (4.92~RC2-1/experimental/18 Dec, 4.92~RC3-1
unstable/26 Dec and buster/03 Jan). The issue only popped up end of
March on the upstream user support ML.

At this time I opened a tracking bug in exim #925982 and looked at
sa-exim. It is dead upstream since 2006 and buggy:
* https://lists.exim.org/lurker/message/20180726.113354.6d03efde.en.html
* #879687

(This might be same issue, I just do not know. Chunking is
enabled by (upstream) default.)

At this point we (exim4) decided that this was a good time to finally
drop the dlopen localscan patch. We did that and adopted exim
accordingly:

- improve the example/docs for content-scanning in exim without sa-exim
- drop the abovementioned patch and the virtual Provides for
  exim4-localscanapi-2.0 and also drop the exim-dev package (only
  needed for sa-exim). Exim now also Conflicts with sa-exim.

However, what I did *not* do was consult you before I did this. I am
sorry for that. It is still possible to reinstate exim-dev and try to
fix exim to make sa-exim work again. But imho only if sa-exim is fixed
in the first place and is tested and found to be working with current
exim.

What are your thoughts on this?

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
On 2019-05-04 Magnus Holmgren  wrote:
[...]
> which handles CRLF line endings when scanning headers. Do you think that you 
> can then re-enable local_scan for the release?

Thanks for looking into this in detail. I gather that stuff is (now)
a lot less broken than I thought it was.

I have just uploaded -6 unchanged to unstable and am therefore closing
this report.

cu Andreas
PS: Sorry for the delay, I was basically offline last week.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


signature.asc
Description: PGP signature
--- End Message ---

Bug#914034: Bug#911938: libhttp-daemon-ssl-perl FTBFS: tests fail: Connection refused

[Guilhem Moulin]

Hi Dimitri,

On Tue, 07 May 2019 at 15:46:25 +0100, Dimitri John Ledkov wrote:
> On Tue, 7 May 2019 14:16:43 +0100 Dimitri John Ledkov  wrote:
>> This issue concerns me a lot at the moment. I am currently trying to
>> upgrade OpenSSL from 1.1.0 to 1.1.1 in Ubuntu 18.04 LTS (bionic). And
>> as far as I understand all the comment on this debian bug report,
>> current application are potentially broken and brokeness happens more
>> often with TLSv1.3 and the new OpenSSL 1.1.1 defaults
>> (SSL_MODE_AUTO_RETRY).
>>
>> As far as I understand we do not have a fixed LWP that works correctly
>> in blocking, non-blocking, tls 1.2 and tls 1.3. To prevent regressing
>> existing users further, does it make sense for me to make updates in
>> bionic that:
>>
>> 1) limit SSL_new and SSL_CTX_new to TLS v1.2 max
>> and
>> 2) disable SSL_MODE_AUTO_RETRY by default for TLS v1.2 connections?
>>
>> My goal is to keep existing breakages as is, without introducing new
>> ones, whilst getting OpenSSL 1.1.1 into bionic. Granted this will not
>> get TLS v1.3 enabled for perl server/clients without code changes, but
>> oh well. Those who want it, will be able to force / start using it.

It's IMHO unfortunate to change the default in Net::SSLeay, as TLSv1.3
brings quite a few improvements (in terms of security as well as
performance).  OpenSSL 1.1.1 was released on 11 Sep 2018 and uploaded to
sid the day after, breaking programs using select()/poll() with blocking
I/O; this is not specific to Perl bindings — other languages are also
affected — yet no one is suggesting to disable TLSv1.3 globally in
libssl :-)

If TLSv1.3 should be disabled (and the SSL_MODE_AUTO_RETRY flag cleared)
then IMHO I think it should be done as close at possible to the leaf
application (LWP in this case), not in the library itself.  After all we
have only one RC bug about this, so I guess other programs (in any
language) 1/ have workarounds; 2/ aren't using select()/poll() with
blocking I/O; or 3/ aren't affected because they never used SSL_read()
as documented.  IHMO the libssl change shouldn't be reason to penalize
all applications, given most seems unaffected.

I still think the right fix is to make SSL_MODE_AUTO_RETRY (or even the
whole mode bitmask mode?) configurable in IO::Socket::SSL, and clear it
in programs and libraries using select()/poll() with blocking I/O, such
as LWP in this case.  AFAICT that follows the intention of OpenSSL's
development team, unlike global library changes.  AFAICT the attached
patch (to sid's IO::Socket::SSL and LWP::Protocol::https, respectively
2.060-3 and 6.36-1) fixes the problem for me, while preserving TLSv1.3
support and default.
 
> I proposed the following patch upstream / request for comments
> https://github.com/radiator-software/p5-net-ssleay/pull/139

I personally don't like this change as I hope Buster's Net::SSLeay and
other SSL libraries will default to TLSv1.3 on capable servers :-)  2
comments anyway:

  * OpenSSL <1.1.0 has no SSL_CTX_set_max_proto_version(), so an OpenSSL
version test is lacking (nothing more as <1.1.0 has no TLSv1.3
support and SSL_MODE_AUTO_RETRY is unset by default).
 
  * Disabling TLSv1.3 won't always prevent hangs, you also need to clear
SSL_MODE_AUTO_RETRY to revert to the pre-1.1.1 defaults.  With
TLSv1.2, SSL_read() returns SSL_ERROR_WANT_READ upon renegotiation,
causing applications using select()/poll() with blocking I/O to hang
if SSL_MODE_AUTO_RETRY is set.

Cheers,
-- 
Guilhem, who isn't not in the Debian Perl team, but who would be quite
sad to have to wait one full release cycle for out-of-the-box TLSv1.3
support.
--- a/IO/Socket/SSL.pm
+++ b/IO/Socket/SSL.pm
@@ -260,6 +260,14 @@
 	INIT { init() }
 	init();
 }
+
+if (!defined ::SSLeay::CTX_clear_mode) {
+	# assume SSL_CTRL_CLEAR_MODE being 78 since it was always this way
+	*Net::SSLeay::CTX_clear_mode = sub {
+	my ($ctx,$opt) = @_;
+	Net::SSLeay::CTX_ctrl($ctx,78,$opt,0);
+	};
+}
 }
 
 # global defaults which can be changed using set_defaults
@@ -2433,6 +2441,11 @@
 	# cannot guarantee, that the location of the buffer stays constant
 	Net::SSLeay::CTX_set_mode( $ctx,
 	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE);
+	# Clear SSL_MODE_AUTO_RETRY on request; useful for applications using select/poll
+	# with blocking I/O. (Since OpenSSL 1.1.1 SSL_MODE_AUTO_RETRY is enabled by
+	# default, making such applications hang.)
+	Net::SSLeay::CTX_clear_mode( $ctx, Net::SSLeay::MODE_AUTO_RETRY() )
+		if $arg_hash->{SSL_mode_auto_no_retry};
 
 	if ( my $proto_list = $arg_hash->{SSL_npn_protocols} ) {
 	return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay",9)
--- a/LWP/Protocol/https.pm
+++ b/LWP/Protocol/https.pm
@@ -32,6 +32,11 @@
 $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt';
 	}
 }
+# Clear SSL_MODE_AUTO_RETRY as LWP uses select with blocking I/O.
+# (Since OpenSSL 1.1.1 SSL_MODE_AUTO_RETRY is enabled 

Bug#927944: marked as done (node-unicode-data: FTBFS with unicode-data >= 12.0.0)

[Debian Bug Tracking System]

Your message dated Tue, 7 May 2019 17:15:11 +0200
with message-id 
and subject line Fixed in version 0~20190414+gitbf518e99-2
has caused the Debian Bug report #927944,
regarding node-unicode-data: FTBFS with unicode-data >= 12.0.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-unicode-data
Version: 0~20181101+gitaddfb440-1
Severity: serious
Justification: Policy 4.2

node-unicode-data FTBFS with unicode-data 12.0.0 and needs to be updated.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_IE.UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8) (ignored: LC_ALL set to 
en_IE.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
fixed 927944 0~20190414+gitbf518e99-2

stop--- End Message ---

Processed: Fixed in version 0~20190414+gitbf518e99-2

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> fixed 927944 0~20190414+gitbf518e99-2
Bug #927944 [src:node-unicode-data] node-unicode-data: FTBFS with unicode-data 
>= 12.0.0
Marked as fixed in versions node-unicode-data/0~20190414+gitbf518e99-2.
> stop
Stopping processing here.

Please contact me if you need assistance.
-- 
927944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#928440: marked as done (dhcpcd5: CVE-2019-11766: DHCPv6: Potential read overflow with D6_OPTION_PD_EXCLUDE)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 15:48:35 +
with message-id 
and subject line Bug#928440: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928440,
regarding dhcpcd5: CVE-2019-11766: DHCPv6: Potential read overflow with 
D6_OPTION_PD_EXCLUDE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928440: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928440
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dhcpcd5
Version: 7.1.0-1
Severity: serious
Tags: security upstream fixed-upstream

Dear Maintainer,

another week - another bug ;) Upstream released version 7.2.2 of dhcpcd5 fixing 
another potential security issue in DHCPv6. All versions currently supported in 
Debian (jessie, stretch, buster, sid) seem to be vulnerable [1].

The following issue has been fixed (copied from upstream's announcement):
  *  DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE


Upstream provides two patches for version 7 which would be relevant for buster 
and sid [2][3]. In addition, version 6.10.7 was released addressing the same 
issue. The patches from this release might be useful for backporting to stretch 
and jessie [4][5].

Please consider applying/backporting those patches in your next round of 
uploads.

Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002428.html
[2] 
https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-7=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8
[3] 
https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-7=896ef4a54b0578985e5e1360b141593f1d62837b
[4] 
https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-6=c8887c666aacd01bc8f420d617d538cb9fef54f3
[5] 
https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-6=eb7aee47581bea64a93080abbde06bd6714321e6
--- End Message ---
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett  (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett 
Changed-By: Scott Leggett 
Description:
 dhcpcd5- DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
 CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
 (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling
Checksums-Sha1:
 6d7058d48b9456da69d0fb7370ff27567aa4b83a 1932 dhcpcd5_7.1.0-2.dsc
 3a3fd4013fb0a21097319713b3af168190f26ae4 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 75f83a28ce2e103a274ae7c8157adaaee1bb362a 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 d64151559e91dc2b36ba530f869d1abbd988b2cf 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 eaeb6d6ac60b03b5578397bfa9978d5570f88993 163448 dhcpcd5_7.1.0-2_amd64.deb
Checksums-Sha256:
 6defc54426e666561d850792d903ed3136a435021ed35219883823317f91fbfd 1932 
dhcpcd5_7.1.0-2.dsc
 5cd77586c7fe16207828ce23df70638f4a0d46040eefe0237299394802d11890 13524 
dhcpcd5_7.1.0-2.debian.tar.xz
 1387dd61520f487be36a08b540861d97897739842a24933616d83e69279b3089 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 5e69c2fcfb29319364654de3dba1e267d43d0e42fffb3aa1d2a2b05adcf23a01 5500 
dhcpcd5_7.1.0-2_amd64.buildinfo
 7b7d4dd0416616232df3add2cc4d462adae9206e0e56ac2ee29134fb76d86f24 163448 
dhcpcd5_7.1.0-2_amd64.deb
Files:
 8f5f652f1a080f00a97909b30f99614a 1932 net optional dhcpcd5_7.1.0-2.dsc
 9fd8b0b0731d3b6acd9130559673ce50 13524 net optional 
dhcpcd5_7.1.0-2.debian.tar.xz
 1364ae4b938da32dfbc3aab67eeed050 425436 debug optional 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 8de3c768961cda5d1c2cc1f37f872888 5500 net optional 
dhcpcd5_7.1.0-2_amd64.buildinfo
 4914574c4a470c0e4823b440a311e6de 163448 net optional 

Bug#928105: marked as done (dhcpcd5: CVE-2019-11577: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 15:48:35 +
with message-id 
and subject line Bug#928105: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928105,
regarding dhcpcd5: CVE-2019-11577: DHCPv6: Fix a potential buffer overflow 
reading NA/TA addresses
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues. All 
versions currently found in Debian (jessie, stretch, buster, sid) are 
vulnerable to at least two of these issues, according to the announcement on 
upstreams's mailinglist [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack consttime_memequal is 
supplied if libc does not support it
 dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
 dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
 dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for 
buster and sid [2]. In addition, version 6.10.6 was released with backported 
fixes for the first two issues [3][4]. These might be useful for backporting to 
stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found 
in Debian. I have not checked the exploitability of these issues, so the 
severity might not be as serious. But I marked it serious anyway to make sure 
this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
--- End Message ---
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett  (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett 
Changed-By: Scott Leggett 
Description:
 dhcpcd5- DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
 CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
 (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling
Checksums-Sha1:
 6d7058d48b9456da69d0fb7370ff27567aa4b83a 1932 dhcpcd5_7.1.0-2.dsc
 3a3fd4013fb0a21097319713b3af168190f26ae4 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 75f83a28ce2e103a274ae7c8157adaaee1bb362a 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 d64151559e91dc2b36ba530f869d1abbd988b2cf 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 eaeb6d6ac60b03b5578397bfa9978d5570f88993 163448 dhcpcd5_7.1.0-2_amd64.deb
Checksums-Sha256:
 6defc54426e666561d850792d903ed3136a435021ed35219883823317f91fbfd 1932 
dhcpcd5_7.1.0-2.dsc
 5cd77586c7fe16207828ce23df70638f4a0d46040eefe0237299394802d11890 13524 
dhcpcd5_7.1.0-2.debian.tar.xz
 1387dd61520f487be36a08b540861d97897739842a24933616d83e69279b3089 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 5e69c2fcfb29319364654de3dba1e267d43d0e42fffb3aa1d2a2b05adcf23a01 5500 
dhcpcd5_7.1.0-2_amd64.buildinfo
 7b7d4dd0416616232df3add2cc4d462adae9206e0e56ac2ee29134fb76d86f24 163448 
dhcpcd5_7.1.0-2_amd64.deb
Files:
 

Bug#928056: marked as done (dhcpcd5: CVE-2019-11578: auth: Use consttime_memequal to avoid latency attack)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 15:48:35 +
with message-id 
and subject line Bug#928056: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928056,
regarding dhcpcd5: CVE-2019-11578: auth: Use consttime_memequal to avoid 
latency attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues. All 
versions currently found in Debian (jessie, stretch, buster, sid) are 
vulnerable to at least two of these issues, according to the announcement on 
upstreams's mailinglist [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack consttime_memequal is 
supplied if libc does not support it
 dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
 dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
 dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for 
buster and sid [2]. In addition, version 6.10.6 was released with backported 
fixes for the first two issues [3][4]. These might be useful for backporting to 
stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found 
in Debian. I have not checked the exploitability of these issues, so the 
severity might not be as serious. But I marked it serious anyway to make sure 
this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
--- End Message ---
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett  (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett 
Changed-By: Scott Leggett 
Description:
 dhcpcd5- DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
 CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
 (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling
Checksums-Sha1:
 6d7058d48b9456da69d0fb7370ff27567aa4b83a 1932 dhcpcd5_7.1.0-2.dsc
 3a3fd4013fb0a21097319713b3af168190f26ae4 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 75f83a28ce2e103a274ae7c8157adaaee1bb362a 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 d64151559e91dc2b36ba530f869d1abbd988b2cf 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 eaeb6d6ac60b03b5578397bfa9978d5570f88993 163448 dhcpcd5_7.1.0-2_amd64.deb
Checksums-Sha256:
 6defc54426e666561d850792d903ed3136a435021ed35219883823317f91fbfd 1932 
dhcpcd5_7.1.0-2.dsc
 5cd77586c7fe16207828ce23df70638f4a0d46040eefe0237299394802d11890 13524 
dhcpcd5_7.1.0-2.debian.tar.xz
 1387dd61520f487be36a08b540861d97897739842a24933616d83e69279b3089 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 5e69c2fcfb29319364654de3dba1e267d43d0e42fffb3aa1d2a2b05adcf23a01 5500 
dhcpcd5_7.1.0-2_amd64.buildinfo
 7b7d4dd0416616232df3add2cc4d462adae9206e0e56ac2ee29134fb76d86f24 163448 
dhcpcd5_7.1.0-2_amd64.deb
Files:
 

Bug#928104: marked as done (dhcpcd5: CVE-2019-11579: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 15:48:35 +
with message-id 
and subject line Bug#928104: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928104,
regarding dhcpcd5: CVE-2019-11579: DHCP: Fix a potential 1 byte read overflow 
with DHO_OPTSOVERLOADED
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928104: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928104
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues. All 
versions currently found in Debian (jessie, stretch, buster, sid) are 
vulnerable to at least two of these issues, according to the announcement on 
upstreams's mailinglist [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack consttime_memequal is 
supplied if libc does not support it
 dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
 dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
 dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for 
buster and sid [2]. In addition, version 6.10.6 was released with backported 
fixes for the first two issues [3][4]. These might be useful for backporting to 
stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found 
in Debian. I have not checked the exploitability of these issues, so the 
severity might not be as serious. But I marked it serious anyway to make sure 
this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] 
https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
--- End Message ---
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett  (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett 
Changed-By: Scott Leggett 
Description:
 dhcpcd5- DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
 CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
 (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling
Checksums-Sha1:
 6d7058d48b9456da69d0fb7370ff27567aa4b83a 1932 dhcpcd5_7.1.0-2.dsc
 3a3fd4013fb0a21097319713b3af168190f26ae4 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 75f83a28ce2e103a274ae7c8157adaaee1bb362a 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 d64151559e91dc2b36ba530f869d1abbd988b2cf 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 eaeb6d6ac60b03b5578397bfa9978d5570f88993 163448 dhcpcd5_7.1.0-2_amd64.deb
Checksums-Sha256:
 6defc54426e666561d850792d903ed3136a435021ed35219883823317f91fbfd 1932 
dhcpcd5_7.1.0-2.dsc
 5cd77586c7fe16207828ce23df70638f4a0d46040eefe0237299394802d11890 13524 
dhcpcd5_7.1.0-2.debian.tar.xz
 1387dd61520f487be36a08b540861d97897739842a24933616d83e69279b3089 425436 
dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 5e69c2fcfb29319364654de3dba1e267d43d0e42fffb3aa1d2a2b05adcf23a01 5500 
dhcpcd5_7.1.0-2_amd64.buildinfo
 7b7d4dd0416616232df3add2cc4d462adae9206e0e56ac2ee29134fb76d86f24 163448 
dhcpcd5_7.1.0-2_amd64.deb
Files:
 

Bug#928552: marked as done (texlive-fonts-extra-links: missing Breaks+Replaces: texlive-fonts-extra (<< 2019))

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 15:11:44 +
with message-id 
and subject line Bug#928552: fixed in texlive-extra 2019.20190507-1
has caused the Debian Bug report #928552,
regarding texlive-fonts-extra-links: missing Breaks+Replaces: 
texlive-fonts-extra (<< 2019)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928552
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-fonts-extra-links
Version: 2019.20190506-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'sid' to 'experimental'.
It installed fine in 'sid', then the upgrade to 'experimental' fails
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces

>From the attached log (scroll to the bottom...):

  Preparing to unpack .../texlive-fonts-extra-links_2019.20190506-1_all.deb ...
  Unpacking texlive-fonts-extra-links (2019.20190506-1) ...
  dpkg: error processing archive 
/var/cache/apt/archives/texlive-fonts-extra-links_2019.20190506-1_all.deb 
(--unpack):
   trying to overwrite 
'/usr/share/texlive/texmf-dist/fonts/opentype/public/ebgaramond/EBGaramond-Initials.otf',
 which is also in package texlive-fonts-extra 2018.20190227-2
  Errors were encountered while processing:
   /var/cache/apt/archives/texlive-fonts-extra-links_2019.20190506-1_all.deb


cheers,

Andreas


texlive-fonts-extra=2018.20190227-2_texlive-fonts-extra-links=2019.20190506-1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: texlive-extra
Source-Version: 2019.20190507-1

We believe that the bug you reported is fixed in the latest version of
texlive-extra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining  (supplier of updated texlive-extra 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 07 May 2019 14:41:03 +0900
Source: texlive-extra
Binary: texlive-bibtex-extra texlive-extra-utils texlive-font-utils 
texlive-fonts-extra texlive-fonts-extra-doc texlive-fonts-extra-links 
texlive-formats-extra texlive-games texlive-humanities texlive-humanities-doc 
texlive-latex-extra texlive-latex-extra-doc texlive-music texlive-plain-generic 
texlive-pstricks texlive-pstricks-doc texlive-publishers texlive-publishers-doc 
texlive-science texlive-science-doc
Architecture: source all
Version: 2019.20190507-1
Distribution: experimental
Urgency: medium
Maintainer: Debian TeX Maintainers 
Changed-By: Norbert Preining 
Description:
 texlive-bibtex-extra - TeX Live: BibTeX additional styles
 texlive-extra-utils - TeX Live: TeX auxiliary programs
 texlive-font-utils - TeX Live: Graphics and font utilities
 texlive-fonts-extra - TeX Live: Additional fonts
 texlive-fonts-extra-doc - TeX Live: Documentation files for texlive-fonts-extra
 texlive-fonts-extra-links - TeX Live:
 texlive-formats-extra - TeX Live: Additional formats
 texlive-games - TeX Live: Games typesetting
 texlive-humanities - TeX Live: Humanities packages
 texlive-humanities-doc - TeX Live: Documentation files for texlive-humanities
 texlive-latex-extra - TeX Live: LaTeX additional packages
 texlive-latex-extra-doc - TeX Live: Documentation files for texlive-latex-extra
 texlive-music - TeX Live: Music packages
 texlive-plain-generic - TeX Live: Plain (La)TeX packages
 texlive-pstricks - TeX Live: PSTricks
 texlive-pstricks-doc - TeX Live: Documentation files for texlive-pstricks
 texlive-publishers - TeX Live: Publisher styles, theses, etc.
 texlive-publishers-doc - TeX Live: Documentation files for texlive-publishers
 texlive-science - TeX Live: Mathematics, natural sciences, computer science 
package
 texlive-science-doc - TeX Live: Documentation files for texlive-science
Closes: 928552
Changes:
 texlive-extra (2019.20190507-1) experimental; urgency=medium
 .
   * 

Bug#914034: Bug#911938: libhttp-daemon-ssl-perl FTBFS: tests fail: Connection refused

[Dimitri John Ledkov]

On Tue, 7 May 2019 14:16:43 +0100 Dimitri John Ledkov  wrote:
> Hi,
>
> On Wed, 10 Apr 2019 15:22:09 +0200 Guilhem Moulin  wrote:
> >
> > Not setting the SSL_MODE_AUTO_RETRY flag back after removing O_NONBLOCK
> > (ie commenting out `Net::SSLeay::set_mode($ssl, $mode_auto_retry);` in
> > the patch) solves the problem with blocking I/O and select/poll, but
> > breaks programs expecting SSL_read() to block until application data
> > comes in.  (That is, programs not conforming to SSL_read()'s documented
> > behavior — hence which would break on renegotiation with TLS <1.3; or
> > programs relying on SSL_MODE_AUTO_RETRY being set, as in OpenSSL ≥1.1.1's
> > default context flags.)
> >
>
> This issue concerns me a lot at the moment. I am currently trying to
> upgrade OpenSSL from 1.1.0 to 1.1.1 in Ubuntu 18.04 LTS (bionic). And
> as far as I understand all the comment on this debian bug report,
> current application are potentially broken and brokeness happens more
> often with TLSv1.3 and the new OpenSSL 1.1.1 defaults
> (SSL_MODE_AUTO_RETRY).
>
> As far as I understand we do not have a fixed LWP that works correctly
> in blocking, non-blocking, tls 1.2 and tls 1.3. To prevent regressing
> existing users further, does it make sense for me to make updates in
> bionic that:
>
> 1) limit SSL_new and SSL_CTX_new to TLS v1.2 max
> and
> 2) disable SSL_MODE_AUTO_RETRY by default for TLS v1.2 connections?
>
> My goal is to keep existing breakages as is, without introducing new
> ones, whilst getting OpenSSL 1.1.1 into bionic. Granted this will not
> get TLS v1.3 enabled for perl server/clients without code changes, but
> oh well. Those who want it, will be able to force / start using it.

I proposed the following patch upstream / request for comments
https://github.com/radiator-software/p5-net-ssleay/pull/139

Regards,

Dimitri.

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

[Kentaro Hayashi]

Hi, 

I maintain Groonga package as a DM, so I want to fix #928304.
But I've never uploaded package to stable before, so I need help
 to do it in a good manner.

I've attached debdiff against current version.
Is it ok to upload stretch-security?
diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog
--- groonga-6.1.5/debian/changelog	2017-01-23 19:14:09.0 +0900
+++ groonga-6.1.5/debian/changelog	2019-05-07 22:33:11.0 +0900
@@ -1,3 +1,13 @@
+groonga (6.1.5-2) stretch-security; urgency=medium
+
+  * debian/groonga-httpd.logrotate
+debian/groonga-server-gqtp.logrotate
+- Mitigate privilege escalation by changing the owner and group of logs
+  with "su" option. Reported by Wolfgang Hotwagner.
+  (Closes: #928304) (CVE-2019-11675)
+
+ -- Kentaro Hayashi   Tue, 07 May 2019 22:33:11 +0900
+
 groonga (6.1.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate
--- groonga-6.1.5/debian/groonga-httpd.logrotate	2016-12-10 15:18:50.0 +0900
+++ groonga-6.1.5/debian/groonga-httpd.logrotate	2019-05-07 22:33:11.0 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/httpd/*.log {
+su groonga groonga
 daily
 missingok
 rotate 30
 compress
 delaycompress
 notifempty
-create 640 groonga groonga
 sharedscripts
 postrotate
 . /etc/default/groonga-httpd
diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate
--- groonga-6.1.5/debian/groonga-server-gqtp.logrotate	2016-12-10 15:18:50.0 +0900
+++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate	2019-05-07 22:33:11.0 +0900
@@ -1,11 +1,11 @@
 /var/log/groonga/*-gqtp.log {
+su groonga groonga
 daily
 missingok
 rotate 30
 compress
 delaycompress
 notifempty
-create 640 groonga groonga
 sharedscripts
 postrotate
 . /etc/default/groonga-server-gqtp

Bug#926872: evolution: Spaces in mail view disappeared with recent updates

[Alberto Garcia]

On Thu, Apr 11, 2019 at 11:22:46AM -0400, Boyuan Yang wrote:

> I'm using the broken evolution to report bugs to you now. With the
> updates recently (within 1 week), evolution no longer shows spaces
> when displaying email.

I cannot confirm it 100%, but it seems that this is a bug in
WebKitGTK. I reported it upstream here:

   https://bugs.webkit.org/show_bug.cgi?id=197658

And there's also Debian #928399, which should probably be merged with
this one once we confirm that this is indeed the root cause.

Berto

Processed: Re: Bug#928399: libwebkit2gtk-4.0-37: White spaces are always skipped in redinering of text plain.

[Debian Bug Tracking System]

Processing control commands:

> forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=197658
Bug #928399 [libwebkit2gtk-4.0-37] libwebkit2gtk-4.0-37: White spaces are 
always skipped  in redinering of text plain.
Set Bug forwarded-to-address to 
'https://bugs.webkit.org/show_bug.cgi?id=197658'.

-- 
928399: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928399
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#928399: libwebkit2gtk-4.0-37: White spaces are always skipped in redinering of text plain.

[Alberto Garcia]

Control: forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=197658

On Sat, May 04, 2019 at 02:03:22AM +0900, nozzy123no...@gmail.com wrote:

>  I find a problem of libwebkit2gtk-4.0-37, which doesn't show all white
> spaces in rendering text plain document under the locales except for
> "C" locale. 

Thanks, I cannot reproduce this with the Spanish locale (es_ES.UTF-8)
but it does happen with ja_JP.UTF-8 and the fonts-noto-cjk package
installed.

I reported it upstream.

Berto

Bug#914034: Bug#911938: libhttp-daemon-ssl-perl FTBFS: tests fail: Connection refused

[Dimitri John Ledkov]

Hi,

On Wed, 10 Apr 2019 15:22:09 +0200 Guilhem Moulin  wrote:
>
> Not setting the SSL_MODE_AUTO_RETRY flag back after removing O_NONBLOCK
> (ie commenting out `Net::SSLeay::set_mode($ssl, $mode_auto_retry);` in
> the patch) solves the problem with blocking I/O and select/poll, but
> breaks programs expecting SSL_read() to block until application data
> comes in.  (That is, programs not conforming to SSL_read()'s documented
> behavior — hence which would break on renegotiation with TLS <1.3; or
> programs relying on SSL_MODE_AUTO_RETRY being set, as in OpenSSL ≥1.1.1's
> default context flags.)
>

This issue concerns me a lot at the moment. I am currently trying to
upgrade OpenSSL from 1.1.0 to 1.1.1 in Ubuntu 18.04 LTS (bionic). And
as far as I understand all the comment on this debian bug report,
current application are potentially broken and brokeness happens more
often with TLSv1.3 and the new OpenSSL 1.1.1 defaults
(SSL_MODE_AUTO_RETRY).

As far as I understand we do not have a fixed LWP that works correctly
in blocking, non-blocking, tls 1.2 and tls 1.3. To prevent regressing
existing users further, does it make sense for me to make updates in
bionic that:

1) limit SSL_new and SSL_CTX_new to TLS v1.2 max
and
2) disable SSL_MODE_AUTO_RETRY by default for TLS v1.2 connections?

My goal is to keep existing breakages as is, without introducing new
ones, whilst getting OpenSSL 1.1.1 into bionic. Granted this will not
get TLS v1.3 enabled for perl server/clients without code changes, but
oh well. Those who want it, will be able to force / start using it.

Regards,

Dimitri.

Bug#927471: curl: Regression that fails to exhaust socket data

[Guillem Jover]

Hi!

On Sat, 2019-05-04 at 13:02:13 +0100, Alessandro Ghedini wrote:
> On Sat, Apr 20, 2019 at 01:39:36PM +0200, Guillem Jover wrote:
> > Source: curl
> > Source-Version: 7.64.0-2
> > Severity: serious
> > Control: affects -1 rtorrent

> > I've started noticing rtorrent busy-looping at some points after
> > finishing a torrent. stracing and gdb'ing the process it was doing
> > that in its main loop, spamming on gettimeofday() and epoll_wait().
> > 
> > Checking the rtorrent dependencies I've not seen much suspicious
> > updated recently, except for curl. I checked then the upstream bug
> > trackers and noticed quite many instances of "100% cpu usage" reports,
> > such as . And that
> > one points to old and new curl issue. The last instance of it appears
> > to have been fixed with 
> > in 7.64.1.
> > 
> > So I think curl should be either upgraded to that release, or the
> > relevant commits cherry-picked.
> 
> I prepared an update for the curl package with the two upstream patches 
> applied
> (38d8e1b and 4015fae), and uploaded the result for amd64 at:
> https://people.debian.org/~ghedo/libcurl4_7.64.0-3_amd64.deb
> 
> Guillem, could you try this version of the package and see if it fixes the
> issue for you? Once that's confirmed I'll upload to sid and ask for unblock.

Thanks! I tried yesterday and today to get a deterministic reproducer
with the version from unstable, but I'm not sure what's the trigger,
perhaps the torrent peers or the chunk arrival order or something. In
any case I was able to get the problem while redownloading some torrents
I had around. Installed the new package, and redownloaded several old
torrents and several new ones, and none have shown the problem since.

But even though I was getting that pretty often before, that does not
mean I might have been lucky until now! So, while it does look like the
issue is gone, I cannot say that with 100% assurance. :)

Will keep checking and report again in a day or two.

Thanks,
Guillem

Bug#926047: marked as done (missing licenses)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 12:49:24 +
with message-id 
and subject line Bug#926047: fixed in octave 4.4.1-6
has caused the Debian Bug report #926047,
regarding missing licenses
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: octave
Version: 5.1.0-1
Severity: serious
User: alteh...@debian.org
Usertags: ftp
thanks

Please add the missing licenses of:
 etc/fonts/*.otf
to your debian/copyright.

While you are at it, our hardworking trainees found:
  ./display-available.h:Copyright (C) 2012-2019 John W. Eaton
  ./main.in.cc:Copyright (C) 2012-2019 John W. Eaton
  ./main-gui.cc:Copyright (C) 2012-2019 John W. Eaton
  ./main-cli.cc:Copyright (C) 2012-2019 John W. Eaton
  ./display-available.c:Copyright (C) 2012-2019 John W. Eaton

Thanks!
  Thorsten
--- End Message ---
--- Begin Message ---
Source: octave
Source-Version: 4.4.1-6

We believe that the bug you reported is fixed in the latest version of
octave, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sébastien Villemot  (supplier of updated octave package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 07 May 2019 11:36:11 +0200
Source: octave
Architecture: source
Version: 4.4.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Octave Group 
Changed-By: Sébastien Villemot 
Closes: 926047
Changes:
 octave (4.4.1-6) unstable; urgency=medium
 .
   * d/copyright: add entry for etc/fonts/* (Closes: #926047)
Checksums-Sha1:
 87fdad9fc574041b851abdfd25b484122c4f4896 3393 octave_4.4.1-6.dsc
 72fb83097e1d18a2ffb84ab4b6661de8054fd83b 77376 octave_4.4.1-6.debian.tar.xz
 27894b8ae2c9eaea5fabf781938042ac85a0f25a 22806 octave_4.4.1-6_amd64.buildinfo
Checksums-Sha256:
 d600675dedd6ed31247375675ff5f62ccca3617229f468c3d55cfc69bc6b3be4 3393 
octave_4.4.1-6.dsc
 e026dbedc98992a00ab5e545a4500d33122084dc95fcf561f8b709854408386c 77376 
octave_4.4.1-6.debian.tar.xz
 ba4057fe300c4c1d23dad2d19639e5f8eb133bf4994fcd791b9b856328daeeb5 22806 
octave_4.4.1-6_amd64.buildinfo
Files:
 92d9b8aa44dea8ef76ea8144a4b304d9 3393 math optional octave_4.4.1-6.dsc
 c86ea5380a7a757c9d1d939fdf22a1a5 77376 math optional 
octave_4.4.1-6.debian.tar.xz
 e01a35497a7167b8b319d67246086732 22806 math optional 
octave_4.4.1-6_amd64.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEU5UdlScuDFuCvoxKLOzpNQ7OvkoFAlzReiEACgkQLOzpNQ7O
vkqprRAAnOniH4QGNnpe3SpJzWlnpz3SN90fAVGDF1voNPdAELwIM5x9tZzjYDJo
P+LA/BhQMLNdEPIDvCD2PTA9Xe0aiWG+DAFMXO147nQpmEeOP628LtBlgBkcm851
8BB3OvTpub5/Glj5CiLdBFDF0YO8DBJRc5J6fY3WXdycef4yQjDWcEh3PtX6ToKf
v1m4ELHZTITodgjkRku5MWqJDeGkg1Dxgddhsu5dA58N65oVlxCg5EL0bHDLti+/
qq5OW0gfm7IJI2i7ThBWZYk3FD4VgLq1ja5lTX1k1Nyf1f2pYoFd7HTcbLFOCW5k
nI7UJnqrV5jcJuqndtOeqlgTMu91JNCMroL9nfHoM1WXgYsL8lghSuPNuPfrkgXl
aXE1AvNLj44HMAvmBgkH8w5aCAaXOcLiefckSttR+i50UCKXdcUTFkW8bjGmx4Qs
BAE3DLu0BqNpnbd5a2RwilBE9dG2wqIsHRI/uIVPLrXS+PzwodNJaiocPlfFXKAk
KreSt2bwY5Cz57qI6yThQvrxGTBpH+Gciox3VN7yFfaDpDMMU+qoU7V4/Vzqgp/7
V8Urte9Gh0/ssAqc9f4EYOAy0M0A5vWIdtrwjikWP6YS+8/9kUFDHyi9RhX9aw67
zVsq511jYokDSwXnyBP1if7mAbmYmzhE+tS0K0DSFtrQZNap1VQ=
=TNFU
-END PGP SIGNATURE End Message ---

Bug#926047: marked as pending in octave

[Sébastien Villemot]

Control: tag -1 pending

Hello,

Bug #926047 in octave reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-octave-team/octave/commit/58abc9e0f348c30b95af99710ba1c692717cd7dc


d/copyright: add entry for etc/fonts/*

Closes: #926047


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926047

Processed: Bug#926047 marked as pending in octave

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #926047 [octave] missing licenses
Ignoring request to alter tags of bug #926047 to the same tags previously set

-- 
926047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#554444: marked as done (libdebian-installer: Unable to parse Packages files with long lines)

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 11:34:41 +
with message-id 
and subject line Bug#55: fixed in libdebian-installer 0.119
has caused the Debian Bug report #55,
regarding libdebian-installer: Unable to parse Packages files with long lines
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
55: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=55
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdebian-installer
Version: 0.69

When using cdebootstrap to provide the rootfs at Mamona (an
OpenEmbedded-based distribution), cdebootstrap failed giving the
following message:
W: parser_rfc822: Iek! Don't find end of value!
E: Internal error: download

After looking at the libdebian-installer code, I found that the
problem is related with the READSIZE variable, as I got a package that
had more than 16384 characters at the recommends field.

I know that this is quite a huge line, but at OE we have quite many
packages that are split in a lot of different packages.

Applying the following patch fixed my problem:

[PATCH] parser_rfc822.c: doubling the READSIZE to support using it
with OpenEmbedded

---
 src/parser_rfc822.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/parser_rfc822.c b/src/parser_rfc822.c
index 576de0e..45ccc98 100644
--- a/src/parser_rfc822.c
+++ b/src/parser_rfc822.c
@@ -38,7 +38,7 @@
 #include 
 #include 

-#define READSIZE 16384
+#define READSIZE 32768

 int di_parser_rfc822_read (char *begin, size_t size, di_parser_info
*info, di_parser_read_entry_new entry_new, di_parser_read_entry_finish
entry_finish, void *user_data)
 {


--- End Message ---
--- Begin Message ---
Source: libdebian-installer
Source-Version: 0.119

We believe that the bug you reported is fixed in the latest version of
libdebian-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 554...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank  (supplier of updated libdebian-installer 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 07 May 2019 13:17:47 +0200
Source: libdebian-installer
Architecture: source
Version: 0.119
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Bastian Blank 
Closes: 55 927544
Changes:
 libdebian-installer (0.119) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Drop support for arm*/ixp4xx and arm*/iop32x; support for those
 platforms was removed from the Linux kernel and therefore d-i.
   * Remove Christian Perrier from Uploaders, with many thanks for all
 his contributions over the years! (Closes: #927544)
 .
   [ Bastian Blank ]
   * Enlarge maximum line length in Packages and Sources files.
 (closes: #55)
Checksums-Sha1:
 415d0d6e5f04405f66bc8efed06d1798540d34ff 1875 libdebian-installer_0.119.dsc
 0193983f5a82d176f93699cbd91aa5ad0e33cfbd 71904 libdebian-installer_0.119.tar.xz
 579e1ed247a120dc5541f79894cf439abd9b6d99 5578 
libdebian-installer_0.119_source.buildinfo
Checksums-Sha256:
 6e183a126b9c139bc5ab14fb82afc8f409800f0dbee69e983b5195f15a23dee2 1875 
libdebian-installer_0.119.dsc
 2f39443c83faf0560521c3a0eabd439580d1cdd4f580a394efe522b4f58bfc7f 71904 
libdebian-installer_0.119.tar.xz
 bde16e99d8ff5131ca9d55d081bb8da4c6e9bea5b55ff5d8a5f04a58c4fd6068 5578 
libdebian-installer_0.119_source.buildinfo
Files:
 ff96b79d95c15e4078049dc8136b8f32 1875 libs optional 
libdebian-installer_0.119.dsc
 92b41e088597bd5ede62ff6d5c49f85a 71904 libs optional 
libdebian-installer_0.119.tar.xz
 f2926ce8ce364a0ac3a0c591fed6cbb0 5578 libs optional 
libdebian-installer_0.119_source.buildinfo

-BEGIN PGP SIGNATURE-

iQFFBAEBCgAvFiEER3HMN63jdS1rqjxLbZOIhYpp/lEFAlzRaj4RHHdhbGRpQGRl
Ymlhbi5vcmcACgkQbZOIhYpp/lEbewf+PS7pGt/gbkqt4g7W7x5Q43mZJly5qVJH
bXGabWKBlu7wnXjZ0FNIUbdrsUGoOQ4tnMK9nBoGRzhgtE2VIwIXeFBRwinKM7Jw
gZX8vBG0WiFPo1QSZSoConvtcyX4zeUBk0o4paaYO1+SJjo4wicE9jMvbqucdUWE
3CP/IB0K85Y3rac5QuhDbEWsDDRNNyZaL3YSOBCnNLG1SR2mUpP6HGDkHJh5qGeS
X1arKR2QeEV5Wm5Uw7qSK+YWR4IO2jWF6pVzSJ/fPTGDoTyfRUyZwOH+D0aNL7Ua
mxV8y7uvjswp/q/iXibktgpRJYeCgUzGHamL00uvvi/yWSF8WYaodA==
=RT7x

Processed: severity of 554444 is grave

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 55 grave
Bug #55 [libdebian-installer] libdebian-installer: Unable to parse Packages 
files with long lines
Severity set to 'grave' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
55: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=55
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#928598: marked as done (browserpass: FTBFS (cannot find package "github.com/sirupsen/logrus/hooks/syslog"))

[Debian Bug Tracking System]

Your message dated Tue, 07 May 2019 10:33:46 +
with message-id 
and subject line Bug#928598: fixed in browserpass 3.1.1-2
has caused the Debian Bug report #928598,
regarding browserpass: FTBFS (cannot find package 
"github.com/sirupsen/logrus/hooks/syslog")
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:browserpass
Version: 3.1.1-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in sid but it failed:


[...]
 debian/rules build-arch
dh build-arch --buildsystem=golang --with=golang
   dh_update_autotools_config -a -O--buildsystem=golang
   dh_autoreconf -a -O--buildsystem=golang
   dh_auto_configure -a -O--buildsystem=golang
   debian/rules override_dh_auto_build
make[1]: Entering directory '/<>'
dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags 
"-extldflags=-Wl,-z,now,-z,relro"
cd obj-x86_64-linux-gnu && go install 
-gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" 
-asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 1 
-buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro 
github.com/browserpass/browserpass-native 
github.com/browserpass/browserpass-native/errors 
github.com/browserpass/browserpass-native/openbsd 
github.com/browserpass/browserpass-native/persistentlog 
github.com/browserpass/browserpass-native/request 
github.com/browserpass/browserpass-native/response 
github.com/browserpass/browserpass-native/version
src/github.com/browserpass/browserpass-native/persistentlog/syslog.go:8:2: 
cannot find package "github.com/sirupsen/logrus" in any of:
/usr/lib/go-1.11/src/github.com/sirupsen/logrus (from $GOROOT)
/<>/obj-x86_64-linux-gnu/src/github.com/sirupsen/logrus 
(from $GOPATH)
src/github.com/browserpass/browserpass-native/persistentlog/syslog.go:9:2: 
cannot find package "github.com/sirupsen/logrus/hooks/syslog" in any of:
/usr/lib/go-1.11/src/github.com/sirupsen/logrus/hooks/syslog (from 
$GOROOT)

/<>/obj-x86_64-linux-gnu/src/github.com/sirupsen/logrus/hooks/syslog
 (from $GOPATH)
dh_auto_build: cd obj-x86_64-linux-gnu && go install 
-gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" 
-asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 1 
-buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro 
github.com/browserpass/browserpass-native 
github.com/browserpass/browserpass-native/errors 
github.com/browserpass/browserpass-native/openbsd 
github.com/browserpass/browserpass-native/persistentlog 
github.com/browserpass/browserpass-native/request 
github.com/browserpass/browserpass-native/response 
github.com/browserpass/browserpass-native/version returned exit code 1
make[1]: *** [debian/rules:11: override_dh_auto_build] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:8: build-arch] Error 2
dpkg-buildpackage: error: debian/rules build-arch subprocess returned exit 
status 2


See also:

https://buildd.debian.org/status/package.php?p=browserpass

Seems like a missing build-dependency.

Thanks.
--- End Message ---
--- Begin Message ---
Source: browserpass
Source-Version: 3.1.1-2

We believe that the bug you reported is fixed in the latest version of
browserpass, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes  (supplier of updated browserpass package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 07 May 2019 12:06:44 +0200
Source: browserpass
Binary: webext-browserpass webext-browserpass-dbgsym
Architecture: source amd64
Version: 3.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Mozilla Extension Maintainers 

Changed-By: Michael Meskes 
Description:
 webext-browserpass - web extension for the password manager pass
Closes: 928598
Changes:
 browserpass (3.1.1-2) unstable; 

Bug#928598: browserpass: FTBFS (cannot find package "github.com/sirupsen/logrus/hooks/syslog")

[Santiago Vila]

Package: src:browserpass
Version: 3.1.1-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in sid but it failed:


[...]
 debian/rules build-arch
dh build-arch --buildsystem=golang --with=golang
   dh_update_autotools_config -a -O--buildsystem=golang
   dh_autoreconf -a -O--buildsystem=golang
   dh_auto_configure -a -O--buildsystem=golang
   debian/rules override_dh_auto_build
make[1]: Entering directory '/<>'
dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags 
"-extldflags=-Wl,-z,now,-z,relro"
cd obj-x86_64-linux-gnu && go install 
-gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" 
-asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 1 
-buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro 
github.com/browserpass/browserpass-native 
github.com/browserpass/browserpass-native/errors 
github.com/browserpass/browserpass-native/openbsd 
github.com/browserpass/browserpass-native/persistentlog 
github.com/browserpass/browserpass-native/request 
github.com/browserpass/browserpass-native/response 
github.com/browserpass/browserpass-native/version
src/github.com/browserpass/browserpass-native/persistentlog/syslog.go:8:2: 
cannot find package "github.com/sirupsen/logrus" in any of:
/usr/lib/go-1.11/src/github.com/sirupsen/logrus (from $GOROOT)
/<>/obj-x86_64-linux-gnu/src/github.com/sirupsen/logrus 
(from $GOPATH)
src/github.com/browserpass/browserpass-native/persistentlog/syslog.go:9:2: 
cannot find package "github.com/sirupsen/logrus/hooks/syslog" in any of:
/usr/lib/go-1.11/src/github.com/sirupsen/logrus/hooks/syslog (from 
$GOROOT)

/<>/obj-x86_64-linux-gnu/src/github.com/sirupsen/logrus/hooks/syslog
 (from $GOPATH)
dh_auto_build: cd obj-x86_64-linux-gnu && go install 
-gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" 
-asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 1 
-buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro 
github.com/browserpass/browserpass-native 
github.com/browserpass/browserpass-native/errors 
github.com/browserpass/browserpass-native/openbsd 
github.com/browserpass/browserpass-native/persistentlog 
github.com/browserpass/browserpass-native/request 
github.com/browserpass/browserpass-native/response 
github.com/browserpass/browserpass-native/version returned exit code 1
make[1]: *** [debian/rules:11: override_dh_auto_build] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:8: build-arch] Error 2
dpkg-buildpackage: error: debian/rules build-arch subprocess returned exit 
status 2


See also:

https://buildd.debian.org/status/package.php?p=browserpass

Seems like a missing build-dependency.

Thanks.

Processed: Bug#926047 marked as pending in octave

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #926047 [octave] missing licenses
Added tag(s) pending.

-- 
926047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#926047: marked as pending in octave

[Sébastien Villemot]

Control: tag -1 pending

Hello,

Bug #926047 in octave reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-octave-team/octave/commit/57584a053eda0f7b3231a474fe52493ac4a3373d


d/copyright: add entry for etc/fonts/*

Note that currently we hit a bug in libconfig-model-dpkg-perl, see #928597.

Closes: #926047


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926047

Bug#921688: NMU Diff

[Tristan Seligmann]

Thank you for taking care of this; I plan to package a new upstream version
when I can, but the need to package new dependencies makes this non-trivial
and due to personal circumstances I have not yet had the opportunity to
handle this.

On Tue, 7 May 2019 at 04:30, Sam Hartman  wrote:

>
> Dear maintainer.
> I made the following 0-day NMU of electrum.
> I suspect that once you update to a new version you will not wish to
> include these changes, but in the interest of awareness of your package
> I wanted to make sure you were aware.
>
> diff --git a/debian/changelog b/debian/changelog
> index 4ff..c30a279 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +electrum (3.2.3-1.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * On startup print a warning that this version in insecure and then
> +exit, Closes: #928518
> +
> +
> + -- Sam Hartman   Mon, 06 May 2019 22:11:19 -0400
> +
>  electrum (3.2.3-1) unstable; urgency=medium
>
>* New upstream release.
> diff --git a/debian/patches/replace-with-security-warning.patch
> b/debian/patches/replace-with-security-warning.patch
> new file mode 100644
> index 000..e8f409e
> --- /dev/null
> +++ b/debian/patches/replace-with-security-warning.patch
> @@ -0,0 +1,60 @@
> +From: Sam Hartman 
> +Date: Mon, 6 May 2019 22:10:51 -0400
> +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9
> +Subject: Replace with security warning
> +
> +On startup print to GUI and stdio a security warning and then exit.
> +
> +---
> +
> +--- electrum-3.2.3.orig/electrum/electrum
>  electrum-3.2.3/electrum/electrum
> +@@ -1,4 +1,4 @@
> +-#!/usr/bin/env python3
> ++#!/usr/bin/python3
> + # -*- mode: python -*-
> + #
> + # Electrum - lightweight Bitcoin client
> +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea
> + is_bundle = getattr(sys, 'frozen', False)
> + is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
> + is_android = 'ANDROID_DATA' in os.environ
> ++try:
> ++import PyQt5
> ++except Exception:
> ++sys.exit("Error: Could not import PyQt5 on Linux systems, you may
> try 'sudo apt-get install python3-pyqt5'")
> +
> ++from PyQt5.QtGui import *
> ++from PyQt5.QtWidgets import *
> ++from PyQt5.QtCore import *
> ++import PyQt5.QtCore as QtCore
> + # move this back to gui/kivy/__init.py once plugins are moved
> + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
> +
> + if is_local or is_android:
> + sys.path.insert(0, os.path.join(script_dir, 'packages'))
> +
> ++security_message = ''' \
> ++This version of Electrum is vulnerable to malicious code inserted by
> ++attackers and is being actively exploited to try and convince users to
> ++give their private credentials to attackers.  See
> ++https://bugs.debian.org/921688 for details.  Until the version in
> ++Debian is updated, please see https://electrum.org/download.html
> ++'''
> ++sys.stderr.write(security_message)
> ++
> ++
> ++from electrum.gui.qt.util import MessageBoxMixin
> ++class Window(QMainWindow, MessageBoxMixin):
> ++
> ++def __init__(self, *args, **kwargs):
> ++super().__init__(*args, **kwargs)
> ++self.show_warning(msg = security_message, title = "THIS
> APPLICATION is INSECURE")
> ++
> ++
> ++app = QApplication(["electrum", "gui"])
> ++window = Window()
> ++sys.exit(2)
> +
> + def check_imports():
> + # pure-python dependencies need to be imported here for pyinstaller
> diff --git a/debian/patches/series b/debian/patches/series
> new file mode 100644
> index 000..8ffe66a
> --- /dev/null
> +++ b/debian/patches/series
> @@ -0,0 +1 @@
> +replace-with-security-warning.patch
> diff --git a/electrum/electrum b/electrum/electrum
> index dd35c35..8c5ef37 100755
> --- a/electrum/electrum
> +++ b/electrum/electrum
> @@ -1,4 +1,4 @@
> -#!/usr/bin/env python3
> +#!/usr/bin/python3
>  # -*- mode: python -*-
>  #
>  # Electrum - lightweight Bitcoin client
> @@ -30,13 +30,42 @@ script_dir =
> os.path.dirname(os.path.realpath(__file__))
>  is_bundle = getattr(sys, 'frozen', False)
>  is_local = not is_bundle and os.path.exists(os.path.join(script_dir,
> "electrum.desktop"))
>  is_android = 'ANDROID_DATA' in os.environ
> -
> +try:
> +import PyQt5
> +except Exception:
> +sys.exit("Error: Could not import PyQt5 on Linux systems, you may try
> 'sudo apt-get install python3-pyqt5'")
> +
> +from PyQt5.QtGui import *
> +from PyQt5.QtWidgets import *
> +from PyQt5.QtCore import *
> +import PyQt5.QtCore as QtCore
>  # move this back to gui/kivy/__init.py once plugins are moved
>  os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__))
> + '/electrum/gui/kivy/data/'
>
>  if is_local or is_android:
>  sys.path.insert(0, os.path.join(script_dir, 'packages'))
>
> +security_message = ''' \
> +This version of Electrum is vulnerable to malicious code inserted by
> +attackers and is being actively 

Bug#928172: debian-security-support: fails to upgrade from 'testing': dpkg: error: error executing hook

[Gabriel Filion]

On Mon, 29 Apr 2019 15:44:39 +0200 Santiago Vila  wrote:
> On Mon, Apr 29, 2019 at 01:22:18PM +, Holger Levsen wrote:
> > if we now could please focus on #928172 and ignore #927450 for now,
> > that would be great. (and "ignoring #927450" also means not mixing them
> > up.) 
> 
> Let's focus on #928172 if you like. I try not to mix them up, but I
> believe they are strongly related in the sense that the reason #928172
> is serious now is that the package in stable still has #927450.

so, I'm currently in this situation where the package doesn't upgrade.
and nothing else upgrades either because of this.

is there a known way to work around the issue that the hook encounters
in order to unblock my install?



signature.asc
Description: OpenPGP digital signature