Bug#927913: Second chromium kills the first one, and we see "Restore pages?"
Dear Maintainer, why don't you create binary packages of chromium and publish them in the unstable branch? Did I miss something important? I see this Chromium version as a required bugfix release. I'm asking for clarification. Thank you! best regards
Bug#929662: docker.io: CVE-2018-15664 - upstream backport of patch for 18.09
Hi,

thanks for reaching out.

I applied the patch, that is no problem. However the new tests that were added make my machine go crazy and reach the maximum number of processes. Right now I'm configured like that:

  $ ulimit -u 62688

I will bump this number but I also want to check in a bit more detail what's happening and report that upstream, as I don't know if this is expected behavior or not.

You can checkout the branch at https://salsa.debian.org/docker-team/docker/tree/arnaudr/cve-2018-15664 and try it by yourself if you're curious.

In the meantime, I reached out to the release team at #930293 to prepare for the next unblock.

So things are in progress, no need for help on this particular issue, but in general if you're interested in the docker package, then help with the packaging is more than welcome :)

Arnaud

On 6/9/19 9:31 AM, Afif Elghraoui wrote:
> Hello,
>
> Is any help needed on this? Upstream has a backport of the patch for the
> 18.09 series (same as Unstable):
>
> https://github.com/docker/engine/pull/253
>
> Hopefully it won't be too much work to incorporate it.
>
> thanks and regards
> Afif
>
Bug#929715: strace: FTBFS: open: /dev/kvm: No such file or directory
Control: severity -1 important

Hi there,

On Saturday, June 01 2019, Steve McIntyre wrote:

> On Wed, May 29, 2019 at 04:30:05PM +0200, Lucas Nussbaum wrote:
>>Hi,
>>
>>During a rebuild of all packages in buster (in a buster chroot, not a
>>sid chroot), your package failed to build on amd64.
>
> Hmmm, that's odd. I've just built the current package in fresh amd64
> and i386 chroots here, with no errors.

I can also confirm building strace on a fresh sid chroot without errors.

> Checking your log, the /dev/kvm error is not fatal and some tests are
> skipped without KVM access.

Also confirming this.

> The actual failures that you're seeing are from 4 stat functions,
> reported several times due to the build setup:
>
> $ grep ^FAIL: strace_4.26-0.2_testing.log | less
> FAIL: lstat.gen.test
> FAIL: stat.gen.test
> FAIL: lstat.gen.test
> FAIL: trace_lstat.gen.test
> FAIL: stat.gen.test
> FAIL: trace_stat.gen.test
> FAIL: trace_lstat.gen.test
> FAIL: trace_stat.gen.test
> FAIL: lstat.gen
> FAIL: stat.gen
> FAIL: trace_lstat.gen
> FAIL: trace_stat.gen
> FAIL: lstat.gen
> FAIL: stat.gen
> FAIL: trace_lstat.gen
> FAIL: trace_stat.gen
>
> so I've updated the bug title. Checking the log for more details, I'm
> just seeing what *looks* like whitespace differences in the test
> output. But I don't see it here on my system, which is surprising. Is
> there anything at all special about your test setup that I should be
> aware of? I'm pondering if there's maybe a locale setup difference or
> something, but that's just a guess OTTOMH...!

Yeah, I agree with Steve here; these failures seem strange, but they are the apparent result of whitespace differences, and not real failures. For example:

-lstat("/dev/full", 0xf7544fc0) = -1 EOVERFLOW (Value too large for defined data type)
+lstat("/dev/full", 0xf7544fc0) = -1 EOVERFLOW (Value too large for defined data type)

I spent some time looking into how strace prints these lines, and found that there is a specific function responsible for calculating the amount of whitespace that should go between the close parenthesis and the equal sign (on strace.c):

  void
  tabto(void)
  {
  	if (current_tcp->curcol < acolumn)
  		tprints(acolumn_spaces + current_tcp->curcol);
  }

Here, "acolumn" is 40 (this value actually comes from a define in defs.h, "DEFAULT_ACOLUMN"), and "tprints" actually calls "fputs_unlocked", which is thread-unsafe according to its manpage. Not that it matters much, since strace is single-threaded, but these are the data points I gathered so far. These functions don't seem to be affected by locale.

I also noticed that the test is actually comparing the output of "./lstat", which uses a static way to generate the syscall information lines (i.e., it doesn't have any mechanism for dynamically generating whitespaces according to the number of columns printed -- take a look at tests/{xstatx,lstatx}.c for more info), against the output generated by the compiled strace binary, which, as stated above, is much more dynamic when printing whitespaces. It seems to me that the testcase(s) should be adjusted to account for possible differences in whitespace.

Having said all that, I believe this bug's severity should be reduced from "serious" to (at most) "important", at least until Lucas can provide more information about it. I've taken the liberty to do that; feel free to bump it back to "serious" if needed, of course.

Thanks,

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
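The padding rule quoted in the message above, as an added example (not strace code and not part of the thread): it contrasts a tabto()-style dynamic layout with a fixed layout and shows a comparison that ignores differences in the length of blank runs. The single space after the closing parenthesis, the fixed " = " layout, and all function names here are assumptions made for the illustration.

```c
/* Added illustration; not strace source. Models the two formatters the
 * message contrasts and a whitespace-tolerant comparison. */
#include <stdio.h>
#include <string.h>

#define ACOLUMN 40 /* value the message gives for DEFAULT_ACOLUMN */

/* Number of spaces a tabto()-style routine emits with the cursor at curcol:
 * pad up to ACOLUMN, or nothing if the line is already that long. */
static int tabto_padding(int curcol)
{
    return curcol < ACOLUMN ? ACOLUMN - curcol : 0;
}

/* Dynamic layout: call text, one space (assumed), padding to ACOLUMN,
 * then "= result". Returns what snprintf returns. */
static int format_dynamic(char *out, size_t n, const char *call,
                          const char *result)
{
    int curcol = (int)strlen(call) + 1; /* column after the single space */
    return snprintf(out, n, "%s %*s= %s", call, tabto_padding(curcol), "",
                    result);
}

/* Static layout (assumed): a fixed " = " no matter how long the call is. */
static int format_static(char *out, size_t n, const char *call,
                         const char *result)
{
    return snprintf(out, n, "%s = %s", call, result);
}

static int is_blank(char c)
{
    return c == ' ' || c == '\t';
}

/* Compare two lines, treating any run of blanks as one separator.
 * A blank run must still be matched by a blank run on the other side,
 * so "a b" and "ab" remain different. Returns 1 on match, 0 otherwise. */
static int equal_modulo_blank_runs(const char *a, const char *b)
{
    while (*a && *b) {
        if (is_blank(*a) && is_blank(*b)) {
            while (is_blank(*a)) a++;
            while (is_blank(*b)) b++;
        } else if (*a == *b) {
            a++;
            b++;
        } else {
            return 0;
        }
    }
    return *a == '\0' && *b == '\0';
}

int main(void)
{
    /* Constructed sample, taken from the line quoted in the message. */
    const char *call = "lstat(\"/dev/full\", 0xf7544fc0)";
    const char *res = "-1 EOVERFLOW (Value too large for defined data type)";
    char dyn[256], fixed[256];

    format_dynamic(dyn, sizeof dyn, call, res);
    format_static(fixed, sizeof fixed, call, res);

    printf("dynamic: [%s]\n", dyn);
    printf("static:  [%s]\n", fixed);
    printf("byte-for-byte equal:       %d\n", strcmp(dyn, fixed) == 0);
    printf("equal modulo blank runs:   %d\n",
           equal_modulo_blank_runs(dyn, fixed));
    return 0;
}
```
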
Processed: Re: Bug#929715: strace: FTBFS: open: /dev/kvm: No such file or directory
Processing control commands:

> severity -1 important
Bug #929715 [src:strace] Bug#929715: strace: FTBFS: failure in lstat tests
Severity set to 'important' from 'serious'

--
929715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#930227: marked as done (mender-client fails to build from source on all architectures)
Your message dated Mon, 10 Jun 2019 03:42:33 +0200 with message-id <20190610014233.itbnbmtqyksnp...@fatal.se> and subject line Re: mender-client fails to build from source on all architectures has caused the Debian Bug report #930227, regarding mender-client fails to build from source on all architectures to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
930227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: mender-client
Version: 1.7.0-4
Severity: serious
Justification: FTBFS
Tags: security ftbfs

While rebuilding all packages in buster for CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848 in golang-golang-x-net-dev, mender-client fails to build from source on all architectures where it was tried.
The log on amd64
https://buildd.debian.org/status/fetch.php?pkg=mender-client=amd64=1.7.0-4%2Bb11=1559989410=0
ends like this:

mdb.c: In function 'mdb_cursor_put':
mdb.c:6725:9: warning: this statement may fall through [-Wimplicit-fallthrough=]
  if (SIZELEFT(fp) < offset) {
  ^
mdb.c:6730:5: note: here
  case MDB_CURRENT:
  ^~~~
github.com/mendersoftware/mender/installer
# github.com/mendersoftware/mender/installer
src/github.com/mendersoftware/mender/installer/installer.go:40:8: rootfs.InstallHandler undefined (type *handlers.Rootfs has no field or method InstallHandler)
github.com/mendersoftware/mender/store
dh_auto_build: cd obj-x86_64-linux-gnu && go install -gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 4 -ldflags "-X main.Version=1.7.0-4+b11" github.com/mendersoftware/mender github.com/mendersoftware/mender/client github.com/mendersoftware/mender/client/test github.com/mendersoftware/mender/installer github.com/mendersoftware/mender/statescript github.com/mendersoftware/mender/store github.com/mendersoftware/mender/utils returned exit code 2
make[1]: *** [debian/rules:18: override_dh_auto_build] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:15: build-arch] Error 2

-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-debug'), (200, 'testing'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---

--- Begin Message ---
Hello,

On Sat, Jun 08, 2019 at 09:00:52PM +0200, Paul Gevers wrote:
> Source: mender-client
> Version: 1.7.0-4
> Severity: serious
> Justification: FTBFS
> Tags: security ftbfs
>
> While rebuilding all packages in buster for CVE-2018-17846 /
> CVE-2018-17847 / CVE-2018-17848 in golang-golang-x-net-dev,
> mender-client fails to build from source on all architectures where it
> was tried.

You say building in buster, yet the build log is clearly from sid:

>
> The log on amd64
> https://buildd.debian.org/status/fetch.php?pkg=mender-client=amd64=1.7.0-4%2Bb11=1559989410=0
> ends like this:
[...]

I'm going to claim if you built in buster there's no issue. As I see it the correct action is thus to close this bug report.

If we put buster aside and focus on sid, I see two obvious ways to fix the build problem. The first would be to upload the updated mender-client packages sitting in git, the second to revert the mender-artifact package to previous version. As the second already seems to have happened, then as I see it the correct approach would be to just close this bug report.

(I foresee if you do builds in sid that you aim to migrate to buster, there might be problems that the newly (re)built mender-client package will have a Built-Using field pointing to the new fugly "foo+reallybar" version of mender-artifact. I'm confident you know better than me how to handle that situation, just thought I'd mention it.)

Either way it seems this bug report should be closed, thus doing so.

(Addressing/CCing me or Lluis directly would also most likely be useful.)

If there are any remaining issues, please share what those are.

Regards,
Andreas Henriksson
--- End Message ---
Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys
Agreed!

In this case, the bug was reported on Aug 24 2018 by Adrian Bunk. It was removed about a month later, namely on September 23, for failing to build from source. Four weeks is arguably quite fast. Or quite slow, depending on whom you talk to.

I probably could have reacted by disabling the test suite. Or by prodding you in those four weeks harder. Or at least have the bug fixed by end of last year, which would have left enough time to re-migrate to testing. In the future, I'll know better. Again, sorry.

I'm happy to help with getting the package to buster-backports once it opens.

-rt

On Sun, Jun 9, 2019 at 5:29 PM Chris Wilson wrote:
> Hi all,
>
> It seems a bit egregious to kick out packages that were broken by a minor
> version upgrade in one of their dependencies (which after all is not
> supposed to break anything), without any warning, let alone time to fix
> such a complex issue properly.
>
> I hope that Debian will consider carefully whether this course of action
> was really in the best interests of its users.
>
> Thanks, Chris.
>

--
regards,
Reinhard
Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys
Hi all,

It seems a bit egregious to kick out packages that were broken by a minor version upgrade in one of their dependencies (which after all is not supposed to break anything), without any warning, let alone time to fix such a complex issue properly.

I hope that Debian will consider carefully whether this course of action was really in the best interests of its users.

Thanks, Chris.

Sent from my iPhone

> On 7 Jun 2019, at 22:26, Reinhard Tartler wrote:
>
>> On Wed, Jun 5, 2019 at 7:46 PM Chris Wilson wrote:
>> Hi Reinhard,
>>
>> Could you have a look at this patch (documented here) to see if it's
>> something like what you were hoping for?
>>
>
> Hi Chris,
>
> I've uploaded this patch now to unstable, looks good, thanks for the patch.
> It is still about 80k big, though :-( - quite a lot to review manually. Most
> of it is actually test code though!
>
> Unfortunately, I have bad news. I totally missed that boxbackup has already
> been removed on 23 Sep 2018:
> https://tracker.debian.org/news/989096/boxbackup-removed-from-testing/
> That's a bummer, because the freeze guidelines rule out migration of packages
> that aren't part of testing since beginning of February (cf.
> https://release.debian.org/buster/freeze_policy.html).
>
> Sorry about that, that's totally on me, I should have been more vocal about
> this end of last year and totally dropped the ball here.
>
> I guess we'll have to go the backports route then.
>
> Best,
> -rt
> --
> regards,
> Reinhard
Bug#928959: marked as done (papi: DFSG-unfree file in source)
Your message dated Sun, 09 Jun 2019 20:10:26 + with message-id and subject line Bug#928959: fixed in papi 5.7.0+dfsg-1 has caused the Debian Bug report #928959, regarding papi: DFSG-unfree file in source to be marked as done.

--
928959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928959

--- Begin Message ---
Source: papi
Version: 5.7.0-1
Severity: serious

At least one file in this package fails to permit derivative works:

spwhitton@iris:~/tmp/papi>head -n15 src/components/appio/tests/iozone/fileop.c
/*
 * Author: Don Capps
 * 3/13/2006
 *
 * Author: Don Capps (ca...@iozone.org)
 * 7417 Crenshaw
 * Plano, TX 75025
 *
 * Copyright 2006, 2007, 2008, 2009 Don Capps.
 *
 * License to freely use and distribute this software is hereby granted
 * by the author, subject to the condition that this copyright notice
 * remains intact. The author retains the exclusive right to publish
 * derivative works based on this work, including, but not limited to,
 * revised versions of this work",

--
Sean Whitton
--- End Message ---

--- Begin Message ---
Source: papi
Source-Version: 5.7.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of papi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 928...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann (supplier of updated papi package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 09 Jun 2019 15:45:21 +0200
Source: papi
Binary: libpapi-dev libpapi5.7 libpapi5.7-dbgsym papi-examples papi-tools papi-tools-dbgsym
Architecture: source amd64 all
Version: 5.7.0+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian HPC Team
Changed-By: Andreas Beckmann
Description:
 libpapi-dev - PAPI development files (headers and API documentation)
 libpapi5.7 - PAPI runtime (shared libraries)
 papi-examples - PAPI example files and test programs
 papi-tools - PAPI utilities
Closes: 928367 928959
Changes:
 papi (5.7.0+dfsg-1) experimental; urgency=medium
 .
   * Repack upstream tarball to remove src/components/appio/tests/iozone/*
     which does not permit distribution of derivative works.
     (Closes: #928959)
   * Remove unused convenience copies from repacked tarball.
   * Update debian/copyright.
   * Restore support for changing the SOVERSION frequently.
   * Change SONAME to libpapi.so.5.7. (Closes: #928367)
   * Bump libpfm4-dev B-D to >= 4.10.1+git7.
   * Upload to experimental.
Bug#928367: marked as done (libpapi5: SOVERSION is too wide for the runtime check in PAPI_library_init())
Your message dated Sun, 09 Jun 2019 20:10:26 + with message-id and subject line Bug#928367: fixed in papi 5.7.0+dfsg-1 has caused the Debian Bug report #928367, regarding libpapi5: SOVERSION is too wide for the runtime check in PAPI_library_init() to be marked as done.

--
928367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928367

--- Begin Message ---
Source: papi
Version: 5.7.0-1
Severity: serious
Tags: upstream
Forwarded: https://groups.google.com/a/icl.utk.edu/forum/#!topic/perfapi-devel/Qgv4BpZl64U

applications built against libpapi5 (5.6.*-*) don't run with libpapi5 (5.7.*-*) (and vice versa and for all other mismatching major.minor combinations as well) due to the runtime check in PAPI_library_init() and the way PAPI_library_init() is to be called.

Andreas
--- End Message ---
Bug#928089: marked as done (chromium: crash when opening a new instance)
Your message dated Sun, 09 Jun 2019 19:24:21 + with message-id and subject line Bug#927913: fixed in chromium 75.0.3770.10-1 has caused the Debian Bug report #927913, regarding chromium: crash when opening a new instance to be marked as done.

--
927913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927913

--- Begin Message ---
Package: chromium
Version: 74.0.3729.108-1
Severity: grave
Justification: renders average web browser use impossible

Hello,

On a recent upgrade to Chromium 74.0.3729.108-1, any attempts to open a new instance of the browser (via the app launcher or by clicking an external link) hang for several seconds before crashing the previous Chromium instance and opening a new window. This causes work to be potentially lost. Downgrading to version 73.0.3683.75-1 in testing makes the problem go away.

I can reproduce this with two systems, one running the NVIDIA binary driver (version 418.56-2 in unstable) and another running an Intel iGPU. Based on the command line output I've seen, I think the graphics setup might be related?
On my NVIDIA system, running chromium from the terminal gives this:

$ chromium
[17554:17554:0427/125307.938566:ERROR:vaapi_wrapper.cc(335)] vaInitialize failed: unknown libva error

Then I tried to install vdpau-va-driver and got this instead:

james@intrepid:~$ chromium
[13422:13422:0427/124503.122545:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122582:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 0 and entrypoint 1
[13422:13422:0427/124503.122591:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122596:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 1 and entrypoint 1
[13422:13422:0427/124503.122601:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122606:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 2 and entrypoint 1
[13422:13422:0427/124503.122612:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122616:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 3 and entrypoint 1
[13422:13422:0427/124503.122621:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122626:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 5 and entrypoint 1
[13422:13422:0427/124503.122632:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122636:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 6 and entrypoint 1
[13422:13422:0427/124503.122640:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122643:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 7 and entrypoint 1
[13422:13422:0427/124503.122647:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122650:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 8 and entrypoint 1
[13422:13422:0427/124503.122654:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122658:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 9 and entrypoint 1
[13422:13422:0427/124503.122662:ERROR:vaapi_wrapper.cc(684)] vaQuerySurfaceAttributes failed VA error: invalid parameter
[13422:13422:0427/124503.122666:ERROR:vaapi_wrapper.cc(574)] GetMaxResolution failed for va_profile 10 and entrypoint 1
[13375:13375:0427/124511.868642:ERROR:http_bridge.cc(127)] Not implemented reached in virtual void syncer::HttpBridgeFactory::OnSignalReceived()
[13375:13403:0427/124511.949307:ERROR:browser_process_sub_thread.cc(217)] Waited 13 ms for network service

On my Intel system I see the following:

$ chromium
(chromium:17594): Gtk-WARNING **: 13:04:19.122: Theme parsing error: gtk.css:68:35: The style property GtkButton:child-displacement-x is deprecated and shouldn't be used anymore. It will be removed in a future version
(chromium:17594): Gtk-WARNING **: 13:04:19.122: Theme parsing error: gtk.css:69:35: The style property GtkButton:child-displacement-y is deprecated and shouldn't be used anymore. It will be removed in a future version
(chromium:17594): Gtk-WARNING **:
Bug#927913: marked as done (Second chromium kills the first one, and we see "Restore pages?")
Your message dated Sun, 09 Jun 2019 19:24:21 + with message-id and subject line Bug#927913: fixed in chromium 75.0.3770.10-1 has caused the Debian Bug report #927913, regarding Second chromium kills the first one, and we see "Restore pages?" to be marked as done.

--
927913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927913

--- Begin Message ---
Package: chromium
Version: 74.0.3729.108-1
Severity: important

$ chromium &
$ sleep 22
$ chromium &

The second one kills the first one, and we see "Restore pages?"
--- End Message ---

--- Begin Message ---
Source: chromium
Source-Version: 75.0.3770.10-1

We believe that the bug you reported is fixed in the latest version of chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 927...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert (supplier of updated chromium package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jun 2019 18:35:36 +
Source: chromium
Architecture: source
Version: 75.0.3770.10-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Chromium Team
Changed-By: Michael Gilbert
Closes: 926032 927913 929026
Changes:
 chromium (75.0.3770.10-1) experimental; urgency=medium
 .
   * New upstream development release.
     - Fixes crash when launching chromium a second time (closes: #927913).
   * Document how to use widevine in README.debian (closes: #929026).
   * Apply vaapi update from the Fedora chromium 73 package (closes: #926032).
Bug#927997: marked as done (Opening a link from a mail client restarts chromium)
Your message dated Sun, 09 Jun 2019 19:24:21 + with message-id and subject line Bug#927913: fixed in chromium 75.0.3770.10-1 has caused the Debian Bug report #927913, regarding Opening a link from a mail client restarts chromium to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 927913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927913 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: chromium Version: 74.0.3729.108-1 Severity: important Whenever I click on a link in evolution or thunderbird it takes a long time until chromium (which is configured as the default browser) comes up with the page. When it comes up, it'll show only the current link and all other tabs are gone, but instead it tells me that it was not shut down correctly and offers me to restore the old tabs. All worked well with any version prior to this one. 
Michael -- System Information: Debian Release: 10.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information --- End Message --- --- Begin Message --- Source: chromium Source-Version: 75.0.3770.10-1 We believe that the bug you reported is fixed in the latest version of chromium, which is due to be installed in the
Bug#903635: This is RC; breaks unrelated software
Hi Jonathan,

On Wed, Apr 24, 2019 at 08:04:43PM +0100, Jonathan Dowland wrote: > severity 903635 critical > thanks > > Justification: "makes unrelated software on the system (or the whole system) break" > > Installing docker.io changed my FORWARD chain policy to DROP, breaking networking for unrelated virsh-based VMs that I had installed on the machine at the time. This matches exactly the text for severity: serious.

Could you provide more info about "changed my FORWARD chain policy to DROP"? I added `"iptables": false` to `/etc/docker/daemon.json`. Then rebooted my laptop. Then ran `iptables-save`. The result is

```
# Generated by xtables-save v1.8.2 on Mon Jun 10 01:22:35 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Jun 10 01:22:35 2019
```

The FORWARD policy is ACCEPT. The original bug is true in that docker still adds an empty chain when iptables=false is set. But IMHO your justification is not real.

-- Shengjing Zhu
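The check described in the message above (dump the ruleset, read the FORWARD policy, note the leftover DOCKER-USER chain) can be scripted. This is an added example, not code from the thread or from Docker: the function names are hypothetical, `PAGE_DUMP` is the dump quoted in the message, and `DROP_DUMP` is a constructed variant with a DROP policy for comparison.

```python
"""Audit `iptables-save` output for the FORWARD-chain condition in Bug#903635."""

# Dump quoted in the message above (iptables=false set in daemon.json).
PAGE_DUMP = """\
# Generated by xtables-save v1.8.2 on Mon Jun 10 01:22:35 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Jun 10 01:22:35 2019
"""

# Constructed sample (not from the page): same host with a DROP policy.
DROP_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str | None, "rules": [str]}}}.

    Chain declarations look like ":FORWARD ACCEPT [0:0]"; user-defined
    chains carry "-" instead of a policy. Rules are "-A <chain> ..." lines,
    optionally prefixed with "[pkts:bytes]" when saved with counters.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # counter prefix from `iptables-save -c`
            line = line.partition("] ")[2]
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table: {raw!r}")
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):
            chain = line.split()[1]
            table.setdefault(chain, {"policy": None, "rules": []})["rules"].append(line)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return tables


def jump_target(rule):
    """Return the target of -j/-g in a rule line, or None if it has none."""
    tokens = rule.split()
    for flag in ("-j", "-g"):
        if flag in tokens[:-1]:
            return tokens[tokens.index(flag) + 1]
    return None


def audit_forward(text):
    """Return [(code, detail)] findings for the filter table's FORWARD chain."""
    filt = parse_iptables_save(text).get("filter", {})
    forward = filt.get("FORWARD")
    if forward is None:
        return [("no-forward-chain", "filter/FORWARD missing from dump")]
    findings = []
    if forward["policy"] != "ACCEPT":
        findings.append(("forward-policy-not-accept",
                         f"FORWARD policy is {forward['policy']}: forwarded traffic "
                         "matching no ACCEPT rule (e.g. from VM bridges) is dropped"))
    for name, chain in filt.items():
        if chain["policy"] is not None or not name.startswith("DOCKER"):
            continue  # built-in chain, or not a Docker-created chain
        # A chain whose rules all RETURN (or that has none) filters nothing.
        if all(jump_target(r) == "RETURN" for r in chain["rules"]):
            callers = sorted({r.split()[1] for c in filt.values()
                              for r in c["rules"] if jump_target(r) == name})
            findings.append(("noop-docker-chain",
                             f"{name} has no filtering rules; jumped to from "
                             f"{', '.join(callers) or 'nowhere'}"))
    return findings


if __name__ == "__main__":
    for label, dump in (("page dump", PAGE_DUMP), ("constructed DROP dump", DROP_DUMP)):
        print(label)
        for code, detail in audit_forward(dump):
            print(f"  {code}: {detail}")
```
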
Bug#928107: marked as done (shim-signed: FTBFS in buster (unmet build-depends))
Your message dated Sun, 09 Jun 2019 17:03:22 + with message-id and subject line Bug#928107: fixed in shim-signed 1.33 has caused the Debian Bug report #928107, regarding shim-signed: FTBFS in buster (unmet build-depends) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 928107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928107 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: src:shim-signed Version: 1.30 Severity: serious Tags: ftbfs Dear maintainer: I tried to build this package in buster but it failed because the build-depends may not be met in buster. This is the final message given by sbuild: package: sbuild-build-depends-shim-signed-dummy version: 0.invalid.0 architecture: amd64 unsat-dependency: shim-unsigned:amd64 (= 15+1533136590.3beb971-5) If this is really a bug in the shim-unsigned package in testing, for not providing the exact functionality required by src:shim-signed to build, and it needs to be reuploaded again, so be it, but then please reassign this to shim-unsigned and use "affects src:shim-signed". I see that both shim-signed and shim-unsigned are maintained by the same team, so I really hope you can reach to an agreement here. On the other hand, if we are going to release buster with unbuildable packages, which imo we should never do, then this bug should be marked buster-ignore, but the way I read Release Policy this is not automatic and the maintainer should ask for permission to use buster-ignore first. Thanks. 
--- End Message --- --- Begin Message --- Source: shim-signed Source-Version: 1.33 We believe that the bug you reported is fixed in the latest version of shim-signed, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 928...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Steve McIntyre <93...@debian.org> (supplier of updated shim-signed package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sun, 09 Jun 2019 17:32:54 +0100 Source: shim-signed Architecture: source Version: 1.33 Distribution: unstable Urgency: medium Maintainer: Debian EFI Team Changed-By: Steve McIntyre <93...@debian.org> Closes: 928107 Changes: shim-signed (1.33) unstable; urgency=medium . * Build against new signed binaries corresponding to 15+1533136590.3beb971-7 * Update Build-Depends and Depends to match. Closes: #928107 * Drop the hard-coded version in Built-Using; pick up the version of shim we're using properly. 
* Display the sha256sums of the binaries as we check them
Bug#928052: CVE-2019-11502 CVE-2019-11503
Hi, I have not reviewed the whole patch but the following appeared on my radar while reviewing: On Sun, Jun 09, 2019 at 05:09:15PM +0900, Kentaro Hayashi wrote: > + [ Kentaro Hayashi ] > + * Non-maintainer upload. > + * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp > +directory. (Closes: #928052) This should not close the bug yet as it only addresses CVE-2019-11502. #928052 tracks both CVE-2019-11502 and CVE-2019-11503. So unless I miss something the changes to fix CVE-2019-11503 are missing yet. Regards, Salvatore
Processed: found 930276 in 2.2.5-1
Processing commands for cont...@bugs.debian.org: > found 930276 2.2.5-1 Bug #930276 [src:vlc] vlc: multiple vulnerabilities fixed in 3.0.7 release Marked as found in versions vlc/2.2.5-1. > thanks Stopping processing here. Please contact me if you need assistance. -- 930276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930276 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 930276 in 2.2.6-6
Processing commands for cont...@bugs.debian.org: > # for BTS graph > found 930276 2.2.6-6 Bug #930276 [src:vlc] vlc: multiple vulnerabilities fixed in 3.0.7 release Ignoring request to alter found versions of bug #930276 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 930276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930276 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 930276 in 2.2.6-6
Processing commands for cont...@bugs.debian.org: > # for BTS graphx > found 930276 2.2.6-6 Bug #930276 [src:vlc] vlc: multiple vulnerabilities fixed in 3.0.7 release Marked as found in versions vlc/2.2.6-6. > thanks Stopping processing here. Please contact me if you need assistance. -- 930276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930276 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#930276: vlc: multiple vulnerabilities fixed in 3.0.7 release
Source: vlc Version: 3.0.6-1 Severity: grave Tags: security upstream Justification: user security hole Control: fixed -1 3.0.7-1 Control: found -1 3.0.6-0+deb9u1 Hi Given there are no CVEs for the respective issues (so far) add a single tracking bug in the BTS to get a reference, fixed already in 3.0.7-1 in unstable: vlc (3.0.7-1) unstable; urgency=high . * New upstream release. - Fix multiple integer overflows. - Fix multiple buffer overflows. - Fix use-after-free issue. - Fix NULL pointer dereference. - Fix other memory access bugs and infinite loops. * debian/rules: Be explicit about --enable-debug/disable-debug. Regards, Salvatore
Processed: vlc: multiple vulnerabilities fixed in 3.0.7 release
Processing control commands: > fixed -1 3.0.7-1 Bug #930276 [src:vlc] vlc: multiple vulnerabilities fixed in 3.0.7 release Marked as fixed in versions vlc/3.0.7-1. > found -1 3.0.6-0+deb9u1 Bug #930276 [src:vlc] vlc: multiple vulnerabilities fixed in 3.0.7 release Marked as found in versions vlc/3.0.6-0+deb9u1. -- 930276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930276 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#929718: marked as done (gdcm: FTBFS: dh_makeshlibs: failing due to earlier errors)
Your message dated Sun, 09 Jun 2019 18:30:55 +0200 with message-id <8d05af5ddcf9bd88135a40d1fc775e60032779bb.ca...@gmail.com> and subject line gdcm: FTBFS: dh_makeshlibs: failing due to earlier errors has caused the Debian Bug report #929718, regarding gdcm: FTBFS: dh_makeshlibs: failing due to earlier errors to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 929718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929718 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: gdcm Version: 2.8.8-6 Severity: serious Tags: buster sid User: debian...@lists.debian.org Usertags: qa-ftbfs-20190529 qa-ftbfs Justification: FTBFS in buster on amd64 Hi, During a rebuild of all packages in buster (in a buster chroot, not a sid chroot), your package failed to build on amd64. Relevant part (hopefully): > make[1]: Entering directory '/<>' > # do not compress .map file for doxygen graph > dh_compress -X.map -X.pdf > make[1]: Leaving directory '/<>' >dh_fixperms -O--buildsystem=cmake\+ninja >dh_clifixperms -O--buildsystem=cmake\+ninja >dh_missing -O--buildsystem=cmake\+ninja >dh_strip -O--buildsystem=cmake\+ninja >dh_makeshlibs -O--buildsystem=cmake\+ninja > dpkg-gensymbols: error: some symbols or patterns disappeared in the symbols > file: see diff output below > dpkg-gensymbols: warning: debian/libvtkgdcm2.8a/DEBIAN/symbols doesn't match > completely debian/libvtkgdcm2.8a.symbols > --- debian/libvtkgdcm2.8a.symbols (libvtkgdcm2.8a_2.8.8-6_amd64) > +++ dpkg-gensymbolspIQKll 2019-05-29 05:16:07.185014757 + 
> @@ -855,17 +855,17 @@ > _ZN31vtkImageMapToWindowLevelColors2D1Ev@Base 2.8.7 > _ZN31vtkImageMapToWindowLevelColors2D2Ev@Base 2.8.7 > _ZN4gdcm11DataElement12SetByteValueEPKcNS_2VLE@Base 2.8.7 > - (arch-bits=64)_ZN4gdcm12SmartPointerINS_15SequenceOfItemsEEaSEPS1_@Base > 2.8.7-2~ > +#MISSING: 2.8.8-6# > (arch-bits=64)_ZN4gdcm12SmartPointerINS_15SequenceOfItemsEEaSEPS1_@Base > 2.8.7-2~ > _ZN4gdcm12SmartPointerINS_5ValueEEaSEPS1_@Base 2.8.7 > _ZN4gdcm20BitmapToBitmapFilterD1Ev@Base 2.8.7 > _ZN4gdcm20BitmapToBitmapFilterD2Ev@Base 2.8.7 > - > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadINS_6StringILc92ELj16ELc32EvPT_mRSi@Base > 2.8.7 > +#MISSING: 2.8.8-6# > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadINS_6StringILc92ELj16ELc32EvPT_mRSi@Base > 2.8.7 > > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadINS_6StringILc92ELj64ELc0EvPT_mRSi@Base > 2.8.7 > > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadINS_6StringILc92ELj64ELc32EvPT_mRSi@Base > 2.8.7 > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadIdEEvPT_mRSi@Base 2.8.7 > _ZN4gdcm22EncodingImplementationILi74550907EE4ReadIiEEvPT_mRSi@Base 2.8.7-2~ > > _ZN4gdcm22EncodingImplementationILi74550907EE5WriteINS_6StringILc92ELj64ELc0EvPKT_mRSo@Base > 2.8.7 > - > (arch-bits=64)_ZN4gdcm22EncodingImplementationILi74550907EE5WriteINS_6StringILc92ELj64ELc32EvPKT_mRSo@Base > 2.8.7-2~ > +#MISSING: 2.8.8-6# > (arch-bits=64)_ZN4gdcm22EncodingImplementationILi74550907EE5WriteINS_6StringILc92ELj64ELc32EvPKT_mRSo@Base > 2.8.7-2~ > _ZN4gdcm4ItemD1Ev@Base 2.8.7 > _ZN4gdcm4ItemD2Ev@Base 2.8.7 > _ZN4gdcm6Object10UnRegisterEv@Base 2.8.7 > dh_makeshlibs: failing due to earlier errors > make: *** [debian/rules:49: binary] Error 2 The full build log is available from: http://qa-logs.debian.net/2019/05/29/gdcm_2.8.8-6_testing.log A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute! 
About the archive rebuild: The rebuild was done on EC2 VM instances from Amazon Web Services, using a clean, minimal and up-to-date chroot. Every failed build was retried once to eliminate random failures. --- End Message --- --- Begin Message --- Version: 2.8.8-9--- End Message ---
Processed: Re: provide type definitions for node-ast-types
Processing control commands: > block -1 by 929829 Bug #930267 [node-ast-types] provide type definitions for node-ast-types 930267 was blocked by: 930269 909427 930267 was blocking: 930266 Added blocking bug(s) of 930267: 929829 -- 930267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930267 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#929983: ipxe-qemu: virtio booting no longer works after upgrade to buster
On Wed, Jun 05, 2019 at 01:24:06AM +0200, Thorsten Glaser wrote:
[...]
> I’ll attach the virsh dumpxml output below; I had reinstalled Debian
> using an e1000 NIC and netboot in the meantime and reverted to virtio
> afterwards, but I’m pretty sure this is reproducible even on other
> virtualisation hosts, I will try that tomorrow.
>

I just tested with plain qemu, and it looks good.

qemu-system-x86_64 -m 2G -cpu host -accel kvm -device virtio-net-pci,netdev=net0 -netdev user,id=net0 -nographic

---BEGIN---
SeaBIOS (version 1.12.0-1)
iPXE (http://ipxe.org) 00:03.0 C980 PCI2.10 PnP PMM+7FF90020+7FED0020 C980
Booting from Hard Disk...
Boot failed: could not read the boot disk
Booting from Floppy...
Boot failed: could not read the boot disk
Booting from DVD/CD...
Boot failed: Could not read from CDROM (code 0003)
Booting from ROM...
iPXE (PCI 00:03.0) starting execution...ok
iPXE initialising devices...ok
iPXE 1.0.0+git-20190125.36a4c85-1 -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP iSCSI NFS TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT
net0: 52:54:00:12:34:56 using virtio-net on :00:03.0 (open)
[Link:up, TX:0 TXE:0 RX:0 RXE:0]
Configuring (net0 52:54:00:12:34:56).. ok
net0: 10.0.2.15/255.255.255.0 gw 10.0.2.2
net0: fec0::5054:ff:fe12:3456/64 gw fe80::2
net0: fe80::5054:ff:fe12:3456/64
Nothing to boot: No such file or directory (http://ipxe.org/2d03e13b)
No more network devices
iPXE>
---END---
Processed: Re: Processed: control
Processing commands for cont...@bugs.debian.org: > tags 929567 fixed-upstream Bug #929567 [emacs-gtk] libgtk-3-0:amd64: Emacs constantly crashes on startup with "X protocol error: BadLength..." Added tag(s) fixed-upstream. > End of message, stopping processing here. Please contact me if you need assistance. -- 929567: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929567 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Processed: control
Processing commands for cont...@bugs.debian.org: > found 929567 1:25.2+1-11 Bug #929567 [emacs-gtk] libgtk-3-0:amd64: Emacs constantly crashes on startup with "X protocol error: BadLength..." Marked as found in versions emacs/1:25.2+1-11. > thanks Stopping processing here. Please contact me if you need assistance. -- 929567: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929567 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: fixed 912637 in 7.22-21, fixed 912638 in 7.22-21, fixed 912639 in 7.22-21, tagging 885497 ...
Processing commands for cont...@bugs.debian.org: > fixed 912637 7.22-21 Bug #912637 {Done: Moshe Piekarski } [wordplay] wordplay: broken silent option Marked as fixed in versions wordplay/7.22-21. > fixed 912638 7.22-21 Bug #912638 {Done: Moshe Piekarski } [wordplay] wordplay: Cannot include space in input string Marked as fixed in versions wordplay/7.22-21. > fixed 912639 7.22-21 Bug #912639 {Done: Moshe Piekarski } [wordplay] wordplay: No multiword anagrams Marked as fixed in versions wordplay/7.22-21. > tags 885497 + experimental Bug #885497 {Done: Dmitry Smirnov } [src:xpra] xpra: Depends on unmaintained pygtk Added tag(s) experimental. > tags 834089 + experimental Bug #834089 {Done: Mathieu Mirmont } [socklog-run] runit: breaks users of runit: ln: failed to create symbolic link '/etc/service/bcron-sched': No such file or directory Added tag(s) experimental. > fixed 911732 0.14.0-3 Bug #911732 {Done: "Chris Lamb" } [hiredis] Please backport 0.14.0 to stretch-backports There is no source info for the package 'hiredis' at version '0.14.0-3' with architecture '' Unable to make a source version for version '0.14.0-3' Marked as fixed in versions 0.14.0-3. > thanks Stopping processing here. Please contact me if you need assistance. -- 834089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834089 885497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885497 911732: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911732 912637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912637 912638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912638 912639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912639 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Processed: control
Processing commands for cont...@bugs.debian.org: > reassign 929567 emacs-gtk 1:26.1+1-3.2 Bug #929567 [emacs] libgtk-3-0:amd64: Emacs constantly crashes on startup with "X protocol error: BadLength..." Bug reassigned from package 'emacs' to 'emacs-gtk'. Ignoring request to alter found versions of bug #929567 to the same values previously set Ignoring request to alter fixed versions of bug #929567 to the same values previously set Bug #929567 [emacs-gtk] libgtk-3-0:amd64: Emacs constantly crashes on startup with "X protocol error: BadLength..." Marked as found in versions emacs/1:26.1+1-3.2. > thanks Stopping processing here. Please contact me if you need assistance. -- 929567: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929567 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#908678: Update on the security-tracker git discussion
On Sat, Jun 08, 2019 at 06:29:24PM +0200, Salvatore Bonaccorso wrote: > Notes on possible CVE/list splits > - [...] After a face-to-face conversation with Daniel, Daniel suggested to create a priority list out of that, we will follow up on that (ideally as a gitlab task-list) here with a link once we have made up our minds on it. Regards, Salvatore
Bug#909286: Please close
I wonder whether this bug should be closed. The behaviour described in the report no longer exists in version 67.0.1. (There is a warning about live bookmarks, though, but that's - I'd say - a different problem.) --Martin
Bug#908678: Update on the security-tracker git discussion
Hi Salvatore,

On Sat, Jun 08, 2019 at 06:29:24PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, Jun 06, 2019 at 06:11:53PM +0200, Salvatore Bonaccorso wrote:
> > Hi Daniel,
> >
> > On Thu, Jun 06, 2019 at 08:35:47AM +0200, Daniel Lange wrote:
> > > On 06.06.19 at 07:31, Salvatore Bonaccorso wrote:
> > > > Could you again point me to your split-up variant mirror?
> > >
> > > https://git.faster-it.de/debian_security_security-tracker_split_files/
> >
> > Thanks!
> >
> > While starting to look at it, could you change the splitting to
> > $year.list instead of list.$year? I know this comes from the initial
> > script which was committed. It is though more intuitive working with
> > $work.something than something.$year in this context.
>
> Thanks to Daniel for providing the converted repository (with list
> named as well the other way around as $year.list, which is more
> intuitive, and looks saner (to me)) which get updated regularly, this
> helps as an extremely good basis.
>
> Below are some thoughts which I started thinking of during the last few
> days, please note it might not yet be complete. Please as well try to
> not push/force us too much -- whilst we understand the issue, and see
> that something whatever the solution is (split, move somewhere else)
> -- we have regularly more serious issues popping up we want and need
> to look at those. But we acknowledge and see as well salsa admin
> point of view.
>
> That said, here is what I have at the moment, some are easy, some
> will/might be more involving.
>
> Notes on possible CVE/list splits
> ---------------------------------
>
> - workflows on files itself by most active users. Often kept open
>   cross-checking issues all issues in one file. But this will "just"
>   need other ways to deal with the situation by the persons working
>   most on it.
> - Code of security-tracker service and python modules itself which
>   currently rely on the data/*/list formats (DSA, DLA, CVE, ...) This
>   could probably be split up and use data/*/*.list
> - Externally called but included in code: update script which fetches
>   MITRE list and integrates all needed changes (see further below).
> - bin/bts-update (called from scripts/update-CVE-assignments in cron of
>   the security-tracker-services) operates based on data/CVE/list and
>   keeps track of the already tagged bugs by comparing with an 'oldlist'.
>   The oldlist is copied on a run on soriano.debian.org as 'state' file
>   similar to logrotate's statefile (cron).
> - bin/check-new-issues: parsing of TODO and checks for the new issues is
>   as well based on 'data/CVE/list' existence and parsing. After a split
>   up the interactive commands should still be able to navigate through
>   the items.
> - bin/check-syntax: Check syntax of the various lists based on the
>   security-tracker parser for the lists. make check-syntax from the
>   Makefile, pre-commit hook or C/I tests are all using this script for
>   syntax check. Depends on CVEfile as well from python/bugs.py. Relevant
>   here is the check-syntax target from the Makefile. At SVN times this
>   was actually only testing the syntax of the changed files, but now it
>   just runs make check-syntax.
> - bin/compare-nvd-cve reads from data/CVE/list and this is probably
>   easier to adapt and it's used basically in a "experimental" target in
>   Makefile for update-compare-nvd target. AFAICS this is just reading
>   the information should be easy to adapt to any split up setup.
> - bin/gen-{DSA,DLA}: Used the data/CVE/list for sanity check for
>   presence of the CVE.
> - bin/get-todo-items (this script is currently not working correctly and
>   it's implemented already via the webview, so need to consider if we
>   actually still need it).
> - bin/inject-embedded-code-copies (experimental script, not
>   actively used)
> - bin/rejected-with-info relies on data/CVE/list directly, but will be
>   potentially easily adaptable in a split setup.
> - bin/setup-repo: checks for data/CVE/list just to make sure it's the
>   right repo.
> - bin/report-vuln uses CVEFile (from python/bugs.py).
> - bin/update and bin/updatelist: Parses DSA/DTSA/DLA list and
>   data/CVE/list adding new entries from MITRE feed and crossreferences
>   for the DSA/DLA's to a new data/CVE/list which then in the cronjob on
>   soriano will be committed. That is one processing those files in a
>   split setup this will need continue to work.
> - bin/update-db (Used triggered by Makefile target to update security.db
>   sqlite database).
> - bin/update-nvd (possibly dependency on the CVE lists via the used
>   modules but not directly).
> - data/config.json contains the sources for CVE, DSA, DLA and extended
>   lists. Currently path thus will be a path component starting from
>   data, e.g. for CVE files path is '/CVE/list'. See as well "Setting up
>   an extended instance" in the documentation.
> - lib/python/bugs.py contains the classes CVEFile, DSAFile,
Bug#928420: marked as done (php-imagick: CVE-2019-11037)
Your message dated Sun, 09 Jun 2019 10:18:27 + with message-id and subject line Bug#928420: fixed in php-imagick 3.4.3-4.1 has caused the Debian Bug report #928420, regarding php-imagick: CVE-2019-11037 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 928420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928420 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: php-imagick Version: 3.4.3~rc2-2 Severity: grave Tags: security upstream Forwarded: https://bugs.php.net/bug.php?id=77791 Hi, The following vulnerability was published for php-imagick. CVE-2019-11037[0]: | In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing | to an array of values in ImagickKernel::fromMatrix() function did not | check that the address will be within the allocated array. This could | lead to out of bounds write to memory if the function is called with | the data controlled by untrusted party. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-11037 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11037 [1] https://bugs.php.net/bug.php?id=77791 Regards, Salvatore --- End Message --- --- Begin Message --- Source: php-imagick Source-Version: 3.4.3-4.1 We believe that the bug you reported is fixed in the latest version of php-imagick, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 928...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Dominik George (supplier of updated php-imagick package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 06 Jun 2019 11:33:10 +0200 Source: php-imagick Binary: php-imagick php-imagick-dbgsym Architecture: source amd64 Version: 3.4.3-4.1 Distribution: unstable Urgency: high Maintainer: Debian PHP PECL Maintainers Changed-By: Dominik George Description: php-imagick - Provides a wrapper to the ImageMagick library Closes: 928420 Changes: php-imagick (3.4.3-4.1) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2019-11037. (Closes: #928420)
Bug#930248: RM: gnome-xcf-thumbnailer -- RC buggy, dead-upstream, unmaintained, obsolete
Package: gnome-xcf-thumbnailer
Severity: serious

gnome-xcf-thumbnailer is currently RC buggy with 2 bugs:

#655465 [S| | ] [gnome-xcf-thumbnailer] No thumbnails created in Gnome 3.2.1
#886072 [S| | ] [src:gnome-xcf-thumbnailer] gnome-xcf-thumbnailer: Depends on gconf

However, at least on my system, xcf thumbnails are still generated in Gnome so it seems that this package is obsolete anyway. It is for sure dead-upstream (last release 10 years ago) and it seems to be unmaintained in Debian. Thus I suggest to RM this package.

Dear maintainer, if you disagree, just close this bug. If you agree, please reassign this bug to ftp.d.o to make the RM happen. I will do that in exactly 3 months from now when there is no answer on this bug.

-- Cheers, tobi
Bug#929903: marked as done (m2crypto: testing for a fixed openssl causing test case regression)
Your message dated Sun, 09 Jun 2019 08:50:12 + with message-id and subject line Bug#929903: fixed in m2crypto 0.31.0-4 has caused the Debian Bug report #929903, regarding m2crypto: testing for a fixed openssl causing test case regression to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 929903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929903 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: openssl Version: 1.1.1c-1 Severity: serious The m2crypto test suite fails with c, passes with b. The error log https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/2436983/log.gz The testsuite complains about a missing error / the exception is not raised. The bisect says, this happens since |commit f61c68043d3bd2ad9718d356e7988ee2fdfc3621 | Author: Bernd Edlinger | Date: Thu Feb 28 10:08:18 2019 +0100 | | Fix memory overrun in rsa padding check functions | | Fixes #8364 and #8357 | | Reviewed-by: Kurt Roeckx | (Merged from https://github.com/openssl/openssl/pull/8365) | | (cherry picked from commit d7f5e5ae6d53f1387a42d210806cf5e9ed0882d6) Kurt, can you check if this is an error in the testsuite or something legal? Sebastian --- End Message --- --- Begin Message --- Source: m2crypto Source-Version: 0.31.0-4 We believe that the bug you reported is fixed in the latest version of m2crypto, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 929...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Daniel Stender (supplier of updated m2crypto package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 09 Jun 2019 09:42:32 +0200 Source: m2crypto Binary: m2crypto-doc python-m2crypto python-m2crypto-dbgsym Architecture: all source Version: 0.31.0-4 Distribution: unstable Urgency: medium Maintainer: Daniel Stender Changed-By: Daniel Stender Closes: 929903 Description: m2crypto-doc - Python wrapper for the OpenSSL library (docs) python-m2crypto - Python wrapper for the OpenSSL library (Python 2 modules) Changes: m2crypto (0.31.0-4) unstable; urgency=medium . * Add a few patches from upstream to avoid a testsuite regression while testing for bug which was fixed in OpenSSL 1.1.1c (Closes: #929903) [thanks to Sebastian Andrzej Siewior]. 
--- End Message ---
Bug#928052: CVE-2019-11502 CVE-2019-11503
control: tags -1 +patch I've tried to fix only CVE-2019-11502 as a challenge. The debdiff patch is added. I hope it will help to fix. diff -Nru snapd-2.37.4/debian/changelog snapd-2.37.4/debian/changelog --- snapd-2.37.4/debian/changelog 2019-03-01 02:21:26.0 +0900 +++ snapd-2.37.4/debian/changelog 2019-06-09 13:49:16.0 +0900 @@ -1,3 +1,12 @@ +snapd (2.37.4-1.1) unstable; urgency=medium + + [ Kentaro Hayashi ] + * Non-maintainer upload. + * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp +directory. (Closes: #928052) + + -- Kentaro Hayashi Sun, 09 Jun 2019 13:49:16 +0900 + snapd (2.37.4-1) unstable; urgency=medium * New upstream release diff -Nru snapd-2.37.4/debian/patches/CVE-2019-11502.patch snapd-2.37.4/debian/patches/CVE-2019-11502.patch --- snapd-2.37.4/debian/patches/CVE-2019-11502.patch 1970-01-01 09:00:00.0 +0900 +++ snapd-2.37.4/debian/patches/CVE-2019-11502.patch 2019-06-09 13:49:16.0 +0900 
@@ -0,0 +1,58 @@ +From bdbfeebef03245176ae0dc323392bb0522a339b1 Mon Sep 17 00:00:00 2001 +From: Zygmunt Krynicki +Date: Mon, 4 Mar 2019 18:40:11 +0100 +Subject: [PATCH] cmd/snap-confine: chown private /tmp parent to root.root +Origin: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928052 +Forwarded: not-needed + +When snap-confine creates a private /tmp directory for a given snap it +first creates a temporary directory in /tmp/ named after the snap, along +with a random name. Inside that directory it creates a /tmp directory +with permissions appropriate for a future /tmp, namely 1777. + +Up until recently the that directory was owned by the user who first +invoked snap-confine. Since the directory is reused by all the users on +the system this logic makes no sense. + +This patch changes the related logic so that the private /tmp directory +is owned by root, just like the real one. + +Signed-off-by: Zygmunt Krynicki + +Drop this patch when this package is upgraded to 2.38 or newer version. 
+This patch includes two commit: + +* https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 +* https://github.com/snapcore/snapd/commit/1d7b5d8bea96139d3d9b301e6c06534d8fc95eff + +--- a/cmd/snap-confine/mount-support.c b/cmd/snap-confine/mount-support.c +@@ -62,8 +62,6 @@ + // TODO: fold this into bootstrap + static void setup_private_mount(const char *snap_name) + { +- uid_t uid = getuid(); +- gid_t gid = getgid(); + char tmpdir[MAX_BUF] = { 0 }; + + // Create a 0700 base directory, this is the base dir that is +@@ -71,8 +69,7 @@ + // + // Under that basedir, we put a 1777 /tmp dir that is then bind + // mounted for the applications to use +- sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%d_%s_XX", uid, +- snap_name); ++ sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%s_XX", snap_name); + if (mkdtemp(tmpdir) == NULL) { + die("cannot create temporary directory essential for private /tmp"); + } +@@ -99,7 +96,7 @@ + // MS_PRIVATE needs linux > 2.6.11 + sc_do_mount("none", "/tmp", NULL, MS_PRIVATE, NULL); + // do the chown after the bind mount to avoid potential shenanigans +- if (chown("/tmp/", uid, gid) < 0) { ++ if (chown("/tmp/", 0, 0) < 0) { + die("cannot change ownership of /tmp"); + } + // chdir to original directory diff -Nru snapd-2.37.4/debian/patches/series snapd-2.37.4/debian/patches/series --- snapd-2.37.4/debian/patches/series 2019-03-01 02:21:26.0 +0900 +++ snapd-2.37.4/debian/patches/series 2019-06-09 13:43:42.0 +0900 @@ -6,3 +6,4 @@ 0006-systemd-disable-snapfuse-system.patch 0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch 0010-man-page-sections.patch +CVE-2019-11502.patch
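Review bot: the new debian/changelog entry carries "(Closes: #928052)", but that bug is titled "CVE-2019-11502 CVE-2019-11503" and this upload only adds d/patches/CVE-2019-11502.patch. As written, the upload would mark the bug done while CVE-2019-11503 is still unaddressed. Either drop the Closes and mention the bug number without closing it, or have the bug cloned per CVE first so that only the CVE-2019-11502 half is closed.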
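Review bot: in debian/patches/CVE-2019-11502.patch the From, Subject and Origin header fields identify only commit bdbfeebef03245176ae0dc323392bb0522a339b1, while the text after Signed-off-by says the patch includes two commits (bdbfeebe... and 1d7b5d8b...). Please either list both URLs under Origin or carry the two commits as separate patch files, so that each change can be matched against upstream when the patch is dropped for 2.38. Moving the packaging remarks ("Drop this patch when ...", "This patch includes two commit:") above the upstream commit message, or into a Comment field, would also keep them from reading as part of Zygmunt Krynicki's signed-off text. On the mount-support.c part: the mkdtemp() template loses the uid, so the base directory becomes shared per snap, and the only ownership change visible here is chown("/tmp/", 0, 0) after the bind mount. It is worth stating in the patch description who owns the 0700 base directory itself, since the Subject speaks of chowning the "private /tmp parent".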
Processed: Re: CVE-2019-11502 CVE-2019-11503
Processing control commands: > tags -1 +patch Bug #928052 [src:snapd] CVE-2019-11502 CVE-2019-11503 Added tag(s) patch. -- 928052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928052 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: monit: CVE-2019-11454 CVE-2019-11455
Processing commands for cont...@bugs.debian.org: > severity 927775 important Bug #927775 {Done: Sergey B Kirpichev } [src:monit] monit: CVE-2019-11454 CVE-2019-11455 Severity set to 'important' from 'grave' > thanks Stopping processing here. Please contact me if you need assistance. -- 927775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
severity 927775 important
thanks

No reasons, so revert back severity.

On Tue, 4 Jun 2019 08:00:43 +0300 Sergey B Kirpichev wrote:
> On Tue, 23 Apr 2019 06:53:03 +0200 Salvatore Bonaccorso wrote:
> > CVE-2019-11454[0]:
> > | Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
> > | Monit before 5.25.3 allows a remote unauthenticated attacker to
> > | introduce arbitrary JavaScript via manipulation of an unsanitized user
> > | field of the Authorization header for HTTP Basic Authentication, which
> > | is mishandled during an _viewlog operation.
> >
> >
> > CVE-2019-11455[1]:
> > | A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
> > | before 5.25.3 allows a remote authenticated attacker to retrieve the
> > | contents of adjacent memory via manipulation of GET or POST
> > | parameters. The attacker can also cause a denial of service
> > | (application outage).
>
> Why severity "grave"? Seems wrong accordingly to the
> description in https://www.debian.org/Bugs/Developer#severities.
Bug#824229: marked as done (metapixel-prepare fails - metapixel: rwpng.c:199: open_png_file_writing: Assertion `0' failed.)
Your message dated Sun, 09 Jun 2019 07:03:22 + with message-id and subject line Bug#824229: fixed in metapixel 1.0.2-8 has caused the Debian Bug report #824229, regarding metapixel-prepare fails - metapixel: rwpng.c:199: open_png_file_writing: Assertion `0' failed. to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 824229: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824229 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: metapixel Version: 1.0.2-7.4+b1 Severity: normal Hi, I'm trying to create a metapixel library using the command metapixel-prepare path/to/src/files metapixel_lib but I'm getting the error message libpng error: Invalid palette metapixel: rwpng.c:199: open_png_file_writing: Assertion `0' failed. Aborted Error running metapixel - skipping file path/to/src/files/foo.jpg for each file in the source directory. -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 4.5.0-2-686-pae (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages metapixel depends on: ii libc62.22-7 ii libgif7 5.1.4-0.1 ii libjpeg62-turbo 1:1.4.2-2 ii libpng16-16 1.6.21-4 ii zlib1g 1:1.2.8.dfsg-2+b1 metapixel recommends no packages. metapixel suggests no packages. 
-- no debconf information --- End Message --- --- Begin Message --- Source: metapixel Source-Version: 1.0.2-8 We believe that the bug you reported is fixed in the latest version of metapixel, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 824...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Tobias Frost (supplier of updated metapixel package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sun, 09 Jun 2019 01:53:30 +0200 Source: metapixel Architecture: source Version: 1.0.2-8 Distribution: unstable Urgency: medium Maintainer: Debian QA Group Changed-By: Tobias Frost Closes: 824229 Changes: metapixel (1.0.2-8) unstable; urgency=medium . * QA upload. * Set maintainer to QA Team. * Switch to dpkg-source 3.0 (quilt) format - The patch had also created files which where already there, with identical content, just lowercased filename. Those are dropped from the patch. - Splitted the patch in two parts: one for libgif, one for libpng * Do not set palette and other optional metadata when writing png files. (Closes: #824229) * Convert to short debhelper format. * Bump compat level to 12 (and B-D on debhelper >=12). * Apply wrap-and-sort, remove trailing whitespaces from d/changelog * Add Homepage field in d/control. * Bump S-V to 4.3.0 -- no changes required * Add packaging repository at salsa.d.o. 
Bug#880047: closed by Peter Palfrader (Re: Bug#880047: postgrey doesn't start because it can't write its pid)
On Wed, May 15, 2019 at 08:12:07AM +, Debian Bug Tracking System wrote: > It seems to me that the default init script that ships with Debian 9 > does not use the directory /var/run/postgrey. postgrey/1.36-3+deb9u2 has worked just fine for me on Debian 9. I didn't experience any problems related to the init script. Peter asked me to try postgrey/1.36-5.1 and when installing that on Debian 9 it continues to work for me across reboots. Helmut