Bug#985085: source review findings - SUSE specific and CVE-2021-25315 does not apply to Debian

2021-03-27 Thread Federico Grau

In brief, like carnil had suggested above, my review and findings concur that
#985085 and CVE-2021-25315 are SUSE specific and do not apply to Debian.
Thanks to Miuku of #suse on freenode for his helpful feedback accessing the
SUSE src.rpm .  I'll leave the bug open a few days, allowing for additional
review and feedback.


Looking closer, as can be seen from the link carnil provided, the SUSE
bugzilla tracker for this issue notes:

"Hi. Upstream was not affected with this issue.
The issue was caused by overlapping of upstream patch and one of our 
patches."
Victor Zhestkov 2021-03-13 13:54:38 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1182382#c16

Reviewing the mitre description for this CVE, it's corrected in the following
two SUSE packages and versions:

- SUSE Linux Enterprise Server 15 SP 3 salt version 3002.2-3
- openSUSE Tumbleweed salt versions after 3002.2-2.1

While I have not yet been able to access the source for the Enterprise Server
fixed salt version (salt-3002.2-8.33.1.src.rpm), the openSUSE fixed salt
version (salt-3002.2-4.1.src.rpm) can be downloaded from the following link
(click "Grab binary packages directly" and then the src.rpm).


https://software.opensuse.org//download.html?project=openSUSE%3AFactory=salt


https://download.opensuse.org/repositories/openSUSE:/Factory/standard/src/salt-3002.2-4.1.src.rpm

The SUSE salt.spec changelog for salt-3002.2-4.1.src.rpm documents fixing this
CVE (by adding the patch Elimar Riesebieter linked to earlier):
* Mon Mar  1 2021 Alexander Graul 
- Bring missing part of async batch implementation back (bsc#1182382)
  (CVE-2021-25315)
https://bugzilla.suse.com/attachment.cgi?id=846239

This same fixed message can be seen in the SUSE Customer Center website, with
links to the fixed SUSE Linux Enterprise Server salt-3002.2-8.33.1.src.rpm
package, that requires a subscription to access (enter "CVE-2021-25315" at the
search prompt).
https://scc.suse.com/patches/



After downloading the src.rpm, source review can mostly be performed on Debian
(see below for sample commands to begin; I did use an openSUSE VM to run
rpmbuild on the src.rpm to get their patched source tree).  
Reading the "fix patch", it only changes one file -- salt/client/__init__.py .

https://bugzilla.suse.com/attachment.cgi?id=846239

Comparing the current Debian testing and unstable salt package version
(3002.5+dfsg1-1) with the latest fixed openSUSE salt version
(salt-3002.2-4.1.src.rpm), the initial upstream client/__init__.py file is
identical.  

The Debian package only applies a single patch to that file, which corrects a
comment typo elsewhere ( debian/patches/Fix-various-spelling-mistakes.patch ).

The SUSE salt RPM has ~160 patches applied to it (vs ~20 patches applied to
the Debian one).  Three of the SUSE salt patches modify the client/__init__.py
file.

While I admit to not being well versed in the Salt codebase, comparing the
various patches it appears that SUSE adopted one approach to implement "eauth"
(their Patch40 async-batch-implementation.patch), and upstream Salt (which
Debian matches) implemented another, and in the process reset the initial SUSE
authentication token parsing.  This becomes very clear comparing an upstream
version of client/__init__.py versus the SUSE patched version (diff or
gvimdiff).  A little curious SUSE continues with their approach and now
patches out the current upstream, but that may be related to their other
patches and the fact that their solution has been in place for several years
now.  

Regardless, I don't see #985085 and CVE-2021-25315 applying to Debian, and
recommend this bug be closed.

regards,
donfede



#
# spec file excerpts and comments, followed by my summary notes at dash (-),
# of the 3x patches affecting client/__init__.py from salt.spec file in
# openSUSE salt-3002.2-4.1.src.rpm 

Patch40: async-batch-implementation.patch
Date: Fri, 16 Nov 2018 17:05:29 +0100 From: Mihai Dinca 
# PATCH-FIX_UPSTREAM https://github.com/saltstack/salt/pull/50546
# PATCH-FIX_UPSTREAM https://github.com/saltstack/salt/pull/51863
 - >> This patch introduces the "overlap" code, including a call to
   batch_get_eauth() nearby the "fix patch" code.

Patch63: fix-memory-leak-produced-by-batch-async-find_jobs-me.patch
Date: Mon, 16 Sep 2019 11:27:30 +0200 From: Mihai Dinca 
# PATCH-FIX_OPENSUSE: 
https://github.com/openSUSE/salt/commit/6af07030a502c427781991fc9a2b994fa04ef32e
 - Minor addition elsewhere.

Patch151: async-batch-implementation-fix-320.patch
Date: Wed, 17 Feb 2021 16:47:11 +0300 From: Victor Zhestkov 
<35733135+vzhest...@users.noreply.github.com>
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/320
 - This is the new "fix patch" code from the SUSE CVE fix; this code is
   present in Debian, but is the only eauth parameter processing present.


#
# sample commands to begin code review of suse 
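The review above boils down to a patch inventory: of the ~160 patches in the SUSE spec, which ones touch salt/client/__init__.py, and what do their hunks for that file look like. The script below is an added shell example, not the sample commands from the report. It assumes the src.rpm has already been unpacked into a single directory (for example with `rpm2cpio salt-3002.2-4.1.src.rpm | cpio -idm`) that holds the .spec file and its patches, and it builds a constructed three-patch toy tree in a temporary directory instead of using the real SUSE sources, so it runs offline.

```shell
#!/bin/sh
# Added example, not the report's own commands: inventory which PatchNN
# entries of an unpacked src.rpm modify a given source file, and print
# only the hunks for that file. Assumes the src.rpm was unpacked into one
# directory (rpm2cpio foo.src.rpm | cpio -idm) holding the .spec and its
# patches. Needs only sh, awk, grep and mktemp.
set -eu

# spec_patches SPEC -> "Patch40 async-batch-implementation.patch" per line,
# in spec order (the order in which rpmbuild -bp applies them).
spec_patches() {
    awk '/^Patch[0-9]*:/ { sub(/:$/, "", $1); print $1, $2 }' "$1"
}

# hunks_for PATCH SRCPATH -> the diff for SRCPATH only (from its "--- "
# header up to the next file header); accepts "--- path" and "--- a/path".
hunks_for() {
    awk -v f="$2" '
        /^--- / { keep = ($2 == f || $2 == ("a/" f)) }
        keep { print }
    ' "$1"
}

# patch_touches PATCH SRCPATH -> true when PATCH modifies SRCPATH
patch_touches() {
    hunks_for "$1" "$2" | grep -q .
}

# patches_touching SRCPATH SPEC PATCHDIR -> "tag file" for every patch
# listed in the spec that modifies SRCPATH; missing patch files go to stderr.
patches_touching() {
    spec_patches "$2" | while read -r tag file; do
        if [ ! -f "$3/$file" ]; then
            echo "warning: $tag: $file not found" >&2
        elif patch_touches "$3/$file" "$1"; then
            printf '%s %s\n' "$tag" "$file"
        fi
    done
}

# --- constructed toy spec and patches (not the real SUSE sources) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/salt.spec" <<'EOF'
Name: salt
Patch40: async-batch-implementation.patch
Patch63: fix-memory-leak.patch
Patch151: async-batch-implementation-fix-320.patch
EOF

cat > "$demo/async-batch-implementation.patch" <<'EOF'
--- a/salt/client/__init__.py
+++ b/salt/client/__init__.py
@@ -1,2 +1,3 @@
 import salt
+eauth = batch_get_eauth()
 pass
EOF

cat > "$demo/fix-memory-leak.patch" <<'EOF'
--- a/salt/cli/batch_async.py
+++ b/salt/cli/batch_async.py
@@ -1 +1 @@
-x = 1
+x = 2
EOF

cat > "$demo/async-batch-implementation-fix-320.patch" <<'EOF'
--- a/salt/client/__init__.py
+++ b/salt/client/__init__.py
@@ -3 +3 @@
-pass
+return eauth
EOF

echo "patches touching salt/client/__init__.py:"
patches_touching salt/client/__init__.py "$demo/salt.spec" "$demo"
echo "hunks for that file from Patch151:"
hunks_for "$demo/async-batch-implementation-fix-320.patch" salt/client/__init__.py
```

On a real unpacked src.rpm, point `patches_touching` at the spec and the unpack directory; because the output is in spec order, reading the listed hunks top to bottom reproduces the sequence in which the distribution's patches rewrote the file, which is what exposes an overlap like the one described above.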

Bug#985883: python3-pep8: Does not install /usr/bin/pep8

2021-03-27 Thread Russell Stuart
On 28/3/21 3:01 am, Andrey Rahmatullin wrote:
> On Thu, Mar 25, 2021 at 07:30:14PM +1000, Russell Stuart wrote:
>> Justification: renders package unusable
>>
>> python3-pep8 does not install the pep8 executable under /bin or
>> /usr/bin.
>
> There is no pep8 executable anymore, and the transitional package that
> shipped a symlink from it to pycodestyle was dropped in 1.7.1-9 in 2020.
> See https://pep8.readthedocs.io/


Fair enough.

For the benefit of people needing a clue like myself, adding a sentence 
to the package description like "If you are looking for the pep8 program, it 
has been renamed to pycodestyle" would be helpful.




Bug#985467: marked as done (guix: Risk of local privilege escalation via guix-daemon)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sun, 28 Mar 2021 03:48:34 +
with message-id 
and subject line Bug#985467: fixed in guix 1.2.0-4
has caused the Debian Bug report #985467,
regarding guix: Risk of local privilege escalation via guix-daemon
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: guix
Version: 1.2.0-3
Severity: important

Dear Maintainer,

Hi,

I saw an announcement that there is a risk of local privilege escalation via
the guix daemon.

https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/

It says that "Machines where the Linux protected hardlinks feature is enabled,
which is common, are also unaffected — this is the case when the contents of
/proc/sys/fs/protected_hardlinks are 1." which appears to be true on my system.

We probably should still apply the fix to our guix-daemon.

Thanks
Diane

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-debug'), (500, 'testing'),
(500, 'stable'), (110, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages guix depends on:
ii  guile-2.2   2.2.7+1-5.4
ii  guile-2.2-libs  2.2.7+1-5.4
ii  guile-gcrypt0.3.0-3
ii  guile-git   0.4.0-3
ii  guile-gnutls3.7.0-7
ii  guile-json  4.3.2-2
ii  guile-lzlib 0.0.2-2
ii  guile-sqlite3   0.1.3-2
ii  guile-ssh   0.13.1-4
ii  guile-zlib  0.0.1-3
ii  libbz2-1.0  1.0.8-4
ii  libc6   2.31-9
ii  libgcc-s1   10.1.0-1
ii  libgcrypt20 1.8.7-3
ii  libsqlite3-03.34.1-3
ii  libssh-dev  0.9.5-1
ii  libstdc++6  10.1.0-1
ii  zlib1g  1:1.2.11.dfsg-2

Versions of packages guix recommends:
ii  nscd 2.31-9
ii  systemd  247.3-1

guix suggests no packages.
--- End Message ---
--- Begin Message ---
Source: guix
Source-Version: 1.2.0-4
Done: Vagrant Cascadian 

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 Mar 2021 19:18:29 -0700
Source: guix
Architecture: source
Version: 1.2.0-4
Distribution: unstable
Urgency: medium
Maintainer: Vagrant Cascadian 
Changed-By: Vagrant Cascadian 
Closes: 983248 985467 985916
Changes:
 guix (1.2.0-4) unstable; urgency=medium
 .
   * debian/patches: Fix privilege escalation issue in
 guix-daemon. (Closes: #985467)
   * debian/patches: Update init script to fix guix-daemon path. Thanks to
 florine forine. (Closes: #983248)
   * Add README.Debian documenting running with sysvinit and describing
 differences with other methods of installing guix. (Closes: #983248)
   * debian/patches: Adjust init script to use the _guixbuild group.
   * sysusers.d/guix-daemon.conf: Explicitly create _guixbuild group to
 workaround a bug in opensysusers.
   * Install /etc/profile.d/guix.sh to ensure proper functioning of guix
 profiles. (Closes: #985916)
Checksums-Sha1:
 f8dfaa4d0377d6f21827a9111098a26a70e8de75 1778 guix_1.2.0-4.dsc
 0e6b5c564022f5a7b9aa7b387934b0da72c69875 36692 guix_1.2.0-4.debian.tar.xz
 b0d0ca7871a4b2a138afb062cbfc9c16285c294c 9742 guix_1.2.0-4_amd64.buildinfo
Checksums-Sha256:
 d7e5a8f680f1d76d83c5e0b8a133ba5c5992cfb5b49a213cd668cde49e1b680c 1778 
guix_1.2.0-4.dsc
 9f935efa05853aef7aeb6f43b1836de278e7e80c3615e320bc644fdf263e679c 36692 
guix_1.2.0-4.debian.tar.xz
 62b019769f4d29b1ecfd095da5751095ae1e8d868f96e09e25cedf564ae08e95 9742 
guix_1.2.0-4_amd64.buildinfo
Files:
 d93b46571216dc088c39f53c18d9597a 1778 admin optional guix_1.2.0-4.dsc
 fa31dd3143b4aca8ff6192de0f5c70c6 

Processed: limit source to pacemaker, tagging 985173

2021-03-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> limit source pacemaker
Limiting to bugs with field 'source' containing at least one of 'pacemaker'
Limit currently set to 'source':'pacemaker'

> tags 985173 + pending
Bug #985173 [pacemaker-resource-agents] pacemaker-resource-agents: missing 
Breaks+Replaces: pacemaker (<< 2)
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
985173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985173
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#985991: libksgrd9: ksgrd_network_helper hogs CPU

2021-03-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 985991 important
Bug #985991 [libksgrd9] libksgrd9: ksgrd_network_helper hogs CPU
Severity set to 'important' from 'grave'
> tags 985991 + moreinfo unreproducible
Bug #985991 [libksgrd9] libksgrd9: ksgrd_network_helper hogs CPU
Added tag(s) moreinfo and unreproducible.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
985991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#985991: libksgrd9: ksgrd_network_helper hogs CPU

2021-03-27 Thread Norbert Preining
severity 985991 important
tags 985991 + moreinfo unreproducible
thanks

On Sat, 27 Mar 2021, Bert Schlumwig wrote:
> when booting into a new KDE session, ksgrd_network_helper hogs 1 CPU-core
> completely. The first thing I have to do is to set this thing to STOP.

I don't see this behaviour. If you have a recipe to reproduce it, let us
know.

> This is a very famous bug known for years across all distributions, the net is
> full of it.
> 
> Is upstream sleeping?

Again ... see my last email.

Best

Norbert

--
PREINING Norbert  https://www.preining.info
Fujitsu Research Labs  +  IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13



Bug#984520: Having the same issue

2021-03-27 Thread Max Resnick
Hello - I also had this issue with a recent update. I had to boot to rescue and 
force install grub and bootloader.  

It's a laptop with single NVMe hard drive with lvm and luks setup by the 
default debian install. 

I think this previously happened in the past year.

What can I do to help? I didn't keep logs. 



Bug#982969: marked as done (emacs: expects working network in tests)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 23:19:49 +
with message-id 
and subject line Bug#982969: fixed in emacs 1:27.1+1-3.1
has caused the Debian Bug report #982969,
regarding emacs: expects working network in tests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
982969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: emacs
Version: 1:27.1+1-3
Severity: serious
Tags: ftbfs

Dear Maintainer,

During a rebuild of the package on a Bullseye derivative, it is seen
that the package fails to build from source. It is failing in the tests,
where it seeks to access the internet, which by policy is disabled in
the build environments. The same build failures can also be seen in the
Reproducible Builds efforts.

Below is just a snippet of the failures.

```
Test lookup-unicode-domains condition:
(ert-test-failed
 ((should
   (network-lookup-address-info
(puny-encode-domain "faß.de")))
  :form
  (network-lookup-address-info "xn--fa-hia.de")
  :value nil))
   FAILED   3/18  lookup-unicode-domains (0.000616 sec)


Test unibyte-domain-name condition:
(ert-test-failed
 ((should
   (network-lookup-address-info
(string-to-unibyte "google.com")))
  :form
  (network-lookup-address-info "google.com")
  :value nil))
   FAILED  18/18  unibyte-domain-name (0.000981 sec)

Ran 18 tests, 13 results as expected, 4 unexpected, 1 skipped (2022-03-21 
01:59:54-1200, 1.713005 sec)

4 unexpected results:
   FAILED  lookup-family-specification
   FAILED  lookup-google
   FAILED  lookup-unicode-domains
   FAILED  unibyte-domain-name

1 skipped results:
  SKIPPED  make-process-w32-debug-spawn-error

```


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (990, 'testing'), (500, 'stable-updates'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages emacs depends on:
pn  emacs-gtk | emacs-lucid | emacs-nox  

emacs recommends no packages.

emacs suggests no packages.
--- End Message ---
--- Begin Message ---
Source: emacs
Source-Version: 1:27.1+1-3.1
Done: Sergio Durigan Junior 

We believe that the bug you reported is fixed in the latest version of
emacs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergio Durigan Junior  (supplier of updated emacs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 20 Mar 2021 17:41:44 -0400
Source: emacs
Architecture: source
Version: 1:27.1+1-3.1
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning 
Changed-By: Sergio Durigan Junior 
Closes: 982969
Changes:
 emacs (1:27.1+1-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * d/p/0014-Skip-tests-that-require-Internet-when-there-s-no-Int.patch:
 Skip tests that require internet connection, fixing a FTBFS.
 (Closes: #982969)
Checksums-Sha1:
 2855da4069ec028c47c9a2de0a9f776b7e4b9e52 2833 emacs_27.1+1-3.1.dsc
 02d10567570f7a1fc3f1566befc56c32e45dfa98 58868 emacs_27.1+1-3.1.debian.tar.xz
 d3692971f05bf73af6cf1311477434ba08068a76 20067 emacs_27.1+1-3.1_amd64.buildinfo
Checksums-Sha256:
 cc2b93a92d929eb074239f0dbe816008e0b7e6e9061c4d2d73ee53836fca9ec1 2833 
emacs_27.1+1-3.1.dsc
 a254fbdcd1ff75abe73514b79a1a1676b13b4156dc8ec7143237c786213b9bb5 58868 
emacs_27.1+1-3.1.debian.tar.xz
 bfdd73aa6db55e194683faf6410891d0a956a9ce99dbc2abf1c842ed5e649027 20067 
emacs_27.1+1-3.1_amd64.buildinfo
Files:
 9918a45f4df3c9b1a391c7f09a1f5424 2833 editors optional emacs_27.1+1-3.1.dsc
 97369f6980175cb7e010524d23140c9c 58868 editors optional 
emacs_27.1+1-3.1.debian.tar.xz
 39e2e805d2c53f0143fad15a61e7c03a 20067 editors optional 
emacs_27.1+1-3.1_amd64.buildinfo


Bug#985281: r-cran-dt: unhandled symlink to directory conversion: /usr/lib/R/site-library/DT/htmlwidgets/lib/datatables-extensions -> ../../../../../../share/javascript/jquery-datatables-extensions

2021-03-27 Thread Étienne Mollier
Hi,

I pushed a change on Salsa[1] to make sure that the two
following piuparts upgrade paths are working okay (thanks
Andreas Tille for the permission):

$ sudo piuparts \
--testdebs-repo='deb [trusted=true] 
http://[::1]/~emollier/repos experimental main' \
--distupgrade-to-testdebs \
--warn-on-leftovers-after-purge \
--distribution=buster \
--distribution=bullseye \
--apt r-cran-dt=0.17+dfsg-3

$ sudo piuparts \
--testdebs-repo='deb [trusted=true] 
http://[::1]/~emollier/repos experimental main' \
--distupgrade-to-testdebs \
--warn-on-leftovers-after-purge \
--distribution=bullseye \
--apt r-cran-dt=0.17+dfsg-3

The first describes installation from Buster, then upgrade to
Bullseye, then purge.  The second describes installation of
initial Testing version, then purge.

There is however this upgrade path that I struggle to fix, note
the missing --distupgrade-to-testdebs, which goes through the
existing 0.17+dfsg-2 in Testing, and which is still broken:

$ sudo piuparts \
--testdebs-repo='deb [trusted=true] 
http://[::1]/~emollier/repos experimental main' \
--warn-on-leftovers-after-purge \
--distribution=buster \
--distribution=bullseye \
--apt r-cran-dt=0.17+dfsg-3
[...]
1m39.9s DEBUG: Command failed (status=2), but ignoring error: 
['debsums', '--root', '/tmp/tmp0pvmpul0', '-ac', '--ignore-obsolete']
1m39.9s ERROR: FAIL: debsums reports modifications inside the chroot:
  debsums: missing file 
/usr/share/javascript/jquery-datatables/css/dataTables.bootstrap.css (from 
libjs-jquery-datatables package)
  debsums: missing file 
/usr/share/javascript/jquery-datatables/css/dataTables.bootstrap.min.css (from 
libjs-jquery-datatables package)
[...]
  debsums: missing file 
/usr/share/javascript/jquery-datatables-extensions/Buttons/js/dataTables.buttons.js
 (from libjs-jquery-datatables-extensions package)
  debsums: missing file 
/usr/share/javascript/jquery-datatables-extensions/Buttons/js/dataTables.buttons.min.js
 (from libjs-jquery-datatables-extensions package)


Several packages from libjs-jquery-datatables-extension and
libjs-jquery-datatables go missing after purge, eventually
requiring the user of the rolling Sid machine to reinstall these
packages, if removal of r-cran-dt occurs.  Normally, with the
new d/maintscript, this should not occur when jumping directly
from Buster.  How much is it a concern regarding the criticality
of the bug?

[1] https://salsa.debian.org/r-pkg-team/r-cran-dt/


Andreas Tille, on 2021-03-19 19:40:19 +0100:
> > sudo piuparts --fail-on-broken-symlinks --warn-on-leftovers-after-purge 
> > r-cran-dt_0.17+dfsg-2_amd64.changes
> ...
> 1m7.6s DEBUG: Command failed (status=1), but ignoring error: ['lsof', '-w', 
> '+D', '/tmp/tmpc4jzyfzf']
> 1m9.2s ERROR: FAIL: Broken symlinks:
>   /usr/lib/R/site-library/crosstalk/lib/ionrangeslider -> 
> ../../shiny/www/shared/ionrangeslider (r-cran-crosstalk)
>   /usr/lib/R/site-library/crosstalk/lib/bootstrap/shim -> 
> ../../../shiny/www/shared/bootstrap/shim (r-cran-crosstalk)
>   /usr/lib/R/site-library/crosstalk/lib/bootstrap/js/npm.js -> 
> ../../../../shiny/www/shared/bootstrap/js/npm.js (r-cran-crosstalk)

It sounds unrelated, I opened #986011 against r-cran-crosstalk.

Kind Regards,
-- 
Étienne Mollier 
Fingerprint:  8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
Sent from /dev/pts/3, please excuse my verbosity.




Bug#986012: fatrace: autopkgtest regression: ^rm(.*): D /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not found in log

2021-03-27 Thread Paul Gevers
Source: fatrace
Version: 0.16.2-1
X-Debbugs-CC: debian...@lists.debian.org
Severity: serious
User: debian...@lists.debian.org
Usertags: regression

Dear maintainer(s),

With a recent upload of fatrace the autopkgtest of fatrace fails in
testing when that autopkgtest is run with the binary packages of fatrace
from unstable. It passes when run with only packages from testing. In
tabular form:

                        pass            fail
fatrace                 from testing    0.16.2-1
all others              from testing    from testing

I copied some of the output at the bottom of this report.

Currently this regression is blocking the migration to testing [1]. Can
you please investigate the situation and fix it?

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=fatrace

https://ci.debian.net/data/autopkgtest/testing/amd64/f/fatrace/11288159/log.gz

autopkgtest [23:08:44]: test fatrace-currentmount: [---
starting fatrace...
read a file...
create a file...
moving a file within the same directory
robustness against ELOOP
waiting for fatrace...
checking log...
^rm(.*): D /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
^touch(.*): + /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
^mkdir(.*): + /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
^mv(.*): <>\? /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src not
found in log
^mv(.*): <\?> /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src not
found in log
^mv(.*): < /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
^mv(.*): > /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src/dest$ not
found in log
^ln(.*): + /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
^rm(.*): D /tmp/autopkgtest-lxc.yky1gevw/downtmp/build.jzI/src$ not
found in log
autopkgtest [23:08:47]: test fatrace-currentmount: ---]





Processed: owner 985282

2021-03-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> owner 985282 !
Bug #985282 [dnsmasq] dnsmasq: unhandled symlink to directory conversion: 
/usr/share/doc/PACKAGE
Owner recorded as Sébastien Villemot .
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
985282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985282
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#984980: libaqbanking44: Wrong message after sending an transaction

2021-03-27 Thread Mechtilde Stehmann
Hello Micha,

did you file an unblock request?

Regards

Mechtilde

Am 11.03.21 um 17:42 schrieb Micha Lenk:
> Source: libaqbanking
> Source-Version: 6.2.10-1
> 
> Hi Mechtilde,
> 
>> On Jo, 11 mar 21, 15:17:15, Mechtilde Stehmann wrote:
>>> Package: libaqbaning44
>>> Version: 6.2.9-1
>>> severity: grave
>>>
>>> I get the message the transaction failed after entering PIN and TAN but
>>> the transaction was executed.
>>>
>>> Upstream has already fixed it in version 6.2.10
> 
> Thank you for reporting the issue. I've already uploaded libaqbanking
> 6.2.10-1 to unstable a few hours ago.
> 
> Let's try to get this fix into bullseye soon.
> 
> Best regards,
> Micha

-- 
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899  39E7 F287 7BBA 141A AD7F





Bug#985891: dicompyler doesn't start

2021-03-27 Thread Andrey Rahmatullin
Control: severity -1 grave

On Thu, Mar 25, 2021 at 08:41:08PM +0100, Andreas Tille wrote:
> > raise DistributionNotFound(req, requirers)
> > pkg_resources.DistributionNotFound: The 'matplotlib<2.2,>=1.3.0' 
> > distribution
> > was not found and is required by dicompyler
> 
> This is a bit misleading error output.  The problem is that the code
> might work with some former matplotlib versions / Python3 versions but
> it is using a private module of matplotlib[1] which is simply forbidden.
(not really misleading, it says the installed matplotlib version is not
suitable for it)

> I have reported this issue upstream (see above).
> 
> Since this makes dicompyler unusable I have bumped the bug severity to
> serious ... which will possibly mean that dicompyler will not be
> distributed with the next Debian release if upstream does not come
> up with some solution in the next 2-3 weeks.
See also https://github.com/bastula/dicompyler/issues/122 (it mentions
using skimage.measure.find_contours instead but you'll probably need to
write a patch yourself).

-- 
WBR, wRAR




Processed: Re: Bug#985891: dicompyler doesn't start

2021-03-27 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #985891 [dicompyler] dicompyler doesn't start
Severity set to 'grave' from 'serious'

-- 
985891: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#985883: python3-pep8: Does not install /usr/bin/pep8

2021-03-27 Thread Andrey Rahmatullin
On Thu, Mar 25, 2021 at 07:30:14PM +1000, Russell Stuart wrote:
> Justification: renders package unusable

> python3-pep8 does not install the pep8 executable under /bin or
> /usr/bin.
There is no pep8 executable anymore, and the transitional package that
shipped a symlink from it to pycodestyle was dropped in 1.7.1-9 in 2020.
See https://pep8.readthedocs.io/

-- 
WBR, wRAR




Bug#985311: marked as done (libxcrypt migration blocker: inappropriate Build-Dependency: libltdl-dev during freeze)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 16:33:44 +
with message-id 
and subject line Bug#985311: fixed in libxcrypt 1:4.4.18-2
has caused the Debian Bug report #985311,
regarding libxcrypt migration blocker: inappropriate Build-Dependency: 
libltdl-dev during freeze
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985311: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985311
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxcrypt
Version: 1:4.4.18-1
Severity: serious

libxcrypt introduced a new dependency cycle:

src:libxcrypt Build-Depends on libltdl-dev (new)
libltdl-dev is built from src:libtool
src:libtool implicitly Build-Depends on libc6-dev
libc6-dev depends on libxcrypt-dev
libxcrypt-dev is built from src:libxcrypt

The change in Build-Depends is inappropriate at this point of the
freeze. Please revert and discuss how the change can be performed in a
way that does not break architecture bootstrap.

I think that libxcrypt really only needs /usr/share/aclocal/ltdl.m4.
This file happens to be part of libtool, but it is otherwise
architecture-independent and could be moved to an Arch:all package in
principle. Doing so would unbreak cross bootstrap, but I don't
understand the effects on a native bootstrap.

As a workaround, I propose vendoring ltdl.m4. It is not uncommon to
vendor m4 files for autoconf. While this usually makes updating them
hard, this seems to be an exceptional case where such vendoring could be
justifiable.

As a long term solution, I propose demoting the libc6-dev ->
libxcrypt-dev dependency to Recommends. Doing so shrinks the expectation
of what build-essential provides.

In any case, now is the wrong time to add this dependency. I'm filing it
at rc severity to prevent testing migration during the bullseye freeze.
Once bullseye is released, I no longer see a reason for it being rc even
if it remains unsolved. That should give enough time to evaluate options
and keep bullseye bootstrappable.

Helmut
--- End Message ---
--- Begin Message ---
Source: libxcrypt
Source-Version: 1:4.4.18-2
Done: Marco d'Itri 

We believe that the bug you reported is fixed in the latest version of
libxcrypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri  (supplier of updated libxcrypt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 27 Mar 2021 17:11:11 +0100
Source: libxcrypt
Architecture: source
Version: 1:4.4.18-2
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri 
Changed-By: Marco d'Itri 
Closes: 985311 985372
Changes:
 libxcrypt (1:4.4.18-2) unstable; urgency=medium
 .
   * Stop depending on libltdl-dev and instead just include in the package
 the relevant part of /usr/share/aclocal/ltdl.m4. (Closes: #985311)
   * Include upstream commit 86d1e4e to fix cross-compilation.
 (Closes: #985372)

--- End Message ---


Processed: Re: Bug#983583: FTBFS on mips64el and mipsel

2021-03-27 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #983583 {Done: Adrian Bunk } 
[src:golang-github-sylabs-sif] FTBFS on mips64el and mipsel
Bug reopened
Ignoring request to alter fixed versions of bug #983583 to the same values 
previously set
> severity -1 important
Bug #983583 [src:golang-github-sylabs-sif] FTBFS on mips64el and mipsel
Severity set to 'important' from 'serious'

-- 
983583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983583
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#983583: FTBFS on mips64el and mipsel

2021-03-27 Thread Shengjing Zhu
Control: reopen -1
Control: severity -1 important

On Sat, Mar 27, 2021 at 11:46 PM Adrian Bunk  wrote:
>
> On Sat, Feb 27, 2021 at 02:33:38AM +0800, Shengjing Zhu wrote:
> > Source: golang-github-sylabs-sif
> > Version: 1.0.9-2
> > Severity: serious
> > X-Debbugs-Cc: z...@debian.org
> >
> > Tried 3 times on buildd and failed at same test.
> >
> > === RUN   TestAddDelObject
> > unexpected fault address 0xffc8a0c000
> > fatal error: fault
> > [signal SIGSEGV: segmentation violation code=0x2 addr=0xffc8a0c000 
> > pc=0x12007ebe4]
> >
> > goroutine 22 [running]:
> > runtime.throw(0x1201b74ed, 0x5)
> >   /usr/lib/go-1.15/src/runtime/panic.go:1116 +0x6c fp=0xce3430 
> > sp=0xce3408 pc=0x120040afc
> > runtime.sigpanic()
> >
> > Since it has been built on mipsx before, the failure will make it
> > impossible to fix issues later on these arches.
> >
> > It should either be removed from these arch or get fixed.
>
> This appears to be fixed now:
> https://buildd.debian.org/status/package.php?p=golang-github-sylabs-sif

The difference between these builds seems to be a 5.10 kernel and
4.19 kernel on buildd.

I'll reopen this but downgrade the severity, and loop debian-mips@ to
see if it's a regression on the kernel side.

-- 
Shengjing Zhu



Bug#983583: marked as done (FTBFS on mips64el and mipsel)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 17:46:45 +0200
with message-id <20210327154645.GA6165@localhost>
and subject line Re: Bug#983583: FTBFS on mips64el and mipsel
has caused the Debian Bug report #983583,
regarding FTBFS on mips64el and mipsel
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
983583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983583
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-sylabs-sif
Version: 1.0.9-2
Severity: serious
X-Debbugs-Cc: z...@debian.org

Tried 3 times on buildd and failed at same test.

=== RUN   TestAddDelObject
unexpected fault address 0xffc8a0c000
fatal error: fault
[signal SIGSEGV: segmentation violation code=0x2 addr=0xffc8a0c000 
pc=0x12007ebe4]

goroutine 22 [running]:
runtime.throw(0x1201b74ed, 0x5)
/usr/lib/go-1.15/src/runtime/panic.go:1116 +0x6c fp=0xce3430 
sp=0xce3408 pc=0x120040afc
runtime.sigpanic()

Since it has been built on mipsx before, the failure will make it impossible
to fix issues later on these arches.

It should either be removed from these arch or get fixed.
--- End Message ---
--- Begin Message ---
On Sat, Feb 27, 2021 at 02:33:38AM +0800, Shengjing Zhu wrote:
> Source: golang-github-sylabs-sif
> Version: 1.0.9-2
> Severity: serious
> X-Debbugs-Cc: z...@debian.org
> 
> Tried 3 times on buildd and failed at same test.
> 
> === RUN   TestAddDelObject
> unexpected fault address 0xffc8a0c000
> fatal error: fault
> [signal SIGSEGV: segmentation violation code=0x2 addr=0xffc8a0c000 
> pc=0x12007ebe4]
> 
> goroutine 22 [running]:
> runtime.throw(0x1201b74ed, 0x5)
>   /usr/lib/go-1.15/src/runtime/panic.go:1116 +0x6c fp=0xce3430 
> sp=0xce3408 pc=0x120040afc
> runtime.sigpanic()
> 
> Since it has been built on mipsx before, the failure will make it impossible
> to fix issues later on these arches.
> 
> It should either be removed from these arch or get fixed.

This appears to be fixed now:
https://buildd.debian.org/status/package.php?p=golang-github-sylabs-sif

cu
Adrian
--- End Message ---


Bug#977990: os-autoinst: FTBFS on i386: 3/3 Test #3: test-perl-testsuite ..............***Failed 332.81 sec

2021-03-27 Thread Adrian Bunk
ping


On Fri, Mar 12, 2021 at 05:33:27PM +0200, Adrian Bunk wrote:
> On Thu, Feb 25, 2021 at 09:52:08AM +0100, Paul Gevers wrote:
> > Control: found -1 4.5.1527308405.8b586d5-4.2
> > 
> > Hi Frédéric, Hideki,
> > 
> > On 17-02-2021 22:01, Paul Gevers wrote:
> > > If the fourth time worked because of sheer luck, then please no, keep the
> > > bug open until the build is less flaky. We need packages to be built
> > > without failure [1]. Having to baby-sit flaky is not really an option as
> > > there are too many packages in the Debian archive.
> > 
> > I had a look at the reproducible build project history for os-autoinst
> > [1] and the package FTBFS very, very often, both in unstable and
> > testing. I have marked this bug as found, so now this package is able to
> > migrate, *but* you'll have to fix this bug if you want the package to
> > ship with bullseye. If you can't fix the tests and still believe that
> > the package is in a good shape for the bullseye release, I suggest you
> > disable the tests for now.
> 
> Or if the package is not in a good shape on i386,
> remove it from the architecture list.
> 
> os-autoinst is amd64-only in buster.
> 
> > Paul
> >...
> 
> cu
> Adrian



Bug#985991: libksgrd9: ksgrd_network_helper hogs CPU

2021-03-27 Thread Bert Schlumwig
Package: libksgrd9
Version: 4:5.20.5-1
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: funat...@posteo.de

Dear Maintainer,

when booting into a new KDE session, ksgrd_network_helper hogs 1 CPU-core
completely. The first thing I have to do is to set this thing to STOP.

This is a very famous bug known for years across all distributions; the net is
full of it.

Is upstream sleeping?


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libksgrd9 depends on:
ii  libc6                2.31-10
ii  libkf5configcore5    5.78.0-4
ii  libkf5coreaddons5    5.78.0-4
ii  libkf5i18n5          5.78.0-2
ii  libkf5sysguard-data  4:5.20.5-1
ii  libqt5core5a         5.15.2+dfsg-5
ii  libqt5network5       5.15.2+dfsg-5
ii  libstdc++6           10.2.1-6

libksgrd9 recommends no packages.

libksgrd9 suggests no packages.



Bug#985453: marked as done (ibus-clutter: fails to upgrade from 'buster': insufficient dependencies)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 12:18:26 +
with message-id 
and subject line Bug#985453: fixed in ibus-client-clutter 
0.0+git20090728.a936bacf-7
has caused the Debian Bug report #985453,
regarding ibus-clutter: fails to upgrade from 'buster': insufficient 
dependencies
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libclutter-imcontext-0.1-bin
Version: 0.1.4-3.1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Control: affects -1 ibus

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'buster'.
It installed fine in 'buster', then the upgrade to 'bullseye' fails.

From the attached log (scroll to the bottom...):

  Setting up libclutter-imcontext-0.1-bin (0.1.4-3.1) ...
  Cannot load module 
/usr/lib/x86_64-linux-gnu/clutter-imcontext/immodules/im-ibus.so: GModule 
(/usr/lib/x86_64-linux-gnu/clutter-imcontext/immodules/im-ibus.so) 
initialization check failed: GLib version too old (micro mismatch)
  /usr/lib/x86_64-linux-gnu/clutter-imcontext/immodules/im-ibus.so does not 
export Clutter IM module API: GModule 
(/usr/lib/x86_64-linux-gnu/clutter-imcontext/immodules/im-ibus.so) 
initialization check failed: GLib version too old (micro mismatch)
  dpkg: error processing package libclutter-imcontext-0.1-bin (--configure):
   installed libclutter-imcontext-0.1-bin package post-installation script 
subprocess returned error exit status 1

This was observed during 'apt-get upgrade' (not dist-upgrade) of a buster chroot
with ibus installed and --install-recommends enabled.
libclutter-imcontext-0.1-bin seems to require some tighter dependencies ...


cheers,

Andreas


ibus_1.5.23-2.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: ibus-client-clutter
Source-Version: 0.0+git20090728.a936bacf-7
Done: Ying-Chun Liu (PaulLiu) 

We believe that the bug you reported is fixed in the latest version of
ibus-client-clutter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ying-Chun Liu (PaulLiu)  (supplier of updated 
ibus-client-clutter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Mar 2021 19:33:11 +0800
Source: ibus-client-clutter
Architecture: source
Version: 0.0+git20090728.a936bacf-7
Distribution: unstable
Urgency: medium
Maintainer: Ying-Chun Liu (PaulLiu) 
Changed-By: Ying-Chun Liu (PaulLiu) 
Closes: 985453
Changes:
 ibus-client-clutter (0.0+git20090728.a936bacf-7) unstable; urgency=medium
 .
   [ Andreas Beckmann  ]
   * Tighten libglib2.0-0 dependency due to glib_check_version() usage.
 (Closes: #985453)

--- End Message ---

Bug#985068: marked as done (squid: CVE-2020-25097: SQUID-2020:11 HTTP Request Smuggling)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 11:18:01 +
with message-id 
and subject line Bug#985068: fixed in squid 4.6-1+deb10u5
has caused the Debian Bug report #985068,
regarding squid: CVE-2020-25097: SQUID-2020:11 HTTP Request Smuggling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985068
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: squid
Version: 4.13-7
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 4.13-5
Control: found -1 4.6-1+deb10u4
Control: found -1 4.6-1

Hi,

The following vulnerability was published for squid.

CVE-2020-25097[0]:
| SQUID-2020:11 HTTP Request Smuggling 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: squid
Source-Version: 4.6-1+deb10u5
Done: Santiago García Mantiñán 

We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago García Mantiñán  (supplier of updated squid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 22 Mar 2021 10:37:24 +0100
Source: squid
Architecture: source
Version: 4.6-1+deb10u5
Distribution: buster-security
Urgency: medium
Maintainer: Luigi Gangitano 
Changed-By: Santiago García Mantiñán 
Closes: 985068
Changes:
 squid (4.6-1+deb10u5) buster-security; urgency=medium
 .
   * SQUID-2020:11 HTTP Request Smuggling (CVE-2020-25097) (Closes: #985068)

--- End Message ---


Bug#985971: marked as done (jemalloc accesses the network during build)

2021-03-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Mar 2021 10:48:53 +
with message-id 
and subject line Bug#985971: fixed in jemalloc 5.2.1-3
has caused the Debian Bug report #985971,
regarding jemalloc accesses the network during build
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jemalloc
Version: 5.2.1-2
Severity: serious
Justification: policy 4.9 violation
X-Debbugs-Cc: Vineet Gupta 

jemalloc's build attempts to retrieve docbookx.dtd from the network
during build. There can be three outcomes:
1. Network is unavailable. A warning is printed. See e.g.
   https://buildd.debian.org/status/fetch.php?pkg=jemalloc&arch=amd64&ver=5.2.1-2&stamp=1610249375&raw=0

| /usr/bin/xsltproc -o doc/jemalloc.html doc/html.xsl doc/jemalloc.xml
| error : unreachable network
| doc/jemalloc.xml:6: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"
| ]>
|   ^

2. Network works. The file is retrieved.
3. Network is broken. Garbage is retrieved and the build fails.

In any case, the attempt is a violation of Debian Policy section 4.9. I
suppose that simply adding docbook-xml to Build-Depends fixes this.

This issue was originally observed by Vineet Gupta (via outcome 3).

Helmut
--- End Message ---
--- Begin Message ---
Source: jemalloc
Source-Version: 5.2.1-3
Done: Faidon Liambotis 

We believe that the bug you reported is fixed in the latest version of
jemalloc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis  (supplier of updated jemalloc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Mar 2021 10:33:42 +0200
Source: jemalloc
Architecture: source
Version: 5.2.1-3
Distribution: unstable
Urgency: medium
Maintainer: Faidon Liambotis 
Changed-By: Faidon Liambotis 
Closes: 985971
Changes:
 jemalloc (5.2.1-3) unstable; urgency=medium
 .
   * Add docbook-xml to Build-Depends, to avoid xsltproc accessing the network
     to fetch docbookx.dtd. Thanks to Helmut Grohne for the report and fix.
     (Closes: #985971)

--- End Message ---


Bug#985963: debuerreotype: uses debian-archive-keyring in autopkgtests without real dependency

2021-03-27 Thread Gianfranco Costamagna
control: tags -1 important

> [1]: 
> https://github.com/debuerreotype/debian-debuerreotype/commit/349027dd77b24effecb9574fd61c40e81f283a74
> 
> However, I'm not sure I agree with "Severity: serious" (or even
> whether this is worth an upload during the deep state of bullseye's
> freeze), given that it only occurs in a non-standard configuration and
> only applies to the tests (and does not render the package otherwise
> unusable in any functional way).  Thoughts?

Ok, release team should be already aware of the issue, and I admit the severity
was somewhat a corner-case scenario.
Since it doesn't change anything on the package itself, and the autopkgtests
pass in this configuration, I think it's ok to downgrade (especially because
the fix is already committed, thanks for that!)

They might want to increase the severity, but from my perspective, no rush at
all :)

Gianfranco



Bug#985971: jemalloc accesses the network during build

2021-03-27 Thread Helmut Grohne
Source: jemalloc
Version: 5.2.1-2
Severity: serious
Justification: policy 4.9 violation
X-Debbugs-Cc: Vineet Gupta 

jemalloc's build attempts to retrieve docbookx.dtd from the network
during build. There can be three outcomes:
1. Network is unavailable. A warning is printed. See e.g.
   https://buildd.debian.org/status/fetch.php?pkg=jemalloc&arch=amd64&ver=5.2.1-2&stamp=1610249375&raw=0

| /usr/bin/xsltproc -o doc/jemalloc.html doc/html.xsl doc/jemalloc.xml
| error : unreachable network
| doc/jemalloc.xml:6: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"
| ]>
|   ^

2. Network works. The file is retrieved.
3. Network is broken. Garbage is retrieved and the build fails.

In any case, the attempt is a violation of Debian Policy section 4.9. I
suppose that simply adding docbook-xml to Build-Depends fixes this.

This issue was originally observed by Vineet Gupta (via outcome 3).

Helmut
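Added here as an illustration of the Policy 4.9 problem the report describes, not code from jemalloc or from Debian's tooling: a small Python checker that spots the xsltproc external-entity fetch in a build log and verifies whether docbook-xml is among the Build-Depends. The log excerpt and the debian/control fragments are constructed, and the package names in them are assumed, not jemalloc's real ones.

```python
import re
from typing import List, Optional, Tuple

# Constructed build-log excerpt (not a real buildd log), modelled on the
# xsltproc warning quoted in the jemalloc report (outcome 1, no network).
SAMPLE_LOG = """\
/usr/bin/xsltproc -o doc/jemalloc.html doc/html.xsl doc/jemalloc.xml
error : unreachable network
doc/jemalloc.xml:6: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"
]>
  ^
"""

# Constructed debian/control fragments; the package names are illustrative,
# not jemalloc's real Build-Depends.  CONTROL_AFTER applies the fix from the
# report: docbook-xml ships the DTD so the XML catalog resolves it locally.
CONTROL_BEFORE = """\
Source: jemalloc
Build-Depends: debhelper-compat (= 13),
 docbook-xsl,
 xsltproc
"""
CONTROL_AFTER = CONTROL_BEFORE.rstrip("\n") + ",\n docbook-xml\n"

# libxml2/xsltproc messages that reveal a network fetch attempt during build.
NETWORK_PATTERNS = [
    (re.compile(r'failed to load external entity "(https?://[^"]+)"'),
     "external entity fetched over the network"),
    (re.compile(r"^error : unreachable network"),
     "network unreachable while resolving an external resource"),
]

# One finding: (line number, reason, URL or None when the line names none).
Finding = Tuple[int, str, Optional[str]]


def scan_build_log(log: str) -> List[Finding]:
    """Flag log lines showing the build reached for the network (Policy 4.9)."""
    findings = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        for pattern, reason in NETWORK_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, reason, match.group(1) if match.lastindex else None))
    return findings


def build_depends(control: str) -> List[str]:
    """Package names in the Build-Depends field of a debian/control stanza,
    following continuation lines; version constraints, architecture qualifiers
    and the second alternative of 'a | b' are dropped."""
    field, collected = None, []
    for line in control.splitlines():
        if line[:1] in (" ", "\t"):          # continuation of the current field
            if field == "Build-Depends":
                collected.append(line.strip())
            continue
        field, sep, value = line.partition(":")
        field = field.strip() if sep else None
        if field == "Build-Depends":
            collected.append(value.strip())
    deps = [d.strip() for d in ",".join(collected).split(",") if d.strip()]
    return [re.split(r"[\s(\[<|]", d)[0] for d in deps]


def check_policy_4_9(log: str, control: str) -> dict:
    """Verdict for one build: any network fetch violates Policy 4.9, and a DTD
    fetched remotely makes the result depend on network state (outcomes 1-3)."""
    findings = scan_build_log(log)
    return {
        "network_access": [reason for _, reason, _ in findings],
        "fetched_urls": [url for _, _, url in findings if url],
        "docbook_xml_in_build_depends": "docbook-xml" in build_depends(control),
        "compliant": not findings,
    }
```

Running `check_policy_4_9(SAMPLE_LOG, CONTROL_BEFORE)` reports the DTD URL and a non-compliant verdict; with an empty log and `CONTROL_AFTER` the build is compliant and the local DTD dependency is present.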