Bug#988217: marked as pending in u-boot

2021-05-21 Thread Vagrant Cascadian
Control: tag -1 pending

Hello,

Bug #988217 in u-boot reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/u-boot/-/commit/3f9f5486a74cb783f631f95320316fd5dd82dfb9


debian/patches: Fix boot failure caused by efi loader switching to
non-secure mode too early. Thanks to Bastian Germann and Heinrich
Schuchardt. (Closes: #988217)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/988217



Processed: Bug#988217 marked as pending in u-boot

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #988217 [u-boot-sunxi] bootefi causes boot failure with boot.scr
Added tag(s) pending.

-- 
988217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: turns out this API violation is by design

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 988027 important
Bug #988027 [libklibc-dev] klibc: sigsetjmp ignores second argument, siglongjmp 
always restores signals
Severity set to 'important' from 'serious'
> tags 988027 + upstream
Bug #988027 [libklibc-dev] klibc: sigsetjmp ignores second argument, siglongjmp 
always restores signals
Added tag(s) upstream.
> outlook 988027 a patch is available but this must be discussed with upstream 
> as this API violation is documented as by design
Outlook recorded from message bug 988027 message 
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
988027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#943425: [klibc] #943425 [s390x] setjmp/longjmp do not save/restore all registers in use

2021-05-21 Thread Thorsten Glaser
Hello Ben,

any chance to upload at least the patch for s390x?
This affects a release architecture, so I’d NMU this if
necessary, so we have it fixed in bullseye.

Thanks,
//mirabilos
-- 
  “Having a smoking section in a restaurant is like having
  a peeing section in a swimming pool.”
-- Edward Burr



Processed: Re: Bug#987816: dask.distributed: FTBFS due to a build-time test failure

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + unreproducible
Bug #987816 [src:dask.distributed] dask.distributed: FTBFS due to a build-time 
test failure
Added tag(s) unreproducible.
> forwarded -1 https://github.com/dask/distributed/issues/4839
Bug #987816 [src:dask.distributed] dask.distributed: FTBFS due to a build-time 
test failure
Set Bug forwarded-to-address to 
'https://github.com/dask/distributed/issues/4839'.

-- 
987816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987816: dask.distributed: FTBFS due to a build-time test failure

2021-05-21 Thread Stefano Rivera
Control: tag -1 + unreproducible
Control: forwarded -1 https://github.com/dask/distributed/issues/4839

Hi Andrej (2021.04.30_05:27:41_-0400)
> While rebuilding your package for Apertis, I found that it fails to
> build because a few of the build-time tests fail. I rebuilt the package
> in Debian and received the same result.

> __ test_process_time 
> ___
> ___ test_thread_time 
> ___

I tried to reproduce this, twice, and these tests passed, no FTBFS.

The particular numbers in those tests look like they were pulled out of
thin air.

I do however see test failures in the autopkgtest, which are somewhat
flaky.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Processed: tagging 988942, tagging 988943, bug 988943 is forwarded to https://github.com/gin-gonic/gin/pull/2474 ...

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 988942 + upstream
Bug #988942 [golang-github-containers-image] CVE-2021-20291
Added tag(s) upstream.
> tags 988943 + upstream
Bug #988943 [src:golang-github-gin-gonic-gin] CVE-2020-28483
Added tag(s) upstream.
> forwarded 988943 https://github.com/gin-gonic/gin/pull/2474
Bug #988943 [src:golang-github-gin-gonic-gin] CVE-2020-28483
Set Bug forwarded-to-address to 'https://github.com/gin-gonic/gin/pull/2474'.
> tags 988944 + upstream
Bug #988944 [src:google-oauth-client-java] CVE-2020-7692
Added tag(s) upstream.
> forwarded 988944 
> https://github.com/googleapis/google-oauth-java-client/issues/469
Bug #988944 [src:google-oauth-client-java] CVE-2020-7692
Set Bug forwarded-to-address to 
'https://github.com/googleapis/google-oauth-java-client/issues/469'.
> found 988944 1.28.0-1
Bug #988944 [src:google-oauth-client-java] CVE-2020-7692
Marked as found in versions google-oauth-client-java/1.28.0-1.
> tags 988945 + upstream
Bug #988945 [src:rust-http] CVE-2019-25009
Added tag(s) upstream.
> found 988945 0.1.19-2
Bug #988945 [src:rust-http] CVE-2019-25009
Marked as found in versions rust-http/0.1.19-2.
> tags 988946 + upstream
Bug #988946 [libhibernate-validator-java] CVE-2020-10693
Added tag(s) upstream.
> tags 988948 + upstream
Bug #988948 [src:thrift] CVE-2019-11939
Added tag(s) upstream.
> tags 988949 + upstream
Bug #988949 [src:thrift] CVE-2020-13949
Added tag(s) upstream.
> tags 988950 + upstream
Bug #988950 [src:golang-github-nats-io-jwt] CVE-2020-26892 CVE-2020-26521
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
988942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988942
988943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988943
988944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944
988945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988945
988946: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988946
988948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988948
988949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988949
988950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#988102: marked as done (python-libnacl: failing in tests on 32 bit systems)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 21:04:23 +
with message-id 
and subject line Bug#988102: fixed in python-libnacl 1.7.2-3
has caused the Debian Bug report #988102,
regarding python-libnacl: failing in tests on 32 bit systems
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988102
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-libnacl
Version: 1.7.2-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source
User: de...@lists.apertis.org
Usertags: apertis-ftbfs
X-Debbugs-Cc: de...@lists.apertis.org


Dear Maintainer,

Your package fails to build, so far on 32 bit systems. It is failing in
one of the tests.

The build failure snippet is below

***

dh_auto_test: warning: Compatibility levels before 10 are deprecated (level 9 
in use)
I: pybuild base:232: cd 
/srv/build/python-libnacl-1.7.2/.pybuild/cpython3_3.9_libnacl/build; python3.9 
-m nose -v tests
test_gcm_aead (unit.test_aead.TestAEAD) ... ok
test_ietf_aead (unit.test_aead.TestAEAD) ... ok
test_auth_rejects_wrong_lengths (unit.test_auth_verify.TestAuthVerify) ... ok
test_auth_verify (unit.test_auth_verify.TestAuthVerify) ... ok
test_auth_verify_rejects_wrong_key_lengths 
(unit.test_auth_verify.TestAuthVerify) ... ok
test_onetimeauth_rejects_wrong_lengths (unit.test_auth_verify.TestAuthVerify) 
... ok
test_onetimeauth_verify (unit.test_auth_verify.TestAuthVerify) ... ok
test_onetimeauth_verify_rejects_wrong_key_lengths 
(unit.test_auth_verify.TestAuthVerify) ... ok
test_key_blake (unit.test_blake.TestBlake) ... ok
test_keyless_blake (unit.test_blake.TestBlake) ... ok
test_publickey (unit.test_dual.TestDual) ... ok
test_secretkey (unit.test_dual.TestDual) ... ok
test_sign (unit.test_dual.TestDual) ... ok
test_publickey (unit.test_public.TestPublic) ... ok
test_secretkey (unit.test_public.TestPublic) ... ok
test_secret_box (unit.test_raw_auth_sym.TestSecretBox) ... ok
test_secret_box_easy (unit.test_raw_auth_sym_easy.TestSecretBox) ... ok
test_key_generichash (unit.test_raw_generichash.TestGenericHash) ... ok
test_keyless_generichash (unit.test_raw_generichash.TestGenericHash) ... ok
test_hash (unit.test_raw_hash.TestHash) ... ok
test_box (unit.test_raw_public.TestPublic) ... ok
test_box_seal (unit.test_raw_public.TestPublic) ... ok
test_boxnm (unit.test_raw_public.TestPublic) ... ok
test_gen (unit.test_raw_public.TestPublic) ... ok
test_scalarmult_rejects_wrong_length (unit.test_raw_public.TestPublic) ... ok
test_crypto_kdf_derive_from_key (unit.test_raw_random.TestRandomBytes) ... 
Aborted (core dumped)
E: pybuild pybuild:353: test: plugin distutils failed with: exit code=134: cd 
/srv/build/python-libnacl-1.7.2/.pybuild/cpython3_3.9_libnacl/build; python3.9 
-m nose -v tests
dh_auto_test: error: pybuild --test -i python{version} -p 3.9 returned exit 
code 13
make: *** [debian/rules:7: binary] Error 255
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
Command `dpkg-buildpackage --changes-option=-DDistribution=bullseye` failed.
gbp:error: '/home/rrs/bin/gbp-pbuilder' failed: it exited with 2

***

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python-libnacl depends on:
ii  libsodium23  1.0.18-1
pn  python   

python-libnacl recommends no packages.

python-libnacl suggests no packages.
--- End Message ---
--- Begin Message ---
Source: python-libnacl
Source-Version: 1.7.2-3
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
python-libnacl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software

Processed: Bug#988102 marked as pending in python-libnacl

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #988102 [python-libnacl] python-libnacl: failing in tests on 32 bit systems
Added tag(s) pending.

-- 
988102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988102
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#988102: marked as pending in python-libnacl

2021-05-21 Thread Stefano Rivera
Control: tag -1 pending

Hello,

Bug #988102 in python-libnacl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-libnacl/-/commit/85f33465c05e814d100718a526956141a9e19c8f


Patch: Fix crypto_kdf_derive_from_key() on 32-bit platforms. (Closes: #988102)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/988102



Bug#988480: marked as done (pydantic: CVE-2021-29510)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 20:21:01 +
with message-id 
and subject line Bug#988480: fixed in pydantic 1.7.4-1
has caused the Debian Bug report #988480,
regarding pydantic: CVE-2021-29510
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pydantic
Version: 1.7.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for pydantic.

Note, strictly speaking the severity is slightly chosen inappropriate
for the type of security issue. Making it RC given pydantic is only in
testing and unstable, and a fix should go into bullseye before the
bullseye release.

CVE-2021-29510[0]:
| Pydantic is a data validation and settings management using Python
| type hinting. In affected versions passing either `'infinity'`,
| `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date`
| fields causes validation to run forever with 100% CPU usage (on one
| CPU). Pydantic has been patched with fixes available in the following
| versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on
| pypi(https://pypi.org/project/pydantic/#history), and will be
| available on conda-forge(https://anaconda.org/conda-forge/pydantic)
| soon. See the changelog(https://pydantic-docs.helpmanual.io/) for
| details. If you absolutely can't upgrade, you can work around this
| risk using a validator(https://pydantic-
| docs.helpmanual.io/usage/validators/) to catch these values. This is
| not an ideal solution (in particular you'll need a slightly different
| function for datetimes), instead of a hack like this you should
| upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and
| are unable to upgrade to a fixed version of pydantic, please create an
| issue at https://github.com/samuelcolvin/pydantic/issues requesting a
| back-port, and we will endeavour to release a patch for earlier
| versions of pydantic.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29510
[1] 
https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
[2] 
https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468

Regards,
Salvatore
--- End Message ---
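A guard of the kind the advisory's workaround describes, as an added example; it is not part of the original report and is not pydantic's own code. The names `reject_non_finite`, `NonFiniteTimestamp`, `scale_steps` and the `WATERSHED` value are assumptions, and wiring the guard in as a pre-validator on the `date`/`datetime` fields is left to the caller.

```python
import math
from typing import Any, Optional

# Constructed bound for the illustration below; not a value taken from pydantic.
WATERSHED = 2e10


class NonFiniteTimestamp(ValueError):
    """The input parses to +inf, -inf or NaN and must not reach date parsing."""


def _numeric_value(value: Any) -> Optional[float]:
    """Return the float a numeric-looking input parses to, else None."""
    if isinstance(value, (bool, int)):
        return None  # Python ints are always finite
    if isinstance(value, float):
        return value
    if isinstance(value, bytes):
        try:
            value = value.decode()
        except UnicodeDecodeError:
            return None
    if isinstance(value, str):
        try:
            # float() accepts 'inf', 'infinity' and 'nan' in any case, signed,
            # with surrounding whitespace, and overflows '1e999' to inf.
            return float(value)
        except ValueError:
            return None  # e.g. '2021-05-21': leave it to the real parser
    return None


def reject_non_finite(value: Any) -> Any:
    """Pass value through unchanged unless it is an infinite or NaN number.

    Meant to run before date/datetime parsing (hypothetical wiring: a
    pre-validator on each affected field).
    """
    number = _numeric_value(value)
    if number is not None and not math.isfinite(number):
        raise NonFiniteTimestamp(f"non-finite timestamp rejected: {value!r}")
    return value


def scale_steps(seconds: float, max_steps: int = 128) -> Optional[int]:
    """Constructed illustration of the failure mode, not pydantic's source.

    Counts how many divisions by 1000 bring |seconds| under WATERSHED.
    Any such loop cannot finish on infinity because inf / 1000 is still inf;
    the step cap stands in for "runs forever" and returns None when hit.
    """
    steps = 0
    while abs(seconds) > WATERSHED:
        if steps == max_steps:
            return None
        seconds /= 1000
        steps += 1
    return steps


if __name__ == "__main__":
    # Constructed sample inputs: the values named in the CVE text plus variants.
    samples = ["2021-05-21", 1621627517, "infinity", "inf", "-inf",
               b"inf", float("inf"), "1e999", "nan"]
    for sample in samples:
        try:
            reject_non_finite(sample)
            print(f"{sample!r}: accepted")
        except NonFiniteTimestamp as exc:
            print(f"{sample!r}: {exc}")
    print("steps for a millisecond timestamp:", scale_steps(1.6e12))
    print("steps for infinity:", scale_steps(float("inf")))
```

The guard also rejects `'1e999'` and NaN, which go beyond the inputs the CVE text lists but reach the parser as non-finite floats in the same way.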
--- Begin Message ---
Source: pydantic
Source-Version: 1.7.4-1
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
pydantic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera  (supplier of updated pydantic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 21 May 2021 16:05:17 -0400
Source: pydantic
Architecture: source
Version: 1.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Banck 
Changed-By: Stefano Rivera 
Closes: 988480
Changes:
 pydantic (1.7.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream point release.
 - Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
   loop by passing either 'infinity' or float('inf') (Closes: #988480)
   * Update watch file to version 4 with current uscan(1) recommended regex.

Processed: Re: Processed (with 1 error): Re: Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 987686 important
Bug #987686 [src:balsa] balsa autopkgtest fails with xdg-desktop-portal-gtk
Severity set to 'important' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed (with 1 error): Re: Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 important
Unknown tag/s: important.
Recognized are: patch wontfix moreinfo unreproducible help security upstream 
pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed 
fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch 
etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore 
jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye 
bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore.

> retitle -1 balsa autopkgtest fails with xdg-desktop-portal-gtk
Bug #987686 [src:balsa] webkit2gtk breaks balsa autopkgtest: xwd: error: No 
window with name Balsa exists!
Changed Bug title to 'balsa autopkgtest fails with xdg-desktop-portal-gtk' from 
'webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa 
exists!'.

-- 
987686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Paul Gevers
Control: tags -1 important
Control: retitle -1 balsa autopkgtest fails with xdg-desktop-portal-gtk

Hi

On 21-05-2021 21:43, Alberto Garcia wrote:
> In any case I would definitely reduce the severity of the bug, I just
> didn't want to do it on behalf of the original reporter :)

Oh, with the current downgraded dependency the issue is gone. So,
lowering the severity to prevent removal of balsa for something that
isn't an RC issue in bullseye.

Paul





Bug#988950: CVE-2020-26892 CVE-2020-26521

2021-05-21 Thread Moritz Muehlenhoff
Source: golang-github-nats-io-jwt
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://advisories.nats.io/CVE/CVE-2020-26892.txt
https://advisories.nats.io/CVE/CVE-2020-26521.txt

Cheers,
 Moritz





Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Alberto Garcia
On Fri, May 21, 2021 at 09:28:02PM +0200, Paul Gevers wrote:
> > In webkit2gtk 2.32.1-1 the dependency on xdg-desktop-portal-gtk was
> > downgraded to a recommendation so the test no longer fails.
> 
> balsa is close to autoremoval from bullseye because of this issue.
> Should xdg-desktop-portal-gtk really be a Depends? (Having the
> possibility to downgrade the dependency suggests it *is* not a
> dependency).
> 
> > The underlying cause is still there so I don't know if you want to
> > keep this bug report open to look for a proper solution.
> 
> If you're OK with keeping the downgraded dependency then I think
> this bug can be downgraded too.

Arguably this bug could be closed since the test no longer fails,
although I think it's useful to keep it open in order to track the
issue. But that's up to the Balsa maintainers in my opinion.

In any case I would definitely reduce the severity of the bug, I just
didn't want to do it on behalf of the original reporter :)

Berto



Bug#988945: CVE-2019-25009

2021-05-21 Thread Moritz Muehlenhoff
Source: rust-http
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2019-25009:
https://rustsec.org/advisories/RUSTSEC-2019-0034.html
https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
https://github.com/hyperium/http/commit/8ffe094df1431321d450860cc56a22dd53175f5e

Cheers,
 Moritz



Bug#988944: CVE-2020-7692

2021-05-21 Thread Moritz Muehlenhoff
Source: google-oauth-client-java
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-7692:
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
https://github.com/googleapis/google-oauth-java-client/issues/469
https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824

Cheers,
 Moritz



Bug#987547: debspawn: diff for NMU version 0.4.1-1.1

2021-05-21 Thread Stefano Rivera
Control: tags 987547 + pending

Dear maintainer,

I've prepared an NMU for debspawn (versioned as 0.4.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

SR
diff -Nru debspawn-0.4.1/debian/changelog debspawn-0.4.1/debian/changelog
--- debspawn-0.4.1/debian/changelog	2020-12-21 21:16:47.0 -0400
+++ debspawn-0.4.1/debian/changelog	2021-05-21 15:23:54.0 -0400
@@ -1,3 +1,10 @@
+debspawn (0.4.1-1.1) unstable; urgency=medium
+
+  * Depend on dpkg-dev, which was Recommended through build-essential, but not
+required, causing a crash. (Closes: #987547)
+
+ -- Stefano Rivera   Fri, 21 May 2021 15:23:54 -0400
+
 debspawn (0.4.1-1) unstable; urgency=medium
 
   * New upstream version: 0.4.1
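Review bot: The new 0.4.1-1.1 entry has no "Non-maintainer upload." item, although the version suffix and the covering mail mark this as an NMU; add `  * Non-maintainer upload.` as the first bullet. The continuation line `required, causing a crash. (Closes: #987547)` also appears without indentation in this copy; check that it is indented under the bullet text in the actual file and that this is only a mail-wrapping artifact.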
diff -Nru debspawn-0.4.1/debian/control debspawn-0.4.1/debian/control
--- debspawn-0.4.1/debian/control	2020-12-21 21:15:47.0 -0400
+++ debspawn-0.4.1/debian/control	2021-05-21 15:23:38.0 -0400
@@ -19,6 +19,7 @@
 Package: debspawn
 Architecture: all
 Depends: debootstrap,
+ dpkg-dev,
  python3-toml,
  systemd-container,
  zstd,
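Review bot: The added `dpkg-dev,` line in Depends fixes the install set, but nothing in this upload guards against the same gap returning; an autopkgtest that runs debspawn in a testbed installed without Recommends would catch a tool that is only reachable through a Recommends chain, which is how the changelog entry describes dpkg-dev being pulled in via build-essential.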


Processed: debspawn: diff for NMU version 0.4.1-1.1

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tags 987547 + pending
Bug #987547 [debspawn] missing dependency on dpkg-dev
Added tag(s) pending.

-- 
987547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Paul Gevers
Hi Alberto,

On 11-05-2021 21:03, Alberto Garcia wrote:
> On Tue, Apr 27, 2021 at 11:27:32PM +0200, Alberto Garcia wrote:
> 
>> Nothing to do with webkit actually. The test launches Balsa, waits
>> for two seconds and then takes a screenshot of the window. The bug
>> happens because when xdg-desktop-portal-gtk is installed Balsa takes
>> a very long time to start so those two seconds are not enough.
> 
> In webkit2gtk 2.32.1-1 the dependency on xdg-desktop-portal-gtk was
> downgraded to a recommendation so the test no longer fails.

balsa is close to autoremoval from bullseye because of this issue.
Should xdg-desktop-portal-gtk really be a Depends? (Having the
possibility to downgrade the dependency suggests it *is* not a dependency).

> The underlying cause is still there so I don't know if you want to
> keep this bug report open to look for a proper solution.

If you're OK with keeping the downgraded dependency then I think this
bug can be downgraded too.

Paul





Bug#987646: marked as done (eclipse-titan: Frequent parallel FTBFS)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 19:18:29 +
with message-id 
and subject line Bug#987646: fixed in eclipse-titan 7.2.0-1.1
has caused the Debian Bug report #987646,
regarding eclipse-titan: Frequent parallel FTBFS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: eclipse-titan
Version: 7.2.0-1
Severity: serious
Tags: ftbfs

eclipse-titan (7.2.0-1) unstable; urgency=medium
...
  * debian/rules:
...
- removed unnecessary --no-parallel option

 -- Gergely Pilisi   Tue, 16 Feb 2021 10:25:17 +0100


Unfortunately --no-parallel is still necessary:

https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/eclipse-titan.html

...
Notify: Parsing TTCN-3 module `TitanLoggerControl.ttcn'...
Notify: Checking modules...
Notify: Generating code...
Notify: None of the files needed update.
Notify: Generating TTCN-3 modules...
touch RT1/TitanLoggerControl.cc.compiled
Notify: File 'TitanLoggerApi.ttcn' was generated.
Notify: File `RT1/PreGenRecordOf.hh' was generated.
Notify: Generating TTCN-3 modules...
Notify: File 'TitanLoggerApi.ttcn' was generated.
Notify: File `RT1/PreGenRecordOf.cc' was generated.
Notify: 2 files were updated.
sed -e 
's/XSD.String/charstring/g;s/XSD.AnySimpleType/charstring/g;s/XSD.Integer/integer/g;s/XSD.Float/float/g;s/XSD.Double/float/g;s/XSD.Boolean/boolean/g;s/import
 from XSD all;//g' TitanLoggerApi.ttcn >TitanLoggerApi.ttcn_
touch RT1/PreGenRecordOf.cc.compiled
sed -e 
's/XSD.String/charstring/g;s/XSD.AnySimpleType/charstring/g;s/XSD.Integer/integer/g;s/XSD.Float/float/g;s/XSD.Double/float/g;s/XSD.Boolean/boolean/g;s/import
 from XSD all;//g' TitanLoggerApi.ttcn >TitanLoggerApi.ttcn_
mv TitanLoggerApi.ttcn_ TitanLoggerApi.ttcn
mv TitanLoggerApi.ttcn_ TitanLoggerApi.ttcn
mv: cannot stat 'TitanLoggerApi.ttcn_': No such file or directory
make[4]: *** [Makefile:280: TitanLoggerApi.ttcn] Error 1


https://buildd.debian.org/status/fetch.php?pkg=eclipse-titan=powerpc=7.2.0-1=1613472632=0

...
Notify: File `RT1/TitanLoggerControl.hh' was generated.
Notify: Parsing TTCN-3 module `TitanLoggerControl.ttcn'...
Notify: File `RT1/TitanLoggerControl.cc' was generated.
Notify: 2 files were updated.
touch RT1/TitanLoggerControl.cc.compiled
Notify: Checking modules...
Notify: Generating code...
Notify: None of the files needed update.
touch RT1/TitanLoggerControl.cc.compiled
Notify: File `RT1/PreGenRecordOf.hh' was generated.
Notify: File `RT1/PreGenRecordOf.cc' was generated.
Notify: 2 files were updated.
touch RT1/PreGenRecordOf.cc.compiled
Notify: Generating TTCN-3 modules...
Notify: File 'TitanLoggerApi.ttcn' was generated.
Notify: None of the files needed update.
sed -e 
's/XSD.String/charstring/g;s/XSD.AnySimpleType/charstring/g;s/XSD.Integer/integer/g;s/XSD.Float/float/g;s/XSD.Double/float/g;s/XSD.Boolean/boolean/g;s/import
 from XSD all;//g' TitanLoggerApi.ttcn >TitanLoggerApi.ttcn_
touch RT1/PreGenRecordOf.cc.compiled
Notify: Generating TTCN-3 modules...
Notify: File 'TitanLoggerApi.ttcn' was generated.
sed -e 
's/XSD.String/charstring/g;s/XSD.AnySimpleType/charstring/g;s/XSD.Integer/integer/g;s/XSD.Float/float/g;s/XSD.Double/float/g;s/XSD.Boolean/boolean/g;s/import
 from XSD all;//g' TitanLoggerApi.ttcn >TitanLoggerApi.ttcn_
mv TitanLoggerApi.ttcn_ TitanLoggerApi.ttcn
mkdir -p RT1
mv TitanLoggerApi.ttcn_ TitanLoggerApi.ttcn
if ../compiler2/compiler -o RT1 TitanLoggerApi.ttcn - TitanLoggerApi.ttcn; then 
:; else mv TitanLoggerApi.ttcn TitanLoggerApi.ttcn.$$.bad; exit 1; fi
mv: cannot stat 'TitanLoggerApi.ttcn_': No such file or directory
make[4]: *** [Makefile:280: TitanLoggerApi.ttcn] Error 1
--- End Message ---
--- Begin Message ---
Source: eclipse-titan
Source-Version: 7.2.0-1.1
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
eclipse-titan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera  (supplier of updated eclipse-titan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Bug#988940: gnome-shell-extension-redshift: Is this package obsolete?

2021-05-21 Thread Adrian Bunk
Package: gnome-shell-extension-redshift
Version: 3.20.1-2.1
Severity: serious

https://extensions.gnome.org/extension/685/redshift/

Deprecation notice: As of GNOME 3.24, there is native support for night light 
mode in your display settings. This extension is not required or recommended 
anymore.



Processed: severity of 986603 is important

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 986603 important
Bug #986603 [courier-mlm] courier-MLM : it runs as root ? or we must manually 
set up as coureir user?
Severity set to 'important' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
986603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987646: eclipse-titan: diff for NMU version 7.2.0-1.1

2021-05-21 Thread Stefano Rivera
Control: tags 987646 + patch

Dear maintainer,

I've prepared an NMU for eclipse-titan (versioned as 7.2.0-1.1). The diff
is attached to this message.

Regards.

SR
diff -Nru eclipse-titan-7.2.0/debian/changelog eclipse-titan-7.2.0/debian/changelog
--- eclipse-titan-7.2.0/debian/changelog	2021-02-16 05:25:17.0 -0400
+++ eclipse-titan-7.2.0/debian/changelog	2021-05-21 14:58:09.0 -0400
@@ -1,3 +1,11 @@
+eclipse-titan (7.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
+(Closes: #987646)
+
+ -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400
+
 eclipse-titan (7.2.0-1) unstable; urgency=medium
 
   * New release.
diff -Nru eclipse-titan-7.2.0/debian/rules eclipse-titan-7.2.0/debian/rules
--- eclipse-titan-7.2.0/debian/rules	2021-02-16 05:20:17.0 -0400
+++ eclipse-titan-7.2.0/debian/rules	2021-05-21 14:48:25.0 -0400
@@ -3,7 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 %:
-	dh $@ --verbose
+	dh $@ --verbose --no-parallel
 
 override_dh_shlibdeps:
 	dh_shlibdeps -l$(CURDIR)/Install/lib
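Review bot: The `dh $@ --verbose --no-parallel` line carries no comment explaining why parallel builds are off, and the bug report shows the option was already dropped once as "unnecessary" in 7.2.0-1; add a comment above the `%:` rule pointing at #987646 and the duplicated `mv TitanLoggerApi.ttcn_ TitanLoggerApi.ttcn` seen in the build logs, so the flag is not removed again. The option also serialises the whole dh sequence rather than only the Makefile rule that races, so treat it as a workaround to revisit once that rule is fixed upstream.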


Processed: eclipse-titan: diff for NMU version 7.2.0-1.1

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tags 987646 + patch
Bug #987646 [src:eclipse-titan] eclipse-titan: Frequent parallel FTBFS
Added tag(s) patch.

-- 
987646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#978166: marked as done (whipper: Missing dependency on flac)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 18:48:33 +
with message-id 
and subject line Bug#978166: fixed in whipper 0.9.0-7
has caused the Debian Bug report #978166,
regarding whipper: Missing dependency on flac
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
978166: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978166
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: whipper
Version: 0.9.0-4
Severity: important
X-Debbugs-Cc: age.bo...@protonmail.com

Dear Maintainer,

   * What led up to the situation?

After a new/clean install of whipper, its primary function, ripping a cd, does
not work, resulting in an error instead.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Run "whipper cd rip" (after having configured the drive)

   * What was the outcome of this action?

The first track will fail 5 times with error:

---
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/whipper/extern/task/task.py", line 518,
in c
callable_task(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/whipper/common/encode.py", line 63, in
_flac_encode
flac.encode(self.track_path, self.track_out_path)
  File "/usr/lib/python3/dist-packages/whipper/program/flac.py", line 15, in
encode
check_call(['flac', '--silent', '--verify', '-o', outfile,
  File "/usr/lib/python3.8/subprocess.py", line 359, in check_call
retcode = call(*popenargs, **kwargs)
  File "/usr/lib/python3.8/subprocess.py", line 340, in call
with Popen(*popenargs, **kwargs) as p:
  File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'flac'
---

   * What outcome did you expect instead?

No error and a ripped cd/track.

Installing the dependency 'flac', as instructed in the list of dependencies [1]
fixes the issue.

Yours faithfully,

Age


[1] https://github.com/whipper-team/whipper#required-dependencies



-- System Information:
Debian Release: bullseye/sid
  APT prefers groovy-updates
  APT policy: (500, 'groovy-updates'), (500, 'groovy-security'), (500, 
'groovy'), (100, 'groovy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-29-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages whipper depends on:
ii  cd-paranoia             10.2+2.0.0-1build1
ii  cdrdao                  1:1.2.4-1build1
ii  libc6                   2.32-0ubuntu3
ii  libsndfile1             1.0.28-8
ii  python3                 3.8.6-0ubuntu1
ii  python3-cdio            2.1.0-1build2
ii  python3-gi              3.38.0-1
ii  python3-musicbrainzngs  0.7.1-2
ii  python3-mutagen         1.45.0-1
ii  python3-requests        2.23.0+dfsg-2
ii  python3-ruamel.yaml     0.16.12-2
ii  sox                     14.4.2+git20190427-2

whipper recommends no packages.

whipper suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: whipper
Source-Version: 0.9.0-7
Done: Krzysztof Krzyżaniak (eloy) 

We believe that the bug you reported is fixed in the latest version of
whipper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Krzysztof Krzyżaniak (eloy)  (supplier of updated whipper 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 27 Apr 2021 14:22:21 +0200
Source: whipper
Architecture: source
Version: 0.9.0-7
Distribution: unstable
Urgency: medium
Maintainer: Krzysztof Krzyżaniak (eloy) 
Changed-By: Krzysztof Krzyżaniak (eloy) 
Closes: 968880 971628 978166
Changes:
 whipper (0.9.0-7) 

Bug#978166: Updated package

2021-05-21 Thread Stefano Rivera
Hi eloy (2021.05.08_05:58:59_-0400)
> There's updated package released in salsa.debian.org
> https://salsa.debian.org/debian/whipper/-/tree/debian/0.9.0-7 but I
> have problems with uploading it into ftp debian.org. Until I resolve
> problems with uploading someone can take build from there and upload it.

I added a fix for #971628 and sponsored the upload.

The changelog is kind of weird, it has many uploads in it that never hit
the Debian archive... Without knowing the back-story, I didn't fold them
into a -5, but kept it as -7.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#988109: buster-pu: package mqtt-client/1.14-1

2021-05-21 Thread Abhijith PA
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster for fixing CVE-2019-0222.
It is fixed in stretch, bullseye and sid. Right now stretch-security
has a newer version (1.14-1+9u1) than buster, breaking clean upgrades
to buster. CVE-2019-0222 is no-dsa, thus using pu. Vcs field URL also
updated.

Debdiff is attached. Please allow me to upload this fix to Buster.


--abhijith

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog
--- mqtt-client-1.14/debian/changelog   2016-07-19 13:30:10.0 +0530
+++ mqtt-client-1.14/debian/changelog   2021-05-21 21:59:49.0 +0530
@@ -1,3 +1,13 @@
+mqtt-client (1.14-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+broker Out of Memory exception making it unresponsive.
+(Closes: #988109)
+  * Update Vcs-* URL in d/control.
+
+ -- Abhijith PA   Fri, 21 May 2021 21:59:49 +0530
+
 mqtt-client (1.14-1) unstable; urgency=medium
 
   * New upstream release
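Review bot: `(Closes: #988109)` in the new changelog entry uses the same number as this buster-pu request, which is filed against release.debian.org, so the upload would close the request itself rather than an mqtt-client bug. Drop the Closes, or point it at the mqtt-client bug that tracks CVE-2019-0222 if one exists.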
diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control
--- mqtt-client-1.14/debian/control 2016-07-19 13:28:53.0 +0530
+++ mqtt-client-1.14/debian/control 2021-05-21 21:59:49.0 +0530
@@ -10,8 +10,8 @@
libmaven-bundle-plugin-java,
maven-debian-helper (>= 1.5)
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git
+Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git
+Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client
 Homepage: http://mqtt-client.fusesource.org
 
 Package: libmqtt-client-java
diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 
mqtt-client-1.14/debian/patches/CVE-2019-0222.patch
--- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 
05:30:00.0 +0530
+++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 
21:59:02.0 +0530
@@ -0,0 +1,21 @@
+Description: CVE-2019-0222
+
+ unmarshalling corrupt MQTT frame can lead
+ to broker Out of Memory exception making it unresponsive.
+
+Author: Abhijith PA 
+
+diff --git 
a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java 
b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+index 
08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa
 100644
+--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
 b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+@@ -62,6 +62,9 @@ public final class MessageSupport {
+ 
+ static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws 
ProtocolException {
+ int size = is.readUnsignedShort();
++if (size < 0) {
++throw new ProtocolException("Invalid message encoding");
++}
+ Buffer buffer = is.readBuffer(size);
+ if (buffer == null || buffer.length != size) {
+ throw new ProtocolException("Invalid message encoding");
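Review bot: In the added `if (size < 0)` guard in readUTF(), `size` comes from `is.readUnsignedShort()`, a name that suggests a result in 0..65535, so the check only has an effect if this stream class returns a negative value on a truncated frame; say so in the patch Description or in a code comment so the guard is not later removed as dead code. The patch header also carries only Description and Author although the embedded diff has a git `index` line, so add an Origin field naming the upstream commit it was taken from.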
diff -Nru mqtt-client-1.14/debian/patches/series 
mqtt-client-1.14/debian/patches/series
--- mqtt-client-1.14/debian/patches/series  1970-01-01 05:30:00.0 
+0530
+++ mqtt-client-1.14/debian/patches/series  2021-05-21 21:59:02.0 
+0530
@@ -0,0 +1 @@
+CVE-2019-0222.patch




Bug#988141: marked as done (impacket: CVE-2021-31800)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 17:18:32 +
with message-id 
and subject line Bug#988141: fixed in impacket 0.9.22-2
has caused the Debian Bug report #988141,
regarding impacket: CVE-2021-31800
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: impacket
Version: 0.9.22-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for impacket.

CVE-2021-31800[0]:
| Multiple path traversal vulnerabilities exist in smbserver.py in
| Impacket through 0.9.22. An attacker that connects to a running
| smbserver instance can list and write to arbitrary files via ../
| directory traversal. This could potentially be abused to achieve
| arbitrary code execution by replacing /etc/shadow or an SSH authorized
| key.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31800
[1] 
https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: impacket
Source-Version: 0.9.22-2
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
impacket, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera  (supplier of updated impacket package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 21 May 2021 13:02:37 -0400
Source: impacket
Architecture: source
Version: 0.9.22-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team 
Changed-By: Stefano Rivera 
Closes: 988141
Changes:
 impacket (0.9.22-2) unstable; urgency=medium
 .
   * Team upload.
   * Resolve CVE-2021-31800: Fix Path Traversal vulnerabilities by checking
 path prefix against incoming filename. (Closes: #988141)
--- End Message ---


Bug#984490: marked as done (test-archive.t fails in the autopkg tests)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 17:18:40 +
with message-id 
and subject line Bug#986514: fixed in mercurial 5.6.1-3
has caused the Debian Bug report #986514,
regarding test-archive.t fails in the autopkg tests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:mercurial
Version: 5.6.1-2
Severity: serious
Tags: sid bullseye

test-archive.t fails in the autopkg tests (all architectures), triggered by the
python3-defaults upload:

https://ci.debian.net/data/autopkgtest/testing/amd64/m/mercurial/10823665/log.gz

--- /tmp/autopkgtest-lxc.75_lnl28/downtmp/build.6MQ/src/tests/test-archive.t
+++ /tmp/autopkgtest-lxc.75_lnl28/downtmp/build.6MQ/src/tests/test-archive.t.err
@@ -350,49 +350,59 @@
   > sys.stderr.write(str(e) + '\n')
   > EOF
   $ "$PYTHON" getarchive.py "$TIP" gz | gunzip | tar tf - 2>/dev/null
-  test-archive-1701ef1f1510/.hg_archival.txt
-  test-archive-1701ef1f1510/.hgsub
-  test-archive-1701ef1f1510/.hgsubstate
-  test-archive-1701ef1f1510/bar
-  test-archive-1701ef1f1510/baz/bletch
-  test-archive-1701ef1f1510/foo
-  test-archive-1701ef1f1510/subrepo/sub
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=gz
+
+  gzip: stdin: unexpected end of file
+  [2]
   $ "$PYTHON" getarchive.py "$TIP" bz2 | bunzip2 | tar tf - 2>/dev/null
-  test-archive-1701ef1f1510/.hg_archival.txt
-  test-archive-1701ef1f1510/.hgsub
-  test-archive-1701ef1f1510/.hgsubstate
-  test-archive-1701ef1f1510/bar
-  test-archive-1701ef1f1510/baz/bletch
-  test-archive-1701ef1f1510/foo
-  test-archive-1701ef1f1510/subrepo/sub
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=bz2
+
+  bunzip2: Compressed file ends unexpectedly;
+   perhaps it is corrupted?  *Possible* reason follows.
+  bunzip2: Inappropriate ioctl for device
+   Input file = (stdin), output file = (stdout)
+
+  It is possible that the compressed file(s) have become corrupted.
+  You can use the -tvv option to test integrity of such files.
+
+  You can use the `bzip2recover' program to attempt to recover
+  data from undamaged sections of corrupted files.
+
+  [2]
   $ "$PYTHON" getarchive.py "$TIP" zip > archive.zip
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=zip
   $ unzip -t archive.zip
   Archive:  archive.zip
-  testing: test-archive-1701ef1f1510/.hg_archival.txt*OK (glob)
-  testing: test-archive-1701ef1f1510/.hgsub*OK (glob)
-  testing: test-archive-1701ef1f1510/.hgsubstate*OK (glob)
-  testing: test-archive-1701ef1f1510/bar*OK (glob)
-  testing: test-archive-1701ef1f1510/baz/bletch*OK (glob)
-  testing: test-archive-1701ef1f1510/foo*OK (glob)
-  testing: test-archive-1701ef1f1510/subrepo/sub*OK (glob)
-  No errors detected in compressed data of archive.zip.
+End-of-central-directory signature not found.  Either this file is not
+a zipfile, or it constitutes one disk of a multi-part archive.  In the
+latter case the central directory and zipfile comment will be found on
+the last disk(s) of this archive.
+  unzip:  cannot find zipfile directory in one of archive.zip or
+  archive.zip.zip, and cannot find archive.zip.ZIP, period.
+  [9]

 test that we can download single directories and files

   $ "$PYTHON" getarchive.py "$TIP" gz baz | gunzip | tar tf - 2>/dev/null
-  test-archive-1701ef1f1510/baz/bletch
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=gz;file=baz
+
+  gzip: stdin: unexpected end of file
+  [2]
   $ "$PYTHON" getarchive.py "$TIP" gz foo | gunzip | tar tf - 2>/dev/null
-  test-archive-1701ef1f1510/foo
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=gz;file=foo
+
+  gzip: stdin: unexpected end of file
+  [2]

 test that we detect file patterns that match no files

   $ "$PYTHON" getarchive.py "$TIP" gz foobar
-  HTTP Error 404: file(s) not found: foobar
+  HTTP Error 400: no such method: archive;node=1701ef1f1510;type=gz;file=foobar

 test that we reject unsafe patterns

   $ "$PYTHON" getarchive.py "$TIP" gz relre:baz
-  HTTP Error 404: file(s) not found: relre:baz
+  HTTP Error 400: no such method: 
archive;node=1701ef1f1510;type=gz;file=relre:baz

   $ killdaemons.py


ERROR: test-archive.t output changed
!# Ret was: 0 (test-archive.t)
--- End Message ---
--- Begin Message ---
Source: mercurial
Source-Version: 5.6.1-3
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be 

Bug#988885: CVE-2021-31323 CVE-2021-31322 CVE-2021-31321 CVE-2021-31320 CVE-2021-31319 CVE-2021-31318 CVE-2021-31317 CVE-2021-31315

2021-05-21 Thread Nicholas Guriev
Hello! Thank you for pointing out these CVEs.

I investigated deeper into the issues and reviewed the code as of
0.1+dfsg-1 version of the package. Luckily, most of these issues are not
related to rlottie as currently packaged in Debian.

Below are some of my notes. They do not imply a 100% guarantee, and real
tests are needed.

CVE-2021-31323:
Code was refactored. mData is now an std::vector that is extended before
the parseProperty() call.
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieparser.cpp/#L1741

CVE-2021-31322, CVE-2021-31319:
Seems unaffected due to checking added by Fix-crash-on-invalid-data.patch
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottiemodel.cpp/#L248

CVE-2021-31320:
The mentioned while loop has been enhanced by Fix-crash-on-invalid-data.patch
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vdrawhelper.cpp/#L168

CVE-2021-31318:
Seems unaffected, because Fix-crash-on-invalid-data.patch inserts type
checking before static_cast<> operator.
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieitem.cpp/#L454

CVE-2021-31315:
Seems to be already fixed by Check-buffer-length.patch
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vrle.cpp/#L559

CVE-2021-31321:
Code differs, but bez_stack is an array of constant size on the
gray_TWorker structure. It is twice the size mentioned in the
advisory. However, the vulnerability may be still present.
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/freetype/v_ft_raster.cpp/#L308

CVE-2021-31317:
Not fixed. Need tests.


As for the penultimate bug, I think it would be better to dispose of
bundled freetype code and rely solely on libfreetype already packaged in
Debian. But this may require a lot of changes that are unacceptable
during freeze.

Also note, these issues are all described in context of Telegram Android
client. Nowadays, telegram-desktop is the only package in Debian main
archive that depends on rlottie. Telegram Desktop does not support
end-to-end encrypted secret chats, and so incoming animated stickers are
subject to filtering by Telegram servers. Because of this, a remote
attack is a little more difficult.

There is another thing. For Debian, rlottie is built without a redefined
RAPIDJSON_ASSERT macro, in contrast to upstream Telegram Desktop. By
default the macro expands to an abort() function call. This fact may result
in additional SIGABRT crashes on invalid input data. But it will protect
against more dangerous failures.

  https://github.com/desktop-app/cmake_helpers/blob/ac193a597d6b953f9869a240e21e275ce6e388cb/external/rlottie/CMakeLists.txt#L116





Processed: Bug#988141 marked as pending in impacket

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #988141 [src:impacket] impacket: CVE-2021-31800
Added tag(s) pending.

-- 
988141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#988141: marked as pending in impacket

2021-05-21 Thread Stefano Rivera
Control: tag -1 pending

Hello,

Bug #988141 in impacket reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/impacket/-/commit/9c3b727071485625cce2a21d0b70ee7756cc37cc


Resolve CVE-2021-31800: Fix Path Traversal vulnerabilities by checking path 
prefix against incoming filename. (Closes: #988141)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/988141
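
The commit message above describes the fix as checking the path prefix against the incoming filename. The following is an added example, not impacket's code and not part of the original message, showing why such a check should compare resolved path components rather than raw strings. All function names and the directory layout are hypothetical and constructed for the illustration.

```python
import os
import tempfile


class OutsideShareError(ValueError):
    """Raised when a client-supplied name resolves outside the share root."""


def _to_relative(client_name: str) -> str:
    # SMB clients send backslash-separated names; normalise them and drop any
    # leading separator so os.path.join cannot be reset to an absolute path.
    return client_name.replace("\\", "/").lstrip("/")


def resolve_unchecked(share_root: str, client_name: str) -> str:
    """The 'before' shape: join and normalise, with no containment check."""
    return os.path.normpath(os.path.join(share_root, _to_relative(client_name)))


def resolve_string_prefix(share_root: str, client_name: str) -> str:
    """A prefix check on raw strings: stops plain '..' escapes, but accepts a
    sibling directory whose name merely starts with the share name, and does
    not look through symlinks."""
    path = resolve_unchecked(share_root, client_name)
    if not path.startswith(os.path.normpath(share_root)):
        raise OutsideShareError(client_name)
    return path


def resolve_contained(share_root: str, client_name: str) -> str:
    """Resolve '..' and symlinks first, then compare whole path components."""
    root = os.path.realpath(share_root)
    path = os.path.realpath(os.path.join(root, _to_relative(client_name)))
    if os.path.commonpath([root, path]) != root:
        raise OutsideShareError(client_name)
    return path


def is_rejected(resolver, share_root: str, client_name: str) -> bool:
    """True when the given resolver refuses the name."""
    try:
        resolver(share_root, client_name)
    except OutsideShareError:
        return True
    return False


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/share is exported, <tmp>/share-private is not."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="share-demo-"))
    os.mkdir(os.path.join(base, "share"))
    os.mkdir(os.path.join(base, "share-private"))
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    share = os.path.join(base, "share")
    # Constructed sample names, as a client might send them.
    for name in ("docs\\report.txt", "..\\..\\outside.txt", "..\\share-private\\key"):
        print(
            f"{name!r}: string-prefix rejects={is_rejected(resolve_string_prefix, share, name)}, "
            f"component check rejects={is_rejected(resolve_contained, share, name)}"
        )
```
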



Bug#988853: marked as done (spip: broken symlink: /usr/share/spip/prive/javascript/js.cookie.js -> ../../../../lib/nodejs/js-cookie/src/js.cookie.js)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 17:03:25 +
with message-id 
and subject line Bug#988853: fixed in spip 3.2.11-3
has caused the Debian Bug report #988853,
regarding spip: broken symlink: /usr/share/spip/prive/javascript/js.cookie.js 
-> ../../../../lib/nodejs/js-cookie/src/js.cookie.js
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: spip
Version: 3.2.11-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

1m19.9s ERROR: FAIL: Broken symlinks:
  /usr/share/spip/prive/javascript/js.cookie.js -> 
../../../../lib/nodejs/js-cookie/src/js.cookie.js (spip)

js.cookie.js is (nowadays?) located at 
/usr/share/nodejs/js-cookie/src/js.cookie.js


cheers,

Andreas


spip_3.2.11-2.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: spip
Source-Version: 3.2.11-3
Done: David Prévot 

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot  (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 21 May 2021 11:14:54 -0400
Source: spip
Architecture: source
Version: 3.2.11-3
Distribution: unstable
Urgency: medium
Maintainer: David Prévot 
Changed-By: David Prévot 
Closes: 988853
Changes:
 spip (3.2.11-3) unstable; urgency=medium
 .
   * Adapt symlink to changed path in latest node-js-cookie.
 Thanks to Andreas Beckmann  (Closes: #988853)
--- End Message ---


Bug#986514: marked as pending in mercurial

2021-05-21 Thread Stefano Rivera
Control: tag -1 pending

Hello,

Bug #986514 in mercurial reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/mercurial/-/commit/b94b1fcb3b4cbb5cdd80fd245ef4be38efed4e4e


python-3.9.2.patch: Use "&" instead of ";" as query string separator in 
test-archive.t to fix FTBFS with Python 3.9.2, which changed its 
urllib.parse.parse_qsl() behavior to only accept "&" as a separator by default. 
(closes: #986514)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/986514
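
The parse_qsl() behaviour change named in the commit message above, as an added example (not Mercurial's code or test suite). The `cmd=` key in the sample query is an assumption; the rest of the string is taken from the "no such method" error quoted in the bug report. It requires a Python with the `separator` parameter (3.9.2 or later, as the commit message states).

```python
from urllib.parse import parse_qsl

# Constructed sample queries. LEGACY_QUERY uses ';' between fields, as the
# failing test did; FIXED_QUERY is the same request with '&'.
LEGACY_QUERY = "cmd=archive;node=1701ef1f1510;type=gz"
FIXED_QUERY = "cmd=archive&node=1701ef1f1510&type=gz"


def parse_default(query):
    """Parse the way Python >= 3.9.2 does by default: '&' is the only separator."""
    return parse_qsl(query, keep_blank_values=True)


def parse_legacy(query):
    """Parse with ';' as the separator, which now has to be requested explicitly."""
    return parse_qsl(query, keep_blank_values=True, separator=";")


def requested_command(query):
    """Value of 'cmd' as a dispatcher reading the default parse would see it."""
    return dict(parse_default(query)).get("cmd")


def relies_on_semicolon(query):
    """True when the query contains ';' and splits into different fields
    depending on whether ';' is honoured as a separator."""
    return ";" in query and parse_legacy(query) != parse_default(query)


def audit(queries):
    """Return the queries whose meaning changes under the '&'-only default,
    for example when checking test fixtures or client code before an upgrade."""
    return [q for q in queries if relies_on_semicolon(q)]


if __name__ == "__main__":
    for q in (LEGACY_QUERY, FIXED_QUERY):
        print(q, "->", parse_default(q), "cmd =", repr(requested_command(q)))
    print("needs updating:", audit([LEGACY_QUERY, FIXED_QUERY]))
```
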



Processed: Bug#986514 marked as pending in mercurial

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #986514 [src:mercurial] mercurial: FTBFS: dh_auto_test: error: make -j4 
check PYTHON=python3.9 "TESTFLAGS=--verbose --timeout 1440 --jobs 4 --blacklist 
/<>/debian/mercurial.test_blacklist" returned exit code 2
Bug #984490 [src:mercurial] test-archive.t fails in the autopkg tests
Added tag(s) pending.
Added tag(s) pending.

-- 
984490: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984490
986514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#988929: jverein: broken symlinks: /usr/share/jameica/plugins/jverein/lib/*-*.jar -> ../../../../java/*.jar

2021-05-21 Thread Andreas Beckmann
Package: jverein
Version: 2.8.18+git20200921.6212a59+dfsg-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

1m38.1s ERROR: FAIL: Broken symlinks:
  /usr/share/jameica/plugins/jverein/lib/bsh-core-2.0b4.jar -> 
../../../../java/bsh.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/core-3.1.0.jar -> 
../../../../java/core.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/csvjdbc.jar -> 
../../../../java/csvjdbc.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/ez-vcard-0.9.5.jar -> 
../../../../java/ez-vcard.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/freemarker-2.3.23.jar -> 
../../../../java/freemarker.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/jackson-core-2.6.1.jar -> 
../../../../java/jackson-core.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/javase-3.1.0.jar -> 
../../../../java/javase.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/javax.mail-1.6.2.jar -> 
../../../../java/javax.mail.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/joda-time-2.3.jar -> 
../../../../java/joda-time.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/jollyday-0.4.7.jar -> 
../../../../java/jollydday.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/junit-4.8.1.jar -> 
../../../../java/junit4.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/nc.jar -> ../../../../java/nc.jar 
(jverein)
  /usr/share/jameica/plugins/jverein/lib/snakeyaml-1.13.jar -> 
../../../../java/snakeyaml.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/vinnie-2.0.1.jar -> 
../../../../java/vinnie.jar (jverein)

There seem to be a bunch of dependencies on *-java packages missing.
If all these are purely optional, feel free to downgrade the severity
and add Recommends/Suggests on the missing packages.

cheers,

Andreas


jverein_2.8.18+git20200921.6212a59+dfsg-3.log.gz
Description: application/gzip


Processed: forcibly merging 986514 984490

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 986514 984490
Bug #986514 [src:mercurial] mercurial: FTBFS: dh_auto_test: error: make -j4 
check PYTHON=python3.9 "TESTFLAGS=--verbose --timeout 1440 --jobs 4 --blacklist 
/<>/debian/mercurial.test_blacklist" returned exit code 2
Bug #984490 [src:mercurial] test-archive.t fails in the autopkg tests
Set Bug forwarded-to-address to 
'https://bz.mercurial-scm.org/show_bug.cgi?id=6504'.
Added tag(s) upstream and fixed-upstream.
Merged 984490 986514
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
984490: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984490
986514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#966233: marked as done (pyyaml: CVE-2020-14343)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 15:43:47 +
with message-id 
and subject line Bug#966233: fixed in pyyaml 5.3.1-4
has caused the Debian Bug report #966233,
regarding pyyaml: CVE-2020-14343
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
966233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pyyaml
Version: 5.3.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/issues/420
X-Debbugs-Cc: Debian Security Team 

Hi,

The following vulnerability was published for pyyaml.

CVE-2020-14343[0]:
| .load() and FullLoader still vulnerable to fairly trivial RCE

The CVE is for an incomplete fix of CVE-2020-1747, see [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14343
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
[1] https://github.com/yaml/pyyaml/issues/420

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pyyaml
Source-Version: 5.3.1-4
Done: Stefano Rivera 

We believe that the bug you reported is fixed in the latest version of
pyyaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 966...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera  (supplier of updated pyyaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 21 May 2021 11:11:00 -0400
Source: pyyaml
Architecture: source
Version: 5.3.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team 
Changed-By: Stefano Rivera 
Closes: 966233
Changes:
 pyyaml (5.3.1-4) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Debian Janitor ]
   * Apply multi-arch hints.
 + python3-yaml-dbg: Add Multi-Arch: same.
 .
   [ Stefano Rivera ]
   * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
 (Closes: #966233)
--- End Message ---


Processed: Bug#966233 marked as pending in pyyaml

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #966233 [src:pyyaml] pyyaml: CVE-2020-14343
Added tag(s) pending.

-- 
966233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#966233: marked as pending in pyyaml

2021-05-21 Thread Stefano Rivera
Control: tag -1 pending

Hello,

Bug #966233 in pyyaml reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/pyyaml/-/commit/a44d77fa7260cc1fb293fac9849ae5f3fc489577


Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader. (Closes: 
#966233)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/966233



Processed: reopening 988763, severity of 988763 is important

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reopen 988763
Bug #988763 {Done: Ryan Kavanagh } [rxvt-unicode] 
rxvt-unicode: CVE-2021-33477: (potential remote) code execution via ESC G Q
Bug reopened
Ignoring request to alter fixed versions of bug #988763 to the same values 
previously set
> severity 988763 important
Bug #988763 [rxvt-unicode] rxvt-unicode: CVE-2021-33477: (potential remote) 
code execution via ESC G Q
Severity set to 'important' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
988763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: limit source to spip, tagging 988853

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> limit source spip
Limiting to bugs with field 'source' containing at least one of 'spip'
Limit currently set to 'source':'spip'

> tags 988853 + pending
Bug #988853 [spip] spip: broken symlink: 
/usr/share/spip/prive/javascript/js.cookie.js -> 
../../../../lib/nodejs/js-cookie/src/js.cookie.js
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
988853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#985220: marked as done (velocity: CVE-2020-13936)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 14:47:09 +
with message-id 
and subject line Bug#985220: fixed in velocity 1.7-5+deb10u1
has caused the Debian Bug report #985220,
regarding velocity: CVE-2020-13936
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: velocity
Version: 1.7-5.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.7-5

Hi,

The following vulnerability was published for velocity.

CVE-2020-13936[0]:
| An attacker that is able to modify Velocity templates may execute
| arbitrary Java code or run arbitrary system commands with the same
| privileges as the account running the Servlet container. This applies
| to applications that allow untrusted users to upload/modify velocity
| templates running Apache Velocity Engine versions up to 2.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
[1] https://www.openwall.com/lists/oss-security/2021/03/10/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: velocity
Source-Version: 1.7-5+deb10u1
Done: Chris Lamb 

We believe that the bug you reported is fixed in the latest version of
velocity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb  (supplier of updated velocity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 13 May 2021 11:11:57 +0100
Source: velocity
Binary: velocity velocity-doc
Architecture: source all
Version: 1.7-5+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Chris Lamb 
Description:
 velocity   - Java-based template engine for web application
 velocity-doc - Documentation for velocity
Closes: 985220
Changes:
 velocity (1.7-5+deb10u1) buster; urgency=medium
 .
   * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
 that can be exploited by applications that allow untrusted users to
 upload/modify Velocity templates. (Closes: #985220)

Bug#964274: marked as done (ruby-websocket-extensions: CVE-2020-7663)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 14:47:09 +
with message-id 
and subject line Bug#964274: fixed in ruby-websocket-extensions 0.1.2-1+deb10u1
has caused the Debian Bug report #964274,
regarding ruby-websocket-extensions: CVE-2020-7663
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
964274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-websocket-extensions
Version: 0.1.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ruby-websocket-extensions.

CVE-2020-7663[0]:
| websocket-extensions ruby module prior to 0.1.5 allows Denial of
| Service (DoS) via Regex Backtracking. The extension parser may take
| quadratic time when parsing a header containing an unclosed string
| parameter value whose content is a repeating two-byte sequence of a
| backslash and some other character. This could be abused by an
| attacker to conduct Regex Denial Of Service (ReDoS) on a single-
| threaded server by providing a malicious payload with the Sec-
| WebSocket-Extensions header.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663
[1] 
https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
[2] 
https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-websocket-extensions
Source-Version: 0.1.2-1+deb10u1
Done: Chris Lamb 

We believe that the bug you reported is fixed in the latest version of
ruby-websocket-extensions, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb  (supplier of updated ruby-websocket-extensions 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 13 May 2021 11:23:30 +0100
Source: ruby-websocket-extensions
Binary: ruby-websocket-extensions
Architecture: source all
Version: 0.1.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Chris Lamb 
Description:
 ruby-websocket-extensions - Generic extension manager for WebSocket connections
Closes: 964274
Changes:
 ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
 .
   * CVE-2020-7663: Prevent a denial of service attack that is exploitable
 by an exponential-time regular expression backtracking vulnerability.
 (Closes: #964274)


Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Paul Szabo
Dear Ryan,

I just wrote:

  Curious that you do not consider this a bug: similar things were fixed
  in other terminal emulators like xterm, so people could "safely" view
  (i.e. cat or grep) any files, e.g. root perusing syslog.

I guess I should have given examples or references. Some that come to
mind:

  www.debian.org/security/2003/dsa-380
  www.debian.org/security/2009/dsa-1694
  bugs.debian.org/511516

Anyway, I solved my problem by "apt purge rxvt-unicode" on all my
machines.

Cheers, Paul
-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of SydneyAustralia

I support NTEU members taking a stand for workplace rights in the face of
poorly-run change management. Visit www.nteu.org.au/sydney to learn more.



Processed: severity of 987856 is serious

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 987856 serious
Bug #987856 {Done: Nobuhiro Iwamatsu } [src:lz4] lz4: 
CVE-2021-3520
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987856: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#981876: marked as done (gdpc: flaky autopkgtest on ppc64el)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 12:33:25 +
with message-id 
and subject line Bug#981876: fixed in gdpc 2.2.5-14
has caused the Debian Bug report #981876,
regarding gdpc: flaky autopkgtest on ppc64el
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
981876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981876
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdpc
Version: 2.2.5-10
Severity: serious
Tags: sid bullseye
X-Debbugs-CC: debian...@lists.debian.org
User: debian...@lists.debian.org
Usertags: flaky

Dear maintainer(s),

Your package has an autopkgtest, great. However, I looked into
the history of your autopkgtest [1] on i386 (because it is blocking
glib2.0) and I noticed it fails regularly, while a rerun passes. I
copied some of the output at the bottom of this report.

Because the unstable-to-testing migration software now blocks on
regressions in testing, flaky tests, i.e. tests that flip between
passing and failing without changes to the list of installed packages,
are causing people unrelated to your package to spend time on these
tests.

Please do get in touch if we need to dive into this together. Or if you
want to discuss this issue. I noticed that all the failed runs I checked
were done on the same worker. Could the problem be a timing issue? (The
worker has a spinning disk and is slower than our other workers).

Paul

https://ci.debian.net/data/autopkgtest/testing/i386/g/gdpc/10255341/log.gz

autopkgtest [04:19:42]: test run-unit-test: [---
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ...
or kill -l [sigspec]
autopkgtest [04:19:52]: test run-unit-test: ---]



--- End Message ---
--- Begin Message ---
Source: gdpc
Source-Version: 2.2.5-14
Done: Andreas Tille 

We believe that the bug you reported is fixed in the latest version of
gdpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 981...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille  (supplier of updated gdpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 21 May 2021 14:15:14 +0200
Source: gdpc
Architecture: source
Version: 2.2.5-14
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team 

Changed-By: Andreas Tille 
Closes: 981876
Changes:
 gdpc (2.2.5-14) unstable; urgency=medium
 .
   * Remove ppc64el from autopkgtest
 Closes: #981876

Bug#988917: pg-partman: CVE-2021-33204

2021-05-21 Thread Salvatore Bonaccorso
Source: pg-partman
Version: 4.4.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for pg-partman.

CVE-2021-33204[0]:
| In the pg_partman (aka PG Partition Manager) extension before 4.5.1
| for PostgreSQL, arbitrary code execution can be achieved via SECURITY
| DEFINER functions because an explicit search_path is not set.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33204

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
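
The hardening that the CVE-2021-33204 description above points at, as an added example that is not part of the original report and is not pg_partman's own code: a SECURITY DEFINER function without and with an explicit search_path, followed by a catalog query that lists functions still lacking one. The schema `maint`, the table `maint.job_log` and the function names are hypothetical.

```sql
-- Hypothetical schema and table, constructed for this illustration only.
CREATE SCHEMA IF NOT EXISTS maint;
CREATE TABLE IF NOT EXISTS maint.job_log (
    id        bigserial   PRIMARY KEY,
    note      text        NOT NULL,
    logged_at timestamptz NOT NULL DEFAULT now()
);

-- Weak form: the body runs with the function owner's privileges, but the
-- unqualified name job_log is resolved through whatever search_path the
-- CALLER has set for the session, so the owner does not control which
-- object the statement ends up touching.
CREATE OR REPLACE FUNCTION maint.log_note_weak(p_note text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
    INSERT INTO job_log (note) VALUES (p_note);
END;
$$;

-- Corrected form: the search_path is pinned on the function itself, with
-- pg_temp listed last, and object references are schema-qualified.
CREATE OR REPLACE FUNCTION maint.log_note(p_note text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = maint, pg_temp
AS $$
BEGIN
    INSERT INTO maint.job_log (note) VALUES (p_note);
END;
$$;

-- New functions are executable by PUBLIC by default; grant deliberately.
REVOKE ALL ON FUNCTION maint.log_note(text) FROM PUBLIC;

-- An existing function can be pinned in place without redefining its body.
ALTER FUNCTION maint.log_note_weak(text) SET search_path = maint, pg_temp;

-- Audit: every SECURITY DEFINER function in the current database whose
-- per-function configuration (pg_proc.proconfig) sets no search_path.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_get_function_identity_arguments(p.oid)  AS arguments,
       pg_get_userbyid(p.proowner)                AS owner_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, ARRAY[]::text[])) AS cfg
        WHERE cfg LIKE 'search_path=%'
      )
ORDER BY schema_name, function_name;
```

Run the audit query per database after upgrading an extension; an empty result means every SECURITY DEFINER function there carries its own search_path setting.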



Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Paul Szabo
Dear Ryan,

Curious that you do not consider this a bug: similar things were fixed
in other terminal emulators like xterm, so people could "safely" view
(i.e. cat or grep) any files, e.g. root perusing syslog.

Looking at the further message on FullDisclosure:
  https://seclists.org/fulldisclosure/2021/May/51
(quoted below for completeness), it seems that this is now fixed
upstream in version 9.25, maybe they did consider it a bug.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of SydneyAustralia


Quoting message:

From: def 
To: 
Date: Thu, 20 May 2021 04:38:34 +0300
Subject: Re: [FD] (u)rxvt terminal (+bash) remoteish code execution 0day

Minor clarifications and additional details for the post.

First and foremost, this vulnerability is not technically a zero-day for
rxvt-unicode since the bug has been independently discovered & publicly
discussed at oss-security at least in 2017:

https://www.openwall.com/lists/oss-security/2017/05/01/20

Upstream patched the vulnerability silently back in 2017. According to
rxvt-unicode commit messages and changelog entries, the vulnerability
was considered to have minor "security implications" explaining why it
never was considered critical enough to backport to old Linux distros.
Moreover, the first patched version is rxvt-unicode 9.25 (2021-05-14)
released barely a couple of weeks ago. Therefore, most Linux distros
still ship *unpatched* rxvt-unicode 9.22 (2016-05-14). Yes, 9.23 & 9.24
version numbers do not exist because they were skipped in the upstream.

Nonetheless the exploit remains 0day (i.e., no upstream patch available)
for at least the following rxvt forks and derivatives.

 - rxvt 2.7.10  (the original rxvt terminal)
 - mrxvt 0.5.4  (unmaintained rxvt terminal with tabs)
 - aterm 1.0.1  (random rxvt-based terminal from Debbie "jessie" repos)
 - eterm 0.9.7  (Enlightenmenth

Finally, the vulnerability can be exploited in any context in which the
attacker can plant payload scripts in a subdirectory of CWD and trigger
code execution by writing (unescaped) ANSI escape sequences to stdout or
stderr. Suitable target programs besides `scp` include popular CLI tools
like `unrar` and `busybox tar` as demonstrated in the PoCs here:

https://huumeet.info/~def/rxvt0day/

Note that GNU tar is not exploitable due to properly escaped filenames.

- def



Processed: severity of 988874 is normal

2021-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 988874 normal
Bug #988874 {Done: David Bremner } [darktable] darktable: 
broken symlinks: /usr/share/darktable/js/*.js -> ../../javascript/*/*.js
Severity set to 'normal' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
988874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988874
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#982758: webext-browserpass: Failed to install on upgrade to bullseye

2021-05-21 Thread Axel Beckert
Hi Michael,

Michael Meskes wrote:
> I'm with Daniel on this one as I cannot reproduce it either:
> 
> Preparing to unpack .../webext-browserpass_3.7.2-1+b1_amd64.deb ...
> Unpacking webext-browserpass (3.7.2-1+b1) over (2.0.22-2) ...

Indeed. Using a clean Sid chroot, installing webext-browserpass from
Buster and then upgrading does not exhibit this issue.

Nevertheless IIRC I ran into it when upgrading a (production) Thinkpad
from Buster to Bullseye, i.e. no other versions of webext-browserpass
than those from Buster and Bullseye were involved.

There were though quite a few other webext-* packages involved on that
dist-upgrade. Those are now installed on bullseye and contain the common
directories involved in that symlink/directory switch:

# dpkg -S /usr/share/chromium/extensions /usr/share/mozilla/extensions
webext-browserpass, webext-ublock-origin-chromium, 
webext-bulk-media-downloader, webext-privacy-badger, webext-https-everywhere: 
/usr/share/chromium/extensions
webext-browserpass, webext-ublock-origin-firefox, webext-treestyletab, 
webext-bulk-media-downloader, webext-form-history-control, 
webext-privacy-badger, webext-https-everywhere, webext-noscript, 
webext-debianbuttons, firefox-esr, webext-umatrix: /usr/share/mozilla/extensions

> Something fishy is going on here. I'm not sure how to find out what
> though if I cannot reproduce it. Also I wonder if removing the
> package from testing is helpful or even correct in such a case.

Good question. My gut feeling at least says that the RC severity is
justified as quite some people ran into it and it actually causes apt
to abort in a quite nasty way.

> Anyway, any idea how to find out what's going on and what is
> different on your systems?

Currently not, unfortunately, as I don't have further ideas where to
look for.

I currently suspect a relation to respectively overlap with a similar
symlink/directory switch of maybe one of the directories mentioned
above.

> For instance I tried on a sid system where I install the old
> browserpass package.

(It also seems important to not just remove but really purge the
current package in case it was installed beforehand. But I assume you
either did that or used a fresh install.)

> Did everyone with the error see it on a dist-upgrade only?

In my case yes. I have it installed on multiple sid boxes and it
didn't occur on any of them (which are upgraded in a rolling release
fashion).

Will soonish upgrade another productive Buster desktop to Bullseye
where webext-browserpass is installed. Will have a close eye on the
moment when upgrading webext-browserpass respectively will upgrade
that package in a separate package upgrade from the remainder.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#988881: marked as done (r-cran-rcdklibs: broken symlinks: /usr/lib/R/site-library/rcdklibs/cont/{gettext,libintl}.jar)

2021-05-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 May 2021 10:05:02 +
with message-id 
and subject line Bug#988881: fixed in r-cran-rcdklibs 2.3+dfsg-8
has caused the Debian Bug report #988881,
regarding r-cran-rcdklibs: broken symlinks: 
/usr/lib/R/site-library/rcdklibs/cont/{gettext,libintl}.jar
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: r-cran-rcdklibs
Version: 2.3+dfsg-7
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

1m44.0s ERROR: FAIL: Broken symlinks:
  /usr/lib/R/site-library/rcdklibs/cont/gettext.jar -> 
../../../../../share/java/gettext.jar (r-cran-rcdklibs)
  /usr/lib/R/site-library/rcdklibs/cont/libintl.jar -> 
../../../../../share/java/libintl.jar (r-cran-rcdklibs)

This looks like a missing dependency on gettext (which ships gettext.jar
and depends on gettext-base which ships libintl.jar).
But the missing dependency could also be in libcdk-java,
feel free to reassign (or downgrade if these two are "not needed" at all)


cheers,

Andreas


r-cran-rcdklibs_2.3+dfsg-7.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: r-cran-rcdklibs
Source-Version: 2.3+dfsg-8
Done: Andreas Tille 

We believe that the bug you reported is fixed in the latest version of
r-cran-rcdklibs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille  (supplier of updated r-cran-rcdklibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 21 May 2021 11:24:30 +0200
Source: r-cran-rcdklibs
Architecture: source
Version: 2.3+dfsg-8
Distribution: unstable
Urgency: medium
Maintainer: Debian R Packages Maintainers 
Changed-By: Andreas Tille 
Closes: 988881
Changes:
 r-cran-rcdklibs (2.3+dfsg-8) unstable; urgency=medium
 .
   * Depends: gettext (thanks for the hint to Andreas Beckmann)
 Closes: #988881
--- End Message ---


Processed: Re: Bug#988816: fwupd: cannot install with fwupd-amd64-signed

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 fwupd-amd64-signed
Bug #988816 [fwupd] fwupd: cannot install with fwupd-amd64-signed
Bug reassigned from package 'fwupd' to 'fwupd-amd64-signed'.
No longer marked as found in versions fwupd/1.5.7-3.
Ignoring request to alter fixed versions of bug #988816 to the same values 
previously set
> forcemerge 973715 -1
Bug #973715 [fwupd-amd64-signed] fwupd-amd64-signed: Uninstallable; not 
binNMU-friendly
Bug #988816 [fwupd-amd64-signed] fwupd: cannot install with fwupd-amd64-signed
Severity set to 'grave' from 'normal'
Marked as found in versions fwupd-amd64-signed/1.4.6+2.
Merged 973715 988816

-- 
973715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973715
988816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#988909: lintian-brush: autopkgtest failure and FTBFS

2021-05-21 Thread Graham Inggs
Source: lintian-brush
Version: 0.99
Severity: serious
Tags: ftbfs
X-Debbugs-CC: debian...@lists.debian.org
User: debian...@lists.debian.org
Usertags: needs-update

Hi Maintainer

Sometime between 2021-03-30 and 2021-04-06, lintian-brush's
autopkgtests started to fail in testing [1].  I've copied what I hope
is the relevant part of the log below.

As can be seen in the reproducible builds [2], lintian-brush 0.99 also
FTBFS in testing with similar test failures.

Regards
Graham


[1] https://ci.debian.net/packages/l/lintian-brush/testing/amd64/
[2] 
https://tests.reproducible-builds.org/debian/history/amd64/lintian-brush.html


==
FAIL: fixer test: fix-repository for upstream-metadata-file
--
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/fixers.py", line 124, in runTest
    raise AssertionError("unexpected output: %s" % diff.decode())
AssertionError: unexpected output: diff --no-dereference -x '*~' -ur
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/fix-repository/out/debian/upstream/metadata
/tmp/tmpzkp5kvzj/testdir/debian/upstream/metadata
--- 
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/fix-repository/out/debian/upstream/metadata
2021-02-22 17:53:37.0 +
+++ /tmp/tmpzkp5kvzj/testdir/debian/upstream/metadata 2021-05-18
18:03:14.495773132 +
@@ -1,2 +1,3 @@
 ---
+Name: testdir
 Repository: https://github.com/rehsack/MooX-Locale-Passthrough.git


==
FAIL: fixer test: readme-other for upstream-metadata-file
--
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/fixers.py", line 124, in runTest
    raise AssertionError("unexpected output: %s" % diff.decode())
AssertionError: unexpected output: diff --no-dereference -x '*~' -ur
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/readme-other/out/debian/upstream/metadata
/tmp/tmps5pqnfx6/testdir/debian/upstream/metadata
--- 
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/readme-other/out/debian/upstream/metadata
2021-02-22 17:53:37.0 +
+++ /tmp/tmps5pqnfx6/testdir/debian/upstream/metadata 2021-05-18
18:03:16.043794222 +
@@ -1,5 +1,5 @@
 ---
-Name: blah
+Name: testdir
 Bug-Database: https://github.com/blah/blah/issues
 Bug-Submit: https://github.com/blah/blah/issues/new
 Repository: https://github.com/blah/blah.git


==
FAIL: fixer test: readme-command for upstream-metadata-file
--
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/fixers.py", line 124, in runTest
    raise AssertionError("unexpected output: %s" % diff.decode())
AssertionError: unexpected output: diff --no-dereference -x '*~' -ur
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/readme-command/out/debian/upstream/metadata
/tmp/tmp15k6z5py/testdir/debian/upstream/metadata
--- 
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/readme-command/out/debian/upstream/metadata
2021-02-22 17:53:37.0 +
+++ /tmp/tmp15k6z5py/testdir/debian/upstream/metadata 2021-05-18
18:03:17.267810898 +
@@ -1,5 +1,5 @@
 ---
-Name: blah
+Name: testdir
 Bug-Database: https://github.com/OpenPrinting/cups-filters/issues
 Bug-Submit: https://github.com/OpenPrinting/cups-filters/issues/new
 Repository: https://github.com/blah/blah.git


==
FAIL: fixer test: watch-git for upstream-metadata-file
--
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/fixers.py", line 124, in runTest
    raise AssertionError("unexpected output: %s" % diff.decode())
AssertionError: unexpected output: diff --no-dereference -x '*~' -ur
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/watch-git/out/debian/upstream/metadata
/tmp/tmpxt62c_q8/testdir/debian/upstream/metadata
--- 
/tmp/autopkgtest-lxc.v852ysn5/downtmp/build.yU2/src/lintian_brush/tests/../../tests/upstream-metadata-file/watch-git/out/debian/upstream/metadata
2021-02-22 17:53:37.0 +
+++ /tmp/tmpxt62c_q8/testdir/debian/upstream/metadata 

Processed: Re: pipx broken with python 3.9

2021-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #976146 [pipx] pipx broken with python 3.9
Added tag(s) patch.

-- 
976146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976146
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#976146: pipx broken with python 3.9

2021-05-21 Thread Matthias Klose
Control: tags -1 + patch

I was just pointed at this issue, didn't realize the compatibility with Python
3.9.

I updated to the current upstream version, which seems to work fine with 3.9.
Packaging proposal at
https://launchpad.net/ubuntu/+source/python-pipx/0.16.2.1-0ubuntu3

This also drops the unneeded build dependency on python3-distutils.



Bug#982758: webext-browserpass: Failed to install on upgrade to bullseye

2021-05-21 Thread Michael Meskes
Hi all,

>   Preparing to unpack .../370-webext-browserpass_3.7.2-1+b1_amd64.deb ...
>   Unpacking webext-browserpass (3.7.2-1+b1) over (2.0.22-2) ...
>   dpkg: error processing archive /tmp/apt-dpkg-install-VKYulC/370-webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
>    unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserp...@maximbaz.com/icon.png.dpkg-new': No such file or directory
>   Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away

I'm with Daniel on this one as I cannot reproduce it either:

Preparing to unpack .../webext-browserpass_3.7.2-1+b1_amd64.deb ...
Unpacking webext-browserpass (3.7.2-1+b1) over (2.0.22-2) ...
Setting up webext-browserpass (3.7.2-1+b1) ...
Removing obsolete conffile /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json ...

Something fishy is going on here. I'm not sure how to find out what though if I 
cannot reproduce it. Also I wonder if removing the package from testing is 
helpful or even correct in such a case. Anyway, any idea how to find out what's 
going on and what is different on your systems? For instance I tried on a sid 
system where I install the old browserpass package. Did everyone with the error 
see it on a dist-upgrade only? Could you test on sid?

Thanks,
Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org



Bug#988330: libbusiness-us-usps-webtools-perl Buster update

2021-05-21 Thread Yadd
Hi,

I prepared an update for Buster (branch = buster). Please review.

Cheers,
Yadd