Bug#990765: marked as done (sshfs: please add Breaks: fuse (<< 2))

2021-07-06 Thread Debian Bug Tracking System
Your message dated Wed, 07 Jul 2021 04:03:25 +
with message-id 
and subject line Bug#990765: fixed in sshfs-fuse 3.7.1+repack-2
has caused the Debian Bug report #990765,
regarding sshfs: please add Breaks: fuse (<< 2)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sshfs
Version: 3.7.1+repack-1
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Upgrading sshfs from buster to bullseye requires replacing fuse
with fuse3 in order to install sshfs.
Since there is no clean upgrade path for fuse -> fuse3 (#918984, will
not be fixed for bullseye but only for bookworm), we need to add some
Breaks/Depends elsewhere to make this switch happen without requiring
manual interaction.

One such location is in sshfs itself, others are freedombox and
kdeconnect. Usually two breaks (in distinct packages) are needed to push
apt's scores from 'preferring to keep fuse installed' to 'switching to
fuse3'.

Please see the attached patch.


Andreas
diff -Nru sshfs-fuse-3.7.1+repack/debian/changelog 
sshfs-fuse-3.7.1+repack/debian/changelog
--- sshfs-fuse-3.7.1+repack/debian/changelog2020-11-24 13:40:01.0 
+0100
+++ sshfs-fuse-3.7.1+repack/debian/changelog2021-07-05 14:48:37.0 
+0200
@@ -1,3 +1,10 @@
+sshfs-fuse (3.7.1+repack-2) UNRELEASED; urgency=medium
+
+  * fuse3: Add Breaks: fuse (<< 3) to help switching from fuse to fuse3 on
+upgrades from buster.  (Closes: #-1)
+
+ -- Andreas Beckmann   Mon, 05 Jul 2021 14:48:37 +0200
+
 sshfs-fuse (3.7.1+repack-1) unstable; urgency=medium
 
   * New upstream release
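Review bot: the new changelog entry still carries the `(Closes: #-1)` placeholder and the `UNRELEASED` distribution, so as written it names no real bug to close; substitute the assigned bug number and the target suite before building. The `fuse3:` prefix on the bullet also reads as if the fuse3 package were changed, while the `Breaks:` goes into the sshfs stanza of debian/control, so dropping the prefix would be clearer.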
diff -Nru sshfs-fuse-3.7.1+repack/debian/control 
sshfs-fuse-3.7.1+repack/debian/control
--- sshfs-fuse-3.7.1+repack/debian/control  2020-11-24 13:40:01.0 
+0100
+++ sshfs-fuse-3.7.1+repack/debian/control  2021-07-05 14:48:37.0 
+0200
@@ -24,6 +24,7 @@
 Depends: ${shlibs:Depends}, ${misc:Depends}
 ,fuse3 [linux-any] | fuse4bsd [kfreebsd-any]
 ,openssh-client
+Breaks: fuse (<< 3)
 Description: filesystem client based on SSH File Transfer Protocol
  sshfs is a filesystem client based on the SSH File Transfer Protocol.
  Since most SSH servers already support this protocol it is very easy
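Review bot: the added `Breaks: fuse (<< 3)` is unconditional, while the `Depends` entry two lines above it restricts `fuse3` to `[linux-any]`; if the break is only meant for the Linux upgrade path, give it the same architecture qualifier or say why it should apply everywhere. The bound also differs from the `fuse (<< 2)` requested in the bug title; with fuse at 2.9.9 in the apt log quoted elsewhere on this page only `<< 3` can match, so the title is what needs correcting. A short comment citing #918984 next to the field would tell a later maintainer when it can be dropped.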
--- End Message ---
--- Begin Message ---
Source: sshfs-fuse
Source-Version: 3.7.1+repack-2
Done: Andreas Beckmann 

We believe that the bug you reported is fixed in the latest version of
sshfs-fuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann  (supplier of updated sshfs-fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 07 Jul 2021 13:44:14 +1000
Source: sshfs-fuse
Architecture: source
Version: 3.7.1+repack-2
Distribution: unstable
Urgency: medium
Maintainer: Bartosz Fenski 
Changed-By: Andreas Beckmann 
Closes: 990765
Changes:
 sshfs-fuse (3.7.1+repack-2) unstable; urgency=medium
 .
   * Add Breaks: fuse (<< 3) to help switching from fuse to fuse3 on
 upgrades from buster. (Closes: #990765).


Processed: Bug#990765 marked as pending in sshfs-fuse

2021-07-06 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #990765 [sshfs] sshfs: please add Breaks: fuse (<< 2)
Added tag(s) pending.

-- 
990765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990765: marked as pending in sshfs-fuse

2021-07-06 Thread Dmitry Smirnov
Control: tag -1 pending

Hello,

Bug #990765 in sshfs-fuse reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/sshfs-fuse/-/commit/3240d3e615f6286dc4fbafb71d7006fc27b1190a


Add Breaks: fuse (<< 3) to help switching from fuse to fuse3 on upgrades from 
buster. (Closes: #990765).

 Thanks, Andreas.


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/990765



Bug#990708: [debian-mysql] Bug#990708: Bug#990708: mariadb-server-10.5: upgrade problems due to galera-3 -> galera-4 switch

2021-07-06 Thread Otto Kekäläinen
> I do have this in a VM so I think we can easily repro this.
>
> // Fresh VM install from debian-10.9.0-i386-netinst.iso
> # history
> 1  visudo
> 2  rm /etc/motd
> 3  poweroff
> 4  apt install mariadb-server
> 5  dpkg -l|grep mariadb
> 6  sed -i 's/buster/bullseye/g' /etc/apt/sources.list
> 7  apt update
> 8  apt upgrade
> 9  apt dist-upgrade // output below
>10  dpkg -l|grep mariadb // output below
>11  apt dist-upgrade // output below

I added a CI job that runs about these and indeed it ends up removing
mariadb-server, and thus the upgrade does not progress.

https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/3c93860e3c065c44e007405915fa762468c82afa
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/jobs/1743608

Now this is reproducible, good.



Bug#990764: marked as done (kdeconnect: please add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3))

2021-07-06 Thread Debian Bug Tracking System
Your message dated Tue, 06 Jul 2021 20:18:07 +
with message-id 
and subject line Bug#990764: fixed in kdeconnect 20.12.3-2
has caused the Debian Bug report #990764,
regarding kdeconnect: please add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3)
to be marked as done.


-- 
990764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kdeconnect
Version: 20.12.3-1
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Upgrading e.g. kde-full (with --install-recommends enabled) from
buster to bullseye requires replacing fuse with fuse3 in order to
install sshfs.
Since there is no clean upgrade path for fuse -> fuse3 (#918984, will
not be fixed for bullseye but only for bookworm), we need to add some
Breaks/Depends elsewhere to make this switch happen without requiring
manual interaction.

Here is an excerpt of the diff of the apt problem resolution from
an upgrade of kde-full (with --install-recommends enabled) from buster
to
  a) current bullseye (which does not upgrade sshfs at all) and
  b) a bullseye with kdeconnect and sshfs patched to carry more Depends/Breaks.
The apt scores change from 'preferring to keep fuse installed' to
'switching to fuse3'.

...
-  Calculating upgrade...Starting pkgProblemResolver with broken count: 50
+  Calculating upgrade...Starting pkgProblemResolver with broken count: 52
...
-  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
-  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
-Considering fuse:amd64 4 as a solution to fuse3:amd64 3
-Holding Back fuse3:amd64 rather than change fuse:amd64
-  Investigating (0) sshfs:amd64 < 2.10+repack-2 -> 3.7.1+repack-1 @ii umU Ib >
-  Broken sshfs:amd64 Depends on fuse3:amd64 < none | 3.10.3-2 @un uH >
-Considering fuse3:amd64 3 as a solution to sshfs:amd64 2
-Holding Back sshfs:amd64 rather than change fuse3:amd64
+  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
+  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
+Considering fuse:amd64 2 as a solution to fuse3:amd64 5
+Added fuse:amd64 to the remove list
+Conflicts//Breaks against version 2.9.9-1+deb10u1 for fuse but that is not 
InstVer, ignoring
+Fixing fuse3:amd64 via remove of fuse:amd64
...
-   Try to Re-Instate (1) sshfs:amd64
   The following packages will be REMOVED:
-g++-8 gcc-8 kaccessible katepart kde-runtime kde-style-breeze-qt4
+fuse g++-8 gcc-8 kaccessible katepart kde-runtime kde-style-breeze-qt4
...
  The following packages have been kept back:
-sshfs
...
-  1681 upgraded, 302 newly installed, 131 to remove and 1 not upgraded.
+  1681 upgraded, 304 newly installed, 132 to remove and 0 not upgraded.
...

Please see the attached patch.


Andreas
diff -Nru kdeconnect-20.12.3/debian/changelog 
kdeconnect-20.12.3/debian/changelog
--- kdeconnect-20.12.3/debian/changelog 2021-03-08 22:43:49.0 +0100
+++ kdeconnect-20.12.3/debian/changelog 2021-07-01 11:21:47.0 +0200
@@ -1,3 +1,10 @@
+kdeconnect (20.12.3-2) UNRELEASED; urgency=medium
+
+  * kdeconnect: Add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3) to ensure
+fuse gets replaced by fuse3 on upgrades from buster.  (Closes: #-1)
+
+ -- Andreas Beckmann   Thu, 01 Jul 2021 11:21:47 +0200
+
 kdeconnect (20.12.3-1) unstable; urgency=medium
 
   * New upstream release (20.12.3).
diff -Nru kdeconnect-20.12.3/debian/control kdeconnect-20.12.3/debian/control
--- kdeconnect-20.12.3/debian/control   2021-03-08 22:31:44.0 +0100
+++ kdeconnect-20.12.3/debian/control   2021-07-01 11:21:47.0 +0200
@@ -55,9 +55,12 @@
  qml-module-qtquick-particles2,
  qml-module-qtquick-window2,
  qml-module-qtquick2,
- sshfs,
+ sshfs (>= 3),
  ${misc:Depends},
  ${shlibs:Depends},
+# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be 
installed.
+ fuse3 (>= 3),
+Breaks: fuse (<< 3)
 Description: connect smartphones to your desktop devices
  Tool to integrate your smartphone, tablet, and desktop devices.
  Remote-control, share files, synchronize notifications, and more!
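Review bot: the added `fuse3 (>= 3)` dependency and `Breaks: fuse (<< 3)` exist only to steer apt during the buster upgrade, since `sshfs (>= 3)` already depends on fuse3, but the `#` comment above them does not say when they can be removed. Extend the comment to cite #918984 and the release after which both lines should go, so the workaround does not outlive the transition.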
--- End Message ---
--- Begin Message ---
Source: kdeconnect
Source-Version: 20.12.3-2
Done: Norbert Preining 

We believe that the bug you reported is fixed in the latest version of
kdeconnect, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the 

Bug#990412: pam: Regression - it won't search /lib/security

2021-07-06 Thread Steve Langasek
On Tue, Jul 06, 2021 at 08:46:30AM -0600, Sam Hartman wrote:
> > "Hideki" == Hideki Yamane  writes:

> control: tags -1 -patch -pending
> I NACK this proposed NMU.

> This many years after multiarch, I think it is entirely reasonable for
> PAM to drop support for non-multiarch paths at the transition between
> buster and bullseye.
> As I said earlier in the bug, I'm happy to add breaks on libpam-yubico
> or other packages as necessary.
> I think Steve is quite familiar with multiarch and while he hasn't
> commented yet I'm assuming he dropped those patch lines as part of
> removing unnecessary upstream deltas.

> I think you failed to read my comments in the 990412 bug log before
> Merging and reassigning.


For the record, I did not intentionally drop those lines, this was a matter
of a mis-merge.

My only concern about dropping support for the legacy path is that this is
an API that may be used by third-party software, not just by Debian
packages.

I'm ok with requiring all Debian packages to use the multiarch path for PAM
modules, provided libpam0g then also declares a Breaks: against older
versions of those packages which use the legacy path.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#990561: marked as done (libuv1: CVE-2021-22918)

2021-07-06 Thread Debian Bug Tracking System
Your message dated Tue, 06 Jul 2021 18:32:07 +
with message-id 
and subject line Bug#990561: fixed in libuv1 1.24.1-1+deb10u1
has caused the Debian Bug report #990561,
regarding libuv1: CVE-2021-22918
to be marked as done.


-- 
990561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libuv1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,
the latest nodejs security release included an issue in libuv:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

The patch hasn't landed in libuv.git, but here's the patch as applied
by nodejs:
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libuv1
Source-Version: 1.24.1-1+deb10u1
Done: Dominique Dumont 

We believe that the bug you reported is fixed in the latest version of
libuv1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominique Dumont  (supplier of updated libuv1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 04 Jul 2021 18:42:30 +0200
Source: libuv1
Architecture: source
Version: 1.24.1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Dominique Dumont 
Changed-By: Dominique Dumont 
Closes: 990561
Changes:
 libuv1 (1.24.1-1+deb10u1) buster-security; urgency=high
 .
   * add patch for CVE-2021-22918 (Closes: #990561)
   * For buster, this patch also tweaks tests so they can be compiled.
 (because of a missing macro and "static" declaration)
--- End Message ---


Bug#989615: marked as done (intel-microcode: CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVE-2020-24489 (INTEL-SA-00464, INTEL-SA-00465, INTEL-SA-00442))

2021-07-06 Thread Debian Bug Tracking System
Your message dated Tue, 06 Jul 2021 18:32:07 +
with message-id 
and subject line Bug#989615: fixed in intel-microcode 3.20210608.2~deb10u1
has caused the Debian Bug report #989615,
regarding intel-microcode: CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 
CVE-2020-24489 (INTEL-SA-00464, INTEL-SA-00465, INTEL-SA-00442)
to be marked as done.


-- 
989615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: intel-microcode
Version: 3.20210216.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.20200609.2~deb10u1

Hi,

The following vulnerabilities were published for intel-microcode.

CVE-2020-24511[0] (INTEL-SA-00464), CVE-2020-24512[1]
(INTEL-SA-00464), CVE-2020-24513[2] (INTEL-SA-00465),
CVE-2021-24489[3] (INTEL-SA-00442).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24511
[1] https://security-tracker.debian.org/tracker/CVE-2020-24512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24512
[2] https://security-tracker.debian.org/tracker/CVE-2020-24513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24513
[3] https://security-tracker.debian.org/tracker/CVE-2021-24489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24489
[4] 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20210608

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: intel-microcode
Source-Version: 3.20210608.2~deb10u1
Done: Henrique de Moraes Holschuh 

We believe that the bug you reported is fixed in the latest version of
intel-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh  (supplier of updated 
intel-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 23 Jun 2021 17:52:40 -0300
Binary: intel-microcode
Source: intel-microcode
Architecture: amd64 i386 source
Version: 3.20210608.2~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Henrique de Moraes Holschuh 
Changed-By: Henrique de Moraes Holschuh 
Closes: 989615
Description: 
 intel-microcode - Processor microcode firmware for Intel CPUs
Changes:
 intel-microcode (3.20210608.2~deb10u1) buster-security; urgency=high
 .
   * SECURITY UPDATE with known possible regressions
   * Refer to the changelog entry for 3.20210608.1 for the list of security
 fixes in this release.
   * Possible regression: CoffeLake processors with signature 0x906ea *and*
 Intel Wireless LAN on-board
 - The Intel WiFi firmware might stop working, refer to:
 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56
   * Possible regression: Skylake R0/D0 (signatures 0x406e3 and 0x506e3),
 - Motherboards with severely outdated firmware where the UEFI/BIOS 
microcode
   revision is less than 0x80 may hang on boot.  Refer to:
 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
   * Reintroduces all fixes (including several security updates) to Skylake
 D0/R0 that were temporarily disabled in past releases.  Refer to changelog
 entries since (and including) 3.20200609.1 for the list of security fixes.
 .
 intel-microcode (3.20210608.2) unstable; urgency=high
 .
   * Correct INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and
 debian/changelog (3.20210608.1).
 .
 intel-microcode (3.20210608.1) unstable; urgency=high
 .
   * New upstream microcode datafile 20210608 (closes: #989615)
 * Implements mitigations for CVE-2020-24511 CVE-2020-24512
   (INTEL-SA-00464), information leakage through shared resources,
   and timing discrepancy sidechannels
 * Implements mitigations for CVE-2020-24513 

Processed: Proposed patch/debdiff

2021-07-06 Thread Debian Bug Tracking System
Processing control commands:

> tags 990748 + patch
Bug #990748 [src:linuxptp] linuxptp: CVE-2021-3570
Ignoring request to alter tags of bug #990748 to the same tags previously set
> tags 990749 + patch
Bug #990749 [src:linuxptp] linuxptp: CVE-2021-3571
Ignoring request to alter tags of bug #990749 to the same tags previously set

-- 
990748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990748
990749: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990749
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Proposed patch/debdiff

2021-07-06 Thread Debian Bug Tracking System
Processing control commands:

> tags 990748 + patch
Bug #990748 [src:linuxptp] linuxptp: CVE-2021-3570
Added tag(s) patch.
> tags 990749 + patch
Bug #990749 [src:linuxptp] linuxptp: CVE-2021-3571
Added tag(s) patch.

-- 
990748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990748
990749: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990749
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990748: Proposed patch/debdiff

2021-07-06 Thread Salvatore Bonaccorso
Control: tags 990748 + patch
Control: tags 990749 + patch

Hi

Attached is the current proposed debdiff (not yet uploaded).

Regards,
Salvatore
diff -Nru linuxptp-3.1/debian/changelog linuxptp-3.1/debian/changelog
--- linuxptp-3.1/debian/changelog   2020-12-13 23:33:39.0 +0100
+++ linuxptp-3.1/debian/changelog   2021-07-06 20:16:00.0 +0200
@@ -1,3 +1,13 @@
+linuxptp (3.1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Validate the messageLength field of incoming messages (CVE-2021-3570)
+(Closes: #990748)
+  * tc: Fix length of follow-up message of one-step sync (CVE-2021-3571)
+(Closes: #990749)
+
+ -- Salvatore Bonaccorso   Tue, 06 Jul 2021 20:16:00 +0200
+
 linuxptp (3.1-2) unstable; urgency=medium
 
   [ Punit Agrawal ]
diff -Nru 
linuxptp-3.1/debian/patches/Validate-the-messageLength-field-of-incoming-message.patch
 
linuxptp-3.1/debian/patches/Validate-the-messageLength-field-of-incoming-message.patch
--- 
linuxptp-3.1/debian/patches/Validate-the-messageLength-field-of-incoming-message.patch
  1970-01-01 01:00:00.0 +0100
+++ 
linuxptp-3.1/debian/patches/Validate-the-messageLength-field-of-incoming-message.patch
  2021-07-06 20:11:54.0 +0200
@@ -0,0 +1,96 @@
+From: Richard Cochran 
+Date: Sat, 17 Apr 2021 15:15:18 -0700
+Subject: Validate the messageLength field of incoming messages.
+Origin: 
https://github.com/richardcochran/linuxptp/commit/ce15e4de5926724557e8642ec762a210632f15ca
+Bug-Debian: https://bugs.debian.org/990748
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3570
+
+The PTP messageLength field is redundant because the length of a PTP
+message is precisely determined by the message type and the appended
+TLVs.  The current implementation validates the sizes of both the main
+message (according to the fixed header length and fixed length by
+type) and the TLVs (by using the 'L' of the TLV).
+
+However, when forwarding a message, the messageLength field is used.
+If a message arrives with a messageLength field larger than the actual
+message size, the code will read and possibly write data beyond the
+allocated buffer.
+
+Fix the issue by validating the field on ingress.  This prevents
+reading and sending data past the message buffer when forwarding a
+management message or other messages when operating as a transparent
+clock, and it also prevents a memory corruption in msg_post_recv()
+after forwarding a management message.
+
+Reported-by: Miroslav Lichvar 
+Signed-off-by: Richard Cochran 
+---
+ msg.c | 18 --
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/msg.c b/msg.c
+index d1619d4973f1..5ae8ebbfc3ae 100644
+--- a/msg.c
 b/msg.c
+@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int 
len)
+ {
+   uint8_t *ptr = msg_suffix(msg);
+   struct tlv_extra *extra;
+-  int err;
++  int err, suffix_len = 0;
+ 
+   if (!ptr)
+   return 0;
+@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int 
len)
+   tlv_extra_recycle(extra);
+   return -EBADMSG;
+   }
++  suffix_len += sizeof(struct TLV);
+   len -= sizeof(struct TLV);
+   ptr += sizeof(struct TLV);
+   if (extra->tlv->length > len) {
+   tlv_extra_recycle(extra);
+   return -EBADMSG;
+   }
++  suffix_len += extra->tlv->length;
+   len -= extra->tlv->length;
+   ptr += extra->tlv->length;
+   err = tlv_post_recv(extra);
+@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int 
len)
+   }
+   msg_tlv_attach(msg, extra);
+   }
+-  return 0;
++  return suffix_len;
+ }
+ 
+ static void suffix_pre_send(struct ptp_message *msg)
+@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
+ 
+ int msg_post_recv(struct ptp_message *m, int cnt)
+ {
+-  int pdulen, type, err;
++  int err, pdulen, suffix_len, type;
+ 
+   if (cnt < sizeof(struct ptp_header))
+   return -EBADMSG;
+@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
+   break;
+   }
+ 
+-  err = suffix_post_recv(m, cnt - pdulen);
+-  if (err)
+-  return err;
++  suffix_len = suffix_post_recv(m, cnt - pdulen);
++  if (suffix_len < 0) {
++  return suffix_len;
++  }
++  if (pdulen + suffix_len != m->header.messageLength) {
++  return -EBADMSG;
++  }
+ 
+   return 0;
+ }
+-- 
+2.32.0
+
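Review bot: `suffix_post_recv()` changes its success return from 0 to the accumulated `suffix_len`, but nothing in the msg.c hunks documents the new contract, and `msg_post_recv()` now treats only `suffix_len < 0` as failure. Any path in the TLV loop that handed back a positive error value would be read as a length, so add a comment above the function stating "returns the suffix length, or a negative errno" and confirm that `tlv_post_recv()` never returns a positive code. The final check `pdulen + suffix_len != m->header.messageLength` also relies on the header field already being in host byte order at that point, which the visible context does not show; worth confirming before upload.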
diff -Nru linuxptp-3.1/debian/patches/series linuxptp-3.1/debian/patches/series
--- linuxptp-3.1/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ linuxptp-3.1/debian/patches/series  2021-07-06 20:14:15.0 +0200
@@ -0,0 +1,2 @@
+Validate-the-messageLength-field-of-incoming-message.patch

Bug#990412: pam: Regression - it won't search /lib/security

2021-07-06 Thread Sam Hartman
> "Hideki" == Hideki Yamane  writes:
>> I think Steve is quite familiar with multiarch and while he
>> hasn't commented yet I'm assuming he dropped those patch lines as
>> part of removing unnecessary upstream deltas.

Hideki>  I want his comment, too.

Okay, let's hold off until Steve speaks up then.
Meanwhile, I definitely think we should fix libpam-yubico and any other PAM
modules we identify.
PAM modules need to be multi-arch so that if any non-native application
calls libpam, it works.
So there's at least an important if not serious bug in not having
multi-arch:same for a PAM module.




Bug#990412: pam: Regression - it won't search /lib/security

2021-07-06 Thread Hideki Yamane
Hi Sam,

On Tue, 06 Jul 2021 08:46:30 -0600 Sam Hartman  wrote:
> This many years after multiarch, I think it is entirely reasonable for
> PAM to drop support for non-multiarch paths at the transition between
> buster and bullseye.

 It was NOT raised as a goal of bullseye for libpam-* packages those
 are not multiarch-ed, IMO. And at this time, last minutes for release,
 we should ensure "it works" as previously to deliver values for users.
 Breaking several libpam-* packages is not.

 Is there any *strong* reason not to defer making libpam-* packages multiarch-ed
 to the bookworm release?


> I think Steve is quite familiar with multiarch and while he hasn't
> commented yet I'm assuming he dropped those patch lines as part of
> removing unnecessary upstream deltas.

 I want his comment, too. git log in his repo just says "refresh
 patches" for this change, and 
debian/patches-applied/lib_security_multiarch_compat
 is the patch for non-multiarch pam modules and still remains. If it
 was intended, it should be removed, I suppose.


> I think you failed to read my comments in the 990412 bug log before
> Merging and reassigning.
 
 Okay, will read again. Thanks!


-- 
Hideki Yamane 



Processed: PAM intentionally dropped multiarch paths

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 979973 libpam-ubico does not use multiarch paths
Bug #979973 [libpam0g] no such file or directory when PAM accesses it
Bug #990412 [libpam0g] pam_yubico fails to install module in multiarch path
Changed Bug title to 'libpam-ubico does not use multiarch paths' from 'no such 
file or directory when PAM accesses it'.
Changed Bug title to 'libpam-ubico does not use multiarch paths' from 
'pam_yubico fails to install module in multiarch path'.
> reassign 979973 libpam-yubico
Bug #979973 [libpam0g] libpam-ubico does not use multiarch paths
Bug #990412 [libpam0g] libpam-ubico does not use multiarch paths
Bug reassigned from package 'libpam0g' to 'libpam-yubico'.
Bug reassigned from package 'libpam0g' to 'libpam-yubico'.
No longer marked as found in versions libpam0g/1.4.0-1.
No longer marked as found in versions libpam0g/1.4.0-1.
Ignoring request to alter fixed versions of bug #979973 to the same values 
previously set
Ignoring request to alter fixed versions of bug #990412 to the same values 
previously set
> found 979973 2.26-1
Bug #979973 [libpam-yubico] libpam-ubico does not use multiarch paths
Bug #990412 [libpam-yubico] libpam-ubico does not use multiarch paths
Marked as found in versions yubico-pam/2.26-1.
Marked as found in versions yubico-pam/2.26-1.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990412: pam: Regression - it won't search /lib/security

2021-07-06 Thread Sam Hartman
> "Hideki" == Hideki Yamane  writes:

control: tags -1 -patch -pending
I NACK this proposed NMU.

This many years after multiarch, I think it is entirely reasonable for
PAM to drop support for non-multiarch paths at the transition between
buster and bullseye.
As I said earlier in the bug, I'm happy to add breaks on libpam-yubico
or other packages as necessary.
I think Steve is quite familiar with multiarch and while he hasn't
commented yet I'm assuming he dropped those patch lines as part of
removing unnecessary upstream deltas.

I think you failed to read my comments in the 990412 bug log before
Merging and reassigning.







Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 979973 libpam0g/1.4.0-1
Bug #979973 [libpam0g] no such file or directory when PAM accesses it
Bug #990412 [libpam0g] pam_yubico fails to install module in multiarch path
The source libpam0g and version 1.4.0-1 do not appear to match any binary 
packages
Marked as found in versions libpam0g/1.4.0-1.
Marked as found in versions libpam0g/1.4.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 979973 libpam0g
Bug #979973 [pam] no such file or directory when PAM accesses it
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
Bug reassigned from package 'pam' to 'libpam0g'.
Bug reassigned from package 'pam' to 'libpam0g'.
Ignoring request to alter found versions of bug #979973 to the same values 
previously set
Ignoring request to alter found versions of bug #990412 to the same values 
previously set
Ignoring request to alter fixed versions of bug #979973 to the same values 
previously set
Ignoring request to alter fixed versions of bug #990412 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfound 979973 1.4.0-1
Bug #979973 [pam] no such file or directory when PAM accesses it
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
There is no source info for the package 'pam' at version '1.4.0-1' with 
architecture ''
Unable to make a source version for version '1.4.0-1'
No longer marked as found in versions pam/1.4.0-1 and 1.4.0-1.
No longer marked as found in versions pam/1.4.0-1 and 1.4.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: pam: Regression - it won't search /lib/security

2021-07-06 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 +patch +pending
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
Bug #979973 [pam] no such file or directory when PAM accesses it
Added tag(s) patch.
Added tag(s) patch.
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
Bug #979973 [pam] no such file or directory when PAM accesses it
Added tag(s) pending.
Added tag(s) pending.

-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990412: pam: Regression - it won't search /lib/security

2021-07-06 Thread Hideki Yamane
control: tags -1 +patch +pending

Hi,

 I've found the root cause of this bug, and fixed it.
 On my local sid machine, I've tested it by editing /etc/pam.d/su
 to search for pam_yubico.so and executing su, and it searches /lib/security/pam_yubico.so :)

 See the debdiff below. If it seems to be okay, I'll put it into sid
 and request unblock.

diff -Nru pam-1.4.0/debian/changelog pam-1.4.0/debian/changelog
--- pam-1.4.0/debian/changelog  2021-03-16 04:01:55.0 +0900
+++ pam-1.4.0/debian/changelog  2021-07-06 22:09:15.0 +0900
@@ -1,3 +1,13 @@
+pam (1.4.0-7.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches-applied/lib_security_multiarch_compat
+- Fix regression that was introduced in 1.4.0-1, some lines were not
+  applied during refresh patch and it doesn't work.
+  (Closes: #979973, #990412)
+
+ -- Hideki Yamane   Tue, 06 Jul 2021 22:09:15 +0900
+
 pam (1.4.0-7) unstable; urgency=medium
 
   * Updated portuguese debconf translation, thanks Pedro Ribeiro, Closes:
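
Review bot: The changelog bullet for debian/patches-applied/lib_security_multiarch_compat says only that "some lines were not applied during refresh patch and it doesn't work", which does not tell a changelog reader what behaviour changes. Suggest naming what is restored, the second _pam_dlopen() attempt under _PAM_ISA in _pam_load_module that the patch hunk below adds back, so the effect on where PAM modules are loaded from is visible without reading the debdiff.
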
diff -Nru pam-1.4.0/debian/patches-applied/lib_security_multiarch_compat 
pam-1.4.0/debian/patches-applied/lib_security_multiarch_compat
--- pam-1.4.0/debian/patches-applied/lib_security_multiarch_compat  
2021-01-31 07:09:52.0 +0900
+++ pam-1.4.0/debian/patches-applied/lib_security_multiarch_compat  
2021-07-06 22:09:15.0 +0900
@@ -11,11 +11,11 @@
 order to get everything installed where we want it and get absolute paths
 the way we want them.
 
-Index: pam/libpam/pam_handlers.c
+Index: pam-1.4.0/libpam/pam_handlers.c
 ===
 pam.orig/libpam/pam_handlers.c
-+++ pam/libpam/pam_handlers.c
-@@ -735,7 +735,18 @@
+--- pam-1.4.0.orig/libpam/pam_handlers.c
 pam-1.4.0/libpam/pam_handlers.c
+@@ -735,7 +735,27 @@ _pam_load_module(pam_handle_t *pamh, con
success = PAM_ABORT;
  
D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
@@ -31,11 +31,20 @@
 +  } else {
 +  pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
 +  }
++   if (!mod->dl_handle) {
++   if (asprintf(_full_path, "%s/%s",
++_PAM_ISA, mod_path) >= 0) {
++   mod->dl_handle = _pam_dlopen(mod_full_path);
++   _pam_drop(mod_full_path);
++   } else {
++   pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++   }
++  }
 +  }
D(("_pam_load_module: _pam_dlopen'ed"));
D(("_pam_load_module: dlopen'ed"));
if (mod->dl_handle == NULL) {
-@@ -812,7 +823,6 @@
+@@ -812,7 +832,6 @@ int _pam_add_handler(pam_handle_t *pamh
  struct handler **handler_p2;
  struct handlers *the_handlers;
  const char *sym, *sym2;
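
Review bot: In the added fallback block the first argument to asprintf() reads `_full_path`, while the two lines after it pass `mod_full_path` to _pam_dlopen() and _pam_drop(); as shown these do not name the same buffer, so the call should take `&mod_full_path`, and the refreshed patch file should be checked for that before upload. The new branch also logs the same "cannot malloc full mod path" text as the existing branch above it, so giving the second message distinct wording would show which of the two lookups failed.
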
@@ -43,7 +52,7 @@
  servicefn func, func2;
  int mod_type = PAM_MT_FAULTY_MOD;
  
-@@ -824,16 +834,7 @@
+@@ -824,16 +843,7 @@ int _pam_add_handler(pam_handle_t *pamh
  
  if ((handler_type == PAM_HT_MODULE || handler_type == 
PAM_HT_SILENT_MODULE) &&
mod_path != NULL) {



Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 979973 pam/1.4.0-1
Bug #979973 [pam] no such file or directory when PAM accesses it
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
Marked as found in versions pam/1.4.0-1.
Marked as found in versions pam/1.4.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 979973 grave
Bug #979973 [libpam-yubico] no such file or directory when PAM accesses it
Severity set to 'grave' from 'important'
> notfound 979973 yubico-pam/2.26-1.1
Bug #979973 [libpam-yubico] no such file or directory when PAM accesses it
No longer marked as found in versions yubico-pam/2.26-1.1.
> notfound 990412 yubico-pam/2.23-1
Bug #990412 [libpam-yubico] pam_yubico fails to install module in multiarch path
No longer marked as found in versions yubico-pam/2.23-1.
> reassign 979973 pam
Bug #979973 [libpam-yubico] no such file or directory when PAM accesses it
Bug reassigned from package 'libpam-yubico' to 'pam'.
Ignoring request to alter found versions of bug #979973 to the same values 
previously set
Ignoring request to alter fixed versions of bug #979973 to the same values 
previously set
> reassign 990412 pam
Bug #990412 [libpam-yubico] pam_yubico fails to install module in multiarch path
Bug reassigned from package 'libpam-yubico' to 'pam'.
Ignoring request to alter found versions of bug #990412 to the same values 
previously set
Ignoring request to alter fixed versions of bug #990412 to the same values 
previously set
> merge 979973 990412
Bug #979973 [pam] no such file or directory when PAM accesses it
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
Merged 979973 990412
> found 979973 1.4.0-1
Bug #979973 [pam] no such file or directory when PAM accesses it
Bug #990412 [pam] pam_yubico fails to install module in multiarch path
There is no source info for the package 'pam' at version '1.4.0-1' with 
architecture ''
Unable to make a source version for version '1.4.0-1'
Marked as found in versions 1.4.0-1.
Marked as found in versions 1.4.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
979973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979973
990412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990765: sshfs: please add Breaks: fuse (<< 2)

2021-07-06 Thread Andreas Beckmann
Package: sshfs
Version: 3.7.1+repack-1
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Upgrading sshfs from buster to bullseye requires replacing fuse
with fuse3 in order to install sshfs.
Since there is no clean upgrade path for fuse -> fuse3 (#918984, will
not be fixed for bullseye but only for bookworm), we need to add some
Breaks/Depends elsewhere to make this switch happen without requiring
manual interaction.

One such location is in sshfs itself, others are freedombox and
kdeconnect. Usually two breaks (in distinct packages) are needed to push
apt's scores from 'preferring to keep fuse installed' to 'switching to
fuse3'.

Please see the attached patch.


Andreas
diff -Nru sshfs-fuse-3.7.1+repack/debian/changelog 
sshfs-fuse-3.7.1+repack/debian/changelog
--- sshfs-fuse-3.7.1+repack/debian/changelog2020-11-24 13:40:01.0 
+0100
+++ sshfs-fuse-3.7.1+repack/debian/changelog2021-07-05 14:48:37.0 
+0200
@@ -1,3 +1,10 @@
+sshfs-fuse (3.7.1+repack-2) UNRELEASED; urgency=medium
+
+  * fuse3: Add Breaks: fuse (<< 3) to help switching from fuse to fuse3 on
+upgrades from buster.  (Closes: #-1)
+
+ -- Andreas Beckmann   Mon, 05 Jul 2021 14:48:37 +0200
+
 sshfs-fuse (3.7.1+repack-1) unstable; urgency=medium
 
   * New upstream release
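
Review bot: The changelog bullet is prefixed "fuse3:" although the Breaks is added to the sshfs stanza in debian/control, so the prefix should read "sshfs:". The "(Closes: #-1)" placeholder and the UNRELEASED distribution also still need to be replaced before upload.
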
diff -Nru sshfs-fuse-3.7.1+repack/debian/control 
sshfs-fuse-3.7.1+repack/debian/control
--- sshfs-fuse-3.7.1+repack/debian/control  2020-11-24 13:40:01.0 
+0100
+++ sshfs-fuse-3.7.1+repack/debian/control  2021-07-05 14:48:37.0 
+0200
@@ -24,6 +24,7 @@
 Depends: ${shlibs:Depends}, ${misc:Depends}
 ,fuse3 [linux-any] | fuse4bsd [kfreebsd-any]
 ,openssh-client
+Breaks: fuse (<< 3)
 Description: filesystem client based on SSH File Transfer Protocol
  sshfs is a filesystem client based on the SSH File Transfer Protocol.
  Since most SSH servers already support this protocol it is very easy
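
Review bot: The added line is `Breaks: fuse (<< 3)`, but the report is titled "please add Breaks: fuse (<< 2)"; one of the two should be corrected so the bug log and the upload agree. The Depends just above restricts fuse3 to [linux-any] while the new Breaks carries no architecture qualifier, so it is worth stating whether the Breaks is meant to apply on kfreebsd-any as well.
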


Bug#990764: kdeconnect: please add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3)

2021-07-06 Thread Andreas Beckmann
Package: kdeconnect
Version: 20.12.3-1
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Upgrading e.g. kde-full (with --install-recommends enabled) from
buster to bullseye requires replacing fuse with fuse3 in order to
install sshfs.
Since there is no clean upgrade path for fuse -> fuse3 (#918984, will
not be fixed for bullseye but only for bookworm), we need to add some
Breaks/Depends elsewhere to make this switch happen without requiring
manual interaction.

Here is an excerpt of the diff of the apt problem resolution from
an upgrade of kde-full (with --install-recommends enabled) from buster
to
  a) current bullseye (which does not upgrade sshfs at all) and
  b) a bullseye with kdeconnect and sshfs patched to carry more Depends/Breaks.
The apt scores change from 'preferring to keep fuse installed' to
'switching to fuse3'.

...
-  Calculating upgrade...Starting pkgProblemResolver with broken count: 50
+  Calculating upgrade...Starting pkgProblemResolver with broken count: 52
...
-  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
-  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
-Considering fuse:amd64 4 as a solution to fuse3:amd64 3
-Holding Back fuse3:amd64 rather than change fuse:amd64
-  Investigating (0) sshfs:amd64 < 2.10+repack-2 -> 3.7.1+repack-1 @ii umU Ib >
-  Broken sshfs:amd64 Depends on fuse3:amd64 < none | 3.10.3-2 @un uH >
-Considering fuse3:amd64 3 as a solution to sshfs:amd64 2
-Holding Back sshfs:amd64 rather than change fuse3:amd64
+  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
+  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
+Considering fuse:amd64 2 as a solution to fuse3:amd64 5
+Added fuse:amd64 to the remove list
+Conflicts//Breaks against version 2.9.9-1+deb10u1 for fuse but that is not 
InstVer, ignoring
+Fixing fuse3:amd64 via remove of fuse:amd64
...
-   Try to Re-Instate (1) sshfs:amd64
   The following packages will be REMOVED:
-g++-8 gcc-8 kaccessible katepart kde-runtime kde-style-breeze-qt4
+fuse g++-8 gcc-8 kaccessible katepart kde-runtime kde-style-breeze-qt4
...
  The following packages have been kept back:
-sshfs
...
-  1681 upgraded, 302 newly installed, 131 to remove and 1 not upgraded.
+  1681 upgraded, 304 newly installed, 132 to remove and 0 not upgraded.
...

Please see the attached patch.


Andreas
diff -Nru kdeconnect-20.12.3/debian/changelog 
kdeconnect-20.12.3/debian/changelog
--- kdeconnect-20.12.3/debian/changelog 2021-03-08 22:43:49.0 +0100
+++ kdeconnect-20.12.3/debian/changelog 2021-07-01 11:21:47.0 +0200
@@ -1,3 +1,10 @@
+kdeconnect (20.12.3-2) UNRELEASED; urgency=medium
+
+  * kdeconnect: Add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3) to ensure
+fuse gets replaced by fuse3 on upgrades from buster.  (Closes: #-1)
+
+ -- Andreas Beckmann   Thu, 01 Jul 2021 11:21:47 +0200
+
 kdeconnect (20.12.3-1) unstable; urgency=medium
 
   * New upstream release (20.12.3).
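
Review bot: The changelog bullet lists the new Breaks: fuse (<< 3) and Depends: fuse3 (>= 3) but not the tightening of the existing dependency from `sshfs` to `sshfs (>= 3)` that the debian/control hunk also makes; that change should be named in the entry too. "(Closes: #-1)" is still a placeholder.
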
diff -Nru kdeconnect-20.12.3/debian/control kdeconnect-20.12.3/debian/control
--- kdeconnect-20.12.3/debian/control   2021-03-08 22:31:44.0 +0100
+++ kdeconnect-20.12.3/debian/control   2021-07-01 11:21:47.0 +0200
@@ -55,9 +55,12 @@
  qml-module-qtquick-particles2,
  qml-module-qtquick-window2,
  qml-module-qtquick2,
- sshfs,
+ sshfs (>= 3),
  ${misc:Depends},
  ${shlibs:Depends},
+# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be 
installed.
+ fuse3 (>= 3),
+Breaks: fuse (<< 3)
 Description: connect smartphones to your desktop devices
  Tool to integrate your smartphone, tablet, and desktop devices.
  Remote-control, share files, synchronize notifications, and more!
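
Review bot: The `+#` comment sits inside the Depends field directly above `fuse3 (>= 3)`, while the `Breaks: fuse (<< 3)` line it also describes has no comment of its own. Suggest wording the comment so it covers both lines and says they exist only to shift apt's resolver scores on upgrades from buster. In the mail the comment is wrapped so that "installed." lands on a line without the `#`; apply from the attachment rather than from the inline text.
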


Bug#990758: freedombox: please add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3)

2021-07-06 Thread Andreas Beckmann
Package: freedombox
Version: 21.4.2
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Upgrading freedombox from buster to bullseye requires replacing fuse
with fuse3 in order to install sshfs.
Since there is no clean upgrade path for fuse -> fuse3 (#918984, will
not be fixed for bullseye but only for bookworm), we need to add some
Breaks/Depends elsewhere to make this switch happen without requiring
manual interaction.

Here is an excerpt of the diff of the apt problem resolution from
an upgrade of buster to
  a) current bullseye (which does not upgrade freedombox at all) and
  b) a bullseye with freedombox and sshfs patched to carry more Depends/Breaks.
The apt scores change from 'preferring to keep fuse installed' to 'switching to 
fuse3'.

...
-  Starting 2 pkgProblemResolver with broken count: 12
+  Starting 2 pkgProblemResolver with broken count: 14
...
-  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
-  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
-Considering fuse:amd64 4 as a solution to fuse3:amd64 2
-Holding Back fuse3:amd64 rather than change fuse:amd64
-  Investigating (0) sshfs:amd64 < none -> 3.7.1+repack-1 @un uN Ib >
-  Broken sshfs:amd64 Depends on fuse3:amd64 < none | 3.10.3-2 @un uH >
-Considering fuse3:amd64 2 as a solution to sshfs:amd64 0
-Holding Back sshfs:amd64 rather than change fuse3:amd64
-  Investigating (0) freedombox:amd64 < 19.1+deb10u2 -> 21.4.2 @ii umU Ib >
-  Broken freedombox:amd64 Depends on sshfs:amd64 < none | 3.7.1+repack-1 @un 
uH >
-Considering sshfs:amd64 0 as a solution to freedombox:amd64 0
-Holding Back freedombox:amd64 rather than change sshfs:amd64
+  Investigating (0) fuse3:amd64 < none -> 3.10.3-2 @un uN Ib >
+  Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU 
>
+Considering fuse:amd64 2 as a solution to fuse3:amd64 3
+Added fuse:amd64 to the remove list
+Conflicts//Breaks against version 2.9.9-1+deb10u1 for fuse but that is not 
InstVer, ignoring
+Fixing fuse3:amd64 via remove of fuse:amd64
...
-   Try to Re-Instate (1) freedombox:amd64
   Done
...
   The following packages will be REMOVED:
-g++-8 gcc-8 libgc1c2 libgcc-8-dev libpolkit-backend-1-0 libpython-stdlib
-libstdc++-8-dev php7.3-cli php7.3-common php7.3-fpm php7.3-json
-php7.3-opcache php7.3-readline python python-django-common python-minimal
-python-pyicu python3.7
+fuse g++-8 gcc-8 libgc1c2 libgcc-8-dev libpolkit-backend-1-0
+libpython-stdlib libstdc++-8-dev php7.3-cli php7.3-common php7.3-fpm
+php7.3-json php7.3-opcache php7.3-readline python python-django-common
+python-minimal python-pyicu python3.7
...
-  The following packages have been kept back:
-freedombox
...
-  532 upgraded, 119 newly installed, 18 to remove and 1 not upgraded.
+  532 upgraded, 186 newly installed, 19 to remove and 0 not upgraded.

Please see the attached patch.


Andreas
diff -Nru freedombox-21.4.2/debian/changelog 
freedombox-21.4.2+nmu1~deb11anbe3/debian/changelog
--- freedombox-21.4.2/debian/changelog  2021-03-28 15:23:46.0 +0200
+++ freedombox-21.4.2+nmu1~deb11anbe3/debian/changelog  2021-07-01 
12:43:04.0 +0200
@@ -1,3 +1,10 @@
+freedombox (21.4.3) UNRELEASED; urgency=medium
+
+  * freedombox: Add Breaks: fuse (<< 3) and Depends: fuse3 (>= 3) to ensure
+fuse gets replaced by fuse3 on upgrades from buster.  (Closes: #-1)
+
+ -- Andreas Beckmann   Thu, 01 Jul 2021 12:43:04 +0200
+
 freedombox (21.4.2) unstable; urgency=high
 
   [ Burak Yavuz ]
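
Review bot: The new entry is versioned 21.4.3 while the patched tree in the diff headers is named freedombox-21.4.2+nmu1~deb11anbe3; the two should agree, and it is worth asking the maintainers whether a plain 21.4.3 is the version they want this change to take. "(Closes: #-1)" and UNRELEASED are placeholders to fill in before upload.
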
diff -Nru freedombox-21.4.2/debian/control 
freedombox-21.4.2+nmu1~deb11anbe3/debian/control
--- freedombox-21.4.2/debian/control2021-03-28 15:23:46.0 +0200
+++ freedombox-21.4.2+nmu1~deb11anbe3/debian/control2021-07-01 
12:43:04.0 +0200
@@ -58,6 +58,8 @@
 Breaks:
  freedombox-setup (<< 0.13~),
  plinth (<< 0.46.0~),
+# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be 
installed.
+ fuse (<< 3),
 Replaces:
  freedombox-setup (<< 0.13~),
  plinth (<< 0.46.0~),
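
Review bot: The comment above `fuse (<< 3),` gives the purpose of the Breaks but not when it can go away. The report says the missing fuse -> fuse3 upgrade path is tracked in #918984 and will only be fixed for bookworm, so referencing that bug number in the comment would make it clear that this entry is a temporary upgrade aid and when it can be dropped.
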
@@ -116,6 +118,8 @@
  python3-yaml,
  sudo,
  wget,
+# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be 
installed.
+ fuse3 (>= 3),
 Recommends:
 # Priority: standard
  bzip2,
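
Review bot: The sshfs dependency is not touched here, whereas the kdeconnect patch for the same problem changes `sshfs` to `sshfs (>= 3)` next to its new `fuse3 (>= 3)`. The resolver log in this report shows freedombox depending on sshfs, so either apply the same tightening or say in the report why it is not needed for freedombox.
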

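The score change that the sshfs, kdeconnect and freedombox reports above describe can be read off apt's resolver debug output mechanically. The following is an added example, not part of any of the reports and not apt code: it parses the `Considering ... as a solution to ...` lines from the kdeconnect excerpt (copied here without diff markers and mail wrapping) and reports which conflicts changed outcome; all function names are hypothetical.

```python
import re

# Resolver lines copied from the kdeconnect report's excerpt, with the diff
# markers and mail line-wrapping removed. BEFORE is current bullseye, AFTER is
# bullseye with the extra Depends/Breaks applied.
BEFORE = """\
Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU >
Considering fuse:amd64 4 as a solution to fuse3:amd64 3
Holding Back fuse3:amd64 rather than change fuse:amd64
Broken sshfs:amd64 Depends on fuse3:amd64 < none | 3.10.3-2 @un uH >
Considering fuse3:amd64 3 as a solution to sshfs:amd64 2
Holding Back sshfs:amd64 rather than change fuse3:amd64
"""
AFTER = """\
Broken fuse3:amd64 Breaks on fuse:amd64 < 2.9.9-1+deb10u1 -> 2.9.9-5 @ii umU >
Considering fuse:amd64 2 as a solution to fuse3:amd64 5
Added fuse:amd64 to the remove list
Fixing fuse3:amd64 via remove of fuse:amd64
"""

CONSIDER = re.compile(r"Considering (\S+) (-?\d+) as a solution to (\S+) (-?\d+)")
HELD = re.compile(r"Holding Back (\S+) rather than change (\S+)")
REMOVED = re.compile(r"Added (\S+) to the remove list")


def parse_decisions(log):
    """Pair each 'Considering' line with the outcome line that follows it."""
    decisions, current = [], None
    for line in log.splitlines():
        m = CONSIDER.search(line)
        if m:
            current = {"candidate": m[1], "candidate_score": int(m[2]),
                       "broken": m[3], "broken_score": int(m[4]),
                       "outcome": "unknown", "loser": None}
            decisions.append(current)
            continue
        if current is None or current["outcome"] != "unknown":
            continue
        m = HELD.search(line)
        if m and m[1] == current["broken"]:
            current["outcome"], current["loser"] = "held back", m[1]
            continue
        m = REMOVED.search(line)
        if m and m[1] == current["candidate"]:
            current["outcome"], current["loser"] = "removed", m[1]
    return decisions


def changed_outcomes(before, after):
    """Return (old, new) pairs for conflicts whose outcome differs between runs."""
    old = {(d["candidate"], d["broken"]): d for d in parse_decisions(before)}
    changes = []
    for d in parse_decisions(after):
        prev = old.get((d["candidate"], d["broken"]))
        if prev and (prev["outcome"], prev["loser"]) != (d["outcome"], d["loser"]):
            changes.append((prev, d))
    return changes


def describe(d):
    """One-line summary of a parsed resolver decision."""
    return (f"{d['candidate']} ({d['candidate_score']}) vs "
            f"{d['broken']} ({d['broken_score']}): {d['loser']} {d['outcome']}")


if __name__ == "__main__":
    for prev, new in changed_outcomes(BEFORE, AFTER):
        print("before:", describe(prev))
        print("after: ", describe(new))
```

In the quoted lines the package with the lower score is the one that ends up held back or removed, which matches the reports' description of the scores moving from 'preferring to keep fuse installed' to 'switching to fuse3'.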

Processed: your mail

2021-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> unarchive 907590
Bug #907590 {Done: Debian FTP Masters } 
[src:grafana] grafana: CVE-2018-15727: authentication bypass flaw
Warning: Unknown package 'src:grafana'
Unarchived Bug 907590
Warning: Unknown package 'src:grafana'
> fixed 907590 5.2.3-1
Bug #907590 {Done: Debian FTP Masters } 
[src:grafana] grafana: CVE-2018-15727: authentication bypass flaw
Warning: Unknown package 'src:grafana'
The source 'grafana' and version '5.2.3-1' do not appear to match any binary 
packages
Marked as fixed in versions grafana/5.2.3-1.
Warning: Unknown package 'src:grafana'
> archive 907590
Bug #907590 {Done: Debian FTP Masters } 
[src:grafana] grafana: CVE-2018-15727: authentication bypass flaw
Warning: Unknown package 'src:grafana'
Warning: Unknown package 'src:grafana'
archived 907590 to archive/90 (from 907590)
Warning: Unknown package 'src:grafana'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
907590: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907590
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990749: linuxptp: CVE-2021-3571

2021-07-06 Thread Salvatore Bonaccorso
Source: linuxptp
Version: 3.1-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for linuxptp.

CVE-2021-3571[0]:
| linuxptp: wrong length of one-step follow-up in transparent clock

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3571

Please adjust the affected versions in the BTS as needed.

Note, as for CVE-2021-3570 I set the severity here as well to RC
thinking the fix needs to go into bullseye before the release. Let me
know if I can help with a NMU.

Regards,
Salvatore



Processed: linuxptp: CVE-2021-3570

2021-07-06 Thread Debian Bug Tracking System
Processing control commands:

> found -1 1.9.2-1
Bug #990748 [src:linuxptp] linuxptp: CVE-2021-3570
Marked as found in versions linuxptp/1.9.2-1.

-- 
990748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990748
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990748: linuxptp: CVE-2021-3570

2021-07-06 Thread Salvatore Bonaccorso
Source: linuxptp
Version: 3.1-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.9.2-1

Hi,

The following vulnerability was published for linuxptp.

CVE-2021-3570[0]:
| linuxptp: missing length check of forwarded messages

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3570

Please adjust the affected versions in the BTS as needed.

Note, I did set the severity here straight to RC as I think the fix
should go in bullseye. I can try to help with a NMU if needed.

Regards,
Salvatore