[SECURITY] [DLA 2452-2] libdatetime-timezone-perl regression update
Debian LTS Advisory DLA-2452-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 17, 2020                             https://wiki.debian.org/LTS

Package        : libdatetime-timezone-perl
Version        : 2.09-1+2020d+1
Debian Bug     : 974899

2.09-1+2020d accidentally did omit changes to some files, resulting in warnings.

For Debian 9 stretch, this problem has been fixed in version 2.09-1+2020d+1.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 2453-1] restic security update
Debian LTS Advisory DLA-2453-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Brian May
November 17, 2020                             https://wiki.debian.org/LTS

Package        : restic
Version        : 0.3.3-1+deb9u1
CVE ID         : CVE-2020-9283

golang-go.crypto was recently updated with a fix for CVE-2020-9283. This in turn requires all packages that use the affected code to be recompiled in order to pick up the security fix.

CVE-2020-9283

    SSH signature verification could cause Panic when given invalid Public key.

For Debian 9 stretch, this problem has been fixed in version 0.3.3-1+deb9u1.

We recommend that you upgrade your restic packages.

For the detailed security status of restic please refer to its security tracker page at: https://security-tracker.debian.org/tracker/restic

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Accepted restic 0.3.3-1+deb9u1 (source amd64) into oldstable
Format: 1.8
Date: Mon, 16 Nov 2020 09:27:41 +1100
Source: restic
Binary: restic
Architecture: source amd64
Version: 0.3.3-1+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Félix Sipma
Changed-By: Brian May
Description:
 restic - backup program with multiple revisions, encryption and more
Changes:
 restic (0.3.3-1+deb9u1) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2020-9283: Rebuild with security fix in golang-go.crypto.
     Signature verification could cause Panic when given invalid Public key.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Abhijith PA writes:

> I generated DLA for jupyter-notebook just before upload. But upload was
> rejected due to `Built-Using refers to non-existing source package`. I have
> pinged ftp masters couple of times to manually move needed packages to
> security-master. If any ftp masters here, please help.

I have a similar issue. I opened up a bug report:

https://bugs.debian.org/974877

I suggest you do the same. At least with the bug report there is a formal public record of the pending request.
--
Brian May

Re: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data
Version: 1:2.09-1+2020d+1

On Mon, Nov 16, 2020 at 09:35:02AM +, Ben Smithurst wrote:
>...
> Loaded DateTime::TimeZone::Europe::London, which is from a different version
> (2020d) of the Olson database than this installation of DateTime::TimeZone
> (2019c).
>...

Apologies for the breakage, I've just uploaded 1:2.09-1+2020d+1 to fix it.

cu
Adrian

Re: cacti graph zoom bug
Hi Matus,

On Tue, Nov 17, 2020 at 1:01 AM Matus UHLAR - fantomas wrote:
> I have submitted a bug, containing fix for this issue:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974926
>
> I'm not sure if anyone is willing to fix this in the stretch version, but if
> it's the case, here you are...

This indeed warrants a fix. I'll upload the fixed version with the attached patch if no one beats me to it :)

- u

Accepted libdatetime-timezone-perl 1:2.09-1+2020d+1 (source) into oldstable
Format: 1.8
Date: Mon, 16 Nov 2020 20:41:28 +0200
Source: libdatetime-timezone-perl
Binary: libdatetime-timezone-perl
Architecture: source
Version: 1:2.09-1+2020d+1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Perl Group
Changed-By: Adrian Bunk
Description:
 libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl
Closes: 974899
Changes:
 libdatetime-timezone-perl (1:2.09-1+2020d+1) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Fix incomplete update in the previous upload.
     (Closes: #974899)

cacti graph zoom bug
Hello,

a graph zooming bug appeared in cacti ~2 months ago. The bug appears in cacti 0.8 in stretch, it's fixed in buster.

I have submitted a bug, containing fix for this issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974926

I'm not sure if anyone is willing to fix this in the stretch version, but if it's the case, here you are...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot.

Re: Fwd: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data
On Mon, Nov 16, 2020 at 04:29:05PM +0100, Florian Schlichting wrote:
> Hi Adrian,
>
> are you aware of this regression in stretch-security, can you fix this
> soonish (it leaves several hundred lines in my log every hour) and/or
> leave a comment in the bug?

Yes, I've seen the bug and already looking into it.

> thanks,
> Florian

cu
Adrian

Fwd: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data
Hi Adrian,

are you aware of this regression in stretch-security, can you fix this soonish (it leaves several hundred lines in my log every hour) and/or leave a comment in the bug?

thanks,
Florian

- Forwarded message from Ben Smithurst -

From: Ben Smithurst
To: Debian Bug Tracking System
Resent-From: Ben Smithurst
Resent-To: debian-bugs-d...@lists.debian.org
Reply-To: Ben Smithurst , 974...@bugs.debian.org
Date: Mon, 16 Nov 2020 09:35:02 +
Subject: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data

Package: libdatetime-timezone-perl
Version: 1:2.09-1+2020d
Severity: important

Dear Maintainer,

There seems to be an internal inconsistency in this package in that the Olson versions defined in timezones are inconsistent:

% dpkg -L libdatetime-timezone-perl | xargs grep olson_version 2>/dev/null | cut -d' ' -f3 | sort | uniq -c
      2
    175 {'2019c'}
    185 {'2020d'}

This leads to warnings appearing:

Loaded DateTime::TimeZone::Europe::London, which is from a different version (2020d) of the Olson database than this installation of DateTime::TimeZone (2019c).

-- System Information:
Debian Release: 9.2
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdatetime-timezone-perl depends on:
ii  libclass-singleton-perl                1.5-1
ii  libmodule-runtime-perl                 0.014-2
ii  libnamespace-autoclean-perl            0.28-1
ii  libparams-validationcompiler-perl      0.23-1
ii  libscalar-list-utils-perl              1:1.47-1
ii  libspecio-perl                         0.33-1
ii  libtry-tiny-perl                       0.28-1
ii  perl                                   5.24.1-3+deb9u5
ii  perl-base [libscalar-list-utils-perl]  5.24.1-3+deb9u5

Versions of packages libdatetime-timezone-perl recommends:
ii  libdatetime-perl  2:1.42-1

libdatetime-timezone-perl suggests no packages.

-- no debconf information

- End forwarded message -

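The consistency check from the bug report above, as an added example that is not part of the original message or of the package: a POSIX shell version that counts the distinct `olson_version` values under a module directory and fails when more than one is present. It assumes each module declares its version as `sub olson_version {'2020d'}`, the form implied by the reported output; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: count the Olson database versions declared by the
# DateTime::TimeZone modules under a directory, and flag a mixed tree.
# Assumption: each module declares its version on a line shaped like
#   sub olson_version {'2020d'}
# (inferred from the third space-separated field in the report's output).

# olson_versions DIR: print "COUNT VERSION" for each distinct version.
olson_versions() {
    grep -rhs -- 'sub olson_version' "$1" |
        sed -n "s/.*olson_version[[:space:]]*{[[:space:]]*'\([^']*\)'.*/\1/p" |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# olson_consistent DIR: succeed only if exactly one version is declared.
# A tree with no declarations at all also fails, since nothing was verified.
olson_consistent() {
    n=$(olson_versions "$1" | wc -l)
    [ "$n" -eq 1 ]
}

# make_sample: build a constructed tree that mimics the reported mixed state
# (file names and contents are made up for this example) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Europe" "$d/America"
    printf "sub olson_version {'2020d'}\n" > "$d/Europe/London.pm"
    printf "sub olson_version {'2019c'}\n" > "$d/America/Chicago.pm"
    printf "sub olson_version {'2019c'}\n" > "$d/America/Denver.pm"
    echo "$d"
}

# With a directory argument, check that tree; otherwise do nothing.
if [ "$#" -gt 0 ]; then
    olson_versions "$1"
    olson_consistent "$1" || { echo "mixed Olson versions under $1" >&2; exit 1; }
fi
```

Run after an upgrade against the directory holding the installed DateTime::TimeZone modules; a single output line means every module was regenerated from the same database release.
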
Re: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data
On Mon, 16 Nov 2020 09:35:02 +, Ben Smithurst wrote:

> Package: libdatetime-timezone-perl
> Version: 1:2.09-1+2020d
> Severity: important
>
> Dear Maintainer,
>
> There seems to be an internal inconsistency in this package in that
> the Olson versions defined in timezones are inconsistent:
>
> % dpkg -L libdatetime-timezone-perl | xargs grep olson_version 2>/dev/null |
> cut -d' ' -f3 | sort | uniq -c
>       2
>     175 {'2019c'}
>     185 {'2020d'}
>
> This leads to warnings appearing:
>
> Loaded DateTime::TimeZone::Europe::London, which is from a different version
> (2020d) of the Olson database than this installation of DateTime::TimeZone
> (2019c).

Hi Ben,

thanks for your bug report!

The version of libdatetime-timezone-perl this bug is reported against (in stretch(-security)) is not maintained by the package maintainers but by the LTS team. I'm cc'ing their list and the uploader of 1:2.09-1+2020d.

Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Supertramp: My Kind Of Lady

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, Nov 16, 2020 at 12:36:23PM +0100, Emilio Pozuelo Monfort wrote:
> These used to include the DLA number. Maybe those could be back?

copy error on my side, sorry.

- DLA 2446-1 (10 Nov 2020) (moin)
- DLA 2432-1 (04 Nov 2020) (jupyter-notebook)

--
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Hi,

On 16/11/20 5:06 pm, Emilio Pozuelo Monfort wrote:
> Hi,
...
> fwiw the jupyter-notebook DLA is not in -announce either, so it's not just
> missing in the website.

I generated DLA for jupyter-notebook just before upload. But upload was rejected due to `Built-Using refers to non-existing source package`. I have pinged ftp masters couple of times to manually move needed packages to security-master. If any ftp masters here, please help.

--abhijith

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Hi,

On 16/11/2020 11:31, Holger Levsen wrote:
> There are three DLAs which have been reserved but not yet been published:
>
> - (15 Nov 2020) (libvncserver)
> - (10 Nov 2020) (moin)
> - (04 Nov 2020) (jupyter-notebook)

These used to include the DLA number. Maybe those could be back?

fwiw the jupyter-notebook DLA is not in -announce either, so it's not just missing in the website.

Cheers,
Emilio

(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi,

today is a nice Monday:

- no packages were unclaimed for LTS.
- no packages were unclaimed for ELTS.
- no one claimed too many packages.

There are three DLAs which have been reserved but not yet been published:

- (15 Nov 2020) (libvncserver)
- (10 Nov 2020) (moin)
- (04 Nov 2020) (jupyter-notebook)

Have a great week!

--
cheers,
        Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C