Bug#775892: unblock (pre-approval): python-django/1.7.3-1

2015-02-18 Thread Raphael Hertzog
Hi Mehdi,

On Tue, 17 Feb 2015, Mehdi Dogguy wrote:
> On 2015-02-04 09:01, Raphael Hertzog wrote:
>> it's been two weeks that I have opened this pre-approval request
>> and I got almost no feedback from the release team (except Neil saying
>> that he has no answer for me on IRC).
>
> Neil or Niels?

Sorry, I meant Niels.

> I can understand why the former doesn't have any
> answer for you on this subject. The latter might not have made up his
> mind yet on this because it is not an easy subject.

Sure.

>> If I don't hear back from you in the next two days, I will proceed
>> with what I believe to be best, which is:
>
> Do you think such a statement helps you in any way?

Well, it was not meant to help me, but to help Debian. If the arguments I
have put forth were not enough to convince anyone of the release team in a
reasonable timeframe, then I hoped that some real-life testing in unstable
would be a supplementary proof that it was the safe thing to do.

> The non-trivial part is to try to draw a line to know what should be
> allowed to be updated using new upstream releases, and what doesn't.
> An effort has been made into this direction (See packages like linux,
> iceweasel, postgresql, etc...) but I think that there is still room
> for improvement there.

Certainly, that's why I was arguing that we could/should handle
python-django like the cases that you mention.

And if you don't agree, then I would be interested to know what could
bring you the required confidence so that we can gain that status
(maybe adding autopkgtests to reverse dependencies and running
those tests, or stuff like that).

> Anyway. Based on my blabla about security stuff, I've decided to
> unblock this package so that it migrates to Jessie. Note that this
> doesn't mean that we will accept (let's say) 1.7.5 next time.

Thanks!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150218083802.ga3...@home.ouaza.com



Bug#778673: unblock: suricata/2.0.6-2

2015-02-18 Thread Arturo Borrero Gonzalez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package suricata

We just uploaded to unstable a new suricata version (2.0.6-2) which
would require another unblock to enter jessie.

This is the debdiff, which was generated with (unfiltered):
 % debdiff suricata_2.0.6-1.dsc suricata_2.0.6-2.dsc

diff -Nru suricata-2.0.6/debian/changelog suricata-2.0.6/debian/changelog
--- suricata-2.0.6/debian/changelog 2015-02-18 11:42:51.0 +0100
+++ suricata-2.0.6/debian/changelog 2015-02-18 11:33:51.0 +0100
@@ -1,3 +1,14 @@
+suricata (2.0.6-2) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * d/patches: drop 10-fix-missing-script-autoreconf.patch (Closes: #778670)
+  * d/rules: prevent not .so libhtp files from entering binary suricata package
+
+  [ Pierre Chifflier ]
+  * Add conflicts/replaces fields for transition from libhtp (Closes: #778668)
+
+ -- Pierre Chifflier pol...@debian.org  Wed, 18 Feb 2015 11:19:31 +0100
+
 suricata (2.0.6-1) unstable; urgency=medium
 
   [ Pierre Chifflier ]
diff -Nru suricata-2.0.6/debian/control suricata-2.0.6/debian/control
--- suricata-2.0.6/debian/control   2015-02-18 11:42:51.0 +0100
+++ suricata-2.0.6/debian/control   2015-02-18 11:33:51.0 +0100
@@ -30,6 +30,8 @@
 Depends: ${shlibs:Depends},
 ${misc:Depends},
 ${python:Depends}
+Conflicts: libhtp1 ( 0.5.16), libhtp-dev ( 0.5.16)
+Replaces: libhtp1 ( 0.5.16), libhtp-dev ( 0.5.16)
 Recommends: oinkmaster, snort-rules-default, python
 Description: Next Generation Intrusion Detection and Prevention Tool
  Suricata is a network Intrusion Detection System (IDS). It is based on
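
Review bot: The added Conflicts/Replaces lines in debian/control show the version restrictions as `( 0.5.16)` with no relation operator, so the intended bound (presumably an upper bound on the old libhtp packages) should be confirmed against the uploaded control file. For a file takeover like this, Breaks plus Replaces is the usual Debian Policy pairing; Conflicts forces removal of libhtp1 wherever it is installed, and the libhtp-dev entry is only needed if suricata still ships development files.
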
diff -Nru suricata-2.0.6/debian/patches/10-fix-missing-script-autoreconf.patch 
suricata-2.0.6/debian/patches/10-fix-missing-script-autoreconf.patch
--- suricata-2.0.6/debian/patches/10-fix-missing-script-autoreconf.patch
2015-02-18 11:42:51.0 +0100
+++ suricata-2.0.6/debian/patches/10-fix-missing-script-autoreconf.patch
1970-01-01 01:00:00.0 +0100
@@ -1,13 +0,0 @@
-Index: suricata/libhtp/configure.ac
-===
 suricata.orig/libhtp/configure.ac  2014-04-01 08:25:37.604832456 +0200
-+++ suricata/libhtp/configure.ac   2014-04-02 20:11:01.504628889 +0200
-@@ -3,7 +3,7 @@
- dnl Initialization macros
- dnl --
- 
--AC_INIT([LibHTP], m4_esyscmd([./get-version.sh VERSION]))
-+AC_INIT([LibHTP], 0.5.10)
- AM_INIT_AUTOMAKE()
- 
- AC_CONFIG_HEADERS([config.h])
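
Review bot: Dropping this patch restores `AC_INIT([LibHTP], m4_esyscmd([./get-version.sh VERSION]))`, so the configure version string again depends on get-version.sh being present and executable in the libhtp tree when autoreconf runs, and the changelog entry does not say why that now holds. Please state in the changelog why the hard-coded 0.5.10 is no longer needed (the 0.5.16 bound in debian/control suggests the bundled libhtp is newer) and confirm a clean build from the source package.
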
diff -Nru suricata-2.0.6/debian/patches/series 
suricata-2.0.6/debian/patches/series
--- suricata-2.0.6/debian/patches/series2015-02-18 11:42:51.0 
+0100
+++ suricata-2.0.6/debian/patches/series1970-01-01 01:00:00.0 
+0100
@@ -1 +0,0 @@
-10-fix-missing-script-autoreconf.patch
diff -Nru suricata-2.0.6/debian/rules suricata-2.0.6/debian/rules
--- suricata-2.0.6/debian/rules 2015-02-18 11:42:51.0 +0100
+++ suricata-2.0.6/debian/rules 2015-02-18 10:57:35.0 +0100
@@ -35,7 +35,11 @@
rm -rf $(DEB_DESTDIR)/usr/lib/python*;\
(cd scripts/suricatasc \
python -B setup.py install --install-layout=deb --prefix 
$(DEB_DESTDIR)/usr)
+   # we don't want to deploy any of the libhtp files, only the .so
rm -rf $(CURDIR)/debian/suricata/usr/lib/*/*.la
+   rm -rf $(CURDIR)/debian/suricata/usr/lib/*/*.a
+   rm -rf $(CURDIR)/debian/suricata/usr/lib/*/pkgconfig
+   rm -rf $(CURDIR)/debian/suricata/usr/include
 
 override_dh_auto_configure:
dh_auto_configure -- $(CONFIGURE_ARGS)
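
Review bot: The cleanup after the suricatasc install removes `*.la`, `*.a`, `pkgconfig` and `usr/include`, but nothing removes the unversioned libhtp.so development symlink from `usr/lib/*/`, so the binary package still overlaps with libhtp-dev. Add a removal for that symlink as well, after which the libhtp-dev Conflicts/Replaces is unnecessary. `rm -f` is enough for the `.la` and `.a` globs, since they match files rather than directories.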


unblock suricata/2.0.6-2


-- 
Archive: 
https://lists.debian.org/20150218105404.30362.85533.report...@r2d2.cica.es



More trigger cycles

2015-02-18 Thread Niels Thykier
Hi,

Based on #778695, it seems like we still have trigger cycles.  At this
point in the freeze, I am afraid it is too late to fix the remaining cycles.

I have asked Johannes if this kind of trigger cycles can be found via
his script.  If so, hopefully we can have them eliminated for Stretch,
but as said - we are over 3 months into the freeze and these trigger
cycles are still biting us.

@dpkg maintainers: Please make the necessary changes to revert the
trigger cycle error or have dpkg recover from it automatically
immediately without aborting the upgrade.

Thanks,
~Niels


-- 
Archive: https://lists.debian.org/54e4d337.8020...@thykier.net



Bug#775892: unblock (pre-approval): python-django/1.7.3-1

2015-02-18 Thread Mehdi Dogguy

On 2015-02-18 09:38, Raphael Hertzog wrote:

> And if you don't agree, then I would be interested to know what could
> bring you the required confidence so that we can gain that status
> (maybe adding autopkgtests to reverse dependencies and running
> those tests, or stuff like that).

The list of packages that we started with are the ones that give more
trouble to the security team. Maybe the list should be expanded, I
don't know. Most probably. What we would like to have is a general
discussion (not now please... but after jessie release) to put some
criteria to help to distinguish packages that need a special treatment
and others that don't. For now, the criteria has been "security team
has trouble with X" but I don't find this criteria good enough.

The autopkgtests might be part of the answer, but not the only one
I hope.

Regards,

--
Mehdi


--
Archive: https://lists.debian.org/a9c0b395a32dffb5ece4cfa864808...@dogguy.org



Bug#778673: unblock: suricata/2.0.6-2

2015-02-18 Thread Arturo Borrero Gonzalez
On 18 February 2015 at 18:01, Julien Cristau jcris...@debian.org wrote:
> On Wed, Feb 18, 2015 at 11:54:04 +0100, Arturo Borrero Gonzalez wrote:
>
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package suricata
>>
>> We just uploaded to unstable a new suricata version (2.0.6-2) which
>> would require another unblock to enter jessie.
>>
>> This is the debdiff, which was generated with (unfiltered):
>>  % debdiff suricata_2.0.6-1.dsc suricata_2.0.6-2.dsc
>
> The libhtp.so symlink should not be installed either, so you shouldn't
> need any conflicts with libhtp-dev.


Is it OK to upload a -3 with no symlink and request an unblock again?

regards

-- 
Arturo Borrero González


--
Archive: 
https://lists.debian.org/CAOkSjBgBQso_hpTK=zX8MBqG7RgH53We6+HN7qDHOVT7oh6O=q...@mail.gmail.com



Bug#778673: unblock: suricata/2.0.6-2

2015-02-18 Thread Julien Cristau
On Wed, Feb 18, 2015 at 11:54:04 +0100, Arturo Borrero Gonzalez wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package suricata
>
> We just uploaded to unstable a new suricata version (2.0.6-2) which
> would require another unblock to enter jessie.
>
> This is the debdiff, which was generated with (unfiltered):
>  % debdiff suricata_2.0.6-1.dsc suricata_2.0.6-2.dsc

The libhtp.so symlink should not be installed either, so you shouldn't
need any conflicts with libhtp-dev.

Cheers,
Julien




Bug#778636: marked as done (unblock: cvsweb/3:3.0.6-8)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 19:10:49 +0100
with message-id 20150218181049.ga1...@dogguy.org
and subject line Re: Bug#778636: unblock: cvsweb/3:3.0.6-8
has caused the Debian Bug report #778636,
regarding unblock: cvsweb/3:3.0.6-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778636: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778636
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock


Please unblock package cvsweb

There is an incompatibility with Perl 5.18, which can be fixed by the patch
added in 3:3.0.6-8. The bug itself has been reported with severity important.
However the  reporter speaks about errors.

So given the fact, that the patch makes cvsweb fully functional again and is
pretty small, I'd like to request an unblock of the package.

The .debdiff is attached. It also covers the fact, that the package has been
moved to collab-maint.

Regards, Daniel


unblock cvsweb/3:3.0.6-8

- -- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (560, 'stable'), (500, 
'oldstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

diff -Nru cvsweb-3.0.6/debian/changelog cvsweb-3.0.6/debian/changelog
--- cvsweb-3.0.6/debian/changelog	2011-10-27 23:32:13.0 +0200
+++ cvsweb-3.0.6/debian/changelog	2015-02-17 18:56:43.0 +0100
@@ -1,3 +1,13 @@
+cvsweb (3:3.0.6-8) unstable; urgency=medium
+
+  * debian/control (Vcs-Browser, Vcs-Svn): Relocated to collab-maint.
+(DM-Upload-Allowed): Obsolete and dropped.
+  * debian/patches/733054_perl_518.patch: Added (closes: #733054).
+- Added Perl 5.18 compatibility and fixed errors.
+  * debian/patches/series: Adjusted.
+
+ -- Daniel Leidert dleid...@debian.org  Tue, 17 Feb 2015 18:56:37 +0100
+
 cvsweb (3:3.0.6-7) unstable; urgency=low
 
   * debian/control: Added Vcs-Svn field.
diff -Nru cvsweb-3.0.6/debian/control cvsweb-3.0.6/debian/control
--- cvsweb-3.0.6/debian/control	2011-10-27 23:23:35.0 +0200
+++ cvsweb-3.0.6/debian/control	2014-11-17 13:41:40.0 +0100
@@ -1,13 +1,12 @@
 Source: cvsweb
-Maintainer: Daniel Leidert (dale) daniel.leid...@wgdd.de
+Maintainer: Daniel Leidert dleid...@debian.org
 Section: vcs
 Priority: optional
 Build-Depends: debhelper ( 7.0.50~)
 Standards-Version: 3.9.2
 Homepage: http://www.freebsd.org/projects/cvsweb.html
-Vcs-Browser: https://svn.wgdd.de/svn/packages/cvsweb/trunk/
-Vcs-Svn: https://svn.wgdd.de/svn/packages/cvsweb/trunk/
-DM-Upload-Allowed: yes
+Vcs-Browser: http://anonscm.debian.org/viewvc/collab-maint/deb-maint/cvsweb/trunk/
+Vcs-Svn: svn://anonscm.debian.org/collab-maint/deb-maint/cvsweb/trunk/
 
 Package: cvsweb
 Architecture: all
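
Review bot: The new Vcs-Browser and Vcs-Svn values switch from https URLs to `http://` and `svn://`, which are unauthenticated cleartext transports, so anyone fetching the packaging through these fields gets no integrity protection on the checkout. Use the https form of the hosting service if it offers one. The Maintainer address change in this hunk is also not mentioned in the changelog entry, and for an unblock request unrelated metadata changes are better listed explicitly.
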
diff -Nru cvsweb-3.0.6/debian/patches/733054_perl_518.patch cvsweb-3.0.6/debian/patches/733054_perl_518.patch
--- cvsweb-3.0.6/debian/patches/733054_perl_518.patch	1970-01-01 01:00:00.0 +0100
+++ cvsweb-3.0.6/debian/patches/733054_perl_518.patch	2015-02-17 12:16:26.0 +0100
@@ -0,0 +1,25 @@
+Origin: http://cvsweb.netbsd.org/bsdweb.cgi/~checkout~/pkgsrc/www/cvsweb/patches/patch-cvsweb.cgi?rev=1.1.2.2content-type=text/plain
+Acked-by: Daniel Leidert dleid...@debian.org
+Description: Add Perl 5.18 compatibility.
+Bug-Debian: https://bugs.debian.org/733054
+
+--- a/cvsweb.cgi
 b/cvsweb.cgi
+@@ -1192,7 +1192,7 @@
+ legendGeneral options/legend
+ input type=hidden name=copt value=1 /
+ EOF
+-  

Bug#778704: marked as done (unblock: libgtk2-perl/1.2492-4)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 19:23:13 +
with message-id 1424287393.10789.3.ca...@adam-barratt.org.uk
and subject line Re: Bug#778704: unblock: libgtk2-perl/1.2492-4
has caused the Debian Bug report #778704,
regarding unblock: libgtk2-perl/1.2492-4
to be marked as done.



-- 
778704: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778704
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgtk2-perl

The only change it contains is a security fix cherry-picked from upstream,
and the corresponding test case.

I'm in the process of convincing them to ask a CVE, and of preparing
a security upload for Wheezy.

unblock libgtk2-perl/1.2492-4

Thanks!
diff -Nru libgtk2-perl-1.2492/debian/changelog libgtk2-perl-1.2492/debian/changelog
--- libgtk2-perl-1.2492/debian/changelog	2014-08-29 23:46:41.0 +0200
+++ libgtk2-perl-1.2492/debian/changelog	2015-02-18 19:53:25.0 +0100
@@ -1,3 +1,10 @@
+libgtk2-perl (2:1.2492-4) unstable; urgency=high
+
+  * Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch:
+new patch, cherry-picked from upstream, that fixes a security issue.
+
+ -- intrigeri intrig...@debian.org  Wed, 18 Feb 2015 19:45:09 +0100
+
 libgtk2-perl (2:1.2492-3) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
diff -Nru libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
--- libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	1970-01-01 01:00:00.0 +0100
+++ libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	2015-02-18 19:53:25.0 +0100
@@ -0,0 +1,47 @@
+From: Torsten Schönfeld kaffeeti...@gmx.de
+Date: Sat, 17 Jan 2015 14:59:24 +0100
+Origin: https://git.gnome.org/browse/perl-Gtk2/commit/?id=4856da628ce37099b27b66a88141dc6daad693b0
+Applied-Upstream: 1.2495
+Subject: Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
+
+We do not own the returned list.
+---
+ t/GdkDisplay.t   | 4 +++-
+ xs/GdkDisplay.xs | 2 --
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/t/GdkDisplay.t b/t/GdkDisplay.t
+index d290446..f4aef59 100644
+--- a/t/GdkDisplay.t
 b/t/GdkDisplay.t
+@@ -1,7 +1,7 @@
+ #!/usr/bin/perl -w
+ use strict;
+ use Gtk2::TestHelper
+-  tests = 26,
++  tests = 27,
+   at_least_version = [2, 2, 0, GdkDisplay is new in 2.2];
+ 
+ # $Id$
+@@ -32,6 +32,8 @@ ok(!$display - pointer_is_grabbed());
+ # $display - beep();
+ $display - sync();
+ 
++# Do this twice to ensure we did not damage the list.
++isa_ok(($display - list_devices())[0], Gtk2::Gdk::Device);
+ isa_ok(($display - list_devices())[0], Gtk2::Gdk::Device);
+ 
+ $display - put_event(Gtk2::Gdk::Event - new(button-press));
+diff --git a/xs/GdkDisplay.xs b/xs/GdkDisplay.xs
+index f558f1d..a019eee 100644
+--- a/xs/GdkDisplay.xs
 b/xs/GdkDisplay.xs
+@@ -69,8 +69,6 @@ gdk_display_list_devices (display)
+ 	devices = gdk_display_list_devices (display);
+ 	for (i = devices ; i != NULL ; i = i-next)
+ 		XPUSHs (sv_2mortal (newSVGdkDevice (i-data)));
+-	g_list_free (devices);
+-	
+ 
+ GdkEvent* gdk_display_get_event (GdkDisplay *display) 
+ 
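
Review bot: The added test in t/GdkDisplay.t only asserts that element [0] of a second list_devices() call is a Gtk2::Gdk::Device, which may still pass with the old `g_list_free (devices);` in place, because freeing a list owned by GDK leads to undefined behaviour rather than a guaranteed failure. Comparing the device lists returned by the two calls (same length, same objects), or running the test under a memory checker during the build, would make the regression test reliable. The patch header would also benefit from a Bug-Debian or CVE reference once one is assigned, since the changelog describes this as a security fix.
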
diff -Nru libgtk2-perl-1.2492/debian/patches/series libgtk2-perl-1.2492/debian/patches/series
--- libgtk2-perl-1.2492/debian/patches/series	2014-08-29 23:46:41.0 +0200
+++ libgtk2-perl-1.2492/debian/patches/series	2015-02-18 19:53:25.0 +0100
@@ -1,3 +1,4 @@
 Make_t_GtkCellRenderer.t_more_robust.patch
 30-disable_libgtk_version_check.patch
 fix-typo.patch
+Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
---End Message---
---BeginMessage---
On Wed, 2015-02-18 at 20:10 +0100, intrigeri wrote:
> Please unblock package libgtk2-perl
>
> The only change it contains is a security fix cherry-picked from upstream,
> and the corresponding test case.

Unblocked, thanks.

Regards,

Adam---End Message---


Bug#771701: marked as done ((pre-approval) unblock: bareos/14.2.1+20141017gitc6c5b56-4)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 19:20:34 +0100
with message-id 20150218182034.gb1...@dogguy.org
and subject line Re: Bug#771701: (pre-approval) unblock: 
bareos/14.2.1+20141017gitc6c5b56-4
has caused the Debian Bug report #771701,
regarding (pre-approval) unblock: bareos/14.2.1+20141017gitc6c5b56-4
to be marked as done.



-- 
771701: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear RT,

I would like to get the fixes for the three currently open bugs in bareos
into jessie:
#769096 [i] [bareos-common] bareos-storage: unowned files after purge (policy 
6.8, 10.8): /etc/bareos/.rndpwd
#769536 [i] [bareos-database-common] bareos-database-common: circular 
dependency hell
#768606 [m] [bareos-database-common] bareos-database-common: probably wrong 2nd 
paragraph in package description

The first two are important and should meet the freeze rules, the last one
is minor, but should count as documentation change :)

The (filtered) diffstat looks like this:
 debian/bareos-common.postrm | 16 
 debian/control  | 11 ++-
 2 files changed, 22 insertions(+), 5 deletions(-)

I attach the debdiff against 14.2.1+20141017gitc6c5b56-3 to this message.
Missing from the diff: changelog (obviously) and d/control.in which is not
used in Debian at all.

If that looks sane to you, I'd love to hear a Go! from you :)

Hugs and thanks for all the work you do
Evgeni

PS, obvious hint would be:
 unblock bareos/14.2.1+20141017gitc6c5b56-4

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/bareos-common.postrm b/debian/bareos-common.postrm
new file mode 100644
index 000..6bcfc65
--- /dev/null
+++ b/debian/bareos-common.postrm
@@ -0,0 +1,16 @@
+#! /bin/sh
+
+set -e
+
+case $1 in
+  purge)
+rm -f /etc/bareos/.rndpwd
+;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/control b/debian/control
index 6ea5d85..f35057e 100644
--- a/debian/control
+++ b/debian/control
@@ -85,7 +85,7 @@ Package:bareos-common
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0, adduser
 Depends:openssl, ${shlibs:Depends}, ${misc:Depends}
-Conflicts:	bacula-director-common, bacula-common
+Conflicts:  bacula-director-common, bacula-common
 Description:Backup Archiving Recovery Open Sourced - common files
  Bareos is a set of programs to manage backup, recovery and verification of
  data across a network of computers of different kinds.
@@ -96,12 +96,13 @@ Description:Backup Archiving Recovery Open Sourced - common files
 Package:bareos-database-common
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0
-Depends:bareos-database-postgresql  (= ${binary:Version}) | bareos-database-mysql (= ${binary:Version}) | bareos-database-sqlite3 (= ${binary:Version}), bareos-common (= ${binary:Version}), dbconfig-common, lsb-base (= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
+Depends:bareos-common (= ${binary:Version}), dbconfig-common, lsb-base (= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
 Description: Backup Archiving Recovery Open Sourced - common catalog files
  Bareos is a set of programs to manage backup, recovery and verification of
  data across a network of computers of different kinds.
  .
- This package provides common files for the Bareos Director daemon.
+ This package provides generic abstraction libs and files to connect the Bareos
+ Director daemon to a database.
 
 
 Package:bareos-database-postgresql
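
Review bot: With the backend alternatives removed from the Depends of bareos-database-common, nothing in this stanza guarantees that a database backend is installed alongside the common catalog files; the requirement appears to move to bareos-database-tools in the next hunk. Please confirm that every package which needs a working catalog depends, directly or through bareos-database-tools, on one of bareos-database-postgresql, bareos-database-mysql or bareos-database-sqlite3, so that breaking the cycle does not allow an install without any backend.
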
@@ -145,7 +146,7 @@ Description: Backup Archiving Recovery Open Sourced - SQLite backend
 Package:bareos-database-tools
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0
-Depends:bareos-common (= ${binary:Version}), bareos-database-common (= ${binary:Version}), lsb-base (= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
+Depends:bareos-common (= ${binary:Version}), bareos-database-postgresql (= ${binary:Version}) | bareos-database-mysql (= 

Bug#777553: pu: package libfcgi/2.4.0-8

2015-02-18 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2015-02-09 at 19:53 -0800, Joe Damato wrote:
> On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org wrote:
>> Joe, if you get an ack from the release team on your upload for
>> libfcgi I can happily sponsor the upload itself.
>
> How do I go about doing that? Is there a separate email list I need to ping?

No, just be patient until we have replied. :-)

Please feel free to go ahead with the upload.

> I don't have a GPG key that is connected to Debian in any way. I can
> create a key and upload it to the MIT pgp server. Is that useful at
> all for the upload of my changes file? Not sure if signing with my key
> will help or just complicate things further. From what I read, I was
> under the impression that changes without signatures from GPG keys in
> the web of trust are not processed in the upload queue.

That's correct. You'd need someone with a known key to sponsor your
upload. According to his earlier mail, Salvatore is happy to do that, so
you shouldn't have to do anything further.

Regards,

Adam


-- 
Archive: https://lists.debian.org/1424286681.4278.10.ca...@adam-barratt.org.uk



Bug#777649: marked as done (unblock: cgmanager/0.33-2+deb8u1)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 20:07:06 +0100
with message-id 54e4e2da.7080...@thykier.net
and subject line Re: Bug#777649: cgmanager security update for jessie
has caused the Debian Bug report #777649,
regarding unblock: cgmanager/0.33-2+deb8u1
to be marked as done.



-- 
777649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Usertags: jessie-pu

A security issue was found in cgmanager, allowing root-owned privileged
containers to fully administer cgroups on the host.  Two other issues
were found which allow cgmanager to be crashed by unprivileged users.
These have all been fixed in sid. The debdiff below, against the current
jessie package, fixes them for jessie.

debdiff:

diff -Nru cgmanager-0.33/debian/changelog cgmanager-0.33/debian/changelog
--- cgmanager-0.33/debian/changelog 2014-10-13 18:35:43.0 -0500
+++ cgmanager-0.33/debian/changelog 2015-01-26 09:15:49.0 -0600
@@ -1,3 +1,16 @@
+cgmanager (0.33-3) testing; urgency=medium
+
+  * SECURITY UPDATE: Cross-cgroup resource control bypass.
+- debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch, modify
+  cgmanager.c to verify that requests are allowed under the caller's
+  cgroup.
+- CVE-2014-1425
+  * 0004-chown-stop-cgmanager-crash-on-chown-of-bad-file.patch and
+0005-prevent-some-cgmanager-asserts.patch: prevent cgmanager
+crashing on unhandled asserts or dbus error (LP: #1407787)
+
+ -- Serge Hallyn serge.hal...@ubuntu.com  Mon, 26 Jan 2015 09:12:02 -0600
+
 cgmanager (0.33-2) unstable; urgency=medium
 
   * Cherrypick two upstream patches to ensure that 'movepid all' continues
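
Review bot: The changelog entry is versioned `0.33-3` with distribution `testing`, while the request is titled cgmanager/0.33-2+deb8u1 and tagged jessie-pu, so the debdiff and the version being asked for do not match. Please regenerate the debdiff from the package actually intended for jessie, with the version and target suite that will be uploaded. CVE-2014-1425 is listed under the first patch only; say whether the two crash fixes have identifiers of their own.
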
diff -Nru 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
--- 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
1969-12-31 18:00:00.0 -0600
+++ 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
2015-01-26 09:15:58.0 -0600
@@ -0,0 +1,201 @@
+From 6267916d4ea939794e0583cd8b08bd0b9594a6e2 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn serge.hal...@ubuntu.com
+Date: Wed, 26 Nov 2014 01:00:10 -0600
+Subject: [PATCH 1/1] make sure to check cgroup hierarchy
+
+Some cases weren't doing that, although at least those were still
+checking for proper ownership.
+
+Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
+---
+ cgmanager.c |   85 

+ 1 file changed, 80 insertions(+), 5 deletions(-)
+
+Index: cgmanager-0.33/cgmanager.c
+===
+--- cgmanager-0.33.orig/cgmanager.c
 cgmanager-0.33/cgmanager.c
+@@ -558,13 +558,20 @@ next:
+ int get_value_main(void *parent, const char *controller, const char *cgroup,
+   const char *key, struct ucred p, struct ucred r, char **value)
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   nih_error(%s: unsafe cgroup, __func__);
+   return -1;
+   }
+ 
++  // Get p's current cgroup in pcgpath
++  if (!compute_pid_cgroup(p.pid, controller, , pcgpath, NULL)) {
++  nih_error(%s: Could not determine the proxy's cgroup for %s,
++  __func__, controller);
++  return -1;
++  }
++
+   if (!compute_pid_cgroup(r.pid, controller, cgroup, path, NULL)) {
+   nih_error(%s: Could not determine the requested cgroup 
(%s:%s),
+ __func__, controller, cgroup);
+@@ -577,6 +584,14 @@ int get_value_main(void *parent, const c
+   return -1;
+   }
+ 
++  // Make sure target cgroup is under proxy's
++  int plen = strlen(pcgpath);
++  if (strncmp(pcgpath, path, plen) != 0) {
++  nih_error(%s: target cgroup is not below r (%d)'s, __func__,
++  r.pid);
++  return -1;
++  }
++
+   /* append the filename */
+   if (strlen(path) + strlen(key) + 2  MAXPATHLEN) {
+   nih_error(%s: filename too long for cgroup %s key %s, 
__func__, path, key);
+@@ -608,19 +623,34 @@ int set_value_main(const char *controlle
+   struct ucred r)
+ 
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   
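
Review bot: The containment check `strncmp(pcgpath, path, plen) != 0` in get_value_main is a plain string-prefix comparison, so a target such as `/a/bc` passes when the proxy's cgroup is `/a/b`; it needs a boundary test as well, for example requiring `path[plen]` to be `'\0'` or `'/'` (or that pcgpath already ends in `/`). The accompanying error text says the target is not below `r (%d)'s` and prints r.pid, although the comparison is against the proxy p's cgroup, which will mislead anyone reading the log. `plen` should also be `size_t` to match the return type of strlen.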

Processed: Re: Bug#777553: pu: package libfcgi/2.4.0-8

2015-02-18 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + confirmed
Bug #777553 [release.debian.org] pu: package libfcgi/2.4.0-8
Added tag(s) confirmed.

-- 
777553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777553
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
Archive: 
https://lists.debian.org/handler.s.b777553.142428669018098.transcr...@bugs.debian.org



Bug#775506: unblock: tbb/4.2~20140122-4

2015-02-18 Thread Mehdi Dogguy
On Wed, Feb 18, 2015 at 10:35:38AM +0800, Steven Capper steven.cap...@gmail.com wrote:
> Hi,
> arm64 should be building in -5, so shouldn't the arm64 reverse
> dependencies be unaffected?
> Under mips, mipsel, and s390x tbb fails to build unit tests due to
> missing/incorrect gcc atomics. I have very little confidence in the
> functional correctness of the reverse dependencies, so I would be
> inclined to remove them to be safe.

Ok. Thanks for the confirmation. I've followed up on Bug#775263 and
asked for the removal of old binaries and reverse dependencies. Once
that is done, we will be able to unblock tbb.

Regards,

-- 
Mehdi Dogguy


-- 
Archive: https://lists.debian.org/20150218190121.gd1...@dogguy.org



Bug#778622: wheezy-pu: package vigor/0.016-19+deb7u1

2015-02-18 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2015-02-17 at 15:33 +, Colin Watson wrote:
> I'd like to upload the following patch to stable-proposed-updates to fix
> #778409, which the security team doesn't think warrants a DSA (and
> honestly I'd have to agree).  Would this be OK?  It matches 0.016-24 in
> unstable.

Please go ahead; thanks.

Regards,

Adam


-- 
Archive: https://lists.debian.org/1424286391.4278.7.ca...@adam-barratt.org.uk



Bug#778704: unblock: libgtk2-perl/1.2492-4

2015-02-18 Thread intrigeri
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgtk2-perl

The only change it contains is a security fix cherry-picked from upstream,
and the corresponding test case.

I'm in the process of convincing them to ask for a CVE, and of preparing
a security upload for Wheezy.

unblock libgtk2-perl/1.2492-4

Thanks!
diff -Nru libgtk2-perl-1.2492/debian/changelog libgtk2-perl-1.2492/debian/changelog
--- libgtk2-perl-1.2492/debian/changelog	2014-08-29 23:46:41.0 +0200
+++ libgtk2-perl-1.2492/debian/changelog	2015-02-18 19:53:25.0 +0100
@@ -1,3 +1,10 @@
+libgtk2-perl (2:1.2492-4) unstable; urgency=high
+
+  * Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch:
+new patch, cherry-picked from upstream, that fixes a security issue.
+
+ -- intrigeri intrig...@debian.org  Wed, 18 Feb 2015 19:45:09 +0100
+
 libgtk2-perl (2:1.2492-3) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
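Review bot: the new changelog entry says only that the patch "fixes a security issue", with no bug number and no description of the flaw. The patch header already states the cause (list_devices freed a list it does not own), so say that in the entry and add a Closes: reference, plus the CVE id once one is assigned, so the security tracker and the planned Wheezy upload can be matched to this change.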
diff -Nru libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
--- libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	1970-01-01 01:00:00.0 +0100
+++ libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	2015-02-18 19:53:25.0 +0100
@@ -0,0 +1,47 @@
+From: Torsten Schönfeld kaffeeti...@gmx.de
+Date: Sat, 17 Jan 2015 14:59:24 +0100
+Origin: https://git.gnome.org/browse/perl-Gtk2/commit/?id=4856da628ce37099b27b66a88141dc6daad693b0
+Applied-Upstream: 1.2495
+Subject: Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
+
+We do not own the returned list.
+---
+ t/GdkDisplay.t   | 4 +++-
+ xs/GdkDisplay.xs | 2 --
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/t/GdkDisplay.t b/t/GdkDisplay.t
+index d290446..f4aef59 100644
+--- a/t/GdkDisplay.t
 b/t/GdkDisplay.t
+@@ -1,7 +1,7 @@
+ #!/usr/bin/perl -w
+ use strict;
+ use Gtk2::TestHelper
+-  tests = 26,
++  tests = 27,
+   at_least_version = [2, 2, 0, GdkDisplay is new in 2.2];
+ 
+ # $Id$
+@@ -32,6 +32,8 @@ ok(!$display - pointer_is_grabbed());
+ # $display - beep();
+ $display - sync();
+ 
++# Do this twice to ensure we did not damage the list.
++isa_ok(($display - list_devices())[0], Gtk2::Gdk::Device);
+ isa_ok(($display - list_devices())[0], Gtk2::Gdk::Device);
+ 
+ $display - put_event(Gtk2::Gdk::Event - new(button-press));
+diff --git a/xs/GdkDisplay.xs b/xs/GdkDisplay.xs
+index f558f1d..a019eee 100644
+--- a/xs/GdkDisplay.xs
 b/xs/GdkDisplay.xs
+@@ -69,8 +69,6 @@ gdk_display_list_devices (display)
+ 	devices = gdk_display_list_devices (display);
+ 	for (i = devices ; i != NULL ; i = i-next)
+ 		XPUSHs (sv_2mortal (newSVGdkDevice (i-data)));
+-	g_list_free (devices);
+-	
+ 
+ GdkEvent* gdk_display_get_event (GdkDisplay *display) 
+ 
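Review bot: the added test in t/GdkDisplay.t only checks that the first element of a second list_devices() call is still a Gtk2::Gdk::Device, which can pass against the old code too if the freed list memory has not been reused yet. Dropping g_list_free (devices) in xs/GdkDisplay.xs matches the stated reason that the list is not owned by the caller; running the test under a memory checker such as valgrind against the unpatched build would confirm the test really catches the regression.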
diff -Nru libgtk2-perl-1.2492/debian/patches/series libgtk2-perl-1.2492/debian/patches/series
--- libgtk2-perl-1.2492/debian/patches/series	2014-08-29 23:46:41.0 +0200
+++ libgtk2-perl-1.2492/debian/patches/series	2015-02-18 19:53:25.0 +0100
@@ -1,3 +1,4 @@
 Make_t_GtkCellRenderer.t_more_robust.patch
 30-disable_libgtk_version_check.patch
 fix-typo.patch
+Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch


Bug#778254: marked as done (release.debian.org: jessie's new kernel breaks openafs-modules-dkms)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 13:57:47 -0500 (EST)
with message-id alpine.gso.1.10.1502181356210.3...@multics.mit.edu
and subject line Re: release.debian.org: jessie's new kernel breaks 
openafs-modules-dkms
has caused the Debian Bug report #778254,
regarding release.debian.org: jessie's new kernel breaks openafs-modules-dkms
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal

Bug #778196 was filed against openafs-modules-dkms to note that the
latest kernel to hit jessie (which was the unblock request in #776899)
causes the DKMS module to fail to build.  The new kernel introduced a
KPI change for accesses to the d_alias field of struct dentry, which must
now be made through the d_u union.

I updated openafs in sid to include upstream's patches for new linux support
(including the d_u change) when the new kernel hit sid, but that update
also included a new translation and several bugfixes of various severity.
Additionally, openafs in sid has a newer upstream version than openafs
in jessie, due to excessive optimism on my part in the lead up to freeze.
(It is also the case that nearly every upstream update for openafs includes
support for new linux versions, since the KPI is a moving target, so
I am used to having to pull in new upstream versions regularly.)

The version in jessie also does not have native systemd support, and it
remains unclear whether the systemd sysv compat is causing problems for
jessie users that native unit files could resolve (#760063) -- for at
least some users, the issue seems to have mysteriously gone away but
there is no openafs or systemd change which obviously should have resolved
things.

The question is, how should we resolve the situation for jessie?  It
seems like the most likely answer is a minimal patch uploaded to
testing-proposed-updates, but I wanted to ask the release team whether
there were other options, such as unblocking the openafs currently in
sid (even though it is a new upstream version).

It is probably worth noting that openafs is a leaf package.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
---End Message---
---BeginMessage---
From IRC:

   oftc / #debian-release / kaduk_  14:28  ()
   Did I provide sufficient information in #778254 for the release-team to be able
   to give me guidance for what to do?
   oftc / #debian-release / zwiebelbot  14:28  (zwiebelbot!~zwie...@zwiebel.bot.oftc.net
   Debian#778254: release.debian.org: jessie's new kernel breaks
   openafs-modules-dkms - https://bugs.debian.org/778254
   oftc / #debian-release / nthykier  14:29  (nthykier!~nthyk...@cheddar.halon.org.uk)
   kaduk_: probably it is TL;DR - sadly that is a common problem for us these days
   oftc / #debian-release / kaduk_  14:30  ()
   Ah.  There's always too many things to do, I suppose.
   oftc / #debian-release / nthykier  14:34  (nthykier!~nthyk...@cheddar.halon.org.uk)
   kaduk_: ok, the changes in the sid version are definitely TL;DR - I would be
   uncomfortable with unblocking that blob
   oftc / #debian-release / kaduk_  14:35  ()
   nthykier: okay, so I must to t-p-u as I suspected, then.
   oftc / #debian-release / kaduk_  14:36  ()
   And hope that there are no more KPI-breaking kernel security updates in the
   future.
   oftc / #debian-release / nthykier  14:36  (nthykier!~nthyk...@cheddar.halon.org.uk)
   kaduk_: yes, I would strongly recommend going that route - though, there is a
   limit to what we accept via tpu.  If it is a sufficiently large changeset, we
   may request it being via sid (reverting the previous upload)
   oftc / #debian-release / kaduk_  14:37  ()
   nthykier: I think the smallest-scoped fix to just cope with the KPI change would
   be quite small, but would leave things in a more fragile state if there are
   further kernel updates in the future.
   oftc / #debian-release / nthykier  14:42  (nthykier!~nthyk...@cheddar.halon.org.uk)
   kaduk_: and a slightly larger variant might be more robust?
   oftc / #debian-release / kaduk_  14:43  ()
   nthykier: I think so, but I would have to double-check.
   oftc / 

Processed: Re: Bug#778622: wheezy-pu: package vigor/0.016-19+deb7u1

2015-02-18 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + confirmed
Bug #778622 [release.debian.org] wheezy-pu: package vigor/0.016-19+deb7u1
Added tag(s) confirmed.

-- 
778622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778622
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#771208: unblock: busybox/1:1.22.0-14

2015-02-18 Thread Mehdi Dogguy
On Thu, Dec 11, 2014 at 08:52:05AM +0100, Ivo De Decker iv...@debian.org 
wrote:
 
 Could you do a new upload with only the security fix?
 

I just did so and uploaded 1:1.22.0-9+deb8u1 to t-p-u.

Regards,

-- 
Mehdi Dogguy





Bug#778665: unblock: logol/1.7.0-2

2015-02-18 Thread Adam D. Barratt
On Wed, 2015-02-18 at 21:25 +0100, Mehdi Dogguy wrote:
 On Wed, Feb 18, 2015 at 06:21:05AM +, olivier sallou 
 olivier.sal...@gmail.com wrote:
  Package: release.debian.org
  Severity: normal
  User: release.debian@packages.debian.org
  Usertags: unblock
  X-CC: debian-...@lists.debian.org
  
  Please unblock package logol
  
 
 I have to admit that I have trouble making a decision in this case.
 If we are going to remove gridengine, then I'd remove logol as well
 because:

I'm confused. My understanding from the thread ending at
https://lists.debian.org/950673988.3780910.1423380824041.javamail.zim...@irisa.fr
 was that we were keeping the drmaa package.

[...]
 Also, I wonder if it is a good time to remove gridengine at all. It is
 not like it needed many updates in stable or oldstable to worry about it.
 My preference would be to keep gridengine and not bother ourselves.

http://lists.alioth.debian.org/pipermail/pkg-gridengine-devel/2014-October/000737.html
 says It should be removed in its current state, particularly as the 
configuration is totally insecure and doesn't ship the components to secure it 
and the package has been RFH for nearly two years. Given that and the 
discussion in #776131, I'm not sure keeping the package in its current state is 
the best idea.

Regards,

Adam





Bug#771208: unblock: busybox/1:1.22.0-14

2015-02-18 Thread Cyril Brulebois
Mehdi Dogguy me...@dogguy.org (2015-02-18):
 On Thu, Dec 11, 2014 at 08:52:05AM +0100, Ivo De Decker iv...@debian.org 
 wrote:
  
  Could you do a new upload with only the security fix?
  
 
 I just did so and uploaded 1:1.22.0-9+deb8u1 to t-p-u.

Please push both your jessie branch and tag to git.

Mraw,
KiBi.




Bug#778713: marked as done (unblock: krb5/1.12.1+dfsg-18)

2015-02-18 Thread Debian Bug Tracking System
Your message dated Wed, 18 Feb 2015 22:34:47 +0100
with message-id 20150218213447.gg1...@dogguy.org
and subject line Re: Bug#778713: unblock: krb5/1.12.1+dfsg-18
has caused the Debian Bug report #778713,
regarding unblock: krb5/1.12.1+dfsg-18
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778713
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#771208: unblock: busybox/1:1.22.0-14

2015-02-18 Thread Mehdi Dogguy
On Wed, Feb 18, 2015 at 10:30:50PM +0100, Cyril Brulebois k...@debian.org 
wrote:
 Mehdi Dogguy me...@dogguy.org (2015-02-18):
  On Thu, Dec 11, 2014 at 08:52:05AM +0100, Ivo De Decker iv...@debian.org 
  wrote:
   
   Could you do a new upload with only the security fix?
   
  
  I just did so and uploaded 1:1.22.0-9+deb8u1 to t-p-u.
 
 Please push both your jessie branch and tag to git.
 

I don't have write access to d-i repos. I'd rather let someone else
import the .dsc and push it back to alioth.

-- 
Mehdi Dogguy





Bug#771208: unblock: busybox/1:1.22.0-14

2015-02-18 Thread Cyril Brulebois
Mehdi Dogguy me...@dogguy.org (2015-02-18):
 On Wed, Feb 18, 2015 at 10:30:50PM +0100, Cyril Brulebois k...@debian.org 
 wrote:
  Please push both your jessie branch and tag to git.
 
 I don't have write access to d-i repos.

Wrong.

Mraw,
KiBi.




Bug#778665: unblock: logol/1.7.0-2

2015-02-18 Thread Mehdi Dogguy
On Wed, Feb 18, 2015 at 06:21:05AM +, olivier sallou 
olivier.sal...@gmail.com wrote:
 Package: release.debian.org
 Severity: normal
 User: release.debian@packages.debian.org
 Usertags: unblock
 X-CC: debian-...@lists.debian.org
 
 Please unblock package logol
 

I have to admit that I have trouble making a decision in this case.
If we are going to remove gridengine, then I'd remove logol as well
because:
a) I don't know if releasing w/o DRMAA support in logol makes much sense.
   Does it?
b) It was not part of past stable releases.
c) I am not comfortable with the introduced changes to remove DRMAA support.

Also, I wonder if it is a good time to remove gridengine at all. It is
not like it needed many updates in stable or oldstable to worry about it.
My preference would be to keep gridengine and not bother ourselves.

Any other opinions from the team?

Regards,

-- 
Mehdi Dogguy





Bug#778673: unblock: suricata/2.0.6-2

2015-02-18 Thread Julien Cristau
On Wed, Feb 18, 2015 at 18:44:16 +0100, Arturo Borrero Gonzalez wrote:

 On 18 February 2015 at 18:01, Julien Cristau jcris...@debian.org wrote:
  On Wed, Feb 18, 2015 at 11:54:04 +0100, Arturo Borrero Gonzalez wrote:
 
  Package: release.debian.org
  Severity: normal
  User: release.debian@packages.debian.org
  Usertags: unblock
 
  Please unblock package suricata
 
  We just uploaded to unstable a new suricata version (2.0.6-2) which
  would require another unblock to enter jessie.
 
  This is the debdiff, which was generated with (unfiltered):
   % debdiff suricata_2.0.6-1.dsc suricata_2.0.6-2.dsc
 
  The libhtp.so symlink should not be installed either, so you shouldn't
  need any conflicts with libhtp-dev.
 
 
 Is OK to upload a -3 with no symlink and request again for unblock?
 
Sure.

Cheers,
Julien




Bug#776748: (pre-approval) unblock: libxml2/2.9.1+dfsg1-5 (via t-p-u)

2015-02-18 Thread Julien Cristau
On Thu, Feb 12, 2015 at 23:37:48 +0800, Aron Xu wrote:

 On Wed, Feb 11, 2015 at 5:59 AM, Julien Cristau jcris...@debian.org wrote:
  On Tue, Feb  3, 2015 at 04:02:51 +0800, Aron Xu wrote:
 
  Updated version of debdiff, removing the -O3 change.
 
  The changelog still says build with -O3.
 
 
 Updated as attached.
 
Go ahead, thanks.

Cheers,
Julien




Bug#778713: unblock: krb5/1.12.1+dfsg-18

2015-02-18 Thread Benjamin Kaduk
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package krb5

Upstream released a patch for CVE-2014-5355, a NULL dereference
or out-of-bounds read in krb5_recvauth().  It is not clear that any
aging is necessary; perhaps the security team will request some.

The attached debdiff includes upstream's commit message, which includes
more details about the issue.

unblock krb5/1.12.1+dfsg-18

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog
--- krb5-1.12.1+dfsg/debian/changelog	2015-02-03 10:33:39.0 -0500
+++ krb5-1.12.1+dfsg/debian/changelog	2015-02-18 12:52:19.0 -0500
@@ -1,3 +1,9 @@
+krb5 (1.12.1+dfsg-18) unstable; urgency=high
+
+  * Import upstream patch for CVE-2014-5355, Closes: #778647
+
+ -- Benjamin Kaduk ka...@mit.edu  Wed, 18 Feb 2015 12:52:14 -0500
+
 krb5 (1.12.1+dfsg-17) unstable; urgency=high
 
   * MITKRB5-SA-2015-001
diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm
--- krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-03 10:33:39.0 -0500
+++ krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-18 12:39:54.0 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-769a3f26c919339002ef2936592a90d144d0e238
-769a3f26c919339002ef2936592a90d144d0e238
+200a429df2c47467eb3a0973eb7594a475cc18fe
+200a429df2c47467eb3a0973eb7594a475cc18fe
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 krb5_1.12.1+dfsg.orig.tar.gz
diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series
--- krb5-1.12.1+dfsg/debian/patches/series	2015-02-03 10:33:39.0 -0500
+++ krb5-1.12.1+dfsg/debian/patches/series	2015-02-18 12:39:54.0 -0500
@@ -27,3 +27,4 @@
 upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch
 0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch
 upstream/0029-MITKRB5-SA-2015-0001.patch
+upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
--- krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	1969-12-31 19:00:00.0 -0500
+++ krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	2015-02-18 12:39:54.0 -0500
@@ -0,0 +1,112 @@
+From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001
+From: Greg Hudson ghud...@mit.edu
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings.  Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence.  krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions.  If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash.  If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons.  These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to 
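Review bot: the commit message says uuserver now checks that the received principal name is null-terminated, and it also says an empty octet sequence leaves the data pointer NULL, so that check has to reject a zero length before it looks at the last byte. The hunk is announced as 112 lines but stops here inside the commit message, so the recvauth_common and uuserver code changes themselves need to be read from the full debdiff before approving.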

Bug#778295: OAR 2.5.4-2 patch 3

2015-02-18 Thread Pierre Neyron
Hi Mehdi,

To me, this bug is critical, because it makes the use of the moldable
jobs feature break the advance reservation feature, and both features
are important to users of OAR.

Moldable jobs are especially used in the case of heterogeneous clusters
(e.g. clusters composed of nodes of 2 or more different hardware
specifications, because of a purchase in 2 or more phases for instance).
In that case, a job must be described with several choices of
specifications (e.g. # of cores + total time of execution), one for each
of the different homogeneous subsets of the cluster.
This is quite a common case, met in many installations of OAR.
The advance reservation feature is wanted by users who need to interact
with their job, thus be able to program the job execution time in order
to be sure to be present in front of the machines. This feature is used
a lot in research testbeds like Grid'5000 (www.grid5000.fr).

I would admit that using both the moldable job feature and the advance
reservation feature in the same use case (by the same user) is not so likely
to happen (which also explains why the bug wasn't noticed before the
release). But having both users submitting moldable jobs and users
making advance reservations will happen (the bug was reported quite
quickly actually).

For ref, the error log is the following:

[debug] [2015-02-18 21:35:26.373] [MetaSched] Begin processing of waiting reservations (accepted reservations which do not have assigned resources yet)
[debug] [2015-02-18 21:35:26.376] [MetaSched] [2] job is (0,u:,,)
[debug] [2015-02-18 21:35:26.379] [MetaSched] [2] add job occupation in gantt (0,,,)
[debug] [2015-02-18 21:35:26.379] [MetaSched] [2] Add job in database
Use of uninitialized value in vec at /usr/lib/oar/oar_meta_sched line 342.
Use of uninitialized value $r in vec at /usr/lib/oar/oar_meta_sched line 357.
[debug] [2015-02-18 21:35:26.380] [MetaSched] End processing of waiting reservations
DBD::Pg::db do failed: ERROR:  syntax error at or near )
LINE 2:   VALUES (3,)
^ at /usr/share/perl5/OAR/IO.pm line 6270.

Job 1 is a moldable job here, then job 2's scheduling causes errors in
the code of the scheduler. As a result it is not scheduled, nor executed.

The administrator of the cluster will have no clue else than install the
next release of OAR, or the patched version.

Last info: The patch actually fixes another bug, regarding the clean-up
of the resource tree structure (calls to
delete_tree_nodes_with_not_enough_resources). This is a regression bug.
It is part of the patch because it was in the same commit in the
upstream VCS.
We could consider that second issue separately, but I think it is worth
being fixed as well, eventually as a whole.

Hope I convinced you.

Thanks for your time
Best regards,
Pierre





Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-18 Thread Michael Gilbert
package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock
severity: normal
x-debbugs-cc: debian-b...@lists.debian.org

Please consider unblocking bind9.  It fixes a new security issue.

unblock bind9/9.9.5.dfsg-9
unblock-udeb bind9/9.9.5.dfsg-9
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,10 @@
+bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
+
+  * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
+affecting setups using DNSSEC (closes: #778733).
+
+ -- Michael Gilbert mgilb...@debian.org  Thu, 19 Feb 2015 03:42:21 +
+
 bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
 
   * Launch rndc command in the background in networking scripts to avoid a
only in patch2:
unchanged:
--- bind9-9.9.5.dfsg.orig/lib/dns/zone.c
+++ bind9-9.9.5.dfsg/lib/dns/zone.c
@@ -8496,6 +8496,12 @@
 	 namebuf, tag);
 trustkey = ISC_TRUE;
 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
 		}
 
 		/* Delete old version */
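Review bot: the new else branch leaves the loop iteration with continue, so for a key that is neither previously known nor secure everything after this point in the iteration is skipped, including the "Delete old version" step visible just below. Please confirm that nothing set up earlier in the iteration for this key needs releasing before the continue, and that leaving the old version in place is the intended outcome for this case.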
@@ -8544,7 +8550,7 @@
 			trust_key(zone, keyname, dnskey, mctx);
 		}
 
-		if (!deletekey)
+		if (secure  !deletekey)
 			set_refreshkeytimer(zone, keydata, now);
 	}
 
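Review bot: with the condition now requiring secure, set_refreshkeytimer() is no longer called for a key when validation was not secure, so check that some other path still schedules the next refresh for the zone; otherwise a transient validation failure could leave the managed key without a retry. The operator between secure and !deletekey is also missing in this copy of the diff, so the change should be applied from the original attachment rather than from this text.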


Processed: your mail

2015-02-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tag 778492 -moreinfo
Bug #778492 [release.debian.org] unblock: ndisc6/1.0.1-2
Removed tag(s) moreinfo.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
778492: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#778665: unblock: logol/1.7.0-2

2015-02-18 Thread olivier sallou
On Wed Feb 18 2015 at 9:25:56 PM, Mehdi Dogguy me...@dogguy.org wrote:

 On Wed, Feb 18, 2015 at 06:21:05AM +, olivier sallou 
 olivier.sal...@gmail.com wrote:
  Package: release.debian.org
  Severity: normal
  User: release.debian@packages.debian.org
  Usertags: unblock
  X-CC: debian-...@lists.debian.org
 
  Please unblock package logol
 

 I have to admit that I have trouble making a decision in this case.
 If we are going to remove gridengine, then I'd remove logol as well
 because:
 a) I don't know if releasing w/o DRMAA support in logol makes much sense.
Does it?


Yes it does. Logol works in local mode or drmaa mode. Here we just remove
the drmaa mode.

b) It was not part of past stable releases.


As it did not exist before, it could not be in previous stable releases

c) I am not comfortable with the introduced changes to remove DRMAA support.

I am the author of the software, so I can tell you changes are fine. We
just remove the drmaa support option.


 Also, I wonder if it is a good time to remove gridengine at all. It is
 not like it needed many updates in stable or oldstable to worry about it.
 My preference would be to keep gridengine and not bother ourselves.


Keeping gridengine would be fine for me  ;-)
But the bug causing the gridengine removal (and consequently logol)
contains quite a lot of discussions already. It seems that the current release
contains security issues and maintenance issues.

Olivier


 Any other opinions from the team?

 Regards,

 --
 Mehdi Dogguy



Bug#776095: wheezy-pu: package sudo/1.8.5p2-1+nmu2

2015-02-18 Thread Salvatore Bonaccorso
Hi Adam and Andreas,

On Sun, Jan 25, 2015 at 02:10:49PM +, Adam D. Barratt wrote:
 Control: tags -1 + confirmed
 
 On Fri, 2015-01-23 at 22:38 +0100, Andreas Beckmann wrote:
  I'd like to get a fix into wheezy to avoid dpkg complaining about
  modified conffiles if /etc/sudoers is the unmodified version from lenny
  (this happens on lenny -> squeeze -> wheezy upgrades). #660594
  Fix is backported from 1.8.7-1, but adding only the md5sum from the
  lenny config. Verified in piuparts that this allows smooth upgrades.
 
 Please go ahead.
 
  Version number is nonstandard since the wheezy version has a weird
  version. Better suggestions welcome.
 
 -1+deb7u1 would sort wrongly and -1+nmu1+deb7u1 looks fairly weird as
 well. -1+nmu2 will do, under the circumstances.

Could you please delay this upload until the update through
security.d.o for sudo is done? We have uploaded there and already
built, addressing
https://security-tracker.debian.org/tracker/CVE-2014-9680

Regards,
Salvatore


-- 
Archive: https://lists.debian.org/20150219074814.GA18315@eldamar.local



Bug#778492: unblock: ndisc6/1.0.1-2

2015-02-18 Thread Michael Gilbert
On Tue, Feb 17, 2015 at 10:03 AM, Mehdi Dogguy  wrote:
 Wouldn't that break the installer? ... since netcfg is installing rdnssd
 and network-manager is being installed by default.

I don't see why it would.  Yes, rdnssd-udeb is used by netcfg in the
d-i environment but network-manager is not present there, and
in-target network-manager will certainly get installed for most
tasksel options, but rdnssd will not.

So I don't see any reason to expect conflict.

Best wishes,
Mike


-- 
Archive: 
https://lists.debian.org/CANTw=mngg4n5bzg4js1qd9gurq7qtwxfrndmufh+myolcem...@mail.gmail.com



Bug#777553: pu: package libfcgi/2.4.0-8

2015-02-18 Thread Salvatore Bonaccorso
Hi Adam, hi Joe,

On Wed, Feb 18, 2015 at 07:11:22PM +, Adam D. Barratt wrote:
 Control: tags -1 + confirmed
 
 On Mon, 2015-02-09 at 19:53 -0800, Joe Damato wrote:
  On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org 
  wrote:
   Joe, if you get an ack from the release team on your upload for
   libfcgi I can happily sponsor the upload itself.
  
  How do I go about doing that? Is there a separate email list I need to ping?
 
 No, just be patient until we have replied. :-)
 
 Please feel free to go ahead with the upload.
 
  I don't have a GPG key that is connected to Debian in any way. I can
  create a key and upload it to the MIT pgp server. Is that useful at
  all for the upload of my changes file? Not sure if signing with my key
  will help or just complicate things further. From what I read, I was
  under the impression that changes without signatures from GPG keys in
  the web of trust are not processed in the upload queue.
 
 That's correct. You'd need someone with a known key to sponsor your
 upload. According to his earlier mail, Salvatore is happy to do that, so
 you shouldn't have to do anything further.

I have just uploaded the package prepared by Joe to ftp-master.

Regards,
Salvatore


-- 
Archive: https://lists.debian.org/20150219050500.GA27789@eldamar.local



Bug#778636: unblock: cvsweb/3:3.0.6-8

2015-02-18 Thread Daniel Leidert
On Tuesday, 17.02.2015, at 19:44 +0100, Mehdi Dogguy wrote:
 On 2015-02-17 19:06, Daniel Leidert wrote:
  There is an incompatibility with Perl 5.18, which can be fixed by the
  patch added in 3:3.0.6-8. The bug itself has been reported with severity
  important. However the reporter speaks about errors.

I can verify that version 3:3.0.6-7 results in a 500 error from the
server, so it doesn't work at all. Thus a higher severity is justified.

 Is this relevant for Perl >=5.18, or 5.18 only? Did you test your
 changes using Perl 5.14 too? (so that it keeps working even after a
 partial upgrade).

I tested with both Perl versions. The patch consists of two changes and
I'll explain both below.

(1) The use of for my $var qw() has already been deprecated with Perl
5.14 [1] in Wheezy. cvsweb in Wheezy logs a warning here:

 Use of qw(...) as parentheses is deprecated at /usr/lib/cgi-bin/cvsweb line 1197.

So the fix applied in -8 works with Perl 5.14 too and further fixes the
one remaining loop without parentheses (there are 3 more for-loops in
the script, in which the qw() is already correctly surrounded by
parentheses). With Perl 5.18 cvsweb stops working, reporting a syntax
error. This change is vital for Wheezy.

(2) The second change fixes a warning reported by Perl 5.18:

 defined(@array) is deprecated at /usr/lib/cgi-bin/cvsweb line 2956.

Seems, the defined() call is [..] not useful on arrays because it
checks for an undefined scalar value [..]. To achieve the same a simple
if (@array) {...} is enough. So the second change should be safe and
it works with Perl 5.14 too.

[1] http://blogs.perl.org/users/rurban/2010/09/qw-in-list-context-deprecated.html

Regards, Daniel


-- 
Archive: https://lists.debian.org/1424266856.7707.13.ca...@wgdd.de
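
The two constructs described in the mail above (qw() used as loop parentheses, and defined() applied to an array) can be located in a Perl script with a line-based check before a Perl upgrade. This is an added example, not part of the original mail or of cvsweb; the name scan_perl and the sample script are constructed for illustration, and the patterns are heuristics, not a Perl parser.

```python
import re

# Heuristic, line-based patterns for the two constructs named in the mail.
# Assumption: whole-line comments are skipped; nothing else is parsed.
CHECKS = {
    # for my $var qw(...)  -> deprecated in 5.14, syntax error in 5.18
    "qw-as-parentheses": re.compile(
        r"\bfor(?:each)?\s+(?:(?:my|our)\s+)?\$\w+\s+qw\b"),
    # defined(@array) or defined @array -> deprecation warning in 5.18
    "defined-on-array": re.compile(r"\bdefined\s*\(?\s*@\w+"),
}


def scan_perl(source):
    """Return (line_number, check_name, stripped_line) for every hit."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment (also skips the shebang)
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings


# Constructed sample script, not taken from cvsweb.
SAMPLE = """\
#!/usr/bin/perl
use strict;
my @files = ('a', 'b');
# for my $old qw(x y) { }   (comment, ignored)
for my $opt qw(hideattic sortby) {
    print "$opt\\n";
}
for my $opt (qw(logsort diffs)) {
    print "$opt\\n";
}
if (defined(@files)) { print "set\\n"; }
if (@files) { print "non-empty\\n"; }
if (defined($files[0])) { print "first\\n"; }
"""

if __name__ == "__main__":
    for number, name, text in scan_perl(SAMPLE):
        print(f"line {number}: {name}: {text}")
```

The already-fixed forms, for my $opt (qw(...)) and if (@files), are not reported, and neither is defined() on a scalar element.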



Bug#778732: nmu: abiword_3.0.1-1

2015-02-18 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: experimental
User: release.debian@packages.debian.org
Usertags: binnmu

nmu abiword_3.0.1-1 . ALL . experimental . -m Rebuild against libical1a.

libical1 has been renamed to libical1a.

Andreas


-- 
Archive: 
https://lists.debian.org/20150219025239.21522.98667.report...@zam581.zam.kfa-juelich.de



Re: Possible unblock request of snort+daq into testing?

2015-02-18 Thread Javier Fernández-Sanguino Peña
On Mon, Feb 09, 2015 at 12:20:43AM +0100, Mehdi Dogguy wrote:
 Back in November 2014, Ivo described the solution to have snort and daq
 into Jessie (See [1]). Unfortunately, this didn't happen and he was forced
 to remove the packages from Jessie, as announced. We understand that the
 outcome will not benefit our users and we carefully read your arguments.
 But we cannot accept the packages into Jessie now, especially when the
 recommended solutions have not been implemented. It is rather late now and
 we are focused on reducing Jessie's RC bugs only. I hope you will understand
 our position too.


Ok. Fully understood, thanks for the reply.

Regards

Javier





Bug#778730: nmu: gnokii_0.6.31+dfsg-2

2015-02-18 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: experimental
User: release.debian@packages.debian.org
Usertags: binnmu

nmu gnokii_0.6.31+dfsg-2 . ALL . experimental . -m Rebuild against libical1a.

libical1 is gone ...


Andreas


-- 
Archive: 
https://lists.debian.org/20150219024441.21146.77079.report...@zam581.zam.kfa-juelich.de