Bug#782165: wheezy-pu: package debootstrap/1.0.48+deb7u3
Adam D. Barratt a...@adam-barratt.org.uk (2015-04-08):
> Control: tags -1 + confirmed
>
> On Wed, 2015-04-08 at 21:51 +0200, Cyril Brulebois wrote:
> > finally time to get some stable updates… Here's the bug report I'd like to address in wheezy: “debootstrap: host's /run/shm gets unmounted after debootstrap run” (https://bugs.debian.org/753442).
> >
> > I'll have to check it inside a VM soon-ish (because I don't seem to have any hosts running wheezy at the moment), but given the change that got backported and the fact we've had the fix in testing, and in backports for quite a while, I don't seem to have so many doubts about it.
>
> Please feel free to go ahead, thanks.

Great, thanks. Local tests seem to confirm the nasty bug is fixed as desired, so I've just uploaded the package.

Mraw,
KiBi.
Bug#781829: wheezy-pu: package dpkg/1.16.16
On Thu, 2015-04-09 at 06:07 +0200, Guillem Jover wrote:
> Hi!
>
> On Wed, 2015-04-08 at 20:58:02 +0100, Adam D. Barratt wrote:
> > Those look okay too, assuming that the structs aren't used outside of dpkg itself.
>
> They are part of libdpkg, which is only ever shipped as a static library, so this should be safe.
>
> It seems I forgot another commit, attached. :( Sorry. This should be the last one.

ACK.

Regards,
Adam

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1428554109.7798.32.ca...@adam-barratt.org.uk
Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, following is a debdiff which should fix the following issues in apt-zip: #782179 [G|+| ] [apt-zip] apt-zip: apt-zip-list --aptgetaction=update doesn't do anything because apt-get -qq --print-uris update outputs nothing #781915 [G| | ] [apt-zip] Checksum fails and other issues in Jessie #638840 [i|+| ] [apt-zip] apt-zip: wrong checksum: checksum calculation broken The last one (#638840) is currently only set to severity important, but IMHO validates for severity grave, too, as it doesn't download any packages anymore because of the failed hashsum check. This patch does not fix #718376 (Most deb data.tar member files are unsupported) and there seem similar issues with package lists. Additionally the patch also fixes this non-RC and no-op issue: #624368 [m| | ] [apt-zip] Updating the apt-zip Uploaders list Would the following debdiff suffice for an unblock? If so, I'd upload it as NMU either directly or to DELAYED/1 so that it migrates to Testing before the deadline ends. diff -Nru apt-zip-0.18/debian/changelog apt-zip-0.18+nmu1/debian/changelog --- apt-zip-0.18/debian/changelog 2008-02-01 08:18:33.0 +0100 +++ apt-zip-0.18+nmu1/debian/changelog 2015-04-09 03:49:29.0 +0200 
@@ -1,3 +1,20 @@ +apt-zip (0.18+nmu1) unstable; urgency=medium + + * Non-maintainer upload + * Fix updating package lists by using -q instead of -qq for apt-get +update (Closes: #782179) + * Properly handle package list downloads (Closes: #781915) ++ Don't try to bunzip2 empty files ++ Don't save files with .bz2 or .gz suffix without suffix ++ Don't try to add .bz2 or .gz suffix to URIs which already have them. ++ Honour the fact that apt can't know checksums of package list in + advance. + * Fix checksum verification of packages (Closes: #638840; patch by +Rainer Dorsch rdor...@web.de, thanks!) + * Remove François Févotte from Uploaders (Closes: #624368) + + -- Axel Beckert a...@debian.org Thu, 09 Apr 2015 01:30:22 +0200 + apt-zip (0.18) unstable; urgency=medium * Use sha256 instead of md5 for checksum, as in apt 0.7.7. diff -Nru apt-zip-0.18/apt-zip-inst apt-zip-0.18+nmu1/apt-zip-inst --- apt-zip-0.18/apt-zip-inst 2008-02-01 08:07:37.0 +0100 +++ apt-zip-0.18+nmu1/apt-zip-inst 2015-04-09 03:44:21.0 +0200 @@ -36,8 +36,9 @@ tar xvf ${MEDIUM}/${APTZIPTARFILE} | while read FILE do - [ `basename $FILE .bz2` != $FILE ] bunzip2 -f $FILE - [ `basename $FILE .gz` != $FILE ] gunzip -f $FILE + [ ! -s $FILE ] rm -f $FILE + [ -e $FILE -a `basename $FILE .bz2` != $FILE ] bunzip2 -f $FILE + [ -e $FILE -a `basename $FILE .gz` != $FILE ] gunzip -f $FILE done rm -f foo-stamp ) diff -Nru apt-zip-0.18/apt-zip-list apt-zip-0.18+nmu1/apt-zip-list --- apt-zip-0.18/apt-zip-list 2008-02-01 07:57:01.0 +0100 +++ apt-zip-0.18+nmu1/apt-zip-list 2015-04-09 02:35:38.0 +0200 
@@ -33,9 +33,15 @@ TMP=$(tempfile -p aptzip) TEMP=$(tempfile -p aptzip) +if [ $APTGETACTION = update ]; then +APTGETQUIETLEVEL=-q +else +APTGETQUIETLEVEL=-qq +fi + [ -n $PACKAGES ] apt-get ${APTGETEXTRAOPTS} -qq --print-uris install $PACKAGES $TMP -[ -n $APTGETACTION ] apt-get ${APTGETEXTRAOPTS} -qq --print-uris ${APTGETACTION} $TMP -grep $GREP $TMP | tr -d ' | sed 's/SHA256://' | sort -u $TEMP +[ -n $APTGETACTION ] apt-get ${APTGETEXTRAOPTS} ${APTGETQUIETLEVEL} --print-uris ${APTGETACTION} $TMP +grep $GREP $TMP | tr -d ' | sed 's/MD5Sum://' | sort -u $TEMP if [ $? != 0 ] then error apt-get failed diff -Nru apt-zip-0.18/debian/control apt-zip-0.18+nmu1/debian/control --- apt-zip-0.18/debian/control 2008-02-01 08:24:00.0 +0100 +++ apt-zip-0.18+nmu1/debian/control2015-04-09 01:50:07.0 +0200 @@ -4,7 +4,7 @@ Build-Depends-Indep: docbook-utils, docbook Build-Depends: debhelper (= 5), cdbs Maintainer: Giacomo Catenazzi c...@debian.org -Uploaders: Eddy Petrișor eddy.petri...@gmail.com, François Févotte francois.fevo...@ensta.org +Uploaders: Eddy Petrișor eddy.petri...@gmail.com Standards-Version: 3.7.3 Homepage: http://alioth.debian.org/projects/apt-zip diff -Nru apt-zip-0.18/methods/wget apt-zip-0.18+nmu1/methods/wget --- apt-zip-0.18/methods/wget 2008-02-01 07:54:37.0 +0100 +++ apt-zip-0.18+nmu1/methods/wget 2015-04-09 03:34:04.0 +0200 @@ -31,10 +31,12 @@ [ ! ${USECHECKSUMS} = 'no' ] cat -EOF check(){ [ ! -r \$1 ] return 1 + [ ! -s \$1 ] return 1 [ \$2 = 0 ] return \$3 [ \$2 = ] return \$3 - [ \`type sha256sum\` ] - if [ \`sha256sum \$1 | cut -d' ' -f1\` = \$2 ] + [ \$2 = : ] return \$3 + [ \`type
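Review bot: Stripping `MD5Sum:` instead of `SHA256:` in the apt-zip-list pipeline conflicts with the 0.18 changelog line kept as context ("Use sha256 instead of md5 for checksum") and with the `sha256sum` call in the removed lines of the methods/wget `check()`. The new changelog entry should say which digest `apt-get --print-uris` emits here and which tool the generated script runs against it. If the stripped prefix and the computed digest disagree, every download fails verification; if the result is an MD5-only comparison, the integrity check is weaker than what 0.18 documented.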
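Review bot: The added early return for a checksum field of `:` in the methods/wget `check()` skips hash verification entirely, and nothing in the visible lines restricts it to package lists. The changelog justifies it by apt not knowing package-list checksums in advance, so the generated script should either take that path only for list files or print a warning naming each file it accepted unverified. The same applies to the existing returns for `0` and the empty string, which sit right above it.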
Bug#782002: unblock: (pre-approval) opensc
On Mon, 06 Apr 2015 20:34:42 +0200, Niels Thykier ni...@thykier.net wrote:
> Hello,
> [...]
> Ack, please upload this to unstable and let us know once it has been accepted!

opensc 0.14.0-2 is now in unstable.

Cheers,
Laurent Bigonville
Bug#782175: Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net
Package: release.debian.org Severity: important User: release.debian@packages.debian.org Usertags: unblock Hello release team, because of three CVE security messages I have made an updated package of chrony which is now on mentors.debian.net. Please unblock package chrony/1.30-2. The RFS can be seen here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782173 The updated package fixes three RC bugs: * It includes the following security fixes (Closes: #782160): - Fix CVE-2015-1853: Protect authenticated symmetric NTP associations against DoS attacks. - Fix CVE-2015-1821: Fix access configuration with subnet size indivisible by 4. - Fix CVE-2015-1822: Fix initialization of reply slots for authenticated commands. Details are in the attached debdiff. Please unblock package chrony/1.30-2. Many thanks for your work, --- Have a nice day. Joachim (Germany) diff -urN d10/debian/changelog d14/debian/changelog --- d10/debian/changelog 2014-08-10 19:10:56.0 +0200 +++ d14/debian/changelog 2015-04-09 00:31:10.0 +0200 @@ -1,3 +1,19 @@ +chrony (1.30-2) unstable; urgency=medium + + * New upstream release. + * It includes the following security fixes (Closes: #782160): +- Fix CVE-2015-1853: Protect authenticated symmetric NTP + associations against DoS attacks. +- Fix CVE-2015-1821: Fix access configuration with subnet + size indivisible by 4. +- Fix CVE-2015-1822: Fix initialization of reply slots for + authenticated commands. + * debian/control: + - Update e-mail address of myself. + - Add Vincent Blut as co-maintainer. + + -- Joachim Wiedorn joodeb...@joonet.de Thu, 09 Apr 2015 00:06:34 +0200 + chrony (1.30-1) unstable; urgency=medium * New upstream release with following bugfixes: diff -urN d10/debian/control d14/debian/control --- d10/debian/control 2014-08-08 20:40:03.0 +0200 +++ d14/debian/control 2015-04-09 00:05:48.0 +0200 
@@ -1,7 +1,8 @@ Source: chrony Section: admin Priority: extra -Maintainer: Joachim Wiedorn ad_deb...@joonet.de +Maintainer: Joachim Wiedorn joodeb...@joonet.de +Uploaders: Vincent Blut vincent.deb...@free.fr Standards-Version: 3.9.5 Build-Depends: debhelper (= 9), texinfo, bison, diff -urN d10/debian/patches/11_protect-authenticated-symmetric-ass.patch d14/debian/patches/11_protect-authenticated-symmetric-ass.patch --- d10/debian/patches/11_protect-authenticated-symmetric-ass.patch 1970-01-01 01:00:00.0 +0100 +++ d14/debian/patches/11_protect-authenticated-symmetric-ass.patch 2015-04-08 23:50:45.0 +0200 
@@ -0,0 +1,72 @@ +From d856bd34c4862398411d29200520e3a3b1d4569e Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar mlich...@redhat.com +Date: Thu, 5 Mar 2015 12:44:30 +0100 +Subject: ntp: protect authenticated symmetric associations against DoS attacks + +An attacker knowing that NTP hosts A and B are peering with each other +(symmetric association) can send a packet with random timestamps to host +A with source address of B which will set the NTP state variables on A +to the values sent by the attacker. Host A will then send on its next +poll to B a packet with originate timestamp that doesn't match the +transmit timestamp of B and the packet will be dropped. If the attacker +does this periodically for both hosts, they won't be able to synchronize +to each other. It is a denial-of-service attack. + +According to [1], NTP authentication is supposed to protect symmetric +associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4 +(RFC 5905) specifications the state variables are updated before the +authentication check is performed, which means the association is +vulnerable to the attack even when authentication is enabled. + +To fix this problem, save the originate and local timestamps only when +the authentication check (test5) passed. + +[1] https://www.eecis.udel.edu/~mills/onwire.html + +diff --git a/ntp_core.c b/ntp_core.c +index ebb6a7c..e654c88 100644 +--- a/ntp_core.c b/ntp_core.c +@@ -914,9 +914,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins + + /* */ + +- /* Save local receive timestamp */ +- inst-local_rx = *now; +- + pkt_leap = (message-lvm 6) 0x3; + if (pkt_leap == 0x3) { + source_is_synchronized = 0; +@@ -948,14 +945,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins + test2 = 1; /* Success */ + } + +- /* Regardless of any validity checks we apply, we are required to +- save this field from the packet into the ntp source +- instance record. 
See RFC1305 section 3.4.4, peer.org - pkt.xmt +- peer.peerpoll - pkt.poll. Note we can't do this assignment +- before test1 has been carried out!! */ +- +- inst-remote_orig = message-transmit_ts; +- + /* Test 3 requires that pkt.org
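Review bot: The "New upstream release" bullet in the 1.30-2 changelog entry does not match the upload: the upstream version is still 1.30, as in the 1.30-1 entry kept below it, and the fixes arrive as files under debian/patches. Drop the bullet or reword it to say the three CVE fixes are backported patches, so that anyone reading the changelog can tell the upstream code base did not change.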
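Review bot: The second ntp_core.c hunk deletes the comment that cites RFC 1305 section 3.4.4 as requiring `remote_orig` to be saved regardless of validity checks, and the reason for departing from that requirement then lives only in the patch header. A short comment at the new save site, stating that the originate and local receive timestamps are stored only after test5 passes and why, would keep a later reader from restoring the RFC ordering. Since the visible hunks only remove the two assignments, the remaining hunks should also be checked to confirm both are re-added on the authenticated path and still run for associations without authentication.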
Re: Proposal to do regular jenkins updates via jessie-updates (Was: Re: Removing Jenkins from Jessie)
On Wed, 2015-04-08 at 23:33 +0200, Niels Thykier wrote:
> On 2015-04-08 22:45, Miguel Landaeta wrote:
> > On Wed, 08 Apr 2015 18:17:59 +0200, Niels Thykier wrote:
> > [...]
> > > I had a chat with James Page and Emmanuel Bourg about Jenkins over IRC. We concluded that it was infeasible for Debian to maintain Jenkins due to the lack of upstream commitment to a LTS release-cycle of sufficient length to match the length of Jessie[1].
> >
> > Do you think it is feasible or acceptable to maintain Jenkins in jessie-updates suite instead?
>
> I am not entirely convinced that Jenkins applies to stable-updates criteria[1]. However, I am leaving the final call on that to the SRMs.

As someone who was involved in the initial setup of stable-updates, I'm afraid that I'm not convinced either.

Packages such as clamav get updated to new upstream versions via stable-updates, but that's mostly because the (anti-)malware landscape changes sufficiently quickly that it's often not feasible to make small updates to the existing version in order to remain viable and we serve our users better by making newer engines available to them. Apologies if I'm missing something, but that really doesn't seem to be the case for Jenkins.

https://wiki.jenkins-ci.org/display/JENKINS/LTS+Release+Line suggests that long-term means supported for three months. I'm struggling to combine those two ideas, particularly in the context of a Debian stable release. (Similarly battle-tested — meaning those commits that have already been a part of a main line release for more than a week.)

I do wonder whether backports might be suitable, but I can't and won't speak on behalf of the backports team.

Regards,
Adam
Bug#781829: wheezy-pu: package dpkg/1.16.16
Hi! On Wed, 2015-04-08 at 20:58:02 +0100, Adam D. Barratt wrote: Those look okay too, assuming that the structs aren't used outside of dpkg itself. They are part of libdpkg, which is only ever shipped as a static library, so this should be safe. It seems I forgot another commit, attached. :( Sorry. This should be the last one. Thanks, Guillem From 742072b318a062702dd499f8dbc841d0095992a4 Mon Sep 17 00:00:00 2001 From: Jae Junh jaej...@embian.com Date: Mon, 21 Jul 2014 00:55:40 +0200 Subject: [PATCH] Add powerpcel support to cputable Cherry picked from commit fd8934117860821c3a5ddb11c51eb86b25ad97c0. Signed-off-by: Guillem Jover guil...@debian.org --- cputable | 1 + debian/changelog | 1 + 2 files changed, 2 insertions(+) diff --git a/cputable b/cputable index 506083e..1f299f9 100644 --- a/cputable +++ b/cputable @@ -33,6 +33,7 @@ mips64 mips64 mips64 64 big mips64el mips64el mips64el 64 little or1k or1k or1k 32 big powerpc powerpc (powerpc|ppc) 32 big +powerpcel powerpcle powerpcle 32 little ppc64 powerpc64 (powerpc|ppc)64 64 big ppc64el powerpc64le powerpc64le 64 little s390 s390 s390 32 big diff --git a/debian/changelog b/debian/changelog index 0c94fdd..59c9250 100644 --- a/debian/changelog +++ b/debian/changelog @@ -34,6 +34,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Fix out-of-bounds buffer read accesses when parsing field and trigger names or checking package ownership of conffiles and directories. Reported by Joshua Rogers megaman...@gmail.com. + * Add powerpcel support to cputable. Thanks to Jae Junh jaej...@embian.com. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) -- 2.2.1.209.g41e5f3a
Proposal to do regular jenkins updates via jessie-updates (Was: Re: Removing Jenkins from Jessie)
On 2015-04-08 22:45, Miguel Landaeta wrote:
> On Wed, 08 Apr 2015 18:17:59 +0200, Niels Thykier wrote:
> [...]
> > I had a chat with James Page and Emmanuel Bourg about Jenkins over IRC. We concluded that it was infeasible for Debian to maintain Jenkins due to the lack of upstream commitment to a LTS release-cycle of sufficient length to match the length of Jessie[1].
>
> Do you think it is feasible or acceptable to maintain Jenkins in jessie-updates suite instead?

I am not entirely convinced that Jenkins applies to stable-updates criteria[1]. However, I am leaving the final call on that to the SRMs.

My view on this:

 * There are several jenkins-* packages that will (presumably) need to be updated as often as Jenkins itself.
 * Doing this will imply pulling a new Jenkins LTS release almost immediately (the current one has several critical security flaws and is probably EOL).
   - NB: Jenkins LTS is supported for 3 or 6 as far as I recall - but [citation missing].
 * I would do with an assessment of how likely you think it is that the Jenkins packages (jenkins + jenkins-*) will remain buildable, supportable, and installable in Jessie (at least 3 years) without needing to do updates to other packages (or introduce new packages).
   - 5 if you want to support it for a possible jessie-lts (ignoring for a moment that jessie-lts is technically handled by a separate team).
 * We would probably want to add a disclaimer in the release-notes if we were to do this. If only to say that security updates are bundled with new upstream releases as we cannot reliably backport minimal fixes.

I have put my removal on hold for now until the SRMs have had a chance to look at this.

Thanks,
~Niels

[1] https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html

I suspect it would have to fall under the "Packages that need to be current to be useful (e.g. clamav)."-clause if Jenkins was applicable.
Bug#782143: pre-approval unblock: stunnel4/3:5.06-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock This is a pre-approval request for unblocking a RC bugfix upload of stunnel4 that will fix two RC bugs: - #771421 - makes stunnel unusable for some users in certain configurations; not for everyone, but still, it happens too often to be ignored - #782030 - makes stunnel start and stop properly, checking whether the action has actually succeeded The full debdiff between version 3:5.06-2 (currently in unstable and testing) and the proposed 3:5.06-3 is attached. unblock stunnel4/3:5.06-3 Thanks in advance, and thanks for all your work! G'luck, Peter -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru stunnel4-5.06/debian/changelog stunnel4-5.06/debian/changelog --- stunnel4-5.06/debian/changelog 2014-10-20 11:49:07.0 +0300 +++ stunnel4-5.06/debian/changelog 2015-04-08 14:00:56.0 +0300 
@@ -1,3 +1,15 @@ +stunnel4 (3:5.06-3) unstable; urgency=medium + + * Add the 17-upstream-hangup patch to fix prematurely closed +connections when there is still data to be written. +Thanks to Joachim Falk for backporting the patch! +Closes: #771241 + * Add the 18-lsb-startup patch to make the daemons' startup consistent +with the way things are done in Debian. +Among other things, Closes: #782030 + + -- Peter Pentchev r...@ringlet.net Wed, 08 Apr 2015 14:00:54 +0300 + stunnel4 (3:5.06-2) unstable; urgency=medium * Limit the systemd build dependency to Linux architectures only, diff -Nru stunnel4-5.06/debian/patches/17-upstream-hangup.patch stunnel4-5.06/debian/patches/17-upstream-hangup.patch --- stunnel4-5.06/debian/patches/17-upstream-hangup.patch 1970-01-01 02:00:00.0 +0200 +++ stunnel4-5.06/debian/patches/17-upstream-hangup.patch 2015-04-08 12:45:17.0 +0300 
@@ -0,0 +1,74 @@ +Description: Fix premature data truncation in the POLLRDHUP handling +DebianBug: https://bugs.debian.org/771241 +Origin: upstream; https://www.stunnel.org/pipermail/stunnel-users/2014-November/004860.html +Last-Update: 2015-03-04 + +--- a/src/client.c b/src/client.c +@@ -515,6 +515,11 @@ + int write_wants_read=0, write_wants_write=0; + /* actual conditions on file descriptors */ + int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr; ++#ifdef USE_WIN32 ++unsigned long bytes; ++#else ++int bytes; ++#endif + + c-sock_ptr=c-ssl_ptr=0; + +@@ -810,32 +815,44 @@ + } + + /** check for hangup conditions */ +-if(s_poll_rdhup(c-fds, c-sock_rfd-fd)) { +-s_log(LOG_INFO, Read socket closed (hangup)); ++/* http://marc.info/?l=linux-manm=128002066306087 */ ++/* readsocket() must be the last sock_rfd operation before FIONREAD */ ++if(sock_open_rd s_poll_rdhup(c-fds, c-sock_rfd-fd) ++(ioctlsocket(c-sock_rfd-fd, FIONREAD, bytes) || !bytes)) { ++s_log(LOG_INFO, Read socket closed (read hangup)); + sock_open_rd=0; + } +-if(s_poll_hup(c-fds, c-sock_wfd-fd)) { ++if(sock_open_wr s_poll_hup(c-fds, c-sock_wfd-fd)) { + if(c-ssl_ptr) { + s_log(LOG_ERR, +-Write socket closed (hangup) with %d unsent byte(s), ++Write socket closed (write hangup) with %d unsent byte(s), + c-ssl_ptr); + longjmp(c-err, 1); /* reset the socket */ + } +-s_log(LOG_INFO, Write socket closed (hangup)); ++s_log(LOG_INFO, Write socket closed (write hangup)); + sock_open_wr=0; + } +-if(s_poll_hup(c-fds, c-ssl_rfd-fd) || +-s_poll_hup(c-fds, c-ssl_wfd-fd)) { ++/* SSL_read() must be the last ssl_rfd operation before FIONREAD */ ++if(!(SSL_get_shutdown(c-ssl)SSL_RECEIVED_SHUTDOWN) ++s_poll_rdhup(c-fds, c-ssl_rfd-fd) ++(ioctlsocket(c-ssl_rfd-fd, FIONREAD, bytes) || !bytes)) { + /* hangup - buggy (e.g. 
Microsoft) peer: + * SSL socket closed without close_notify alert */ ++s_log(LOG_INFO, SSL socket closed (read hangup)); ++SSL_set_shutdown(c-ssl, ++SSL_get_shutdown(c-ssl)|SSL_RECEIVED_SHUTDOWN); ++} ++if(!(SSL_get_shutdown(c-ssl)SSL_SENT_SHUTDOWN) ++s_poll_hup(c-fds, c-ssl_wfd-fd)) { + if(c-sock_ptr || write_wants_write) { + s_log(LOG_ERR, +-SSL socket closed (hangup) with %d unsent byte(s), ++SSL socket closed (write hangup) with %d unsent
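Review bot: The bug number differs between the request and the upload: the changelog entry and the DebianBug header of 17-upstream-hangup.patch both say #771241, while the unblock request text names #771421. One of the two is a transposition, and it should be verified before upload, because the `Closes:` line in the changelog will close whichever bug it names.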
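Review bot: In the client.c hangup hunk, a failing `ioctlsocket(..., FIONREAD, ...)` lands in the same branch as "no bytes pending" and is logged at LOG_INFO as an ordinary read hangup, for both the plain socket and the SSL socket. Logging the ioctl error separately before clearing `sock_open_rd` or setting `SSL_RECEIVED_SHUTDOWN` would let an operator tell a real peer hangup from a failed query, which matters here because the bug being fixed is data lost on a connection that was closed too early.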
Bug#782144: unblock: sysvinit/2.88dsf-59
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package sysvinit As shown in the bugs referenced in the changelog, there are cases where an init script can be installed, but systemd ends up unaware of it until after reboot. This is entirely suboptimal, and the fix for this is covered mostly here in this sysvinit change. There is another corner case that's more easily handled by a systemd trigger, and that is covered in an upcoming systemd upload, but both are independant and can happen without the other's involvement. ... Adam diff -Nru sysvinit-2.88dsf/debian/changelog sysvinit-2.88dsf/debian/changelog --- sysvinit-2.88dsf/debian/changelog 2014-11-11 12:34:28.0 -0700 +++ sysvinit-2.88dsf/debian/changelog 2015-04-06 12:10:53.0 -0600 @@ -1,3 +1,10 @@ +sysvinit (2.88dsf-59) unstable; urgency=medium + + * Call 'systemctl daemon-reload' after any insserv call if systemd +is the system init to pick up changes (Closes: #766429, #774799) + + -- Adam Conrad adcon...@debian.org Mon, 06 Apr 2015 10:44:47 -0600 + sysvinit (2.88dsf-58) unstable; urgency=low * Fix typo in invoke-rc.d breaking upstart installations (Closes: diff -Nru sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d --- sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d2014-10-25 15:15:12.0 -0600 +++ sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d2015-04-06 10:43:52.0 -0600 @@ -63,6 +63,12 @@ map { push @dirs, $_; mkdir join('/', @dirs), 0755; } @path; } +sub systemd_reload { +if (-d /run/systemd/system) { +system(systemctl, daemon-reload); +} +} + # Creates the necessary links to enable/disable the service (equivalent of an # initscript) in systemd. sub make_systemd_links { 
@@ -92,17 +98,9 @@ } else { unlink($service_link) if -e $service_link; } -$changed_sth = 1; } } close($fh); - -# If we changed anything and this machine is running systemd, tell -# systemd to reload so that it will immediately pick up our -# changes. -if ($changed_sth -d /run/systemd/system) { -system(systemctl, daemon-reload); -} } } @@ -182,6 +180,7 @@ remove_last_action($scriptname); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { # insserv removes all dangling symlinks, no need to tell it @@ -191,6 +190,7 @@ remove_last_action($scriptname); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } } elsif (defaults eq $action || start eq $action || @@ -208,6 +208,7 @@ save_last_action($scriptname, @orig_argv); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { error(initscript does not exist: /etc/init.d/$scriptname); @@ -224,6 +225,7 @@ save_last_action($scriptname, @orig_argv); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { usage(); unblock sysvinit/2.88dsf-59 -- System Information: Debian Release: jessie/sid APT prefers vivid-updates APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-11-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150408114135.1728.11452.reportbug@cthulhu
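Review bot: The hunk at -92,17 removes the daemon-reload from `make_systemd_links`, so a reload now happens only at the four `systemd_reload;` call sites that follow an insserv run. Check that every path that calls `make_systemd_links` also reaches one of those sites; a path that changes the links and exits elsewhere would leave systemd with a stale view until reboot, which is the problem this upload is meant to close. `systemd_reload` also discards the exit status of `systemctl daemon-reload`, so a warning on failure would make that case visible instead of silent.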
Bug#782131: (pre-approval) unblock: apt/1.0.9.8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-CC: de...@lists.debian.org Hi release team, I had hoped it wouldn't come to this, but to my dismay I have to propose yet another upgrade to apt as to be shipped in jessie. The update is intended to fix two ways of triggering a false-positive security (themed) warning by apt-transport-https (see 777565, 781509) and a crash in aptdaemon caused by dangling pointer usage (see 781858). Also included are four more fixes for: two (small) regressions and two more-or-less esoteric issues which aren't a problem for Debian per-se, but might be for derivatives. Not worthed it alone (even through their reporters likely disagree), but as we prepare an update anyway… The patches are heavily optimized for less line-change. A regression potentially realistically only exists for the https-change, but even there isn't much opportunity and its considered for backporting further. More details for each change individually in the commit messages as attached generated by git log -p 1.0.9.7..debian/jessie or cgit: https://anonscm.debian.org/cgit/apt/apt.git/log/?h=debian/jessie Thanks for considering an: unblock apt/1.0.9.8 and best regards David Kalnischkies (for the APT team) commit d5cf8851753dde4f45bfd3b48fcdf34247a8752a Author: David Kalnischkies da...@kalnischkies.de Date: Tue Apr 7 22:34:34 2015 +0200 keyids in apt-key del should be case-insensitive gnupg is case-insensitive about keyids, so back then apt-key called it directly any keyid was accepted, but now that we work more with the keyid ourself we regressed to require uppercase keyids by accident. This is also inconsistent with other apt-key commands which still use gnupg directly. A single case-insensitive grep and we are fine again. Closes: 781696 diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index b4e0710..1da311d 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in 
@@ -180,7 +180,7 @@ update() { remove_key_from_keyring() { local GPG=$GPG_CMD --keyring $1 # check if the key is in this keyring: the key id is in the 5 column at the end -if ! $GPG --with-colons --list-keys 21 | grep -q ^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*$2:; then +if ! $GPG --with-colons --list-keys 21 | grep -iq ^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*$2:; then return fi if [ ! -w $1 ]; then diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index 47230cb..b4f823e 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -111,3 +111,9 @@ cleanplate cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE testempty aptkey list + +msgtest 'Test key removal with' 'lowercase key ID' #keylength somewher between 8byte and short +cleanplate +cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess --nomsg aptkey --fakeroot del d141dbac8dae +testempty aptkey list commit 7e9b7ea8236a79580c4ca47712558096d66bad53 Author: David Kalnischkies da...@kalnischkies.de Date: Tue Apr 7 18:31:12 2015 +0200 demote VectorizeString gcc attribute from const to pure g++-5 generates a slightly broken libapt which doesn't split architecture configurations correctly resulting in e.g. Packages files requested for the bogus architecture 'amd64,i386' instead of for amd64 and i386. The reason is an incorrectly applied attribute marking the function as const, while functions with pointer arguments are not allowed to be declared as such (note that char is a char* in disguise). Demoting the attribute to pure fixes this issue – better would be dropping the from char but that is an API change… Neither earlier g++ versions nor clang use this attribute to generate broken code, so we don't need a rebuild of dependencies or anything and g++-5 isn't even included in jessie, but the effect is so strange and apt popular enough to consider avoiding this problem anyhow. 
diff --git a/apt-pkg/contrib/strutl.h b/apt-pkg/contrib/strutl.h index 185cdc3..f4f8083 100644 --- a/apt-pkg/contrib/strutl.h +++ b/apt-pkg/contrib/strutl.h @@ -79,7 +79,7 @@ bool TokSplitString(char Tok,char *Input,char **List, unsigned long ListMax); // split a given string by a char -std::vectorstd::string VectorizeString(std::string const haystack, char const split) APT_CONST; +std::vectorstd::string VectorizeString(std::string const haystack, char const split) APT_PURE; /* \brief Return a vector of strings from string input where sep * is used as the delimiter string. commit 3af3768e1a0ae8519ac85fbe1eb4494eeb076fa2 Author: Michael Vogt m...@debian.org Date: Tue Apr 7 12:20:56 2015 +0200 fix crash in order writing in pkgDPkgPM::WriteApportReport() libapt can be configured to write various bits of information to a file
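Review bot: In `remove_key_from_keyring` the key ID in `$2` goes into the grep pattern without validation, and with `[0-9A-F]*` in front of it any trailing fragment of a key ID matches; the new test deletes a key using the 12-digit `d141dbac8dae`. Because this match decides which key leaves the trusted keyring, `$2` should be checked to be hexadecimal and of an accepted key ID or fingerprint length before the grep runs, and an empty or very short argument should be rejected. With `-i` added, the `[0-9A-F]` class also matches lowercase, which is harmless but worth a word in the comment above the line.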
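Review bot: The strutl.h hunk swaps `APT_CONST` for `APT_PURE` on `VectorizeString` with no comment at the declaration, so the reason given in the commit message (the attribute was wrongly applied and g++-5 miscompiles the split) is invisible to anyone reading the header. A one-line comment next to the attribute would keep a later cleanup from changing it back.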
Bug#782128: unblock: ruby-kramdown/1.4.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, Please unblock ruby-kramdown 1.4.2-2 which fixes RC bug #774661. (This was only discovered to be RC during the current team sprint, sorry for that.) Full debdiff: diff -Nru ruby-kramdown-1.4.2/debian/changelog ruby-kramdown-1.4.2/debian/changelog --- ruby-kramdown-1.4.2/debian/changelog2014-09-29 23:33:37.0 +0200 +++ ruby-kramdown-1.4.2/debian/changelog2015-04-08 10:59:01.0 +0200 @@ -1,3 +1,10 @@ +ruby-kramdown (1.4.2-2) unstable; urgency=medium + + * Team upload. + * Install missing data files (Closes: #774661) + + -- Christian Hofstaedtler z...@debian.org Wed, 08 Apr 2015 10:56:27 +0200 + ruby-kramdown (1.4.2-1) unstable; urgency=medium * Team upload diff -Nru ruby-kramdown-1.4.2/debian/ruby-kramdown.install ruby-kramdown-1.4.2/debian/ruby-kramdown.install --- ruby-kramdown-1.4.2/debian/ruby-kramdown.install1970-01-01 01:00:00.0 +0100 +++ ruby-kramdown-1.4.2/debian/ruby-kramdown.install2015-04-08 10:54:49.0 +0200 @@ -0,0 +1 @@ +data/kramdown usr/share Thanks, Christian unblock ruby-kramdown/1.4.2-2 -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150408091440.22948.89251.report...@sxl.home.zeha.at
Removing Jenkins from Jessie
Hi,

I had a chat with James Page and Emmanuel Bourg about Jenkins over IRC. We concluded that it was infeasible for Debian to maintain Jenkins due to the lack of upstream commitment to an LTS release-cycle of sufficient length to match the length of Jessie[1]. Accordingly, we agreed to remove the package from Jessie.

~Niels

[1] From memory, the Jenkins LTS is at most 6 months.
Bug#782146: marked as done (unblock: mailman/1:2.1.18-2)
Your message dated Wed, 08 Apr 2015 16:58:17 +0200 with message-id 55254209.6030...@thykier.net and subject line Re: Bug#782146: unblock: mailman/1:2.1.18-2 has caused the Debian Bug report #782146, regarding unblock: mailman/1:2.1.18-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782146 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mailman. The diff is a security fix for CVE-2015-2775. unblock mailman/1:2.1.18-2 Thanks, Thijs diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog --- mailman-2.1.18/debian/changelog 2014-07-10 18:01:59.0 + +++ mailman-2.1.18/debian/changelog 2015-04-06 15:37:32.0 + @@ -1,3 +1,13 @@ +mailman (1:2.1.18-2) unstable; urgency=high + + * Fix security issue: path traversal through local_part. +Affects installations which use an Exim or Postfix transport +instead of fixed aliases; attacker needs to be able to place +files on the local filesystem. +(CVE-2015-2775, Closes: 781626) + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 15:36:15 + + mailman (1:2.1.18-1) unstable; urgency=medium * New upstream release. diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config --- mailman-2.1.18/debian/config 2012-06-16 09:50:23.0 + +++ mailman-2.1.18/debian/config 2015-04-06 15:30:32.0 + 
@@ -1,5 +1,5 @@ #! /bin/sh -e -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $ # $Id: config 693 2011-10-08 15:30:38Z thijs $ . /usr/share/debconf/confmodule diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control --- mailman-2.1.18/debian/control 2014-07-10 18:19:25.0 + +++ mailman-2.1.18/debian/control 2015-04-06 15:30:32.0 + @@ -4,7 +4,6 @@ Maintainer: Mailman for Debian pkg-mailman-hack...@lists.alioth.debian.org Uploaders: Lionel Elie Mamane lmam...@debian.org, Thijs Kinkhorst th...@debian.org, - Thorsten Glaser t...@mirbsd.de, Hector Garcia hec...@debian.org Build-Depends: debhelper (= 7), autoconf, python-dev (= 2.6.6-3~), gettext, python-dnspython Standards-Version: 3.9.5 diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch --- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 1970-01-01 00:00:00.0 + +++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 2015-04-06 15:44:18.0 + 
@@ -0,0 +1,34 @@ +From: Mark Sapiro m...@msapiro.net +Subject: Fix path traversal through local_part (CVE-2015-2775) +Origin: upstream, https://launchpadlibrarian.net/201407944/p +Bug: https://bugs.launchpad.net/mailman/+bug/1437145 +Bug-Debian: http://bugs.debian.org/781626 + +diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in +--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.0 + mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.0 + +@@ -138,7 +138,7 @@ + + # A Python regular expression character class which defines the characters + # allowed in list names. Lists cannot be created with names containing any +-# character that doesn't match this class. ++# character that doesn't match this class. Do not include '/' in this list. + ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' + + +diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py +--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.0 + mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.0 + +@@ -99,6 +99,12 @@ + # + # The former two are for 2.1alpha3 and beyond, while the latter two are + # for all earlier versions. ++# ++# But first ensure the list name doesn't contain a path traversal ++# attack. ++if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) 0: ++syslog('mischief', 'Hostile listname: %s', listname) ++return False + basepath = Site.get_listpath(listname) + for ext in ('.pck', '.pck.last', '.db', '.db.last'): + dbfile = os.path.join(basepath, 'config' + ext) diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series --- mailman-2.1.18/debian/patches/series 2014-07-10 17:59:41.0 + +++ mailman-2.1.18/debian/patches/series 2015-04-06
Bug#781829: wheezy-pu: package dpkg/1.16.16
Hi! On Sat, 2015-04-04 at 08:58:01 +0100, Adam D. Barratt wrote: Control: tags -1 -moreinfo +confirmed As far as I can see, the fixes all look okay to me (and assuming they've been tested on a wheezy system). Thanks. Although, sorry, I've realized I had forgotten about two other fixes. Are the attached patches fine to include too? They have been in unstable/jessie for a while (and approved for jessie while frozen). Note that the second patch fixes the first one too. Trying to fix the first problem requires pulling in most of the second patch, and I didn't want to merge them into a single commit, to keep them as independent fixes. Thanks, Guillem From 07434a794527d37f1bec62aee3b69bd4cb671d6f Mon Sep 17 00:00:00 2001 From: Guillem Jover guil...@debian.org Date: Tue, 11 Nov 2014 17:37:04 +0100 Subject: [PATCH 1/2] libdpkg: Do not match partial field names in control files Cherry picked from commit 611305ef0e85092cc24887e040c19e9e808dd633. There is currently no instance of any misspelled field names known to dpkg in Debian. Only known field names are possibly affected. Regression introduced in commit 864e230e90de1cef94c81f10582e6d99717d593b. Closes: #769119 --- debian/changelog | 2 ++ lib/dpkg/parse.c | 6 -- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 9c29d6f..d7751ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -29,6 +29,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low and they come from the package fields, which are under user control. Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 Reported by Joshua Rogers megaman...@gmail.com. + * Do not match partial field names in control files. Closes: #769119 +Regression introduced in dpkg 1.10. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/parse.c b/lib/dpkg/parse.c index b51ca1b..446805b 100644 --- a/lib/dpkg/parse.c +++ b/lib/dpkg/parse.c 
@@ -130,7 +130,8 @@ pkg_parse_field(struct parsedb_state *ps, struct field_state *fs, } for (fip = fieldinfos, ip = fs-fieldencountered; fip-name; fip++, ip++) -if (strncasecmp(fip-name, fs-fieldstart, fs-fieldlen) == 0) +if (strncasecmp(fip-name, fs-fieldstart, fs-fieldlen) == 0 +fip-name[fs-fieldlen] == '\0') break; if (fip-name) { if ((*ip)++) @@ -151,7 +152,8 @@ pkg_parse_field(struct parsedb_state *ps, struct field_state *fs, fs-fieldlen, fs-fieldstart); larpp = pkg_obj-pkgbin-arbs; while ((arp = *larpp) != NULL) { - if (strncasecmp(arp-name, fs-fieldstart, fs-fieldlen) == 0) + if (strncasecmp(arp-name, fs-fieldstart, fs-fieldlen) == 0 + arp-name[fs-fieldlen] == '\0') parse_error(ps, _(duplicate value for user-defined field `%.*s'), fs-fieldlen, fs-fieldstart); -- 2.2.1.209.g41e5f3a From ece3ccdf17da15989c2c9f031c09cce114bce666 Mon Sep 17 00:00:00 2001 From: Guillem Jover guil...@debian.org Date: Sat, 29 Nov 2014 15:56:15 +0100 Subject: [PATCH 2/2] libdpkg, dpkg: Fix out-of-bounds read accesses Cherry picked from commit fa1cfce24dc7c0659cb16b4a6ff09f660e318731. Limit the buffer accesses to the size of the buffer being accessed. This affects reads done when parsing field and trigger names, or checking the package ownership of conffiles and directories. Use a new length member for struct fieldinfo and nickname to avoid recomputing the same known length over and over again, but use strlen() instead for arbitrary fields, conffiles and directories to avoid increasing the memory footprint too much. Reported-by: Joshua Rogers megaman...@gmail.com --- debian/changelog | 3 ++ lib/dpkg/parse.c | 84 +-- lib/dpkg/parsedump.h | 6 lib/dpkg/pkg-format.c | 10 +++--- lib/dpkg/triglib.c| 4 +-- src/help.c| 3 +- 6 files changed, 60 insertions(+), 50 deletions(-) diff --git a/debian/changelog b/debian/changelog index d7751ab..0c94fdd 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -31,6 +31,9 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low Reported by Joshua Rogers megaman...@gmail.com. * Do not match partial field names in control files. Closes: #769119 Regression introduced in dpkg 1.10. + * Fix out-of-bounds buffer read accesses when parsing field and trigger +names or checking package ownership of conffiles and directories. +Reported by Joshua Rogers megaman...@gmail.com. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/parse.c b/lib/dpkg/parse.c index 446805b..e790ec5 100644 --- a/lib/dpkg/parse.c +++ b/lib/dpkg/parse.c @@ -51,49 +51,49 @@ */ const struct fieldinfo fieldinfos[]= { /* Note: Capitalization of field name strings is important. */ - { Package, f_name,w_name
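Review bot: in [PATCH 1/2], both lib/dpkg/parse.c hunks index the stored name at fs->fieldlen right after strncasecmp() returns 0, but a zero result does not by itself prove that the stored name is at least fieldlen bytes long, so the added terminator test can read past the end of the name. Comparing lengths before comparing bytes, as the [PATCH 2/2] message describes (a length member for struct fieldinfo, strlen() for arbitrary fields), closes that, and the cover mail already says the second patch fixes the first, so the two should be accepted or rejected as a pair. The 1/2 diffstat touches only debian/changelog and lib/dpkg/parse.c; a regression test that feeds a truncated known field name would guard against the partial-match behaviour coming back.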
Bug#782147: unblock: mediawiki/1:1.19.20+dfsg-2.3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mediawiki. The only change is an addition of an upstream patch for this release branch which fixes a number of security issues. unblock mediawiki/1:1.19.20+dfsg-2.3 Thanks, Thijs diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog --- mediawiki-1.19.20+dfsg/debian/changelog 2014-12-21 12:11:10.0 + +++ mediawiki-1.19.20+dfsg/debian/changelog 2015-04-06 16:55:57.0 + @@ -1,3 +1,21 @@ +mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high + + * Non-maintainer upload. + * Add patch fixing several security issues: +- (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that + contain XML entities, to prevent various DoS attacks. +- (bug T88310) SECURITY: Always expand xml entities when checking + SVG's. +- (bug T73394) SECURITY: Escape in Html::expandAttributes to + prevent XSS. +- (bug T85855) SECURITY: Don't execute another user's CSS or JS + on preview. +- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues + fixed in SVG filtering to prevent XSS and protect viewer's + privacy. + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 16:53:54 + + mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch --- mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch 1970-01-01 00:00:00.0 + +++ mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch 2015-04-06 17:03:41.0 + 
@@ -0,0 +1,636 @@ +From: Mediawiki +Subject: Fix security issues as fixed in upstream security fix release 1.19.24: +(bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. +(bug T88310) SECURITY: Always expand xml entities when checking SVG's. +(bug T73394) SECURITY: Escape in Html::expandAttributes to prevent XSS. +(bug T85855) SECURITY: Don't execute another user's CSS or JS on preview. +(bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. +Origin: upstream, https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html + +diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/EditPage.php mediawiki-1.19.24/includes/EditPage.php +--- mediawiki-1.19.23/includes/EditPage.php 2015-03-31 13:24:03.0 + mediawiki-1.19.24/includes/EditPage.php 2015-03-31 13:23:38.0 + +@@ -1988,14 +1988,19 @@ + if ( $this-isWrongCaseCssJsPage ) { + $wgOut-wrapWikiMsg( div class='error' id='mw-userinvalidcssjstitle'\n$1\n/div, array( 'userinvalidcssjstitle', $this-mTitle-getSkinFromCssJsSubpage() ) ); + } ++if ( $this-getTitle()-isSubpageOf( $wgUser-getUserPage() ) ) { + if ( $this-formtype !== 'preview' ) { +- if ( $this-isCssSubpage ) ++ if ( $this-isCssSubpage ) { + $wgOut-wrapWikiMsg( div id='mw-usercssyoucanpreview'\n$1\n/div, array( 'usercssyoucanpreview' ) ); +- if ( $this-isJsSubpage ) ++ } ++ ++ if ( $this-isJsSubpage ) { + $wgOut-wrapWikiMsg( div id='mw-userjsyoucanpreview'\n$1\n/div, array( 'userjsyoucanpreview' ) ); + } + } + } ++ } ++ } + + if ( $this-mTitle-getNamespace() != NS_MEDIAWIKI $this-mTitle-isProtected( 'edit' ) ) { + # Is the title semi-protected? 
+diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/Html.php mediawiki-1.19.24/includes/Html.php +--- mediawiki-1.19.23/includes/Html.php 2015-03-31 13:24:03.0 + mediawiki-1.19.24/includes/Html.php 2015-03-31 13:23:38.0 + +@@ -525,17 +525,20 @@ + } else { + # Apparently we need to entity-encode \n, \r, \t, although the + # spec doesn't mention that. Since we're doing strtr() anyway, +-# and we don't need escaped here, we may as well not call +-# htmlspecialchars(). ++# we may as well not call htmlspecialchars(). + # @todo FIXME: Verify that we actually need to + # escape \n\r\t here, and explain why, exactly. + # + # We could call Sanitizer::encodeAttribute() for this, but we + # don't because we're stubborn and like our marginal savings on + # byte size from not having to encode unnecessary quotes. ++# The only difference between this transform and the one by ++# Sanitizer::encodeAttribute() is '' is only
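Review bot: the upstream diff embedded in security_1.19.24.patch was generated with diff -Nruw between 1.19.23 and 1.19.24, so whitespace-only changes are dropped; in the EditPage.php hunk the lines that end up inside the new isSubpageOf() wrapper appear as unchanged context, which makes the added closing braces hard to match by eye, and the context may not agree byte for byte with the 1.19.20+dfsg tree. Regenerating the patch without -w, or confirming that it applies with no fuzz or offsets on top of the existing series, would make this security change easier to audit.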
Bug#781249: unblock (pre-approval): openconnect/6.00-2
On Sat, Mar 28, 2015 at 16:21:11 -0400, Mike Miller wrote:
> On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote:
> > Ack, please go ahead.
>
> Uploaded, thanks.

Ping, openconnect is ready to migrate to testing, can it be unblocked?

Thanks,

-- mike
Bug#782146: unblock: mailman/1:2.1.18-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mailman. The diff is a security fix for CVE-2015-2775. unblock mailman/1:2.1.18-2 Thanks, Thijs diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog --- mailman-2.1.18/debian/changelog 2014-07-10 18:01:59.0 + +++ mailman-2.1.18/debian/changelog 2015-04-06 15:37:32.0 + @@ -1,3 +1,13 @@ +mailman (1:2.1.18-2) unstable; urgency=high + + * Fix security issue: path traversal through local_part. +Affects installations which use an Exim or Postfix transport +instead of fixed aliases; attacker needs to be able to place +files on the local filesystem. +(CVE-2015-2775, Closes: 781626) + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 15:36:15 + + mailman (1:2.1.18-1) unstable; urgency=medium * New upstream release. diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config --- mailman-2.1.18/debian/config 2012-06-16 09:50:23.0 + +++ mailman-2.1.18/debian/config 2015-04-06 15:30:32.0 + @@ -1,5 +1,5 @@ #! /bin/sh -e -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $ # $Id: config 693 2011-10-08 15:30:38Z thijs $ . /usr/share/debconf/confmodule diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control --- mailman-2.1.18/debian/control 2014-07-10 18:19:25.0 + +++ mailman-2.1.18/debian/control 2015-04-06 15:30:32.0 + 
@@ -4,7 +4,6 @@ Maintainer: Mailman for Debian pkg-mailman-hack...@lists.alioth.debian.org Uploaders: Lionel Elie Mamane lmam...@debian.org, Thijs Kinkhorst th...@debian.org, - Thorsten Glaser t...@mirbsd.de, Hector Garcia hec...@debian.org Build-Depends: debhelper (= 7), autoconf, python-dev (= 2.6.6-3~), gettext, python-dnspython Standards-Version: 3.9.5 diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch --- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 1970-01-01 00:00:00.0 + +++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 2015-04-06 15:44:18.0 + 
@@ -0,0 +1,34 @@ +From: Mark Sapiro m...@msapiro.net +Subject: Fix path traversal through local_part (CVE-2015-2775) +Origin: upstream, https://launchpadlibrarian.net/201407944/p +Bug: https://bugs.launchpad.net/mailman/+bug/1437145 +Bug-Debian: http://bugs.debian.org/781626 + +diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in +--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.0 + mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.0 + +@@ -138,7 +138,7 @@ + + # A Python regular expression character class which defines the characters + # allowed in list names. Lists cannot be created with names containing any +-# character that doesn't match this class. ++# character that doesn't match this class. Do not include '/' in this list. + ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' + + +diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py +--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.0 + mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.0 + +@@ -99,6 +99,12 @@ + # + # The former two are for 2.1alpha3 and beyond, while the latter two are + # for all earlier versions. ++# ++# But first ensure the list name doesn't contain a path traversal ++# attack. ++if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) 0: ++syslog('mischief', 'Hostile listname: %s', listname) ++return False + basepath = Site.get_listpath(listname) + for ext in ('.pck', '.pck.last', '.db', '.db.last'): + dbfile = os.path.join(basepath, 'config' + ext) diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series --- mailman-2.1.18/debian/patches/series 2014-07-10 17:59:41.0 + +++ mailman-2.1.18/debian/patches/series 2015-04-06 15:36:11.0 + 
@@ -10,3 +10,4 @@ 79_archiver_slash.patch 90_gettext_errors.patch 91_utf8.patch +92_CVE-2015-2775.patch diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst --- mailman-2.1.18/debian/postinst 2012-06-16 09:50:23.0 + +++ mailman-2.1.18/debian/postinst 2015-04-06 15:30:32.0 + @@ -7,7 +7,7 @@ # Other modifications 2004-2007 by other maintainers of the Debian package: # Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ... # -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $ # $Id: postinst 693 2011-10-08 15:30:38Z thijs $ # . /usr/share/debconf/confmodule diff -Nru
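Review bot: the new guard in the Mailman/Utils.py hunk takes its safety entirely from the site-configurable mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, and the only thing keeping a local override from disabling it is the Defaults.py.in comment "Do not include '/' in this list". An unconditional rejection of the path separator in listname, placed ahead of the regex test, would keep the traversal fix independent of configuration. The default class also contains '.', so names made up only of dots pass the filter and still reach Site.get_listpath(); rejecting those explicitly in the same place would be cheap.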
Bug#782128: marked as done (unblock: ruby-kramdown/1.4.2-2)
Your message dated Wed, 08 Apr 2015 16:56:33 +0200 with message-id 552541a1.6020...@thykier.net and subject line Re: Bug#782128: unblock: ruby-kramdown/1.4.2-2 has caused the Debian Bug report #782128, regarding unblock: ruby-kramdown/1.4.2-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782128 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, Please unblock ruby-kramdown 1.4.2-2 which fixes RC bug #774661. (This was only discovered to be RC during the current team sprint, sorry for that.) Full debdiff: diff -Nru ruby-kramdown-1.4.2/debian/changelog ruby-kramdown-1.4.2/debian/changelog --- ruby-kramdown-1.4.2/debian/changelog2014-09-29 23:33:37.0 +0200 +++ ruby-kramdown-1.4.2/debian/changelog2015-04-08 10:59:01.0 +0200 @@ -1,3 +1,10 @@ +ruby-kramdown (1.4.2-2) unstable; urgency=medium + + * Team upload. + * Install missing data files (Closes: #774661) + + -- Christian Hofstaedtler z...@debian.org Wed, 08 Apr 2015 10:56:27 +0200 + ruby-kramdown (1.4.2-1) unstable; urgency=medium * Team upload diff -Nru ruby-kramdown-1.4.2/debian/ruby-kramdown.install ruby-kramdown-1.4.2/debian/ruby-kramdown.install --- ruby-kramdown-1.4.2/debian/ruby-kramdown.install1970-01-01 01:00:00.0 +0100 +++ ruby-kramdown-1.4.2/debian/ruby-kramdown.install2015-04-08 10:54:49.0 +0200 
@@ -0,0 +1 @@ +data/kramdown usr/share Thanks, Christian unblock ruby-kramdown/1.4.2-2 ---End Message--- ---BeginMessage--- On 2015-04-08 11:14, Christian Hofstaedtler wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, Please unblock ruby-kramdown 1.4.2-2 which fixes RC bug #774661. (This was only discovered to be RC during the current team sprint, sorry for that.) Full debdiff: [...] Thanks, Christian unblock ruby-kramdown/1.4.2-2 Unblocked, thanks. ~Niels---End Message---
Bug#781249: marked as done (unblock (pre-approval): openconnect/6.00-2)
Your message dated Wed, 08 Apr 2015 16:55:35 +0200 with message-id 55254167.9090...@thykier.net and subject line Re: Bug#781249: unblock (pre-approval): openconnect/6.00-2 has caused the Debian Bug report #781249, regarding unblock (pre-approval): openconnect/6.00-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 781249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781249 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, I would like to upload openconnect 6.00-2 for jessie, via unstable, which applies a minimally invasive upstream patch to fix #781240. This bug makes 6.00-1 currently in jessie unusable for certain classes of users. It's currently marked severity important, but I think it could be considered borderline serious. The debdiff for the proposed upload is included inline below. Please consider allowing this into jessie. Thanks for all your hard work, -- mike diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog --- openconnect-6.00/debian/changelog 2014-07-08 22:33:35.0 -0400 +++ openconnect-6.00/debian/changelog 2015-03-26 08:34:15.0 -0400 
@@ -1,3 +1,10 @@ +openconnect (6.00-2) unstable; urgency=medium + + * 01_fix-double-free.patch: Fix double free when PKCS#11 token does +not include CA certs. (Closes: #781240) + + -- Mike Miller mtmil...@debian.org Thu, 26 Mar 2015 08:34:14 -0400 + openconnect (6.00-1) unstable; urgency=medium * New upstream release, upload to unstable. diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch --- openconnect-6.00/debian/patches/01_fix-double-free.patch1969-12-31 19:00:00.0 -0500 +++ openconnect-6.00/debian/patches/01_fix-double-free.patch2015-03-26 08:29:53.0 -0400 
@@ -0,0 +1,39 @@ +From: Paul Donohue g...@paulsd.com +Subject: Fix invalid/double free if PKCS#11 token does not include CA certs +Origin: upstream, http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd +Bug-Debian: https://bugs.debian.org/781240 + +Fix invalid/double free if PKCS#11 token does not include CA certs + +Commit b06b862f5 (Include supporting certificates from PKCS#11 tokens) +calls gnutls_free() on an invalid 't.data' value if +gnutls_pkcs11_get_raw_issuer() returns an error, and calls +gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import() +returns an error. + +If the Issuer cert is not available on the PKCS#11 token, +then gnutls_pkcs11_get_raw_issuer() fails and the call to +gnutls_free(t.data) causes libc to print the following message then +kill the process: +--- a/gnutls.c b/gnutls.c +@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc + err = gnutls_x509_crt_import(issuer, t, GNUTLS_X509_FMT_DER); + if (err) + gnutls_x509_crt_deinit(issuer); ++ else ++ free_issuer = 1; + } ++ gnutls_free(t.data); + } + if (err) { + vpn_progress(vpninfo, PRG_ERR, +@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc + vpn_progress(vpninfo, PRG_ERR, +_(Got next CA '%s' from PKCS11\n), name); + } +- free_issuer = 1; +- gnutls_free(t.data); + } + #endif + if (err) diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series --- openconnect-6.00/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ openconnect-6.00/debian/patches/series 2015-03-26 08:19:55.0 -0400 @@ -0,0 +1 @@ +01_fix-double-free.patch ---End Message--- ---BeginMessage--- On 2015-04-08 15:24, Mike Miller wrote: On Sat, Mar 28, 2015 at 16:21:11 -0400, Mike Miller wrote: On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote: Ack, please go ahead. Uploaded, thanks. Ping, openconnect is ready to migrate to testing, can it be unblocked?
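Review bot: on the gnutls_x509_crt_import() failure path in load_certificate(), issuer is deinitialised but keeps its old value, so later cleanup is correct only as long as every consumer checks free_issuer; resetting issuer to NULL next to the gnutls_x509_crt_deinit(issuer) call would make a repeat of this double free harder to reintroduce. Separately, the description in 01_fix-double-free.patch ends with "causes libc to print the following message then kill the process:" and goes straight into the diff, so the message it announces is missing; either restore it or drop the dangling sentence.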
Bug#782147: marked as done (unblock: mediawiki/1:1.19.20+dfsg-2.3)
Your message dated Wed, 08 Apr 2015 17:08:41 +0200 with message-id 55254479.9060...@thykier.net and subject line Re: Bug#782147: unblock: mediawiki/1:1.19.20+dfsg-2.3 has caused the Debian Bug report #782147, regarding unblock: mediawiki/1:1.19.20+dfsg-2.3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782147: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782147 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mediawiki. The only change is an addition of an upstream patch for this release branch which fixes a number of security issues. unblock mediawiki/1:1.19.20+dfsg-2.3 Thanks, Thijs diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog --- mediawiki-1.19.20+dfsg/debian/changelog 2014-12-21 12:11:10.0 + +++ mediawiki-1.19.20+dfsg/debian/changelog 2015-04-06 16:55:57.0 + 
@@ -1,3 +1,21 @@ +mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high + + * Non-maintainer upload. + * Add patch fixing several security issues: +- (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that + contain XML entities, to prevent various DoS attacks. +- (bug T88310) SECURITY: Always expand xml entities when checking + SVG's. +- (bug T73394) SECURITY: Escape in Html::expandAttributes to + prevent XSS. +- (bug T85855) SECURITY: Don't execute another user's CSS or JS + on preview. +- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues + fixed in SVG filtering to prevent XSS and protect viewer's + privacy. + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 16:53:54 + + mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch --- mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch 1970-01-01 00:00:00.0 + +++ mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch 2015-04-06 17:03:41.0 + 
@@ -0,0 +1,636 @@ +From: Mediawiki +Subject: Fix security issues as fixed in upstream security fix release 1.19.24: +(bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. +(bug T88310) SECURITY: Always expand xml entities when checking SVG's. +(bug T73394) SECURITY: Escape in Html::expandAttributes to prevent XSS. +(bug T85855) SECURITY: Don't execute another user's CSS or JS on preview. +(bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. +Origin: upstream, https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html + +diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/EditPage.php mediawiki-1.19.24/includes/EditPage.php +--- mediawiki-1.19.23/includes/EditPage.php 2015-03-31 13:24:03.0 + mediawiki-1.19.24/includes/EditPage.php 2015-03-31 13:23:38.0 + +@@ -1988,14 +1988,19 @@ + if ( $this-isWrongCaseCssJsPage ) { + $wgOut-wrapWikiMsg( div class='error' id='mw-userinvalidcssjstitle'\n$1\n/div, array( 'userinvalidcssjstitle', $this-mTitle-getSkinFromCssJsSubpage() ) ); + } ++if ( $this-getTitle()-isSubpageOf( $wgUser-getUserPage() ) ) { + if ( $this-formtype !== 'preview' ) { +- if ( $this-isCssSubpage ) ++ if ( $this-isCssSubpage ) { + $wgOut-wrapWikiMsg( div id='mw-usercssyoucanpreview'\n$1\n/div, array( 'usercssyoucanpreview' ) ); +- if ( $this-isJsSubpage ) ++ } ++ ++ if ( $this-isJsSubpage ) { + $wgOut-wrapWikiMsg( div id='mw-userjsyoucanpreview'\n$1\n/div, array( 'userjsyoucanpreview' ) ); + } + } + } ++ } ++ } + + if ( $this-mTitle-getNamespace() != NS_MEDIAWIKI $this-mTitle-isProtected( 'edit' ) ) { + # Is the title semi-protected? 
+diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/Html.php mediawiki-1.19.24/includes/Html.php +--- mediawiki-1.19.23/includes/Html.php 2015-03-31
Processed: Re: Bug#782072: unblock: flash-kernel/3.35
Processing control commands:

tag -1 d-i confirmed
Bug #782072 [release.debian.org] unblock: flash-kernel/3.35
Added tag(s) d-i and confirmed.

--
782072: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782072
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#782072: unblock: flash-kernel/3.35
Control: tag -1 d-i confirmed Karsten Merker mer...@debian.org (2015-04-07): Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package flash-kernel (both deb and udeb). We have received a report on debian-arm (see https://lists.debian.org/debian-arm/2015/04/msg00016.html and bug #782016) that running d-i on a Cubox-i4pro (armhf system) worked without problems on a serial console, but that the installed system did not appear to come up. The source of the problem was that the boot script which is installed by flash-kernel into the final system on Cubox hardware does not pass the u-boot console variable to the kernel, so the kernel actually boots, but the user has no way to interact with it. The boot script used by the installer itself passes the console variable, which is why running the installer worked without problems. Checking the other boot scripts used by flash-kernel showed that the boot script for the Wandboard has the same issue, therefore bootscr.cubox-i and bootscr.wandboard have been amended to pass the u-boot console variable to the kernel. The changes have been tested on the Cubox-i4pro (by Rick Thomas, the original reporter) and on the Wandboard (by Vagrant Cascadian). While Vagrant was doing tests on different Wandboard models, we found that the flash-kernel machine database has an entry for the Wandboard Quad, but not for the Wandboard Solo/Dual Lite (same baseboard, but using a stripped-down single/dual-core variant of the i.MX6 SoC). Vagrant has supplied an appropriate machine stanza (which covers both the Solo and the Dual Lite) and I have included it. As the machine db entry does not influence any existing code, I consider this addition suitable for Jessie despite the freeze. That certainly looks like useful things to have in Jessie, so I'm happy to d-i-ack them with the above-set tags. Mraw, KiBi.
Bug#782158: unblock: xen/4.4.1-9
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock xen/4.4.1-9. It fixes four security bugs. xen (4.4.1-9) unstable; urgency=high * Explicitly disable graphics for qemu. (closes: #780975) CVE-2015-2152 * Update fix for insufficient permissions checks on arm. CVE-2014-3969 * Break apart long latenty MMIO operations. (closes: #781620) CVE-2015-2752 * Disallow certain domain control operations. (closes: #781620) CVE-2015-2751 unblock xen/4.4.1-9 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Re: Bug#780056: network-manager: fails to restore DNS settings and default route on resume
Hi maintainers of package network-manager, I have had no human reply to my bug report for a month, so I just wanted to remind you that I am still waiting for it. My bug is still reliably reproducible, and I wonder whether it qualifies as release critical for Jessie. I really need more instructions on how to proceed with debugging. Cheers, Micha
Bug#782158: marked as done (unblock: xen/4.4.1-9)
Your message dated Wed, 08 Apr 2015 20:17:42 +0200 with message-id 552570c6.7010...@thykier.net and subject line Re: Bug#782158: unblock: xen/4.4.1-9 has caused the Debian Bug report #782158, regarding unblock: xen/4.4.1-9 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782158: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782158 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock xen/4.4.1-9. It fixes four security bugs. xen (4.4.1-9) unstable; urgency=high * Explicitly disable graphics for qemu. (closes: #780975) CVE-2015-2152 * Update fix for insufficient permissions checks on arm. CVE-2014-3969 * Break apart long latenty MMIO operations. (closes: #781620) CVE-2015-2752 * Disallow certain domain control operations. (closes: #781620) CVE-2015-2751 unblock xen/4.4.1-9 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) ---End Message--- ---BeginMessage--- On 2015-04-08 19:26, Bastian Blank wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock xen/4.4.1-9. It fixes four security bugs. xen (4.4.1-9) unstable; urgency=high * Explicitly disable graphics for qemu. 
(closes: #780975) CVE-2015-2152 * Update fix for insufficient permissions checks on arm. CVE-2014-3969 * Break apart long latenty MMIO operations. (closes: #781620) CVE-2015-2752 * Disallow certain domain control operations. (closes: #781620) CVE-2015-2751 unblock xen/4.4.1-9 [...] Unblocked, thanks. ~Niels---End Message---
Bug#782072: marked as done (unblock: flash-kernel/3.35)
Your message dated Wed, 08 Apr 2015 21:30:59 +0200 with message-id 552581f3.4010...@thykier.net and subject line Re: Bug#782072: unblock: flash-kernel/3.35 has caused the Debian Bug report #782072, regarding unblock: flash-kernel/3.35 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782072: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782072 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package flash-kernel (both deb and udeb). We have received a report on debian-arm (see https://lists.debian.org/debian-arm/2015/04/msg00016.html and bug #782016) that running d-i on a Cubox-i4pro (armhf system) worked without problems on a serial console, but that the installed system did not appear to come up. The source of the problem was that the boot script which is installed by flash-kernel into the final system on Cubox hardware does not pass the u-boot console variable to the kernel, so the kernel actually boots, but the user has no way to interact with it. The boot script used by the installer itself passes the console variable, which is why running the installer worked without problems. Checking the other boot scripts used by flash-kernel showed that the boot script for the Wandboard has the same issue, therefore bootscr.cubox-i and bootscr.wandboard have been amended to pass the u-boot console variable to the kernel. 
The changes have been tested on the Cubox-i4pro (by Rick Thomas, the original reporter) and on the Wandboard (by Vagrant Cascadian). While Vagrant was doing tests on different Wandboard models, we found that the flash-kernel machine database has an entry for the Wandboard Quad, but not for the Wandboard Solo/Dual Lite (same baseboard, but using a stripped-down single/dual-core variant of the i.MX6 SoC). Vagrant has supplied an appropriate machine stanza (which covers both the Solo and the Dual Lite) and I have included it. As the machine db entry does not influence any existing code, I consider this addition suitable for Jessie despite the freeze. Following is the debdiff between flash-kernel 3.34 and 3.35: diff -Nru flash-kernel-3.34/bootscript/bootscr.cubox-i flash-kernel-3.35/bootscript/bootscr.cubox-i --- flash-kernel-3.34/bootscript/bootscr.cubox-i2015-03-26 22:37:26.0 +0100 +++ flash-kernel-3.35/bootscript/bootscr.cubox-i2015-04-06 15:34:11.0 +0200 @@ -2,6 +2,15 @@ setenv device mmc setenv partition ${mmcdev}:${mmcpart} + +if test ${console} = ttymxc0 test -n ${baudrate}; then + setenv console ${console},${baudrate} +fi + +if test -n ${console}; then + setenv bootargs ${bootargs} console=${console} +fi + setenv bootargs ${bootargs} @@LINUX_KERNEL_CMDLINE@@ image_locations='/boot/ /' diff -Nru flash-kernel-3.34/bootscript/bootscr.wandboard flash-kernel-3.35/bootscript/bootscr.wandboard --- flash-kernel-3.34/bootscript/bootscr.wandboard 2015-03-26 22:37:26.0 +0100 +++ flash-kernel-3.35/bootscript/bootscr.wandboard 2015-04-06 15:34:11.0 +0200 
@@ -5,6 +5,15 @@ if test -z ${ramdiskaddr} ; then setenv ramdiskaddr 0x1300 fi + +if test ${console} = ttymxc0 test -n ${baudrate}; then + setenv console ${console},${baudrate} +fi + +if test -n ${console}; then + setenv bootargs ${bootargs} console=${console} +fi + setenv bootargs ${bootargs} @@LINUX_KERNEL_CMDLINE@@ image_locations='/boot/ /' diff -Nru flash-kernel-3.34/db/all.db flash-kernel-3.35/db/all.db --- flash-kernel-3.34/db/all.db 2015-03-26 22:37:26.0 +0100 +++ flash-kernel-3.35/db/all.db 2015-04-07 00:19:51.0 +0200 @@ -614,6 +614,13 @@ Android-Boot-Device: /dev/mmcblk0 Required-Packages: abootimg +Machine: Wandboard i.MX6 Dual Lite Board +Kernel-Flavors: armmp +DTB-Id: imx6dl-wandboard.dtb +Boot-Script-Path: /boot/boot.scr +U-Boot-Script-Name: bootscr.wandboard +Required-Packages: u-boot-tools + Machine: Wandboard i.MX6 Quad Board Kernel-Flavors: armmp DTB-Id: imx6q-wandboard.dtb diff -Nru flash-kernel-3.34/debian/changelog flash-kernel-3.35/debian/changelog --- flash-kernel-3.34/debian/changelog 2015-03-26 22:37:26.0 +0100 +++ flash-kernel-3.35/debian/changelog 2015-04-07 00:33:25.0 +0200 @@ -1,3 +1,15 @@ +flash-kernel (3.35) unstable; urgency=medium + + * Team upload. + + [ Karsten Merker ] + * Pass the u-boot console variable to the kernel in bootscr.cubox-i +and bootscr.wandboard. (Closes: #782016) + * Add a machine db entry for the Wandboard Dual
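Review bot: In the bootscript/bootscr.cubox-i hunk, console=${console} is appended to bootargs before the @@LINUX_KERNEL_CMDLINE@@ line, so a console= setting in the configured kernel command line ends up last, and the kernel uses the last console= it is given as /dev/console. If that precedence is intended, say so in a comment above the block; if the u-boot console should win, append it after the substitution instead. As the first condition is rendered here, the two test expressions have no operator between them and the variables are unquoted; check that the shipped script joins them with && and quotes ${console} and ${baudrate}, so that an unset variable does not turn into a malformed test.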
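Review bot: The block added in the bootscript/bootscr.wandboard hunk is a line-for-line copy of the one added to bootscr.cubox-i, including the hard-coded ttymxc0 comparison, and neither copy says why the baud rate is appended for that console name only. Add a short comment giving the reason and noting that the two scripts carry the same block, so a later fix to one is not forgotten in the other.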
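Review bot: The stanza added in the db/all.db hunk is named only "Wandboard i.MX6 Dual Lite Board" and points at imx6dl-wandboard.dtb, while the request says it is meant to cover both the Solo and the Dual Lite. Nothing in the stanza, or in the changelog entry as far as it is visible here, records that the Solo is matched by this Machine string. Please add a comment in the db or a changelog line saying so; otherwise a later reader will assume the Solo is unsupported and add a duplicate entry.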
Bug#782165: wheezy-pu: package debootstrap/1.0.48+deb7u3
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hello release people, finally time to get some stable updates… Here's the bug report I'd like to address in wheezy: “debootstrap: host's /run/shm gets unmounted after debootstrap run” (https://bugs.debian.org/753442). I'll have to check it inside a VM soon-ish (because I don't seem to have any hosts running wheezy at the moment), but given the change that got backported and the fact we've had the fix in testing, and in backports for quite a while, I don't seem to have so many doubts about it. Here's the changelog, full patch attached. | debootstrap (1.0.48+deb7u3) wheezy; urgency=medium | | [ Colin Watson ] | * Resolve mount point symlinks relative to the target chroot before | unmounting them (closes: #702861, #703037, #704744, #753442). | | -- Cyril Brulebois k...@debian.org Wed, 08 Apr 2015 21:41:26 +0200 Thanks for your time. Mraw, KiBi. diff -Nru debootstrap-1.0.48+deb7u2/debian/changelog debootstrap-1.0.48+deb7u3/debian/changelog --- debootstrap-1.0.48+deb7u2/debian/changelog 2014-11-07 13:56:39.0 +0100 +++ debootstrap-1.0.48+deb7u3/debian/changelog 2015-04-08 21:45:22.0 +0200 @@ -1,3 +1,11 @@ +debootstrap (1.0.48+deb7u3) wheezy; urgency=medium + + [ Colin Watson ] + * Resolve mount point symlinks relative to the target chroot before +unmounting them (closes: #702861, #703037, #704744, #753442). + + -- Cyril Brulebois k...@debian.org Wed, 08 Apr 2015 21:41:26 +0200 + debootstrap (1.0.48+deb7u2) wheezy; urgency=low [ Cyril Brulebois ] diff -Nru debootstrap-1.0.48+deb7u2/functions debootstrap-1.0.48+deb7u3/functions --- debootstrap-1.0.48+deb7u2/functions 2014-10-23 17:32:52.0 +0200 +++ debootstrap-1.0.48+deb7u3/functions 2015-04-08 21:40:31.0 +0200 
@@ -953,8 +953,11 @@ UMOUNT_DIRS= umount_exit_function () { + local realdir for dir in $UMOUNT_DIRS; do - ( cd / ; umount $TARGET/${dir#/} ) || true + realdir=$(in_target_nofail readlink -f $dir) + [ $realdir ] || continue + ( cd / ; umount $TARGET/${realdir#/} ) || true done }
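Review bot: In the umount_exit_function hunk of functions, "[ $realdir ] || continue" silently skips the unmount whenever "in_target_nofail readlink -f" returns nothing, for example when the run fails before readlink is usable inside the target, and the mount is then left behind without any message. Skipping is the safe choice, since unmounting the unresolved path is the behaviour this patch removes, but a warning naming $dir would make the leftover mount visible to the operator. As rendered here, $dir and $realdir are unquoted in the readlink call, the test and the umount; quote them so a path containing whitespace cannot split into extra arguments.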
Bug#782115: marked as done (unblock: whois/5.2.7)
Your message dated Wed, 08 Apr 2015 21:00:44 +0100 with message-id 1428523244.7798.13.ca...@adam-barratt.org.uk and subject line Re: Bug#782115: unblock: whois/5.2.7 has caused the Debian Bug report #782115, regarding unblock: whois/5.2.7 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782115: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782115 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package whois. Some data updates which significantly improve detection of disclaimer strings and a little tweak to the state machine to support them. The mkpasswd.c bug fix is not relevant on Linux. Full history at https://github.com/rfc1036/whois/commits . diff -Nru whois-5.2.5/data.h whois-5.2.7/data.h --- whois-5.2.5/data.h 2015-01-09 03:49:00.0 +0100 +++ whois-5.2.7/data.h 2015-03-25 23:04:07.0 +0100 @@ -1,8 +1,6 @@ /* * RIPE-like servers. * All of them do not understand -V2.0Md with the exception of RA and RIPN. - * 6bone-derived servers will accept the flag with a warning (the flag must - * match /^V [a-zA-Z]{1,4}\d+[\d\.]{0,5}$/). */ /* servers which accept the new syntax (-V XXn.n) */ 
@@ -24,31 +22,28 @@ }; const char *hide_strings[] = { -NOTICE AND TERMS OF USE: You, ,/* NetSol */ -NOTICE: The expiration date, reserves the right, /* crsnic */ -The data in Register, ,/* Register.Com */ -The Data in the Tucows, RECORD DOES NOT, -The information in this whois database, , /* DOTSTER */ -This whois service currently only, top-level domains., /* NameSecure */ -The Data in Gabia, you agree to abide, -The data contained in GoDaddy.com, is not the registrant, -Disclaimer: The Global Name Registry, for any commercial, -Access to America Online, time. By accessing, /* AOL */ -# Access and use restricted, , /* GANDI */ -% The data in the WHOIS database of 11 Internet, , -The data in this whois database is, NULL, /* enom, activeregistrar.com */ -The Data in Moniker's WHOIS database, of Moniker., -The Data in OnlineNIC, By starting this query, -Interdomain's WHOIS, DOES NOT SIGNIFY, -The Data provided by Stargate Holdings, (2) enable any, -; This data is provided by domaindiscount24.com, , -%% NOTICE: Access to this information is provided, %% By submitting, /* bookmyname.com */ -% NOTICE: Access to the domains information, % this query, /* CORE */ -The Data in MarkMonitor.com's, --, /* MarkMonitor */ +The data in Networksolutions.com's WHOIS database, NULL, +/* Some registrars like .wang copied the first paragraph of this + * disclaimer, so the detection here needs to be split in two parts. 
*/ +NOTICE: The expiration date, , /* crsnic */ +TERMS OF USE: You are not authorized, reserves the right, /* crsnic */ +The data in Register.com's WHOIS database, NULL, +The Data in the Tucows Registrar WHOIS database, NULL, +The data in NameSecure.com's WHOIS database, NULL, +The Data in Gabia's WHOIS database, NULL, +The data contained in GoDaddy.com, NULL, +Personal data access and use are governed by French, NULL, /* GANDI */ +The data in this whois database is provided to you, NULL,/* enom */ +; Please register your domains at; http://www.;, NULL, /* key-systems.net */ +%% NOTICE: Access to this information is provided, NULL, /* bookmyname.com */ +% NOTICE: Access to the domains information, NULL, /* CORE */ +The Data in MarkMonitor.com's, NULL, /* MarkMonitor */ Corporation Service Company(c) (CSC) The Trusted Partner, Register your domain name at, /* CSC */ -The data in Networksolutions.com's, By submitting this query, /* Networksolutions */ -% Copyright (c)2003 by Deutsche Telekom AG, % DOMAIN full, /* Deutsche Telekom */ -# Welcome to the OVH WHOIS Server, # soumettant une, /* ovh */ +The data in Networksolutions.com's, NULL,/* Networksolutions */ +# Welcome to the OVH WHOIS Server, , /* ovh */ +TERMS OF USE OF MELBOURNE IT WHOIS DATABASE, NULL, +The data contained in this Registrar's Whois, NULL, /* wildwestdomains.com */ +The data in the FastDomain Inc. WHOIS database, NULL, /* gTLDs */ Access to .AERO WHOIS information, , @@ -56,13 +51,13 @@ The .coop registry WHOIS, VERIFICATION, NOR DO,
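Review bot: In the hide_strings hunk of data.h, most entries switch their second field from an explicit end string to NULL while a few keep an empty field or an end string, and no comment in the visible lines says what each of the three forms means to the state machine. Please document that above the array. The hunk also adds both "The data in Networksolutions.com's WHOIS database" and the shorter "The data in Networksolutions.com's", each with NULL; if entries are matched by prefix, the shorter one already covers the longer, so one of them can go or the ordering needs a comment.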
Bug#781829: wheezy-pu: package dpkg/1.16.16
On Wed, 2015-04-08 at 19:23 +0200, Guillem Jover wrote: Hi! On Sat, 2015-04-04 at 08:58:01 +0100, Adam D. Barratt wrote: Control: tags -1 -moreinfo +confirmed As far as I can see, the fixes all look okay to me (and assuming they've been tested on a wheezy system). Thanks. Although, sorry, I've realized I had forgotten about two other fixes. Are the attached patches fine to include too? They have been in unstable/jessie for a while (and approved for jessie while frozen). Those look okay too, assuming that the structs aren't used outside of dpkg itself. Regards, Adam
Bug#782144: marked as done (unblock: sysvinit/2.88dsf-59)
Your message dated Wed, 08 Apr 2015 21:02:20 +0100 with message-id 1428523340.7798.15.ca...@adam-barratt.org.uk and subject line Re: Bug#782144: unblock: sysvinit/2.88dsf-59 has caused the Debian Bug report #782144, regarding unblock: sysvinit/2.88dsf-59 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782144: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782144 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package sysvinit As shown in the bugs referenced in the changelog, there are cases where an init script can be installed, but systemd ends up unaware of it until after reboot. This is entirely suboptimal, and the fix for this is covered mostly here in this sysvinit change. There is another corner case that's more easily handled by a systemd trigger, and that is covered in an upcoming systemd upload, but both are independent and can happen without the other's involvement. ... Adam diff -Nru sysvinit-2.88dsf/debian/changelog sysvinit-2.88dsf/debian/changelog --- sysvinit-2.88dsf/debian/changelog 2014-11-11 12:34:28.0 -0700 +++ sysvinit-2.88dsf/debian/changelog 2015-04-06 12:10:53.0 -0600 
@@ -1,3 +1,10 @@ +sysvinit (2.88dsf-59) unstable; urgency=medium + + * Call 'systemctl daemon-reload' after any insserv call if systemd +is the system init to pick up changes (Closes: #766429, #774799) + + -- Adam Conrad adcon...@debian.org Mon, 06 Apr 2015 10:44:47 -0600 + sysvinit (2.88dsf-58) unstable; urgency=low * Fix typo in invoke-rc.d breaking upstart installations (Closes: diff -Nru sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d --- sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d2014-10-25 15:15:12.0 -0600 +++ sysvinit-2.88dsf/debian/src/sysv-rc/sbin/update-rc.d2015-04-06 10:43:52.0 -0600 @@ -63,6 +63,12 @@ map { push @dirs, $_; mkdir join('/', @dirs), 0755; } @path; } +sub systemd_reload { +if (-d /run/systemd/system) { +system(systemctl, daemon-reload); +} +} + # Creates the necessary links to enable/disable the service (equivalent of an # initscript) in systemd. sub make_systemd_links { @@ -92,17 +98,9 @@ } else { unlink($service_link) if -e $service_link; } -$changed_sth = 1; } } close($fh); - -# If we changed anything and this machine is running systemd, tell -# systemd to reload so that it will immediately pick up our -# changes. -if ($changed_sth -d /run/systemd/system) { -system(systemctl, daemon-reload); -} } } @@ -182,6 +180,7 @@ remove_last_action($scriptname); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { # insserv removes all dangling symlinks, no need to tell it @@ -191,6 +190,7 @@ remove_last_action($scriptname); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } } elsif (defaults eq $action || start eq $action || @@ -208,6 +208,7 @@ save_last_action($scriptname, @orig_argv); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { error(initscript does not exist: /etc/init.d/$scriptname); 
@@ -224,6 +225,7 @@ save_last_action($scriptname, @orig_argv); } error_code($rc, insserv rejected the script header) if $rc; +systemd_reload; exit $rc; } else { usage(); unblock sysvinit/2.88dsf-59 -- System Information: Debian Release: jessie/sid APT prefers vivid-updates APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-11-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) ---End Message--- ---BeginMessage--- On Wed, 2015-04-08 at 05:41 -0600, Adam Conrad wrote: Please unblock package sysvinit As shown in the bugs referenced in the changelog, there are cases where an init
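Review bot: The systemd_reload sub added in the update-rc.d hunk at -63,6 discards the return value of the systemctl call, so a failed daemon-reload leaves systemd with a stale view of the init scripts while update-rc.d still exits with insserv's status. Check the result and print a warning, without changing the exit code, so the failure shows up in package installation logs.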
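Review bot: The update-rc.d hunk at -92,17 removes the daemon-reload from make_systemd_links, and the replacement calls are added only in the four branches that run insserv and end in "exit $rc". Please confirm that every caller of make_systemd_links reaches one of those branches, since any path that changes the links and returns elsewhere no longer triggers a reload. The same hunk drops the "$changed_sth = 1" assignment and its only visible use; remove the variable's declaration too if it is now unused.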
Bug#782064: marked as done (unblock: virt-manager/1:1.0.1-5)
Your message dated Wed, 08 Apr 2015 22:36:57 +0200 with message-id 55259169.5010...@thykier.net and subject line Re: Bug#782064: unblock: virt-manager/1:1.0.1-5 has caused the Debian Bug report #782064, regarding unblock: virt-manager/1:1.0.1-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 782064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782064 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package virt-manager This fixes these issues: * Make sure we don't use incompatible VTE versions (#781127) * virtinst: only depend on QEMU utils. When merging virtinst with virt-manager this got broken again. (Closes #644196 again) * Also ship virt-xml. A simple python script to validate libvirt XML. (#775399). Another victim of the virtinst - virt-manager merger in early 2014. The debdiff is attached. Cheers, -- Guido unblock virt-manager/1:1.0.1-5 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-rc6 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/debian/changelog b/debian/changelog index c0bb905..e258a47 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,13 @@ +virt-manager (1:1.0.1-5) unstable; urgency=medium + + * [b58bb6a] Add virt-xml (Closes: #775399) + * [44b9a97] Switch qemu recommendation to qemu-utils. We only need the +command line tools. + * [5eabe1d] Make sure we use a binary compatible version of vte. Thanks to +Vincent Danjean for the detailed report (Closes: #781127) + + -- Guido Günther a...@sigxcpu.org Wed, 25 Mar 2015 15:09:09 +0100 + virt-manager (1:1.0.1-4) unstable; urgency=medium * [8b6f491] Drop Gtk2 only python-spice-client-gtk diff --git a/debian/control b/debian/control index e4d2afd..1c0ef5a 100644 --- a/debian/control +++ b/debian/control @@ -47,7 +47,7 @@ Package: virtinst Architecture: all Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-libvirt (= 0.4.6), python-libxml2, python-urlgrabber -Recommends: virt-viewer, qemu +Recommends: virt-viewer, qemu-utils Description: Programs to create and clone virtual machines Virtinst is a set of commandline tools to create virtual machines using libvirt: diff --git a/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch b/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch new file mode 100644 index 000..2d047b8 --- /dev/null +++ b/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch @@ -0,0 +1,22 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= a...@sigxcpu.org +Date: Wed, 25 Mar 2015 15:00:26 +0100 +Subject: Make sure we use a binary compatible version of vte + +Closes: #781127 +--- + virtManager/serialcon.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/virtManager/serialcon.py b/virtManager/serialcon.py +index 96e3d2f..ef4a394 100644 +--- a/virtManager/serialcon.py b/virtManager/serialcon.py +@@ -29,6 +29,8 @@ import logging + from gi.repository import Gdk + from gi.repository import GLib + from gi.repository import Gtk ++import gi ++gi.require_version('Vte', '2.90') + from gi.repository import Vte + # pylint: enable=E0611 + 
diff --git a/debian/patches/series b/debian/patches/series index 7930bea..79062f3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ Move-GConf-values-to-GSettings.patch fix-removable-drive-support.patch details-Fix-changing-graphics-type-bz-1083903.patch Make-SpiceClientGtk-optional.patch +Make-sure-we-use-a-binary-compatible-version-of-vte.patch diff --git a/debian/virtinst.install b/debian/virtinst.install index e011fbf..c74898c 100644 --- a/debian/virtinst.install +++ b/debian/virtinst.install @@ -2,15 +2,18 @@ usr/bin/virt-clone usr/bin/virt-convert usr/bin/virt-image usr/bin/virt-install +usr/bin/virt-xml usr/share/man/man5/virt-image.5 usr/share/man/man1/virt-install.1 usr/share/man/man1/virt-image.1 usr/share/man/man1/virt-convert.1 usr/share/man/man1/virt-clone.1 +usr/share/man/man1/virt-xml.1 usr/share/virt-manager/virt-clone usr/share/virt-manager/virt-convert usr/share/virt-manager/virt-image usr/share/virt-manager/virt-install +usr/share/virt-manager/virt-xml
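Review bot: In the virtManager/serialcon.py hunk carried by the new debian/patches file, gi.require_version('Vte', '2.90') makes the import fail outright when that typelib version is not installed, and the debian/control hunk in this debdiff changes only the virtinst Recommends line. Please check that virt-manager's Depends names the package providing the Vte 2.90 typelib, so the version pinned in the code and the version guaranteed by the package cannot diverge.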
Re: Removing Jenkins from Jessie
On Wed, 08 Apr 2015 18:17:59 +0200, Niels Thykier wrote: [...] I had a chat with James Page and Emmanuel Bourg about Jenkins over IRC. We concluded that it was infeasible for Debian to maintain Jenkins due to the lack of upstream commitment to a LTS release-cycle of sufficient length to match the length of Jessie[1]. Do you think it is feasible or acceptable to maintain Jenkins in the jessie-updates suite instead? -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. Faith means not wanting to know what is true. -- Nietzsche
Bug#782165: wheezy-pu: package debootstrap/1.0.48+deb7u3
Control: tags -1 + confirmed On Wed, 2015-04-08 at 21:51 +0200, Cyril Brulebois wrote: finally time to get some stable updates… Here's the bug report I'd like to address in wheezy: “debootstrap: host's /run/shm gets unmounted after debootstrap run” (https://bugs.debian.org/753442). I'll have to check it inside a VM soon-ish (because I don't seem to have any hosts running wheezy at the moment), but given the change that got backported and the fact we've had the fix in testing, and in backports for quite a while, I don't seem to have so many doubts about it. Please feel free to go ahead, thanks. Regards, Adam
Processed: Re: Bug#782165: wheezy-pu: package debootstrap/1.0.48+deb7u3
Processing control commands: tags -1 + confirmed Bug #782165 [release.debian.org] wheezy-pu: package debootstrap/1.0.48+deb7u3 Added tag(s) confirmed. -- 782165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782165 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems