NEW changes in stable-new
Processing changes file: ruby2.1_2.1.5-2+deb8u3_mipsel.changes ACCEPT
NEW changes in stable-new
Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_arm64.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_armel.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_armhf.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_i386.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_mips.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_mipsel.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_powerpc.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_ppc64el.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_s390x.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_arm64.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_armel.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_armhf.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_i386.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_mips.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_powerpc.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_ppc64el.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_mipsel.changes ACCEPT
NEW changes in stable-new
Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_arm64.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_armel.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_armhf.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_i386.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_mips.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_powerpc.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_ppc64el.changes ACCEPT Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_s390x.changes ACCEPT
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
On Tue, Jun 07, 2016 at 07:30:33PM +0100, Adam D. Barratt wrote: > > It's on my to-do list to review. > > fwiw there's not been any need to formally acknowledge NMUs via closing > bugs in the changelog since the BTS gained version-tracking some years > ago, so long as the changelog for the subsequent upload incorporates the > stanza from the NMU. OK, I'll wait for you to give me a formal review of things you'd like change, and then I'll re-upload at that time. Thanks, - Ted
NEW changes in stable-new
Processing changes file: expat_2.1.0-6+deb8u3_amd64.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_arm64.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_armel.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_armhf.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_i386.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_mips.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_mipsel.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_powerpc.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_ppc64el.changes ACCEPT Processing changes file: expat_2.1.0-6+deb8u3_s390x.changes ACCEPT Processing changes file: libdevel-declare-perl_0.006017-1+deb8u1_merged.changes ACCEPT Processing changes file: ruby2.1_2.1.5-2+deb8u3_amd64.changes ACCEPT
Bug#825699: jessie-pu: package glibc/2.19-18+deb8u5
On 2016-05-29 17:19, Adam D. Barratt wrote: > Control: tags -1 -moreinfo +confirmed > > On Sun, 2016-05-29 at 17:53 +0200, Aurelien Jarno wrote: > > > Can we get this into jessie-proposed-updates just after the 8.5 release, > > so that it doesn't happen again for 8.6? Most of these changes were > > ready in our git repository for over a month, it's just I didn't got time > > this week to finish preparing the final upload. > > That sounds like a good plan. Now that the 8.5 release is out, I would like to upload glibc version 2.19-18+deb8u5 to jessie-proposed-updates. You will find the diff below, it only differs to the previous one by the addition of the CVE-2016-4429 fix. Regards, Aurelien diff --git a/debian/changelog b/debian/changelog index db98ce0..b619b11 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium + + [ Aurelien Jarno ] + * Update from upstream stable branch: +- Drop debian/patches/any/local-CVE-2015-7547.diff. +- Refresh debian/patches/any/cvs-resolv-first-query-failure.diff. +- Fix assertion failure with unconnectable name server addresses. + (regression introduced by CVE-2015-7547). Closes: #816669. +- Fix *context functions on s390x. +- Fix a buffer overflow in the glob function (CVE-2016-1234). +- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075). +- Fix a stack overflow in getaddrinfo function (CVE-2016-3706). +- Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429). + + -- Aurelien Jarno Sun, 01 May 2016 16:38:48 +0200 + glibc (2.19-18+deb8u4) stable; urgency=medium [ Aurelien Jarno ] diff --git a/debian/patches/any/cvs-resolv-first-query-failure.diff b/debian/patches/any/cvs-resolv-first-query-failure.diff index d99e636..856d850 100644 --- a/debian/patches/any/cvs-resolv-first-query-failure.diff +++ b/debian/patches/any/cvs-resolv-first-query-failure.diff @@ -44,11 +44,11 @@ diff --git a/resolv/res_send.c b/resolv/res_send.c if (recvresp1 || (buf2 != NULL && recvresp2)) { *resplen2 = 0; return resplen; -@@ -1368,7 +1369,6 @@ send_dg(res_state statp, +@@ -1527,7 +1528,6 @@ send_dg(res_state statp, goto wait; } - next_ns: - __res_iclose(statp, false); /* don't retry if called from dig */ if (!statp->pfcode) + return close_and_return_error (statp, resplen2); diff --git a/debian/patches/any/local-CVE-2015-7547.diff b/debian/patches/any/local-CVE-2015-7547.diff deleted file mode 100644 index 0a93cd5..000 --- a/debian/patches/any/local-CVE-2015-7547.diff +++ /dev/null @@ -1,541 +0,0 @@ a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -1052,7 +1052,10 @@ - int h_namelen = 0; - - if (ancount == 0) --return NSS_STATUS_NOTFOUND; -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} - - while (ancount-- > 0 && cp < end_of_message && had_error == 0) - { -@@ -1229,7 +1232,14 @@ - /* Special case here: if the resolver sent a result but it only - contains a CNAME while we are looking for a T_A or T_ record, - we fail with NOTFOUND instead of TRYAGAIN. */ -- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; -+ if (canon != NULL) -+{ -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+} -+ -+ *h_errnop = NETDB_INTERNAL; -+ return NSS_STATUS_TRYAGAIN; - } - - -@@ -1243,11 +1253,101 @@ - - enum nss_status status = NSS_STATUS_NOTFOUND; - -+ /* Combining the NSS status of two distinct queries requires some -+ compromise and attention to symmetry (A or queries can be -+ returned in any order). What follows is a breakdown of how this -+ code is expected to work and why. We discuss only SUCCESS, -+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns -+ that apply (though RETURN and MERGE exist). We make a distinction -+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). -+ A recoverable TRYAGAIN is almost always due to buffer size issues -+ and returns ERANGE in errno and the caller is expected to retry -+ with a larger buffer. -+ -+ Lastly, you may be tempted to make significant changes to the -+ conditions in this code to bring about symmetry between responses. -+ Please don't change anything without due consideration for -+ expected application behaviour. Some of the synthesized responses -+ aren't very well thought out and sometimes appear to imply that -+ IPv4 responses are always answer 1, and IPv6 responses are always -+ answer 2, but that's not true (see the implemetnation of send_dg -+ and send_vc to see response can arrive in any order, particlarly -+ for UDP). Howev
Re: [Stretch] Status for architecture qualification
On 07/06/16 19:38, Martin Michlmayr wrote: * Steve McIntyre [2016-06-06 15:14]: However, I will admit (again) that armel is starting to lose upstream support in some cases. I'm tempted to suggest that Stretch should be the last release for armel for that reason. Which upstream problems do you see? A big concern going forward is C++11 atomics. AIUI (unless something has changed recently) these are unimplemented on armel causing code that uses them to FTBFS. Right now very little code uses them but if a major peice of infrastructure starts using them it could put armel in a very sticky sitution. armv4t doesn't really have good atomic instructions (there is "swp" but it has to be emulated on later architectures and i'm not sure it's enough to support the normal range of operations) . AIUI there are kernel helpers available but it would need someone with good knowlage of the subject to implement the C++11 atomics in terms of the kernel helpers.
Processed: Re: Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Processing control commands: > tags -1 + pending Bug #826348 [release.debian.org] jessie-pu: package ruby2.1/2.1.5-2+deb8u3 Added tag(s) pending. -- 826348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#826622: jessie-pu: package libdevel-declare-perl/0.006017-1+deb8u1
Processing control commands: > tags -1 + pending Bug #826622 [release.debian.org] jessie-pu: package libdevel-declare-perl/0.006017-1+deb8u1 Added tag(s) pending. -- 826622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826622 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826622: jessie-pu: package libdevel-declare-perl/0.006017-1+deb8u1
Control: tags -1 + pending On Tue, 2016-06-07 at 09:11 +0100, Dominic Hargreaves wrote: > As per #826563 the recent perl update broke libdevel-declare-perl. > I've uploaded 0.006017-1+deb8u1 which I recommend is released through > the stable-updates channel. Flagged for acceptance. Regards, Adam
Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Control: tags -1 + pending On Tue, 2016-06-07 at 12:36 +0200, Petter Reinholdtsen wrote: > [Adam D. Barratt] > > Judging from the seecurity tracker, CVE-2015-7551 is fixed in any Ruby > > versions that exist in unstable, so please go ahead. > > Very good. I uploaded the package a few seconds ago. Flagged for acceptance. Regards, Adam
NEW changes in stable-new
Processing changes file: zabbix_2.2.7+dfsg-2+deb8u1_amd64.changes ACCEPT
Processed: Re: Bug#826443: jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1
Processing control commands: > tags -1 + pending Bug #826443 [release.debian.org] jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1 Added tag(s) pending. -- 826443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826443 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826443: jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1
Control: tags -1 + pending On Sun, 2016-06-05 at 17:36 +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2016-06-06 at 01:45 +1000, Dmitry Smirnov wrote: > > I'd like to upload fix for > > > > CVE-2016-4338 / ZBX-10741: mysql.size shell command injection > > in zabbix-agent (Closes: #823329). > > Please go ahead. Uploaded and flagged for acceptance. Regards, Adam
Re: [Stretch] Status for architecture qualification
* Steve McIntyre [2016-06-06 15:14]: > However, I will admit (again) that armel is starting to lose upstream > support in some cases. I'm tempted to suggest that Stretch should be > the last release for armel for that reason. Which upstream problems do you see? And do you know how long ARM/Linaro are planning to support it upstream? I'm torn at the moment. On the one hand, we have a lot of armel users and mainstream armel hardware was sold until fairly recently. On the other hand, assuming LTS jessie will support armel, that might be long enough for the hardware to get mostly (or finally :) obsolete. I definitely think we should make a decision one or the other way and document it appropriately if we intend to drop armel after stretch. -- Martin Michlmayr http://www.cyrius.com/
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
On Tue, 2016-06-07 at 14:00 -0400, Theodore Ts'o wrote: > Could I get some direction from the release team what you would > prefer? I can remove the Hurd diff if you like. It's on my to-do list to review. fwiw there's not been any need to formally acknowledge NMUs via closing bugs in the changelog since the BTS gained version-tracking some years ago, so long as the changelog for the subsequent upload incorporates the stanza from the NMU. > I guess if you want > me to re-upload, since I uploaded first, would you need to reject the > current upload so it exits the queue and then I can re-upload, with > the preferred version number if that is what you would like? No, multiple distinct versions of the package can happily co-exist in the queue. If the package version is re-used then that can't occur until after the initial version has been rejected, but an upload with a different version is fine. Regards, Adam
Bug#825342: mips/mipsel: make sure all packages built with fpxx enabled
After the 1st step of binNMU of mipsel (mips is still running), We still have these package having problem: adasockets: build-dep problem apq: build-dep problem dbusada: build-dep problem dico: ftbfs dlz-ldap-enum: ftbfs gccxml: still building with gcc-4.9 geoclue: give up libalog: ftbfs libc++: clang not enable FPXX by default libcorelinux: ftbfs libdbusmenu: ftbfs libexplain: ftbfs libflorist: build-dep problem libgnatcoll: build-dep problem libgtkada: build-dep problem libhtp: give up liblog4ada: build-dep problem libncursesada: build-dep problem libvisca: ftbfs libxkbcommon: ftbfs libxmlezout: ftbfs linbox: ftbfs lua-discount: ftbfs mozjs24: build-dep problem osptoolkit: ftbfs pcscada: build-dep problem polyorb: build-dep problem Non of the above packages make big problems for the next step, So that I think we can start rebuilding the other non-fpxx package. The attachment is the list --- more than 3000 packages. Sorry for the previous wrong estimation. On Thu, Jun 2, 2016 at 1:52 AM, Emilio Pozuelo Monfort wrote: > On 01/06/16 11:27, YunQiang Su wrote: >> On Wed, Jun 1, 2016 at 4:24 PM, Emilio Pozuelo Monfort >> wrote: >>> On 28/05/16 14:31, YunQiang Su wrote: Oh, I need to remove gcc-4.9/gcc-5/gcc-6/gnat-4.9. >>> >>> Is gcc-snapshot needed? >> >> It is not needed. Sorry forget to exclude it. >> >>> >>> BTW are these the ones with affected static libraries, or all of them? Per >>> your >>> email, we should do the packages with static libraries first, and only then >>> do >>> the rest, IIUC. >>> >> >> These are all about static libraries, aka some static libraries from >> them are still not >> fpxx-enabled. >> >>> If that's too cumbersome to find, we can do all now and then rebuild the >>> ones >>> that are still using the old ABI because of static linking. Those shouldn't >>> be >>> too many anyway as we don't use static linking much. >> >> It is not difficult to detect static libraries. > > OK. I have scheduled them all, with a lower priority so other uploads can be > built as well. > > There were some problems though: > > W: can't get version info for firedns/mips > W: can't get version info for firedns/mipsel > W: can't get version info for geoclue/mips > W: can't get version info for geoclue/mipsel > W: can't get version info for libhtp/mips > W: can't get version info for libhtp/mipsel > > Are those the right package names? For geoclue you may have meant geoclue-2. > src:geoclue is no longer in unstable/testing. > > Cheers, > Emilio -- YunQiang Su mipsel.source Description: Binary data
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Could I get some direction from the release team what you would prefer? I can remove the Hurd diff if you like. I guess if you want me to re-upload, since I uploaded first, would you need to reject the current upload so it exits the queue and then I can re-upload, with the preferred version number if that is what you would like? Thanks, - Ted
Processed: Re: Bug#826662: jessie-pu: package cmake/3.0.2-1+deb8u1
Processing control commands: > tags -1 + confirmed Bug #826662 [release.debian.org] jessie-pu: package cmake/3.0.2-1+deb8u1 Added tag(s) confirmed. -- 826662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826662 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826662: jessie-pu: package cmake/3.0.2-1+deb8u1
Control: tags -1 + confirmed On 2016-06-07 16:22, Felix Geyer wrote: The openssl 1.0.1t stable update broke the FindOpenSSL module in cmake. It really seems like there should be a better way of implementing that logic... Please go ahead. Regards, Adam
Bug#826662: jessie-pu: package cmake/3.0.2-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, The openssl 1.0.1t stable update broke the FindOpenSSL module in cmake. I'd like to fix that module in jessie. Attached is a debdiff that contains the necessary backported patches. Cheers, Felix diff -Nru cmake-3.0.2/debian/changelog cmake-3.0.2/debian/changelog --- cmake-3.0.2/debian/changelog 2014-09-14 19:16:52.0 +0200 +++ cmake-3.0.2/debian/changelog 2016-06-07 16:55:44.0 +0200 @@ -1,3 +1,11 @@ +cmake (3.0.2-1+deb8u1) jessie; urgency=medium + + * Fix FindOpenSSL module to detect OpenSSL 1.0.1t. (Closes: #826656) +- Add FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch +- Add FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch + + -- Felix Geyer Tue, 07 Jun 2016 16:50:32 +0200 + cmake (3.0.2-1) unstable; urgency=medium * New upstream release. diff -Nru cmake-3.0.2/debian/patches/FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch cmake-3.0.2/debian/patches/FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch --- cmake-3.0.2/debian/patches/FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch 1970-01-01 01:00:00.0 +0100 +++ cmake-3.0.2/debian/patches/FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch 2016-06-07 16:57:17.0 +0200 @@ -0,0 +1,25 @@ +From c5d9a8283cfac15b4a5a07f18d5eb10c1f388505 Mon Sep 17 00:00:00 2001 +From: Guillaume Belz +Date: Tue, 27 Jan 2015 22:53:54 +0100 +Subject: [PATCH] FindOpenSSL: fix detection of OpenSSL 1.0.2 + +--- + Modules/FindOpenSSL.cmake | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Modules/FindOpenSSL.cmake b/Modules/FindOpenSSL.cmake +index 340b417..6b4f985 100644 +--- a/Modules/FindOpenSSL.cmake b/Modules/FindOpenSSL.cmake +@@ -279,7 +279,7 @@ if (OPENSSL_INCLUDE_DIR) + set(OPENSSL_VERSION "${_OPENSSL_VERSION}") + elseif(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") + file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str +- REGEX "^#define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") ++ REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") + + # The version number is encoded as 0xMNNFFPPS: major minor fix patch status + # The status gives if this is a developer or prerelease and is ignored here. +-- +2.8.1 + diff -Nru cmake-3.0.2/debian/patches/FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch cmake-3.0.2/debian/patches/FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch --- cmake-3.0.2/debian/patches/FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch 1970-01-01 01:00:00.0 +0100 +++ cmake-3.0.2/debian/patches/FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch 2016-06-07 16:57:32.0 +0200 @@ -0,0 +1,27 @@ +From 6b575dec8d393c4a38c587ee97afa068eeb4b432 Mon Sep 17 00:00:00 2001 +From: Wayne Stambaugh +Date: Sat, 3 Oct 2015 11:40:00 -0400 +Subject: [PATCH] FindOpenSSL: Tolerate tabs in header while parsing version + (#15765) + +Tolerate tabs instead of spaces in the "# define" line. +--- + Modules/FindOpenSSL.cmake | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Modules/FindOpenSSL.cmake b/Modules/FindOpenSSL.cmake +index a0f4c52..3aea695 100644 +--- a/Modules/FindOpenSSL.cmake b/Modules/FindOpenSSL.cmake +@@ -325,7 +325,7 @@ endfunction() + set(OPENSSL_VERSION "${_OPENSSL_VERSION}") + elseif(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") + file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str +- REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") ++ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") + + # The version number is encoded as 0xMNNFFPPS: major minor fix patch status + # The status gives if this is a developer or prerelease and is ignored here. +-- +2.8.1 + diff -Nru cmake-3.0.2/debian/patches/series cmake-3.0.2/debian/patches/series --- cmake-3.0.2/debian/patches/series 2014-09-13 15:41:36.0 +0200 +++ cmake-3.0.2/debian/patches/series 2016-06-07 16:55:34.0 +0200 @@ -7,3 +7,5 @@ fix-hdf5-hl.patch FindJNI_ppc64le.diff hurd_host_system_processor.diff +FindOpenSSL-fix-detection-of-OpenSSL-1.0.2.patch +FindOpenSSL-Tolerate-tabs-in-header-while-parsing-ve.patch
Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
[Adam D. Barratt] > Judging from the seecurity tracker, CVE-2015-7551 is fixed in any Ruby > versions that exist in unstable, so please go ahead. Very good. I uploaded the package a few seconds ago. -- Happy hacking Petter Reinholdtsen
Processed: Re: Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Processing control commands: > tags -1 + confirmed Bug #826348 [release.debian.org] jessie-pu: package ruby2.1/2.1.5-2+deb8u3 Added tag(s) confirmed. -- 826348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Control: tags -1 + confirmed On 2016-06-07 10:21, Petter Reinholdtsen wrote: Control: tags -1 - confirmed [Adam D. Barratt] We'd generally prefer a bit more testing than "should solve the problem", although I agree that the patch looks sane enough as someone who knows practically nothing about Ruby... Please go ahead. Thank you. I agree that a bit more testing was needed, but had to struggle a bit to find test code to verify the fix. In the process I discovered that this fix was only fixing half the problem, and added a patch for CVE-2015-7551 and the fiddle code as well. The new and better tested code is attached. The fiddle patch from upstream even had a testsuite fragment to verify its correctness. :) Still OK to upload? Asking again as the changes became twice as large. :) Judging from the seecurity tracker, CVE-2015-7551 is fixed in any Ruby versions that exist in unstable, so please go ahead. Regards, Adam
Processed: Re: Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Processing control commands: > tags -1 - confirmed Bug #826348 [release.debian.org] jessie-pu: package ruby2.1/2.1.5-2+deb8u3 Removed tag(s) confirmed. -- 826348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Control: tags -1 - confirmed [Adam D. Barratt] > We'd generally prefer a bit more testing than "should solve the > problem", although I agree that the patch looks sane enough as someone > who knows practically nothing about Ruby... > > Please go ahead. Thank you. I agree that a bit more testing was needed, but had to struggle a bit to find test code to verify the fix. In the process I discovered that this fix was only fixing half the problem, and added a patch for CVE-2015-7551 and the fiddle code as well. The new and better tested code is attached. The fiddle patch from upstream even had a testsuite fragment to verify its correctness. :) Still OK to upload? Asking again as the changes became twice as large. :) -- Happy hacking Petter Reinholdtsen >From fdd5802560badf7c4ed0fdbb566dea598ef342a9 Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Tue, 7 Jun 2016 07:31:34 +0200 Subject: [PATCH] Fix CVE-2009-5147 and CVE-2015-7551. Closes: #796344 --- debian/changelog | 12 debian/patches/CVE-2009-5147.patch | 33 +++ debian/patches/CVE-2015-7551.patch | 110 + debian/patches/series | 2 + 4 files changed, 157 insertions(+) create mode 100644 debian/patches/CVE-2009-5147.patch create mode 100644 debian/patches/CVE-2015-7551.patch diff --git a/debian/changelog b/debian/changelog index 13a9637..465f534 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low + + * Non-maintainer upload to fix security problem. + * Fix CVE-2009-5147: DL::dlopen should not open a library with +tainted library name in safe mode (Closes: #796344). Based on +patch used in DLA-299-1, which was pulled from upstream. + * Fix CVE-2015-7551: Fiddle handles should not call functions with +tainted function names (Closes: #796344). Patch pulled from +upstream. + + -- Petter Reinholdtsen Tue, 07 Jun 2016 11:00:04 +0200 + ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high * Apply upstream patches to fix Request hijacking vulnerability in Rubygems diff --git a/debian/patches/CVE-2009-5147.patch b/debian/patches/CVE-2009-5147.patch new file mode 100644 index 000..8bdc1d1 --- /dev/null +++ b/debian/patches/CVE-2009-5147.patch @@ -0,0 +1,33 @@ +Description: CVE-2009-5147: DL::dlopen could open a library with tainted library name +Origin: upstream, https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b +Debian-Bug: https://bugs.debian.org/796344 +Reviewed-by: Santiago R.R. +Reviewed-by: Petter Reinholdtsen + +Index: ruby2.1-2.1.5/ext/dl/handle.c +=== +--- ruby2.1-2.1.5.orig/ext/dl/handle.c 2016-06-07 07:02:28.284056469 +0200 ruby2.1-2.1.5/ext/dl/handle.c 2016-06-07 07:02:28.284056469 +0200 +@@ -5,6 +5,8 @@ + #include + #include "dl.h" + ++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v)) ++ + VALUE rb_cDLHandle; + + #ifdef _WIN32 +@@ -132,11 +134,11 @@ + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 1: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 2: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = NUM2INT(flag); + break; + default: diff --git a/debian/patches/CVE-2015-7551.patch b/debian/patches/CVE-2015-7551.patch new file mode 100644 index 000..a0a1fd8 --- /dev/null +++ b/debian/patches/CVE-2015-7551.patch @@ -0,0 +1,110 @@ +Description: CVE-2015-7551: Add checks to Fiddle for tainted string arguments + Include test case to verify the fix. +Origin: upstream, https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a +Debian-Bug: https://bugs.debian.org/796344 +Reviewed-by: Petter Reinholdtsen + +diff --git a/ext/fiddle/handle.c b/ext/fiddle/handle.c +index 36970a2..fa207ef 100644 +--- a/ext/fiddle/handle.c b/ext/fiddle/handle.c +@@ -1,6 +1,8 @@ + #include + #include + ++#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v)) ++ + VALUE rb_cHandle; + + struct dl_handle { +@@ -143,11 +145,11 @@ rb_fiddle_handle_initialize(int argc, VALUE argv[], VALUE self) + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 1: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 2: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); + cflag = NUM2INT(flag); + break; + default: +@@ -263,7 +265,7 @@ rb_fiddle_handle_to_i(VALUE self) + return PTR2NUM(fiddle_handle); + } + +-static VALUE fiddle_handle_sym(void *handle, const char *symbol); ++static VALUE fiddle_handle_sym(void *handle, VALUE s
Bug#826622: jessie-pu: package libdevel-declare-perl/0.006017-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu As per #826563 the recent perl update broke libdevel-declare-perl. I've uploaded 0.006017-1+deb8u1 which I recommend is released through the stable-updates channel. Thanks for the help, and sorry for the hassle. Best wishes, Dominic.
Bug#825908: marked as done (transition: libkscreen)
Your message dated Tue, 7 Jun 2016 10:05:52 +0200 with message-id and subject line Re: Bug#825908: transition: libkscreen has caused the Debian Bug report #825908, regarding transition: libkscreen to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825908 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello release team. libkscreen bumped its soversion from 6 to 7, this change affects some kde packages (kscreen, powerdevil and plasma-workspace) that are currently in experimental and lxqt-config that requires no changes in order to use the newer version. Happy hacking, Ben file: title = "libkscreen"; is_affected = .depends ~ /\b(libkf5screen6|libkscreen\-dbg)\b/ | .depends ~ /\b(libkf5screen\-bin|libkf5screen7)\b/; is_good = .depends ~ /\b(libkf5screen\-bin|libkf5screen7)\b/; is_bad = .depends ~ /\b(libkf5screen6|libkscreen\-dbg)\b/; Probably the one in: https://release.debian.org/transitions/html/auto-libkscreen.html is better, though - -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, armhf Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCgAGBQJXTWHEAAoJEMcZdpmymyMqNnMQAJtC7F5IkjnouhXA/RmhYR6K mKkyfdQdBIcJF6B24oGqSd3AWq36fHdLonlN3GSiNGu4SPoxiAW678V24R984HCh V00yisLVIuLMQ9STIcDxll808xWFuClQToHC40Ii5hgM8OiHfPwl07uRZ7Qn7Sm+ nJmqNHBJOLZwicMzIdqsPUWHqGE0rkuSVa9Cwlt3Hz3KOI+u2IQUhKPuY50AP3yB paAUoLkR06hqB9RLFlw8eZ8aEDn2NxsZhrUsqeVYqTd0CynbvHv79evIB96Gy/3d RTeknOnG/TUuM/2uHJybY8V7JWqegwfxe/PSIaB+XZYHnZaWtI+tQHkQBlO9QhSr KX/WIS6G1loEX+qovptPrrNUL8XVQLX3CEjiPbTsMx1L7A8EPsJoSIuGwtl5eCit 4YH5UNSLW212zUL1dA1UxtjZ4pLLQlPEQCvGefmApqlGFeSrX81FxSSd5FAL4Y20 6x/Cl2jIruT+6IAL92wj8CTPo3R4lBpjz4RFfk3FAf8iYoHqglXyVsiJ0r403zvz zMnK+CRfGTAjDoBXvgxX4PPSmmxiYT70F1ZBpJBuHyziHoiS8EsQXPrBdaeqRTXT fGXBiXfvSCfE6hnnglnGCwuZ/bdNd0RHrOGfOOVBbG5C6/FTiT6g/W348Z3K/b2/ 23/SPLtr3Wu7Ra8vq9sl =qLR5 -END PGP SIGNATURE- --- End Message --- --- Begin Message --- On 31/05/16 17:04, Emilio Pozuelo Monfort wrote: > Control: tags -1 confirmed > > On 31/05/16 12:05, Maximiliano Curia wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: transition >> >> Hello release team. >> >> libkscreen bumped its soversion from 6 to 7, this change affects some kde >> packages (kscreen, powerdevil and plasma-workspace) that are currently in >> experimental and lxqt-config that requires no changes in order to use the >> newer version. > > Go ahead. This is over now. Emilio--- End Message ---
Re: [Stretch] Status for architecture qualification
On 2016-06-05 12:01, Niels Thykier wrote: * amd64, i386, armel, armhf, arm64, mips, mipsel, powerpc, ppc64el, s390x - *No* blockers at this time from RT, DSA nor security. - s390, ppc64el and all arm ports have DSA concerns. What is the current DSA concern about s390x? Kind regards and thanks Philipp Kern