Bug#848942: Acknowledgement (jessie-pu: package most/5.0.0a-2.3)
Greetings! I forgot to mention that I've discussed this with the security team and uploading to stable-proposed-updates was their suggestion and recommendation.
Regards, Mako
-- Benjamin Mako Hill http://mako.cc/ Creativity can be a social contribution, but only in so far as society is free to use the results. --GNU Manifesto
Bug#848942: jessie-pu: package most/5.0.0a-2.3
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu
There was a recent non-critical CVE issued for most: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132 https://security-tracker.debian.org/tracker/CVE-2016-1253 The fix (a debdiff is attached) is this one-liner that changes single quotes to double quotes.
Regards, Mako
-- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -u most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog --- most-5.0.0a/debian/changelog +++ most-5.0.0a/debian/changelog @@ -1,3 +1,11 @@ +most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high + + * lzma-support.patch: +- Fix CVE-2016-1253: shell injection attack when opening + lzma-compressed files (Closes: #848132) + + -- Benjamin Mako HillTue, 20 Dec 2016 16:52:16 -0800 + most (5.0.0a-2.3) unstable; urgency=low * Non-maintainer upload. diff -u most-5.0.0a/src/file.h most-5.0.0a/src/file.h --- most-5.0.0a/src/file.h +++ most-5.0.0a/src/file.h @@ -22,7 +22,7 @@ #define MOST_MAX_FILES 4096 #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\"" #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\"" -#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'" +#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\"" extern void most_reread_file (void); extern void most_read_to_line (int);
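Review bot: the src/file.h hunk only changes the quoting style of MOST_LZMA_POPEN_FORMAT from '%s' to \"%s\", which makes it consistent with the gzip and bzip2 format strings two lines above but does not take the file name out of the shell: popen() still hands the formatted string to /bin/sh, and double quotes do not suppress parameter or command substitution inside the argument. As a stable update this is an acceptable minimal step, but the changelog entry should not describe the shell injection as fixed outright; a complete fix runs the decompressor without a shell (fork/exec with an argv array) or escapes the file name before formatting it, for all three formats, not just lzma.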
Bug#848937: nmu: beignet_1.2.1-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu beignet_1.2.1-1 . amd64 i386 . unstable . -m "Rebuild against llvm 3.9 to match mesa." Mixing OpenCL ICD built against libllvm3.8 (beignet) and libllvm3.9 (mesa) in one application leads to frequent crashes. The packaging depends on both llvm 3.8 and llvm 3.9 and picks the one used by mesa at build time. Andreas
Re: 8.7 planning
On Mon, 2016-12-19 at 14:19 +0100, Julien Cristau wrote:
> Jan 7th/8th
>
> Jan 14th/15th
Both look okay.
> Jan 21st/22nd
I could do the Saturday until around lunchtime but will be AFK after that and unlikely to be around on Sunday morning at least. (So on the whole, NACK.)
> Jan 28th/29th - Cambridge BSP, probably not ideal
Unlikely to work, for that reason.
> Feb 4th/5th - FOSDEM, probably not great either
>
> Feb 11th/12th
Both look fine for me.
Regards, Adam
Processed: Re: Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1
Processing control commands: > tags -1 + confirmed Bug #848610 [release.debian.org] jessie-pu: package pgpdump/0.28-1+deb8u1 Added tag(s) confirmed. -- 848610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848610 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
Processing control commands: > tags -1 + confirmed Bug #848908 [release.debian.org] jessie-pu: package shutter/0.92-0.1+deb8u1 Added tag(s) confirmed. -- 848908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848908 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1
Control: tags -1 + confirmed On Sun, 2016-12-18 at 23:42 +0100, Christoph Biedl wrote: > CVE-2016-4021[1] hasn't been handled in jessie yet. The security team > suggested to use an upcoming point release for this, this got ACKed > by the stable security team. The pgpdump maintainer Jose Luis Rivas > (CC'd) has agreed to this procedure. Please go ahead. Regards, Adam
Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
Control: tags -1 + confirmed On Tue, 2016-12-20 at 19:12 +0100, Christoph Biedl wrote: > CVE-2015-0854[1] hasn't been handled in jessie yet. The security team > ACKed to use an upcoming point release for this. The shutter maintainer > Ryan Niebur is in Cc:. Please go ahead. Regards, Adam
Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2
Control: tags -1 + confirmed On Tue, 2016-12-20 at 22:17 +0100, Sebastian Andrzej Siewior wrote: > This update contains four patches which I noticed in upstream's git. > They appeared in July and the last fix (for a fix) was done last week. I > have no idea when 0.99.3 will appear and the changes in the debdiff are > the only (functional changes) in libclamunrar* since the 0.99. > > The fixes look like bugs found by afl (or other fuzzer) while throwing > .rar files at clamav. Please go ahead. Regards, Adam
Processed: Re: Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2
Processing control commands: > tags -1 + confirmed Bug #848926 [release.debian.org] jessie-pu: package libclamunrar/0.99-0+deb8u2 Added tag(s) confirmed. -- 848926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848926 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: jessie Severity: normal This update contains four patches which I noticed in upstream's git. They appeared in July and the last fix (for a fix) was done last week. I have no idea when 0.99.3 will appear and the changes in the debdiff are the only (functional changes) in libclamunrar* since the 0.99. The fixes look like bugs found by afl (or other fuzzer) while throwing .rar files at clamav. Sebastian diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog --- libclamunrar-0.99/debian/changelog 2016-02-03 22:10:12.0 +0100 +++ libclamunrar-0.99/debian/changelog 2016-12-16 21:38:26.0 +0100 @@ -1,3 +1,10 @@ +libclamunrar (0.99-0+deb8u2) stable; urgency=medium + + * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band +access. + + -- Sebastian Andrzej SiewiorFri, 16 Dec 2016 21:38:26 +0100 + libclamunrar (0.99-0+deb8u1) stable; urgency=medium [ Scott Kitterman ] @@ -10,7 +17,7 @@ * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break - * don't links against libpcre if available. + * don't link against libpcre if available. -- Sebastian Andrzej Siewior Wed, 03 Feb 2016 21:52:51 +0100 diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm --- libclamunrar-0.99/debian/.git-dpm 2016-02-03 22:09:03.0 +0100 +++ libclamunrar-0.99/debian/.git-dpm 2016-12-16 21:38:26.0 +0100 
@@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -libclamunrar_0.98.5.orig.tar.xz -6d4a3441e142002ffdaa76ad313bc018985e1999 -304828 +e677e64787390c59bdb925be08113ebf47aed869 +e677e64787390c59bdb925be08113ebf47aed869 +87f93791ab6959fd522bdf0b1211ff0480cff4c7 +87f93791ab6959fd522bdf0b1211ff0480cff4c7 +libclamunrar_0.99.orig.tar.xz +3299e943affefb7a1aea0cada292f1c4ec039aed +311248 diff -Nru libclamunrar-0.99/debian/patches/bb11600.patch libclamunrar-0.99/debian/patches/bb11600.patch --- libclamunrar-0.99/debian/patches/bb11600.patch 1970-01-01 01:00:00.0 +0100 +++ libclamunrar-0.99/debian/patches/bb11600.patch 2016-12-16 21:38:26.0 +0100 @@ -0,0 +1,24 @@ +From 5a04072c135be7b49279792401f10d7b4f723ab5 Mon Sep 17 00:00:00 2001 +From: Steven Morgan +Date: Tue, 12 Jul 2016 12:36:29 -0400 +Subject: bb11600 - fix out of bounds stack read. + +Patch-Name: bb11600.patch +--- + libclamunrar/unrar20.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c +index ecfe40cf32f3..d938c472e1d8 100644 +--- a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c +@@ -117,7 +117,8 @@ static int read_tables20(int fd, unpack_data_t *unpack_data) + n = (rar_getbits(unpack_data) >> 14) + 3; + rar_addbits(unpack_data, 2); + while ((n-- > 0) && (i < table_size)) { +- table[i] = table[i-1]; ++ if (i>0) ++ table[i] = table[i-1]; + i++; + } + } else { diff -Nru libclamunrar-0.99/debian/patches/bb11600_pt2.patch libclamunrar-0.99/debian/patches/bb11600_pt2.patch --- libclamunrar-0.99/debian/patches/bb11600_pt2.patch 1970-01-01 01:00:00.0 +0100 +++ libclamunrar-0.99/debian/patches/bb11600_pt2.patch 2016-12-16 21:38:26.0 +0100 
@@ -0,0 +1,24 @@ +From 6c667e29a8980bef06544bb2c931a18512aaf745 Mon Sep 17 00:00:00 2001 +From: Steven Morgan +Date: Tue, 12 Jul 2016 14:31:38 -0400 +Subject: fix possible out of bounds stack read. + +Patch-Name: bb11600_pt2.patch +--- + libclamunrar/unrar.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c +index 456da4d6fef9..40a3d63cbd3e 100644 +--- a/libclamunrar/unrar.c b/libclamunrar/unrar.c +@@ -469,7 +469,8 @@ static int read_tables(int fd, unpack_data_t *unpack_data) + rar_addbits(unpack_data, 7); + } + while (n-- > 0 && i < table_size) { +- table[i] = table[i-1]; ++ if (i>0) ++ table[i] = table[i-1]; + i++; + } + } else { diff -Nru libclamunrar-0.99/debian/patches/bb11601.patch libclamunrar-0.99/debian/patches/bb11601.patch --- libclamunrar-0.99/debian/patches/bb11601.patch 1970-01-01 01:00:00.0 +0100 +++
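Review bot: in both bb11600.patch and bb11600_pt2.patch the new `if (i>0)` guard stops the `table[i-1]` read when `i` is 0, but the loop body still executes `i++` for that iteration, so the slot `table[0]` is left with whatever it already held and one repeat count is silently consumed. That is the upstream fix and fine to carry as-is, but it is worth confirming that `table` is initialised (zeroed) before read_tables20()/read_tables() run, otherwise the skipped slot carries stale data into the later Huffman decoding rather than just being a harmless no-op.

Review bot: in the debian/changelog hunk, "fix out of band access" should read "out of bounds access", matching the patch subjects ("fix out of bounds stack read"); the entry also does not name which files each of bb11600, bb11600_pt2 and bb11601 touch, which would help the stable release notes.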
Let autopkgtests be gating for testing migration in Buster: heads-up and brain-dump
Hi all,

I already started this discussion on IRC (in both #debci and #debian-release), but for future reference, and some brain-dump, I want to continue on the lists.

As most of you have probably noticed by now, I have taken up the task to have Debian let debci/autopkgtest results be gating for unstable-to-testing migration (very similar to what Ubuntu already does for -proposed-to- migration). I would really love to see this happen early in the Buster release cycle. I have started a wiki page¹ to document the requirements and the (outcome of the) discussions. I'll try to keep that up-to-date as we progress. As it is a wiki, feel free to contribute anything that isn't controversial.

As I currently see it, from discussion with multiple of you, there are three pieces that need to play together in Debian:
1) autopkgtest: the testing platform
2) debci: the Debian CI worker
3) britney: where the migration policy is implemented and enforced

Currently debci is testing packages in unstable. But similar to what Ubuntu is doing, I think that for this purpose we actually want to test in testing with only the possible candidate (and if needed its dependencies) from unstable. Luckily, autopkgtest is nearly able to do that, except it needs to support Debian suites instead of only Ubuntu's "pockets". Apart from testing testing (no typo), and again copying Ubuntu, I think we want to run the test suites of the candidate *and* of all the reverse dependencies that have test suites. This way, you'll see when a candidate deteriorates testing. For this, debci needs some changes: it needs a testing suite environment and it needs to call autopkgtest with the additional arguments. To enable debci to know *what* should be tested, britney must communicate to debci. Finally, of course, britney needs to be aware of debci results and take them into account during judgment.

I think the logical order for me to tackle (I mean, create the code) this is:
0) figure out how to test all of this without breaking the real instances (hints more than welcome).
1) fix autopkgtest to enable --apt-suite (next to the current --apt-pocket)
In parallel:
2a) getting a testing suite up for debci and extending debci to be aware of the additional arguments for autopkgtest
2b) let britney generate a list of tests it would like to perform
2c) align on the transfer mechanism between britney(1) and debci
3) enable debci to swallow the commands from britney
4) enable the policy in britney

Opinions? Other ideas? If not too many objections, I'll start with 0 and 1. And I sincerely hope that Antonio wants to help with 2a, but I'd like to hear his thoughts first. I already had an extensive discussion with pitti and he is guiding me through the Ubuntu code, which I think serves as a great example. I'll probably be back to you way before we are past point 2a.

Paul

PS: as default on Debian mail-lists, no need to CC me, I am subscribed to the autopkgtest-devel list.

¹ https://wiki.debian.org/debci/britneyIntegration
Re: MariaDB 10.2 into Debian in December
Hello!

This plan didn't hold as the release of 10.2 by upstream seems delayed. I have therefore started preparing MariaDB 10.1 for Debian and I am almost complete now, so I can upload it (first to experimental) very soon. The differences between 10.0 and 10.1 are quite small from the dependent packages' point of view, so I don't expect any hiccups during the upgrade.

2016-10-04 0:18 GMT+03:00 Otto Kekäläinen:
> Hello!
>
> MariaDB 10.2 is now in beta and about to be released in December.
> Considering the announced freeze dates, is there something I should
> consider before preparing and uploading mariadb-10.2 to replace
> mariadb-10.0?
>
> Can mariadb-10.0 to mariadb-10.2 upgrade be considered as a transition
> and thus forbidden after November 5th? In my opinion no, but I guess
> it is better to check from you first.
>
> Stretch key dates
> [2016-Nov-05] Transition freeze
> [2016-Dec-05] Mandatory 10-day migrations
> [2017-Jan-05] Soft freeze (no new packages, no re-entry, 10-day migrations)
> [2017-Feb-05] Full freeze
>
> My plan is to upload 10.2 beta into experimental soon, and the final
> 10.2 to unstable when released. This will also mean the
> default-mysql-* metapackages will be updated to point to mariadb-10.2
> derived binary packages.
>
> (And yes, I am skipping 10.1 and going directly to 10.2)
Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1
Christoph "I had a cold" Biedl wrote...
> CVE-2016-4021[1] hasn't been handled in jessie yet. The security team
> suggested to use an upcoming point release for this, this got ACKed
> by the stable security team.
Well, you guess: The security team ACKed to use an upcoming point release for this.
Christoph
Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu
Hello release team, CVE-2015-0854[1] hasn't been handled in jessie yet. The security team ACKed to use an upcoming point release for this. The shutter maintainer Ryan Niebur is in Cc:. Find attached a debdiff based on the fixed stretch version 0.93.1-1; the original patch triggered a Perl error. Testing confirmed the described exploit no longer works then.
Regards, Christoph
[1] https://security-tracker.debian.org/tracker/CVE-2015-0854
diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog --- shutter-0.92/debian/changelog 2014-08-10 17:51:22.0 +0200 +++ shutter-0.92/debian/changelog 2016-12-20 19:00:20.0 +0100 @@ -1,3 +1,9 @@ +shutter (0.92-0.1+deb8u1) jessie; urgency=high + + * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] + + -- Christoph BiedlTue, 20 Dec 2016 19:00:20 +0100 + shutter (0.92-0.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch --- shutter-0.92/debian/patches/CVE-2015-0854.patch 1970-01-01 01:00:00.0 +0100 +++ shutter-0.92/debian/patches/CVE-2015-0854.patch 2016-12-20 18:59:57.0 +0100 
@@ -0,0 +1,18 @@ +Description: Fix insecure use of system() +Author: Luke Faraone +ID: CVE-2015-0854 +Bug: https://bugs.launchpad.net/shutter/+bug/1495163 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862 + +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,7 +53,8 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- system("xdg-open $link"); ++ my @args = ("xdg-open", $link); ++ system(@args); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ shutter-0.92/debian/patches/series 2016-12-20 18:40:00.0 +0100 @@ -0,0 +1 @@ +CVE-2015-0854.patch
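Review bot: the HelperFunctions.pm hunk is the right shape of fix: Perl's system() only routes through /bin/sh when it is handed a single string, so `system("xdg-open", $link)` via the two-element @args passes $link straight to execvp() and shell metacharacters in it are no longer interpreted. Two things to keep in mind when reviewing: the list must stay multi-element (a one-element list is treated like the string form), and the existing `if($?)` check still works because a failed exec now yields $? of -1, which is true. The patch header has "---" for the old file but no "+++" line for the new one; quilt applies it, but the header is worth completing so the patch reads as a normal unified diff.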
Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)
BTW feel free to NMU imagemagick during a short break I take in the next two days. Bastien
Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)
On Tue, Dec 20, 2016 at 4:22 PM, roucaries bastien wrote:
> On Wed, Dec 14, 2016 at 1:29 PM, roucaries bastien wrote:
>> On Wed, Dec 14, 2016 at 1:28 PM, roucaries bastien wrote:
>>> On Tue, Dec 13, 2016 at 12:21 AM, Emilio Pozuelo Monfort wrote:
On 09/12/16 22:37, roucaries bastien wrote:
> control: forwarded -1
> https://github.com/ImageMagick/ImageMagick/issues/320
>
> Dear release team,
>
> What is the next step?
In which version was the ABI break introduced?
>>> It was introduced more than 2 years ago (6.9.2-10). One version after
>>> jessie what lie in unstable before jessie release.
In general I would prefer the change to be reverted, but depending on how long this has been in the archive, and in order to stay up to date for security fixes, it may be best to do the soname bump.
>>> From a security point of view, I prefer recent version. I do not want
>>> to keep jessie version with huge patch queue for
Can you check if your rdeps build fine against a new imagemagick?
> libmagick++ rdeps build fine except trafficserver due to a sphinx error
> (unrelated to imagemagick)
> libmagickwand rdeps build fine except rss-glx due to unrelated build
> conflict (#838800)
> libmagickcore rdeps build fine except dx due to missing .mak file
> (unlikely imagemagick)
trafficserver is - #848800
dx #848894
> Will rebuild trafficserver and dx under sid chroot and report FTBFS.
>
> Seems it is ok
>
> Bastien
>>> What i will do i will set on unstable the newer version with so dump
>>> and will begin to rebuilt on pbuilder. Normally it will be fine.
>> s/unstable/experimental/g
>>> I wish to have abi checker on the debian side
>>>
>>> Bastien
Emilio
Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)
On Wed, Dec 14, 2016 at 1:29 PM, roucaries bastien wrote:
> On Wed, Dec 14, 2016 at 1:28 PM, roucaries bastien wrote:
>> On Tue, Dec 13, 2016 at 12:21 AM, Emilio Pozuelo Monfort wrote:
>>> On 09/12/16 22:37, roucaries bastien wrote:
control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/320 Dear release team, What is the next step?
>>> In which version was the ABI break introduced?
>> It was introduced more than 2 years ago (6.9.2-10). One version after
>> jessie what lie in unstable before jessie release.
>>> In general I would prefer the change to be reverted, but depending on how
>>> long this has been in the archive, and in order to stay up to date for security
>>> fixes, it may be best to do the soname bump.
>> From a security point of view, I prefer recent version. I do not want
>> to keep jessie version with huge patch queue for
>>> Can you check if your rdeps build fine against a new imagemagick?
libmagick++ rdeps build fine except trafficserver due to a sphinx error (unrelated to imagemagick)
libmagickwand rdeps build fine except rss-glx due to unrelated build conflict (#838800)
libmagickcore rdeps build fine except dx due to missing .mak file (unlikely imagemagick)
Will rebuild trafficserver and dx under sid chroot and report FTBFS.
Seems it is ok
Bastien
>> What i will do i will set on unstable the newer version with so dump
>> and will begin to rebuilt on pbuilder. Normally it will be fine.
> s/unstable/experimental/g
>> I wish to have abi checker on the debian side
>>
>> Bastien
>>> Emilio
Bug#794194: release.debian.org: Update Ubuntu patch
Package: release.debian.org Followup-For: Bug #794194 User: release.debian@packages.debian.org Usertags: britney Control: tags 794194 -moreinfo
While diving into debci/britney integration, I noticed that the Ubuntu patch to fix this issue isn't up-to-date anymore in this bug. It seems that the current implementation in Ubuntu is answering the concerns.
Paul
P.s. I may try to commit the fix myself to the GitHub archive, but I try to focus a little bit, so I thought to at least let this bug know.
-- System Information: Debian Release: stretch/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
From e5f306c5f5997d2455c6f3df56887070ac07b249 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Tue, 12 Jul 2016 09:21:15 +0200
Subject: [PATCH] Consider packages with M-A qualifiers for reverse dependencies
Strip off Multi-Arch qualifiers ":any" and ":native" when building the dependency fields, as they are not part of the package name. This will fix cases like Package: ipython3 Depends: python3:any (>= 3) and include ipython3 in python3's reverse dependencies.
Closes: #794194
--- britney.py | 8 britney2/installability/builder.py | 18 -- 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/britney.py b/britney.py index b3f2d45..684f20d 100755 --- a/britney.py +++ b/britney.py @@ -195,7 +195,7 @@ from britney2 import SuiteInfo, SourcePackage, BinaryPackageId, BinaryPackage from britney2.consts import (SOURCE, SOURCEVER, ARCHITECTURE, CONFLICTS, DEPENDS, PROVIDES, MULTIARCH) from britney2.excuse import Excuse from britney2.hints import HintParser -from britney2.installability.builder import build_installability_tester +from britney2.installability.builder import build_installability_tester, ma_parse_depends from britney2.migrationitem import MigrationItem from britney2.policies.policy import AgePolicy, RCBugPolicy, PiupartsPolicy, PolicyVerdict from britney2.utils import (old_libraries_format, undo_changes, @@ -711,7 +711,7 @@ class Britney(object): return sources def _parse_provides(self, pkg_id, provides_raw): -parts = apt_pkg.parse_depends(provides_raw, False) +parts = ma_parse_depends(provides_raw) nprov = [] for or_clause in parts: if len(or_clause) != 1: # pragma: no cover @@ -1004,7 +1004,7 @@ class Britney(object): binary_u = binaries_s_a[pkg] # local copies for better performance -parse_depends = apt_pkg.parse_depends +parse_depends = ma_parse_depends # analyze the dependency fields (if present) deps = binary_u.depends @@ -1014,7 +1014,7 @@ class Britney(object): # for every dependency block (formed as conjunction of disjunction) -for block, block_txt in zip(parse_depends(deps, False), deps.split(',')): +for block, block_txt in zip(parse_depends(deps), deps.split(',')): # if the block is satisfied in testing, then skip the block packages = get_dependency_solvers(block, binaries_t_a, provides_t_a) if packages: diff --git a/britney2/installability/builder.py b/britney2/installability/builder.py index 034a18f..94e3ecb 100644 --- a/britney2/installability/builder.py +++ b/britney2/installability/builder.py 
@@ -21,6 +21,20 @@ from britney2.utils import ifilter_except, iter_except, get_dependency_solvers from britney2.installability.solver import InstallabilitySolver +def ma_parse_depends(dep_str): +"""Parse a dependency string into a list of triples + +This is like apt_pkg.parse_depends but filters out :any and :native +Multi-Arch prefixes. We don't use apt_pkg.parse_depends(dep_str, True) +as that would also filter out arch specific dependencies like :amd64. +""" +res = apt_pkg.parse_depends(dep_str, False) +filtered = [] +for or_clause in res: +filtered.append([(p.replace(':any', '').replace(':native', ''), v, r) for (p, v, r) in or_clause]) +return filtered + + def build_installability_tester(binaries, archs): """Create the installability tester""" @@ -43,10 +57,10 @@ def
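Review bot: in the builder.py hunk, `ma_parse_depends` calls `apt_pkg.parse_depends`, but the visible context of that file shows only `britney2.*` imports, so confirm that builder.py already has `import apt_pkg` (britney.py does, builder.py is not shown to). Also, `p.replace(':any', '').replace(':native', '')` substitutes the substring wherever it occurs rather than only as a trailing qualifier; an `endswith` check with a slice (or `p.rsplit(':', 1)` when the suffix is one of the two qualifiers) expresses the intent in the docstring more precisely and cannot touch the middle of a name.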
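The qualifier stripping described in the commit message above, as an added example that is not britney's own code: britney uses apt_pkg.parse_depends, which is replaced here by a small stand-in Depends parser (an assumption, so the block runs without python-apt), and the reverse-dependency map is computed on constructed package records before and after the :any/:native qualifiers are removed, with an :amd64 dependency kept intact as the commit message requires.

```python
import re

# Constructed sample binary packages with their Depends fields (not britney's
# real data): ":any" and ":native" are Multi-Arch qualifiers that are not part
# of the package name, ":amd64" is an architecture-specific dependency that
# must survive the stripping.
SAMPLE_BINARIES = {
    "ipython3": "python3:any (>= 3), python3-traitlets",
    "python3-traitlets": "python3:native",
    "libfoo1": "libc6 (>= 2.17), libbar2:amd64",
    "foo-tools": "libfoo1 | libfoo1-compat, python3 (>= 3.4)",
}

MA_QUALIFIERS = (":any", ":native")

# name, optional "(relation version)"; no [arch] restrictions in this stand-in
_DEP_RE = re.compile(r"^([^\s(]+)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)]+?)\s*\))?$")


def parse_depends(dep_str):
    """Stand-in for apt_pkg.parse_depends(dep_str, False) (assumed, simplified).

    Returns a list of OR-clauses, each a list of (name, version, relation)
    triples, with package names left exactly as written (qualifiers kept).
    """
    clauses = []
    for block in dep_str.split(","):
        block = block.strip()
        if not block:
            continue
        or_clause = []
        for alternative in block.split("|"):
            m = _DEP_RE.match(alternative.strip())
            if m is None:
                raise ValueError("cannot parse dependency: %r" % alternative)
            name = m.group(1)
            relation = m.group(2) or ""
            version = m.group(3) or ""
            or_clause.append((name, version, relation))
        clauses.append(or_clause)
    return clauses


def strip_ma_qualifier(name):
    """Drop a trailing :any or :native qualifier; keep :amd64-style suffixes."""
    for qualifier in MA_QUALIFIERS:
        if name.endswith(qualifier):
            return name[:-len(qualifier)]
    return name


def ma_parse_depends(dep_str):
    """Like parse_depends, but with Multi-Arch qualifiers removed from names."""
    return [[(strip_ma_qualifier(p), v, r) for (p, v, r) in clause]
            for clause in parse_depends(dep_str)]


def reverse_dependencies(binaries, parse):
    """Map each depended-on name to the set of packages depending on it.

    With parse=parse_depends, "python3:any" and "python3" are counted as two
    different names, so ipython3 is missing from python3's reverse
    dependencies; with parse=ma_parse_depends they merge, which is the bug
    the patch fixes.
    """
    rdeps = {}
    for pkg, depends in binaries.items():
        for or_clause in parse(depends):
            for name, _version, _relation in or_clause:
                rdeps.setdefault(name, set()).add(pkg)
    return rdeps


if __name__ == "__main__":
    before = reverse_dependencies(SAMPLE_BINARIES, parse_depends)
    after = reverse_dependencies(SAMPLE_BINARIES, ma_parse_depends)
    print("python3 rdeps before:", sorted(before.get("python3", ())))
    print("python3 rdeps after: ", sorted(after.get("python3", ())))
```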
Processed: release.debian.org: Update Ubuntu patch
Processing control commands: > tags 794194 -moreinfo Bug #794194 [release.debian.org] britney: Strip off Multi-Arch qualifiers in reverse dependency calculation Removed tag(s) moreinfo. -- 794194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794194 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#845254: unblock: win32-loader/0.8.0
On 20/12/16 10:14, Ansgar Burchardt wrote: > Didier 'OdyX' Raboud writes: >> Le lundi, 21 novembre 2016, 23.30:52 h CET Cyril Brulebois a écrit : >>> so feel free to let this package get into testing when it's copied over >>> by ftpmasters. >> >> Le lundi, 21 novembre 2016, 21.09:46 h CET Didier 'OdyX' Raboud a écrit : >>> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please >>> copy debian/tools/win32-loader/unstable into …/testing >> >> ftpmasters: ping ? > > tools/win32-loader/testing/ now has win32-loader from Apr 21 2016. Sorry > for forgetting about this :/ And unblocked. It should migrate in the next britney run. Emilio
Bug#845254: unblock: win32-loader/0.8.0
Didier 'OdyX' Raboud writes: > Le lundi, 21 novembre 2016, 23.30:52 h CET Cyril Brulebois a écrit : >> so feel free to let this package get into testing when it's copied over >> by ftpmasters. > > Le lundi, 21 novembre 2016, 21.09:46 h CET Didier 'OdyX' Raboud a écrit : >> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please >> copy debian/tools/win32-loader/unstable into …/testing > > ftpmasters: ping ? tools/win32-loader/testing/ now has win32-loader from Apr 21 2016. Sorry for forgetting about this :/ Ansgar
Bug#845254: unblock: win32-loader/0.8.0
Le lundi, 21 novembre 2016, 23.30:52 h CET Cyril Brulebois a écrit :
> so feel free to let this package get into testing when it's copied over
> by ftpmasters.
Le lundi, 21 novembre 2016, 21.09:46 h CET Didier 'OdyX' Raboud a écrit :
> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
> copy debian/tools/win32-loader/unstable into …/testing
ftpmasters: ping ?
-- Cheers, OdyX
Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1
Processing control commands: > tag -1 -moreinfo Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1 Removed tag(s) moreinfo. -- 840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1
Control: tag -1 -moreinfo Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit : > > - and debdiff > > cups_1.7.5-11+deb8u2.debdiff > > The debdiff is the one we tend to look at, but it looks like it was not > attached. Indeed, sorry. Here it comes. -- Cheers, OdyXdiff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog --- cups-1.7.5/debian/changelog 2015-06-09 09:45:50.0 +0200 +++ cups-1.7.5/debian/changelog 2016-10-10 10:05:10.0 +0200 @@ -1,3 +1,13 @@ +cups (1.7.5-11+deb8u2) jessie-security; urgency=high + + * Disable SSLv3 and RC4 by default to address POODLE vulnerability +(Closes: #839226) +- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4 + respectively + * Refresh patches + + -- Didier RaboudMon, 10 Oct 2016 10:05:10 +0200 + cups (1.7.5-11+deb8u1) jessie-security; urgency=high * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch --- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch 2016-10-10 09:55:05.0 +0200 @@ -27,7 +27,7 @@ LaunchdTimeout = 10; --- a/scheduler/conf.h +++ b/scheduler/conf.h -@@ -246,6 +246,9 @@ +@@ -248,6 +248,9 @@ /* SSL/TLS options */ #endif /* HAVE_SSL */ diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch --- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch 2016-10-10 09:55:10.0 +0200 @@ -21,7 +21,7 @@ LaunchdTimeout = 10; --- a/scheduler/conf.h +++ b/scheduler/conf.h -@@ -251,6 +251,9 @@ +@@ -253,6 +253,9 @@ VAR int IdleExitTimeout VALUE(0); /* Time after which an idle cupsd will exit */ @@ -51,7 +51,7 @@ #endif /* HAVE_SYSTEMD */ --- a/man/cupsd.conf.man.in 
+++ b/man/cupsd.conf.man.in -@@ -521,6 +521,12 @@ +@@ -528,6 +528,12 @@ "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". .TP 5 diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch --- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch 2016-10-10 09:55:09.0 +0200 @@ -13,7 +13,7 @@ LogTimeFormat= CUPSD_TIME_STANDARD; --- a/scheduler/conf.h +++ b/scheduler/conf.h -@@ -166,7 +166,7 @@ +@@ -168,7 +168,7 @@ /* Allow overrides? */ ConfigFilePerm VALUE(0640), /* Permissions for config files */ diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch --- cups-1.7.5/debian/patches/pidfile.patch 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/pidfile.patch 2016-10-10 09:55:08.0 +0200 @@ -24,7 +24,7 @@ if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf")) PrintcapFormat = PRINTCAP_SOLARIS; -@@ -,6 +3335,7 @@ +@@ -3370,6 +3372,7 @@ !_cups_strcasecmp(line, "SystemGroup") || !_cups_strcasecmp(line, "SystemGroupAuthKey") || !_cups_strcasecmp(line, "TempDir") || @@ -34,7 +34,7 @@ cupsdLogMessage(CUPSD_LOG_INFO, --- a/scheduler/conf.h +++ b/scheduler/conf.h -@@ -245,6 +245,8 @@ +@@ -247,6 +247,8 @@ VAR int SSLOptions VALUE(CUPSD_SSL_NONE); /* SSL/TLS options */ #endif /* HAVE_SSL */ diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch --- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 2016-10-10 09:55:07.0 +0200 @@ -11,7 +11,7 @@ 
--- a/scheduler/ipp.c +++ b/scheduler/ipp.c -@@ -8249,6 +8249,11 @@ +@@ -8206,6 +8206,11 @@ ipp_attribute_t *attr, /* Current attribute */ *attr2, /* Job attribute */ *prev2; /* Previous job attribute */ @@ -23,7 +23,7 @@ /* -@@ -8310,6 +8315,85 @@ +@@ -8267,6 +8272,85 @@ } /* diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series --- cups-1.7.5/debian/patches/series 2015-06-09 09:36:38.0 +0200 +++ cups-1.7.5/debian/patches/series 2016-10-10 09:54:51.0 +0200 @@ -6,6 +6,7 @@ str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
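Review bot: the debian/changelog hunk targets `jessie-security` (`cups (1.7.5-11+deb8u2) jessie-security; urgency=high`), but this is a jessie-pu request going through stable-proposed-updates, so the distribution needs to be `jessie`, as the shutter and libclamunrar debdiffs on this page use; the previous 1.7.5-11+deb8u1 entry was a security upload, which is presumably where the suite name was copied from. Separately, the visible part of the debdiff only refreshes hunk offsets in cupsd-idleexittimeout.patch, cupsd-idleexittimeout-systemd.patch, log-debug-history-nearly-unlimited.patch, pidfile.patch and the embedded-options patch, and extends debian/patches/series, while the SSLOptions/AllowSSLv3/AllowRC4 change the changelog describes does not appear in the hunks shown here; the patch that adds it should be confirmed to be in the series addition.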