Re: embedding openssl source in sslcan

2017-01-05 Thread Moritz Mühlenhoff
On Thu, Jan 05, 2017 at 09:39:16PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> > Is this really something we need to be shipping?  If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security@ldo is not it).
> 
> I have been made aware of my mistake and I bounced the original email to
> security@d.o with no response yet. I haven't got any response from them
> yet so it looks like sslscan will link against libssl1.0.

I did reply to you (as did Thijs), but as mentioned before there's no
need for that code copy in _stretch_, since 1.0.2 should still provide
ample legacy support.

Cheers,
Moritz



Re: embedding openssl source in sslcan

2017-01-05 Thread Sebastian Andrzej Siewior
On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> Is this really something we need to be shipping?  If yes, I'd personally
> really like this to get an explicit exemption from normal policy by the
> security team, so please talk to them (debian-security@ldo is not it).

I have been made aware of my mistake and I bounced the original email to
security@d.o with no response yet. I haven't got any response from them
yet so it looks like sslscan will link against libssl1.0.

> Cheers,
> Julien

Sebastian



Bug#847273: jessie-pu: package mapserver/6.4.1-5

2017-01-05 Thread Sebastiaan Couwenberg
On 01/05/2017 09:04 PM, Adam D. Barratt wrote:
> On Tue, 2016-12-06 at 22:00 +0100, Sebastiaan Couwenberg wrote:
>> Sorry for the outdated debdiff, for p-u the distribution has been
>> changed to stable.
> 
> Please go ahead.

Thanks!

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Processed: retitle 850105 to RM: sogo -- RoST; multiple security issues, tagging 850105

2017-01-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 850105 RM: sogo -- RoST; multiple security issues
Bug #850105 [release.debian.org] RM: sogo/2.2.9+git20141017-1
Changed Bug title to 'RM: sogo -- RoST; multiple security issues' from 'RM: 
sogo/2.2.9+git20141017-1'.
> tags 850105 + pending
Bug #850105 [release.debian.org] RM: sogo -- RoST; multiple security issues
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
850105: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 844695 to RM: dotclear -- RoST; multiple security issues, tagging 844695

2017-01-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 844695 RM: dotclear -- RoST; multiple security issues
Bug #844695 [release.debian.org] RM: dotclear/2.6.4+dfsg-1
Changed Bug title to 'RM: dotclear -- RoST; multiple security issues' from 'RM: 
dotclear/2.6.4+dfsg-1'.
> tags 844695 + pending
Bug #844695 [release.debian.org] RM: dotclear -- RoST; multiple security issues
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
844695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844695
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Removed tag(s) moreinfo.
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Added tag(s) confirmed.

-- 
841724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-05 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sat, 2016-10-22 at 14:11 -0500, Rob Browning wrote:
> "Adam D. Barratt"  writes:
> 
> > Control: tags -1 + moreinfo
> > Control: severity -1 normal
> >
> > On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
> >> I'd like to propose an update for jessie as described by the attached
> >> debdiff.  Though the final upload/diff might be slightly different
> >> (i.e. the dpm hashes).
> >> 
> >> Both of the changes (patches) have been cherry-picked from upstream as
> >> described in the patch headers.
> >
> > The security tracker indicates that both issues - CVE-2016-8605 and
> > CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
> > correct? If so then that would be a prerequisite to applying the fixes
> > in stable.
> 
> Hmm, well I'm also preparing 2.0.13+1-1 packages for unstable that include
> (upstream) both fixes.  Should I upload those first?

That happened in the meantime, so please feel free to go ahead with the
upload to stable.

Regards,

Adam



Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1

2017-01-05 Thread Adam D. Barratt
On Tue, 2016-09-06 at 22:21 +0200, Moritz Mühlenhoff wrote:
> On Sat, Aug 13, 2016 at 10:33:32AM +0200, Julien Cristau wrote:
> > Control: tag -1 moreinfo
> > 
> > On Thu, Jun 30, 2016 at 22:19:11 +0200, Moritz Muehlenhoff wrote:
> > 
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > 
> > > Attached debdiff fixes a non-severe security issue in harfbuzz.
> > > I've been using that for a few weeks on my jessie desktop.
> > > 
> > > Cheers,
> > > Moritz
> > > 
> > > diff -Nru harfbuzz-0.9.35/debian/changelog 
> > > harfbuzz-0.9.35/debian/changelog
> > > --- harfbuzz-0.9.35/debian/changelog  2014-10-30 13:58:05.0 
> > > +0100
> > > +++ harfbuzz-0.9.35/debian/changelog  2016-05-30 23:50:45.0 
> > > +0200
> > > @@ -1,3 +1,10 @@
> > > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium
> > > +
> > > +  * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to 
> > > address
> > > +CVE-2016-2052
> > > +
> > > + -- Moritz Mühlenhoff   Mon, 30 May 2016 23:49:46 +0200
> > > +
> > >  harfbuzz (0.9.35-2) unstable; urgency=medium
> > >  
> > >* debain/clean: Remove test/shaping/*.pyc during clean
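Review bot: the new changelog entry ties CVE-2016-2052 to upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b, but the reply further down in this thread points out that the Red Hat bug links the CVE to a different commit, so the commit/CVE pairing needs to be confirmed before this is uploaded. The entry gives no pointer a reviewer could use to check that mapping; suggest adding the Debian bug number or upstream issue alongside the CVE, and a few words on what the backported commit actually fixes, so the stable changelog is self-explanatory.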
> > 
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1301553#c6
> > CVE-2016-2052 is linked to a different commit, can you clarify?
> 
> Hmm, there seems to have been some reshuffling of CVE mappings, also another
> minor issue came up. I'll revise.

Any news on that?

Regards,

Adam



Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1

2017-01-05 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Mon, 2016-11-28 at 17:17 +0100, Alberto Gonzalez Iniesta wrote:
> Thanks for the corrections. Please find attached the debdiff file in the
> right direction. #838009 is marked as fixed in unstable/testing and
> #826710 will be marked accordingly if this upload happens.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #842929 [release.debian.org] jessie-pu: package modsecurity-crs/2.2.9-1
Removed tag(s) moreinfo.
Bug #842929 [release.debian.org] jessie-pu: package modsecurity-crs/2.2.9-1
Added tag(s) confirmed.

-- 
842929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842929
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:

> Request for uploading to stable, as a CVE has been posted for a bug in
> mactelnet-client.
> This update is a backport of the fix done upstream, which fixes only
> the mentioned bug.
> 
> More information here:
> https://security-tracker.debian.org/tracker/CVE-2016-7115
> and here: https://bugs.debian.org/836320

+mactelnet (0.4.0-2) stable; urgency=low

The version should be 0.4.0-1+deb8u1. With that change, please go ahead.

Regards,

Adam



Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) confirmed.

-- 
837458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#847273: jessie-pu: package mapserver/6.4.1-5

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2016-12-06 at 22:00 +0100, Sebastiaan Couwenberg wrote:
> Sorry for the outdated debdiff, for p-u the distribution has been
> changed to stable.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#847273: jessie-pu: package mapserver/6.4.1-5

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #847273 [release.debian.org] jessie-pu: package mapserver/6.4.1-5
Added tag(s) confirmed.

-- 
847273: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847273
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2017-01-03 at 14:05 +0100, Sebastian Ramacher wrote:
> Hi
> 
> On 2017-01-03 11:05:40, Sebastian Ramacher wrote:
> > On 2017-01-01 20:55:40, Sebastian Ramacher wrote:
[..]
> > > > 
> > > > On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote:
> > > > > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point release.
> > > > > The issue was marked as no-dsa.
> > > > > 
> > > > > The proposed debdiff is attached. The same patch was applied to the package in
> > > > > unstable.
> > > > 
> > > > +  * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
[...]
> > Seems like python-paramiko broke in wheezy-lts (#850025). I will come back to
> > you once I've checked if stable is affected as well.
> 
> New debdiff is attached. Instead of throwing an exception the IV is simply
> ignored and a warning is displayed.

The patch itself still refers to exceptions in its metadata, fwiw.

Please go ahead.

Regards,

Adam
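
The thread above describes two versions of the python-crypto backport: one that throws an exception when an IV is passed to ECB or CTR mode, and a second that silently drops the IV and emits a warning instead. The following is an added example, not code from the page or from PyCrypto, showing what such an argument-validation layer looks like and how the two policies differ; the mode table, the 16-byte block size and the helper names (`validate_iv`, `lenient_call`, `is_rejected`) are assumptions made for this illustration.

```python
import warnings

# Constructed mode table for this example; 16-byte blocks are assumed (AES),
# the page does not say which cipher the affected code handles.
BLOCK_SIZE = 16
MODES_WITHOUT_IV = {"ECB", "CTR"}   # CTR takes a counter, not an IV
MODES_WITH_IV = {"CBC", "CFB", "OFB"}


class IVMisuseWarning(UserWarning):
    """Emitted when an IV is supplied to a mode that does not use one."""


def validate_iv(mode, iv, strict=True):
    """Check a (mode, iv) pair before it reaches the cipher implementation.

    strict=True  mirrors the first backport on the page: an IV supplied to
                 ECB or CTR is rejected with ValueError.
    strict=False mirrors the second backport: the IV is ignored and a
                 warning is emitted so the caller can notice the misuse.
    Returns the IV that should actually be used (None for ECB/CTR).
    Hypothetical helper written for this example, not PyCrypto's API.
    """
    mode = mode.upper()
    if mode in MODES_WITHOUT_IV:
        if iv is not None:
            if strict:
                raise ValueError(f"{mode} mode does not take an IV")
            warnings.warn(f"IV supplied to {mode} mode is ignored",
                          IVMisuseWarning, stacklevel=2)
        return None
    if mode in MODES_WITH_IV:
        if iv is None:
            raise ValueError(f"{mode} mode requires a {BLOCK_SIZE}-byte IV")
        # Length is checked in Python before anything is copied into a
        # fixed-size native buffer, so an over-long IV never reaches C code.
        if len(iv) != BLOCK_SIZE:
            raise ValueError(f"IV must be {BLOCK_SIZE} bytes, got {len(iv)}")
        return bytes(iv)
    raise ValueError(f"unknown mode {mode!r}")


def is_rejected(mode, iv, strict=True):
    """True when validate_iv refuses the pair under the given policy."""
    try:
        validate_iv(mode, iv, strict=strict)
    except ValueError:
        return True
    return False


def lenient_call(mode, iv):
    """Run the lenient policy and return (iv_used, number_of_warnings)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        used = validate_iv(mode, iv, strict=False)
    return used, len(caught)


if __name__ == "__main__":
    iv = b"\x00" * BLOCK_SIZE
    print("strict ECB+IV rejected:", is_rejected("ECB", iv))
    print("lenient ECB+IV ->", lenient_call("ECB", iv))
    print("CBC with 40-byte IV rejected:", is_rejected("CBC", b"A" * 40))
```

The strict policy is the safer default for new code: a caller passing an IV to ECB has almost certainly chosen the wrong mode, and failing loudly makes that visible. The lenient policy exists only for the compatibility reason given in the thread (an rdepend such as python-paramiko breaking when the exception was introduced), and its warning is what lets operators spot such callers in logs.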



Processed: Re: Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849698 [release.debian.org] jessie-pu: package python-crypto/2.6.1-5+deb8u1
Added tag(s) confirmed.

-- 
849698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#850154: jessie-pu: package nvidia-graphics-modules/340.101+3.16.0+1

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2017-01-04 at 14:19 +0100, Andreas Beckmann wrote:
> As a followup to updating nvidia-graphics-drivers to a new upstream
> release, we also need to update the prebuilt kernel modules.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#850154: jessie-pu: package nvidia-graphics-modules/340.101+3.16.0+1

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #850154 [release.debian.org] jessie-pu: package 
nvidia-graphics-modules/340.101+3.16.0+1
Added tag(s) confirmed.

-- 
850154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#849865: jessie-pu: package postgresql-common/165+deb8u2

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849865 [release.debian.org] jessie-pu: package postgresql-common/165+deb8u2
Added tag(s) confirmed.

-- 
849865: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849865
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#849865: jessie-pu: package postgresql-common/165+deb8u2

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2017-01-01 at 18:53 +0100, Christoph Berg wrote:
> I would like to upload postgresql-common/165+deb8u2 with the diff
> quoted below to jessie. It's fixing a data-loss bug, and a security
> issue. The issues are already addressed in unstable (both in 178).

Please go ahead.

Regards,

Adam



Processed: Re: Bug#849869: jessie-pu: package unrtf/0.21.5-3

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849869 [release.debian.org] jessie-pu: package unrtf/0.21.5-3
Added tag(s) confirmed.

-- 
849869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#849869: jessie-pu: package unrtf/0.21.5-3

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2017-01-01 at 19:59 +0100, Willi Mann wrote:
> As per request of the security team, I intend to upload a security fix 
> (CVE-2016-10091) of the unrtf package for the next jessie point release.
> 
> The changelog is:
> unrtf (0.21.5-3+deb8u1) stable; urgency=medium
> 
>   * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
> cmd_ functions) closes: 849705

Please go ahead.

Regards,

Adam



Processed: Re: Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #850084 [release.debian.org] jessie-pu: package 
asterisk/1:11.13.1~dfsg-2+deb8u2
Added tag(s) confirmed.

-- 
850084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2017-01-04 at 00:05 +0100, Bernhard Schmidt wrote:
> I would like to fix CVE-2016-9938 (Bug #847668) with the upcoming point release.
> The issue has been categorized no-dsa by the security team before.

Please go ahead.

Regards,

Adam



Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2017-01-02 at 17:27 +, Gianfranco Costamagna wrote:
> CVE-2016-10087 is not worth a DSA, Security Team asked for a point release update.
> 
> diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.50/debian/changelog
> --- libpng-1.2.50/debian/changelog  2016-01-07 20:39:14.0 +0100
> +++ libpng-1.2.50/debian/changelog  2017-01-02 18:24:35.0 +0100
> @@ -1,3 +1,10 @@
> +libpng (1.2.50-2+deb8u3) jessie; urgency=medium
> +
> +  * debian/patches/CVE-2016-10087.patch:
> +- cherry-pick upstream fix for CVE-2016-10087
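Review bot: the changelog entry names only the CVE and the patch file, not the upstream commit being cherry-picked, so a reviewer cannot match the backport against upstream without opening the patch itself; suggest citing the commit id in the changelog or in the patch's DEP-3 Origin header, and the Debian bug number if one exists. Note also that the quoted hunk stops after four of the seven added lines announced by `@@ -1,3 +1,10 @@`, so the maintainer trailer and the rest of the entry are not visible for review here.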

Please go ahead.

Regards,

Adam



Processed: Re: Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849967 [release.debian.org] jessie-pu: package exim4/4.84.2-2+deb8u3
Added tag(s) confirmed.

-- 
849967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849962 [release.debian.org] jessie-pu: package libpng/1.2.50-2+deb8u3
Added tag(s) confirmed.

-- 
849962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849962
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2017-01-02 at 19:44 +0100, Andreas Metzler wrote:
> I (and Heiko from exim upstream) would like to fix #845569 in jessie.
> sid/testing already include the fix, it was part of 4.88~RC6.
> 
> The issue is a memleak in the GnuTLS code, the patch is a two-line
> change. Heiko has provided a very nice writeup in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845569#20

Please go ahead.

Regards,

Adam



Bug#850287: RM: readline6 -- remove from testing

2017-01-05 Thread Emilio Pozuelo Monfort
user release.debian@packages.debian.org
usertags 850287 + rm
thanks

On 05/01/17 18:26, Matthias Klose wrote:
> Package: release.debian.org
> 
> According to #840397, readline6 can now be removed from testing.

emilio@tatooine:~$ dak rm -Rn -s testing readline6
[...]
Checking reverse dependencies...
# Broken Depends:
bashdb: bashdb
heimdal: heimdal-clients [amd64]
 heimdal-kdc [amd64]
 libsl0-heimdal [amd64]
sdb: sdb

sdb and bashdb are scheduled for auto-removal because of this. But heimdal is
blocked on the binutils/mips* bug...

Cheers,
Emilio



Bug#850287: RM: readline6 -- remove from testing

2017-01-05 Thread Matthias Klose
Package: release.debian.org

According to #840397, readline6 can now be removed from testing.



Bug#849020: jessie-pu: package systemd/215-17+deb8u6

2017-01-05 Thread Michael Biebl
Am 05.01.2017 um 07:18 schrieb Adam D. Barratt:
> Michael, please feel free to upload.

Thanks. Done.

> (I'm assuming that the resulting
> package has had at least some testing on a jessie system already.)

I did test the individual fixes in a jessie VM and lxc container, which
included installing and running the final version of systemd_215-17+deb8u6.

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#848341: jessie-pu: package intel-microcode/3.20161104.1~deb8u1

2017-01-05 Thread Henrique de Moraes Holschuh
On Thu, 05 Jan 2017, Adam D. Barratt wrote:
> On Fri, 2016-12-16 at 10:17 -0200, Henrique de Moraes Holschuh wrote:
> > I would like to update the intel-microcode packages in stable to address
> > several critical errata in newer Intel processors.
> > 
> > The updated packages being proposed in this bug report are identical to
> > the ones in unstable/testing and jessie-backports, other than
> > debian/changelog and version numbering.
> > 
> > These changes have been tested in unstable since 2016-11-09, in testing
> > since 2016-11-15, and in jessie-backports since 2016-11-17, without any
> > issues being reported.
> 
> Please go ahead.

Uploaded.

Thank you!

-- 
  Henrique Holschuh



Re: pbseqlib testing migration

2017-01-05 Thread Emilio Pozuelo Monfort
On 05/01/17 07:16, Afif Elghraoui wrote:
> I'd like to follow-up on this. I will try for an executive summary in
> case my original message was too long:
> 
> * pbseqlib builds three arch:any libraries as well as the arch:all
> libpbseq-dev that depends on all of their -dev packages
> 
> * pbseqlib has a new build dependency that does not build on 32-bit
> architectures (all old pbseqlib binaries have already been removed)
> 
> * the un-installability of libpbseq-dev on i386 is preventing testing
> migration.
> 
> I believe this needs a force-hint. This is also somewhat urgent because
> some rdeps with fixed RC bugs cannot migrate without this one going first.

I have added a force-hint. The package should migrate in ~12 hours.

Cheers,
Emilio



Bug#848365: jessie-pu: package coquelicot/0.9.2-4+deb8u1

2017-01-05 Thread Jérémy Bobbio
Adam D. Barratt:
> Control: tags -1 + moreinfo
> 
> On Fri, 2016-12-16 at 18:31 +0100, Jérémy Bobbio wrote:
> > I would like to fix important issues affecting coquelicot in jessie:
> > 
> > #809351: properly run coquelicot under the 'coquelicot' user and not
> > as root. It was always intended that way, that's why the cron is running
> > under the coquelicot user already. The issue has been fixed a while ago
> > for stretch (in 0.9.4-1, uploaded September 2015). This backports the
> > changes from the unstable branch which switched to using
> > init-d-script(5).
> > 
> > #808018: silence deprecation warnings coming from cron. While the
> > warnings actually come from ruby-fast-gettext, they make the garbage
> > collection cron send an email on every run.
> 
> + sysvinit-utils (>= 2.88dsf-50),
> 
> What's that for? sysvinit-utils is Essential:yes.
> 
> Hmmm, so the answer appears to be "because that's when init-d-script(5)
> was added". That doesn't really seem like a minimal change for fixing
> the user that the daemon is running as.

You are right. I agree it's not a minimal change but the initscript
using init-d-script has been in Stretch for more than a year. I thought
it would be safer to use a version that has received more testing than
to patch the older one. I could still do that if you'd prefer.

-- 
Lunar.''`. 
lu...@debian.org: :Ⓐ  :  # apt-get install anarchism
`. `'` 
  `-   




Processed: severity of 850196 is normal

2017-01-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 850196 normal
Bug #850196 {Done: Niels Thykier } [release.debian.org] 
unblock: dgit/2.14
Severity set to 'normal' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
850196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems