Bug#862945: unblock: jbig2dec/0.13-4.1

2017-05-18 Thread Salvatore Bonaccorso
On Fri, May 19, 2017 at 07:22:12AM +0200, Salvatore Bonaccorso wrote:
> The full debdiff is attached to this mail as debdiff against the current
> version in testing.

Or not...

Salvatore
diff -Nru jbig2dec-0.13/debian/changelog jbig2dec-0.13/debian/changelog
--- jbig2dec-0.13/debian/changelog  2017-01-23 21:13:34.0 +0100
+++ jbig2dec-0.13/debian/changelog  2017-05-16 20:08:21.0 +0200
@@ -1,3 +1,13 @@
+jbig2dec (0.13-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460)
+  * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788)
+  * Bounds check before reading from image source data (CVE-2017-7976)
+(Closes: #860787)
+
+ -- Salvatore Bonaccorso   Tue, 16 May 2017 20:08:21 +0200
+
 jbig2dec (0.13-4) unstable; urgency=medium
 
   * Add patches cherry-picked upstream to squash signed/unsigned
diff -Nru jbig2dec-0.13/debian/patches/020170426~5e57e48.patch 
jbig2dec-0.13/debian/patches/020170426~5e57e48.patch
--- jbig2dec-0.13/debian/patches/020170426~5e57e48.patch1970-01-01 
01:00:00.0 +0100
+++ jbig2dec-0.13/debian/patches/020170426~5e57e48.patch2017-05-16 
20:08:21.0 +0200
@@ -0,0 +1,26 @@
+Description: Bug 697693: Prevent SEGV due to integer overflow.
+ While building a Huffman table, the start and end points were susceptible
+ to integer overflow.
+ .
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+Origin: upstream, 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697693
+Bug-Debian: https://bugs.debian.org/860788
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7975
+Forwarded: not-needed
+Author: Shailesh Mistry 
+Last-Update: 2017-05-16
+
+--- a/jbig2_huffman.c
 b/jbig2_huffman.c
+@@ -422,8 +422,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx,
+ 
+ if (PREFLEN == CURLEN) {
+ int RANGELEN = lines[CURTEMP].RANGELEN;
+-int start_j = CURCODE << shift;
+-int end_j = (CURCODE + 1) << shift;
++uint32_t start_j = CURCODE << shift;
++uint32_t end_j = (CURCODE + 1) << shift;
+ byte eflags = 0;
+ 
+ if (end_j > max_j) {
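Review bot: Changing `start_j` and `end_j` to `uint32_t` only changes the type the result is stored in; in `CURCODE << shift` and `(CURCODE + 1) << shift` the shift is still evaluated in the type of `CURCODE`, which this context does not show. If `CURCODE` is a signed `int`, the overflow happens before the conversion, so cast the operand first, for example `(uint32_t)CURCODE << shift`, and reject a `shift` of 32 or more. The following test `end_j > max_j` also becomes a mixed signed/unsigned comparison unless `max_j` is unsigned as well, which is worth confirming in the full function.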
diff -Nru jbig2dec-0.13/debian/patches/020170503~b184e78.patch 
jbig2dec-0.13/debian/patches/020170503~b184e78.patch
--- jbig2dec-0.13/debian/patches/020170503~b184e78.patch1970-01-01 
01:00:00.0 +0100
+++ jbig2dec-0.13/debian/patches/020170503~b184e78.patch2017-05-16 
20:08:21.0 +0200
@@ -0,0 +1,27 @@
+Description: Bug 697703: Prevent integer overflow vulnerability.
+ Add extra check for the offset being greater than the size
+ of the image and hence reading off the end of the buffer.
+ .
+ Thank you to Dai Ge for finding this issue and suggesting a patch.
+Origin: upstream, 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697703
+Bug-Debian: https://bugs.debian.org/860460
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7885
+Forwarded: not-needed
+Author: Shailesh Mistry 
+Last-Update: 2017-05-16
+---
+ jbig2dec/jbig2_symbol_dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/jbig2_symbol_dict.c
 b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ byte *dst = image->data;
+ 
+ /* SumatraPDF: prevent read access violation */
+-if (size - jbig2_huffman_offset(hs) < image->height * stride) 
{
++if ((size - jbig2_huffman_offset(hs) < image->height * 
stride) || (size < jbig2_huffman_offset(hs))) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, 
"not enough data for decoding (%d/%d)", image->height * stride,
+ size - jbig2_huffman_offset(hs));
+ jbig2_image_release(ctx, image);
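Review bot: In the new condition the subtraction `size - jbig2_huffman_offset(hs)` is still evaluated before the added guard `size < jbig2_huffman_offset(hs)`; if the operands are unsigned, the difference has already wrapped by the time the guard runs, and the check holds only because the second clause then catches it. Put the guard first, `size < jbig2_huffman_offset(hs) || size - jbig2_huffman_offset(hs) < image->height * stride`, so the subtraction is reached only when it cannot wrap. Two things remain: the `jbig2_error` call still formats `size - jbig2_huffman_offset(hs)` with `%d`, which is the wrapped value in exactly the case this patch adds, and the product `image->height * stride` is not itself checked for overflow.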
diff -Nru jbig2dec-0.13/debian/patches/020170510~ed6c513.patch 
jbig2dec-0.13/debian/patches/020170510~ed6c513.patch
--- jbig2dec-0.13/debian/patches/020170510~ed6c513.patch1970-01-01 
01:00:00.0 +0100
+++ jbig2dec-0.13/debian/patches/020170510~ed6c513.patch2017-05-16 
20:08:21.0 +0200
@@ -0,0 +1,28 @@
+Description: Bug 697683: Bounds check before reading from image source data.
+ Add extra check to prevent reading off the end of the image source
+ data buffer.
+ .
+ Thank you to Dai Ge for finding this issue and suggesting a patch.
+Origin: upstream, 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697683
+Bug-Debian: https://bugs.debian.org/860787
+Bug-Debian-Security: 

Bug#862945: unblock: jbig2dec/0.13-4.1

2017-05-18 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi


Please unblock package jbig2dec

It fixes three CVEs (which as well were addressed in a DSA):

https://www.debian.org/security/2017/dsa-3855

+jbig2dec (0.13-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460)
+  * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788)
+  * Bounds check before reading from image source data (CVE-2017-7976)
+(Closes: #860787)
+
+ -- Salvatore Bonaccorso   Tue, 16 May 2017 20:08:21 +0200

unblock jbig2dec/0.13-4.1

The full debdiff is attached to this mail as debdiff against the current
version in testing.

Thanks in advance already,

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)



Bug#862941: binNMUs needed for multiple arm64 packages (#850814)

2017-05-18 Thread Steve McIntyre
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hey folks,

As first discussed a while back, we've had a bug in gold which caused
some broken builds of some arm64 packages. These were mostly in
backports, with a few examples in the early life of stretch. Now that
#850814 is fixed and we have an updated binutils in stable too, I've
re-scanned the archive for arm64 binaries with broken alignment. Please
binNMU the following (I hope I got the syntax right!):

Backports:

 nmu haskell-cabal_1.22.4.0-2~bpo8+1 . arm64 . jessie-backports -m "Rebuild with fixed binutils"
 nmu haskell-hierarchical-clustering_0.4.6-1~bpo8+1 . arm64 . jessie-backports -m "Rebuild with fixed binutils"
 nmu haskell-http_4000.2.20-3~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-mtl_2.2.1-2~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-network_2.6.2.1-3~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-network-uri_2.6.0.3-3~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-old-locale_1.0.0.7-2~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-old-time_1.1.0.3-2~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-parsec_3.1.9-4~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-prettyclass_1.0.0.0-4~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-random_1.1-3~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-stm_2.4.4-4~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-text_1.2.1.3-2~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu haskell-zlib_0.5.4.2-4~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu systemd_230-7~bpo8+2 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"
 nmu wine-development_2.0.3~bpo8+1 . arm64 . jessie-backports . -m "Rebuild with fixed binutils"

Unstable:

 nmu wine-development_2.0.3 . arm64 . -m "Rebuild with fixed binutils"

Experimental:

 nmu wine-development_2.8-1 . arm64 . experimental . -m "Rebuild with fixed binutils"
 nmu wine-2.0.1-1 . arm64 . experimental . -m "Rebuild with fixed binutils"

I'm *guessing* all the Haskell packages might involve triggering more
rebuilds of all the rdeps too, not sure...


-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#862864: Bug#861612: pixbros: level designs appear to be non-free

2017-05-18 Thread Steve Cotton
On Fri, May 12, 2017 at 11:03:24PM +0200, Markus Koschany wrote:
> What we need to check is: Does the game comply with the DFSG and does it
> infringe the copyright of another programmer/artist. In my opinion that
> is not the case here because the license is DFSG-compatible and the game
> looks and works differently in style and artwork. We are not aware of a
> verdict which states that the level resemblance infringes the rights of
> another party.

Hi Markus,

To clarify, I think it's a copyright violation.  The copyrights in
question are the layout of the levels, the level designers' choices of
where the platforms are.  For a simple level like level 30 it would be
unremarkable for games in the same genre to have a similar level, but
not the complex designs of most of the levels from 31 to 49.

> This whole bug report reminds me of Giana Sisters, ...

> On the other hand we have many open source games that try to clone an
> older game but they look and behave often differently and use their own
> graphics or they just reinvent the engine and then use the original
> artwork (hence why those games are shipped in contrib)

But the ones in contrib using original artwork only have the DFSG
parts in contrib, the copy of the original artwork isn't in contrib.

> Look at Pathological which is obviously a clone of Logical or Tuxpuck
> which very much resembles the Shuffle Puck Cafe game. Are they non-free
> too? I don't think so because I have played the original games and I can
> tell you that the older games had both better graphics, more levels and
> were more feature complete. They resemble each other but they are not on
> a par and the risk that some company sues Debian just for distributing
> them is highly unlikely because we make no money with them either.

Just as they used new artwork, Pathological used (AFAIK) new level
designs. The first level looks like a level of Logical, but that's
forced by the genre, there's a limited set of level designs for a
tutorial level that introduces the concept of the game.

With tuxpuck the level design seems to be a rectangular table, with a
rectangular area of that table that the player can move the bat to.

Neither of these games seems to have a direct copy from the game that
inspired them.

Regards,
Steve



Bug#861686: unblock: openssl/1.1.0e-2

2017-05-18 Thread Cyril Brulebois
Sebastian Andrzej Siewior  (2017-05-18):
> On 2017-05-07 16:39:00 [+], Niels Thykier wrote:
> > Sebastian Andrzej Siewior:
> > > uploaded and built on all releases architectures.
> > 
> > Ack/RT unblock, CC'ing KiBi for a d-i ack.
> 
> I don't want to rush or anything but in case it got forgotten, we are
> still waiting for the d-i ack.

Thanks for prodding, I indeed missed the request initially…

No objections, and sorry for the lag.


KiBi.




Bug#862937: unblock: firejail/0.9.44.8-2

2017-05-18 Thread Reiner Herrmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package firejail

Version 0.9.44.8-2 includes a cherry-picked patch that fixes a memory
corruption which leads to a crash when firejail is called with certain
options (#862083).

Kind regards,
  Reiner

unblock firejail/0.9.44.8-2
diff -Nru firejail-0.9.44.8/debian/changelog firejail-0.9.44.8/debian/changelog
--- firejail-0.9.44.8/debian/changelog  2017-01-19 23:14:35.0 +0100
+++ firejail-0.9.44.8/debian/changelog  2017-05-09 21:15:19.0 +0200
@@ -1,3 +1,10 @@
+firejail (0.9.44.8-2) unstable; urgency=medium
+
+  * Cherry-pick upstream patch for memory corruption in noblacklist
+processing (Closes: #862083).
+
+ -- Reiner Herrmann   Tue, 09 May 2017 21:15:19 +0200
+
 firejail (0.9.44.8-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch
 
firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch
--- 
firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch
1970-01-01 01:00:00.0 +0100
+++ 
firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch
2017-05-09 21:10:12.0 +0200
@@ -0,0 +1,241 @@
+From: netblue30 
+Subject: [PATCH] bugfix: ugly memory corruption in noblacklist processing
+Origin: upstream, 
https://github.com/netblue30/firejail/commit/ad51fb7489a148ed87abe367a82e0d25203b2d28
+Debian-Bug: https://bugs.debian.org/862083
+
+diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
+index 13be6b11..d1445ea3 100644
+--- a/src/firejail/firejail.h
 b/src/firejail/firejail.h
+@@ -631,6 +631,7 @@ void run_symlink(int argc, char **argv);
+ 
+ // paths.c
+ char **build_paths(void);
++unsigned int count_paths(void);
+ 
+ // fs_mkdir.c
+ void fs_mkdir(const char *name);
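Review bot: The new declaration `unsigned int count_paths(void);` does not say whether the count includes the terminating NULL slot of the array returned by `build_paths()`, and the caller in `fs.c` depends on exactly that: it does `calloc(npaths, sizeof(char *))` and then asserts `enames[npaths-1] == 0`. Add a comment next to the prototype stating the contract, so a later change to either function cannot silently make the allocation one slot short.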
+diff --git a/src/firejail/fs.c b/src/firejail/fs.c
+index 3ea4725b..3efaae93 100644
+--- a/src/firejail/fs.c
 b/src/firejail/fs.c
+@@ -436,26 +436,35 @@ void fs_blacklist(void) {
+ 
+   // Process noblacklist command
+   if (strncmp(entry->data, "noblacklist ", 12) == 0) {
+-  char **paths = build_paths();
+-
+-  char *enames[sizeof(paths)+1] = {0};
+-  int i = 0;
++  char **enames;
++  int i;
+ 
+   if (strncmp(entry->data + 12, "${PATH}", 7) == 0) {
+   // expand ${PATH} macro
+-  while (paths[i] != NULL) {
+-  if (asprintf([i], "%s%s", 
paths[i], entry->data + 19) == -1)
++  char **paths = build_paths();
++  unsigned int npaths = count_paths();
++  enames = calloc(npaths, sizeof(char *));
++  if (!enames)
++  errExit("calloc");
++
++  for (i = 0; paths[i]; i++) {
++  if (asprintf([i], "%s%s", 
paths[i],
++  entry->data + 19) == -1)
+   errExit("asprintf");
+-  i++;
+   }
+-  } else {
++  assert(enames[npaths-1] == 0);
++
++  }
++  else {
+   // expand ${HOME} macro if found or pass as is
++  enames = calloc(2, sizeof(char *));
++  if (!enames)
++  errExit("calloc");
+   enames[0] = expand_home(entry->data + 12, 
homedir);
+-  enames[1] = NULL;
++  assert(enames[1] == 0);
+   }
+ 
+-  i = 0;
+-  while (enames[i] != NULL) {
++  for (i = 0; enames[i]; i++) {
+   if (noblacklist_c >= noblacklist_m) {
+   noblacklist_m *= 2;
+   noblacklist = realloc(noblacklist, 
sizeof(*noblacklist) * noblacklist_m);
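Review bot: In the `${PATH}` branch the fill loop `for (i = 0; paths[i]; i++)` is bounded by the contents of `paths`, not by `npaths`, so the allocation size and the number of writes come from two separate calls that have to agree. The only cross-check is `assert(enames[npaths-1] == 0)`, which runs after the writes, is compiled out under `NDEBUG`, and indexes with `npaths - 1`, which wraps if `count_paths()` ever returns 0. Bound the loop explicitly, for example `paths[i] && i + 1 < npaths`, and handle a mismatch with `errExit` rather than an assert. `i` is also still `int` while `npaths` is `unsigned int`.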
+@@ -463,12 +472,9 @@ void fs_blacklist(void) {
+   errExit("failed increasing 
memory for noblacklist entries");
+   }
+   noblacklist[noblacklist_c++] = enames[i];
+-  i++;
+   }
+ 
+-  while (enames[i] != NULL) {
+-  free(enames[i]);
+- 

Bug#862598: marked as done (unblock: udfclient/0.8.8-1)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 20:08:00 +
with message-id <8c8150a1-8e11-c339-431b-c8be57f87...@thykier.net>
and subject line Re: Bug#862598: unblock: udfclient/0.8.7-1
has caused the Debian Bug report #862598,
regarding unblock: udfclient/0.8.8-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862598: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package udfclient

New upstream version fixes CVE-2017-8305 (Buffer overflow in strlcpy
implementation), debian bug #861347. As protection for buffer overflows,
package has now enabled hardening. Source debdiff is attached.

unblock udfclient/0.8.7-1

-- 
Pali Rohár
pali.ro...@gmail.com
diff -Nru udfclient-0.8.7/cd_disect.c udfclient-0.8.8/cd_disect.c
--- udfclient-0.8.7/cd_disect.c	2017-01-16 15:35:03.0 +0100
+++ udfclient-0.8.8/cd_disect.c	2017-04-03 11:38:13.0 +0200
@@ -2,7 +2,7 @@
 
 /*
  * File "cd_disect.c" is part of the UDFclient toolkit.
- * File $Id: cd_disect.c,v 1.80 2016/04/25 20:55:30 reinoud Exp $ $Name:  $
+ * File $Id: cd_disect.c,v 1.81 2017/04/03 08:48:51 reinoud Exp $ $Name:  $
  *
  * Copyright (c) 2003, 2004, 2005, 2006, 2011
  * 	Reinoud Zandijk 
@@ -211,7 +211,7 @@
 		if (cntrl & 1) strcat(scrap, "; incremental  "); else strcat(scrap, "; uninterrupted");
 	} else {
 		strcat(scrap, "audio track");
-		if (cntrl & 1) strcat(scrap, "; pre-emphasis of 50/15 µs"); else strcat(scrap, "; no pre-emphasis");
+		if (cntrl & 1) strcat(scrap, "; pre-emphasis of 50/15 microseconds"); else strcat(scrap, "; no pre-emphasis");
 	}
 	if (cntrl & 2) strcat(scrap, "; copy prohibited");
 
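Review bot: Replacing `µs` with `microseconds` makes the literal passed to `strcat(scrap, ...)` in this hunk around ten bytes longer, and `strcat` does no bounds checking; the size of `scrap` is not visible here. Since this release is requested for a buffer overflow fix, confirm that `scrap` still has room for the longest combination of fragments appended to it, or switch these appends to a bounded call such as `snprintf` with the remaining length.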
@@ -1384,7 +1384,7 @@
 if (cntrl & 1) printf("; incremental  "); else printf("; uninterrupted");
 			} else {
 printf("audio track");
-if (cntrl & 1) printf("; pre-emphasis of 50/15 µs"); else printf("; no pre-emphasis");
+if (cntrl & 1) printf("; pre-emphasis of 50/15 microseconds"); else printf("; no pre-emphasis");
 			}
 			if (cntrl & 2) printf("; copy prohibited");
 			printf(")\n");
diff -Nru udfclient-0.8.7/configure udfclient-0.8.8/configure
--- udfclient-0.8.7/configure	2017-01-16 15:35:03.0 +0100
+++ udfclient-0.8.8/configure	2017-04-03 11:38:13.0 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for udfclient 0.8.7.
+# Generated by GNU Autoconf 2.69 for udfclient 0.8.8.
 #
 # Report bugs to .
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='udfclient'
 PACKAGE_TARNAME='udfclient'
-PACKAGE_VERSION='0.8.7'
-PACKAGE_STRING='udfclient 0.8.7'
+PACKAGE_VERSION='0.8.8'
+PACKAGE_STRING='udfclient 0.8.8'
 PACKAGE_BUGREPORT='rein...@netbsd.org'
 PACKAGE_URL=''
 
@@ -1239,7 +1239,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures udfclient 0.8.7 to adapt to many kinds of systems.
+\`configure' configures udfclient 0.8.8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1304,7 +1304,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of udfclient 0.8.7:";;
+ short | recursive ) echo "Configuration of udfclient 0.8.8:";;
esac
   cat <<\_ACEOF
 
@@ -1384,7 +1384,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-udfclient configure 0.8.7
+udfclient configure 0.8.8
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1810,7 +1810,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by udfclient $as_me 0.8.7, which was
+It was created by udfclient $as_me 0.8.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4537,7 +4537,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by udfclient $as_me 0.8.7, which was
+This file was extended by udfclient $as_me 0.8.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -4590,7 +4590,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 

Bug#862615: marked as done (unblock: postgresql-9.6/9.6.3-1)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 20:00:00 +
with message-id <5828b72f-130f-5623-a8eb-750c95a38...@thykier.net>
and subject line Re: Bug#862615: unblock: postgresql-9.6/9.6.3-1
has caused the Debian Bug report #862615,
regarding unblock: postgresql-9.6/9.6.3-1
to be marked as done.


-- 
862615: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package postgresql-9.6:

postgresql-9.6 (9.6.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version.

+ Restrict visibility of pg_user_mappings.umoptions, to protect passwords
  stored as user mapping options (CVE-2017-7486)
+ Prevent exposure of statistical information via leaky operators
  (CVE-2017-7484)
+ Restore libpq's recognition of the PGREQUIRESSL environment variable
  (CVE-2017-7485)

  * debian/rules: Add stub to enable cassert builds (disabled by default).

 -- Christoph Berg   Tue, 09 May 2017 13:00:11 +0200


unblock postgresql-9.6/9.6.3-1


Thanks,
Christoph


--- End Message ---
--- Begin Message ---
Christoph Berg:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package postgresql-9.6:
> 
> postgresql-9.6 (9.6.3-1) unstable; urgency=medium
> 
>   * Team upload.
>   * New upstream version.
> 
> + Restrict visibility of pg_user_mappings.umoptions, to protect passwords
>   stored as user mapping options (CVE-2017-7486)
> + Prevent exposure of statistical information via leaky operators
>   (CVE-2017-7484)
> + Restore libpq's recognition of the PGREQUIRESSL environment variable
>   (CVE-2017-7485)
> 
>   * debian/rules: Add stub to enable cassert builds (disabled by default).
> 
>  -- Christoph Berg   Tue, 09 May 2017 13:00:11 +0200
> 
> 
> unblock postgresql-9.6/9.6.3-1
> 
> 
> Thanks,
> Christoph
> 

Unblocked, thanks.

~Niels
--- End Message ---


Bug#861686: unblock: openssl/1.1.0e-2

2017-05-18 Thread Sebastian Andrzej Siewior
On 2017-05-07 16:39:00 [+], Niels Thykier wrote:
> Sebastian Andrzej Siewior:
> > uploaded and built on all releases architectures.
> 
> Ack/RT unblock, CC'ing KiBi for a d-i ack.

I don't want to rush or anything but in case it got forgotten, we are
still waiting for the d-i ack.

> Thanks,
> ~Niels

Sebastian



Bug#862914: nmu: veusz_1.21.1-1

2017-05-18 Thread Adrian Bunk
On Thu, May 18, 2017 at 07:00:00PM +, Niels Thykier wrote:
> Control: block -1 by 831860
> 
> Adrian Bunk:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: binnmu
> > 
> > nmu veusz_1.21.1-1 . ANY . unstable . -m "rebuild with sip-api-11.3"
> > nmu python-poppler-qt4_0.24.0-1 . ANY . unstable . -m "rebuild with sip-api-11.3"
> > 
> > See #831860 for background.
> > 
> 
> Thanks,
> 
> If I read this correctly, we should wait with carrying these binNMUs out
> until #831860 has been fixed, so we are sure that the rebuilds depend
> on the correct sip API.

They will get the latest API automatically when rebuilt.

> Thanks,
> ~Niels

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#862865: marked as done (unblock: cross-toolchain-base*)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 19:19:00 +
with message-id 
and subject line Re: Bug#862865: unblock: cross-toolchain-base*
has caused the Debian Bug report #862865,
regarding unblock: cross-toolchain-base*
to be marked as done.


-- 
862865: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862865
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock cross-toolchain-base/18 and cross-toolchain-base-ports/11, fixing
a build error on i386. The packages are built using gcc-6 6.3.0-18, which is not
yet in testing, however they should build with -16 as well.
--- End Message ---
--- Begin Message ---
Matthias Klose:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock cross-toolchain-base/18 and cross-toolchain-base-ports/11, fixing
> a build error on i386.

Unblocked, thanks.

> The packages are built using gcc-6 6.3.0-18, which is not
> yet in testing, however they should build with -16 as well.
> 

Not with a B-D on gcc-6-source (>= 6.3.0-18~), but I have unblocked
gcc-6 as well.

Thanks,
~Niels
--- End Message ---


Bug#862898: marked as done (unblock: ntirpc/1.4.4-1)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 18:52:00 +
with message-id 
and subject line Re: Bug#862898: unblock: ntirpc/1.4.4-1
has caused the Debian Bug report #862898,
regarding unblock: ntirpc/1.4.4-1
to be marked as done.


-- 
862898: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862898
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ntirpc

Hi,

ntirpc/1.4.4-1, which was uploaded some days ago to unstable fixes
release critical CVE-2017-8779 bug #861836.

Thanks

Christoph
-- 

Christoph Martin, Head of Unix Systems
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Phone: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (See http://www.zdv.uni-mainz.de/4010.php)
diff -Nru ntirpc-1.4.3/CMakeLists.txt ntirpc-1.4.4/CMakeLists.txt
--- ntirpc-1.4.3/CMakeLists.txt 2016-10-25 20:15:56.0 +0200
+++ ntirpc-1.4.4/CMakeLists.txt 2017-05-05 21:07:02.0 +0200
@@ -15,7 +15,7 @@
 # version numbers
 set(NTIRPC_MAJOR_VERSION 1)
 set(NTIRPC_MINOR_VERSION 4)
-set(NTIRPC_PATCH_LEVEL 3)
+set(NTIRPC_PATCH_LEVEL 4)
 set(VERSION_COMMENT
   "Full-duplex and bi-directional ONC RPC on TCP."
 )
diff -Nru ntirpc-1.4.3/debian/changelog ntirpc-1.4.4/debian/changelog
--- ntirpc-1.4.3/debian/changelog   2017-04-07 13:54:21.0 +0200
+++ ntirpc-1.4.4/debian/changelog   2017-05-15 09:53:09.0 +0200
@@ -1,3 +1,11 @@
+ntirpc (1.4.4-1) unstable; urgency=high
+
+  [ Christoph Martin ]
+  * Imported Upstream version 1.4.4
+  * fixes rpcbomb CVE-2017-8779 (closes: #861836)
+
+ -- Christoph Martin   Mon, 15 May 2017 09:53:09 +0200
+
 ntirpc (1.4.3-3) unstable; urgency=medium
 
   * link with libatomic if necessary (closes: #859689)
diff -Nru ntirpc-1.4.3/debian/libntirpc1.4.symbols 
ntirpc-1.4.4/debian/libntirpc1.4.symbols
--- ntirpc-1.4.3/debian/libntirpc1.4.symbols2017-04-07 13:54:21.0 
+0200
+++ ntirpc-1.4.4/debian/libntirpc1.4.symbols2017-05-15 09:53:09.0 
+0200
@@ -1,253 +1,253 @@
 libntirpc.so.1.4 libntirpc1.4 #MINVER#
- NTIRPC_1.4.3@NTIRPC_1.4.3 1.4.3
+ NTIRPC_1.4.4@NTIRPC_1.4.4 1.4.4
  NTIRPC_PRIVATE@NTIRPC_PRIVATE 1.4.3
- __ntirpc_pkg_params@NTIRPC_1.4.3 1.4.3
- __rpc_createerr@NTIRPC_1.4.3 1.4.3
- __rpc_dtbsize@NTIRPC_1.4.3 1.4.3
- __rpc_endconf@NTIRPC_1.4.3 1.4.3
- __rpc_fd2sockinfo@NTIRPC_1.4.3 1.4.3
- __rpc_fixup_addr@NTIRPC_1.4.3 1.4.3
- __rpc_get_a_size@NTIRPC_1.4.3 1.4.3
- __rpc_get_local_uid@NTIRPC_1.4.3 1.4.3
- __rpc_get_t_size@NTIRPC_1.4.3 1.4.3
- __rpc_getconf@NTIRPC_1.4.3 1.4.3
- __rpc_getconfip@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2fd@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2fd_flags@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2sockinfo@NTIRPC_1.4.3 1.4.3
- __rpc_rawcombuf@NTIRPC_1.4.3 1.4.3
- __rpc_seman2socktype@NTIRPC_1.4.3 1.4.3
- __rpc_setconf@NTIRPC_1.4.3 1.4.3
- __rpc_sockinfo2netid@NTIRPC_1.4.3 1.4.3
- __rpc_sockisbound@NTIRPC_1.4.3 1.4.3
- __rpc_socktype2seman@NTIRPC_1.4.3 1.4.3
- __rpc_taddr2uaddr_af@NTIRPC_1.4.3 1.4.3
- __rpc_uaddr2taddr_af@NTIRPC_1.4.3 1.4.3
- __rpcgettp@NTIRPC_1.4.3 1.4.3
- _get_next_token@NTIRPC_1.4.3 1.4.3
- _null_auth@NTIRPC_1.4.3 1.4.3
- _rpc_dtablesize@NTIRPC_1.4.3 1.4.3
- _seterr_reply@NTIRPC_1.4.3 1.4.3
- _svcauth_gss@NTIRPC_1.4.3 1.4.3
- _svcauth_none@NTIRPC_1.4.3 1.4.3
- _svcauth_short@NTIRPC_1.4.3 1.4.3
- _svcauth_unix@NTIRPC_1.4.3 1.4.3
- authgss_get_private_data@NTIRPC_1.4.3 1.4.3
- authgss_ncreate@NTIRPC_1.4.3 1.4.3
- authgss_ncreate_default@NTIRPC_1.4.3 1.4.3
- authgss_service@NTIRPC_1.4.3 1.4.3
- authnone_ncreate@NTIRPC_1.4.3 1.4.3
- authunix_ncreate@NTIRPC_1.4.3 1.4.3
- authunix_ncreate_default@NTIRPC_1.4.3 1.4.3
- bindresvport@NTIRPC_1.4.3 1.4.3
- bindresvport_sa@NTIRPC_1.4.3 1.4.3
- callrpc@NTIRPC_1.4.3 1.4.3
- clnt_broadcast@NTIRPC_1.4.3 1.4.3
- clnt_dg_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_timed@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_vers@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_vers_timed@NTIRPC_1.4.3 1.4.3
- clnt_pcreateerror@NTIRPC_1.4.3 1.4.3
- clnt_perrno@NTIRPC_1.4.3 1.4.3
- clnt_perror@NTIRPC_1.4.3 1.4.3
- clnt_raw_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_spcreateerror@NTIRPC_1.4.3 1.4.3
- clnt_sperrno@NTIRPC_1.4.3 1.4.3
- clnt_sperror@NTIRPC_1.4.3 1.4.3
- clnt_tp_ncreate@NTIRPC_1.4.3 1.4.3
- 
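Review bot: Every entry visible in this hunk is removed under the version node `NTIRPC_1.4.3`, and the node line itself becomes `NTIRPC_1.4.4@NTIRPC_1.4.4 1.4.4`, while the header still names the same library and package, `libntirpc.so.1.4 libntirpc1.4`. If the replacement lines re-add the symbols as `@NTIRPC_1.4.4`, binaries linked against 1.4.3 reference versioned symbols that the new library no longer provides, with no SONAME or package name change to signal it. Check the reverse dependencies before migration and state in the unblock request whether they need a rebuild with a tightened dependency.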

Processed: Re: Bug#862914: nmu: veusz_1.21.1-1

2017-05-18 Thread Debian Bug Tracking System
Processing control commands:

> block -1 by 831860
Bug #862914 [release.debian.org] nmu: veusz_1.21.1-1 + python-poppler-qt4_0.24.0-1
862914 was not blocked by any bugs.
862914 was not blocking any bugs.
Added blocking bug(s) of 862914: 831860 and 846956

-- 
862914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862914: nmu: veusz_1.21.1-1

2017-05-18 Thread Niels Thykier
Control: block -1 by 831860

Adrian Bunk:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> 
> nmu veusz_1.21.1-1 . ANY . unstable . -m "rebuild with sip-api-11.3"
> nmu python-poppler-qt4_0.24.0-1 . ANY . unstable . -m "rebuild with sip-api-11.3"
> 
> See #831860 for background.
> 

Thanks,

If I read this correctly, we should wait with carrying these binNMUs out
until #831860 has been fixed, so we are sure that the rebuilds depend
on the correct sip API.

Thanks,
~Niels



Bug#862904: marked as done (unblock: dblatex/0.3.9-2)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 18:56:00 +
with message-id 
and subject line Re: Bug#862904: unblock: dblatex/0.3.9-2
has caused the Debian Bug report #862904,
regarding unblock: dblatex/0.3.9-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862904: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862904
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dblatex

While working on the stretch version of the Debian Handbook, I recently
discovered a regression in the way dblatex renders some inline elements
( and  among others).

I filed this as #862332 and with the maintainer we uploaded a fix to sid.
Please let it migrate to stretch so that we don't lose spaces when using
stretch's dblatex...

unblock dblatex/0.3.9-2

Debdiff is here:

diff -Nru dblatex-0.3.9/debian/changelog dblatex-0.3.9/debian/changelog
--- dblatex-0.3.9/debian/changelog  2016-10-11 08:58:13.0 +0200
+++ dblatex-0.3.9/debian/changelog  2017-05-16 20:42:07.0 +0200
@@ -1,3 +1,11 @@
+dblatex (0.3.9-2) unstable; urgency=low
+
+  * 20_preserve_spaces.patch:
+Preserve spaces in  and  elements.
+Thanks to Raphaël Hertzog for reporting and for his patch.  Closes: #862332
+
+ -- Andreas Hoenen   Tue, 16 May 2017 20:42:07 
+0200
+
 dblatex (0.3.9-1) unstable; urgency=low
 
   * New upstream release
diff -Nru dblatex-0.3.9/debian/patches/10_dblatex_version.patch 
dblatex-0.3.9/debian/patches/10_dblatex_version.patch
--- dblatex-0.3.9/debian/patches/10_dblatex_version.patch   2016-10-08 
10:04:59.0 +0200
+++ dblatex-0.3.9/debian/patches/10_dblatex_version.patch   2017-05-16 
17:48:08.0 +0200
@@ -8,6 +8,6 @@
  
 -->
  
 -0.3.9
-+0.3.9-1
++0.3.9-2
  
  
diff -Nru dblatex-0.3.9/debian/patches/20_preserve_spaces.patch 
dblatex-0.3.9/debian/patches/20_preserve_spaces.patch
--- dblatex-0.3.9/debian/patches/20_preserve_spaces.patch   1970-01-01 
01:00:00.0 +0100
+++ dblatex-0.3.9/debian/patches/20_preserve_spaces.patch   2017-05-16 
17:52:59.0 +0200
@@ -0,0 +1,14 @@
+Author: Raphaël Hertzog 
+Description: Hotfix for BTS report #862332:
+Preserve spaces in  and  elements.
+--- a/lib/dbtexmf/dblatex/texhyphen.py
 b/lib/dbtexmf/dblatex/texhyphen.py
+@@ -49,7 +49,7 @@
+ existing latex styles.
+ """
+ def __init__(self, codec=None,
+- h_sep="\penalty0 ", h_char="\penalty5000 ",
++ h_sep="\penalty0{}", h_char="\penalty5000{}",
+  h_start=3, h_stop=3):
+ self.codec = codec
+ self.seps = r":/\@=?#;-."
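Review bot: in the `__init__` defaults, `h_sep="\penalty0{}"` and `h_char="\penalty5000{}"` are ordinary string literals, so they depend on Python leaving the unrecognised escape `\p` untouched, while `self.seps` two lines further down already uses a raw string. Writing them as `r"\penalty0{}"` and `r"\penalty5000{}"` would make the backslash explicit, and a one-line comment that `{}` ends the penalty number without consuming the space that follows would record why the trailing space was dropped.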
diff -Nru dblatex-0.3.9/debian/patches/series 
dblatex-0.3.9/debian/patches/series
--- dblatex-0.3.9/debian/patches/series 2016-10-09 18:43:00.0 +0200
+++ dblatex-0.3.9/debian/patches/series 2017-05-16 17:49:11.0 +0200
@@ -4,3 +4,4 @@
 20_subtitle_handling.patch
 20_db2latex_title_page.patch
 20_xmultirow.patch
+20_preserve_spaces.patch

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Raphaël Hertzog:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package dblatex
> 
> While working on the stretch version of the Debian Handbook, I recently
> discovered a regression in the way dblatex renders some inline elements
> ( and  among others).
> 
> I filed this as #862332 and with the maintainer we uploaded a fix to sid.
> Please let it migrate to stretch so that we don't lose spaces when using
> stretch's dblatex...
> 
> unblock dblatex/0.3.9-2
> 
> Debdiff is here:
> 
> [...]
> 

Unblocked, thanks.

~Niels
--- End Message ---


Bug#862889: marked as done (unblock: python-iptables/0.11.0-4)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 18:54:00 +
with message-id 
and subject line Re: Bug#862889: unblock: python-iptables/0.11.0-4
has caused the Debian Bug report #862889,
regarding unblock: python-iptables/0.11.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862889
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-iptables

fixes a "grave" bug.
the original fix for #860986 (backported from upstream) to support xtables-v12
was incomplete.
therefore, this upload includes another fix backported from upstream, that
should make xtables-v12 support complete.

unblock python-iptables/0.11.0-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru python-iptables-0.11.0/debian/changelog 
python-iptables-0.11.0/debian/changelog
--- python-iptables-0.11.0/debian/changelog 2017-04-28 22:41:39.0 
+0200
+++ python-iptables-0.11.0/debian/changelog 2017-05-18 00:24:18.0 
+0200
@@ -1,3 +1,9 @@
+python-iptables (0.11.0-4) unstable; urgency=medium
+
+  * Backported xtables_match_v12 (Closes: #862741)
+
+ -- IOhannes m zmölnig (Debian/GNU)   Thu, 18 May 2017 
00:24:18 +0200
+
 python-iptables (0.11.0-3) unstable; urgency=medium
 
   * Backported IPv6 mask fix from upstream
diff -Nru python-iptables-0.11.0/debian/.git-dpm 
python-iptables-0.11.0/debian/.git-dpm
--- python-iptables-0.11.0/debian/.git-dpm  2017-04-28 22:41:39.0 
+0200
+++ python-iptables-0.11.0/debian/.git-dpm  2017-05-18 00:24:18.0 
+0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cf0621ca9b7eda22832f0a0a9990e34daa3056d3
-cf0621ca9b7eda22832f0a0a9990e34daa3056d3
+532972c390ceeb2ecaa67a91850348a28e16155a
+532972c390ceeb2ecaa67a91850348a28e16155a
 d1928747ee94401684d6e26211e733b585418e64
 d1928747ee94401684d6e26211e733b585418e64
 python-iptables_0.11.0.orig.tar.gz
diff -Nru 
python-iptables-0.11.0/debian/patches/0005-Backported-xtables_match_v12.patch 
python-iptables-0.11.0/debian/patches/0005-Backported-xtables_match_v12.patch
--- 
python-iptables-0.11.0/debian/patches/0005-Backported-xtables_match_v12.patch   
1970-01-01 01:00:00.0 +0100
+++ 
python-iptables-0.11.0/debian/patches/0005-Backported-xtables_match_v12.patch   
2017-05-18 00:24:18.0 +0200
@@ -0,0 +1,76 @@
+From 532972c390ceeb2ecaa67a91850348a28e16155a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig=20=28Debian/GNU=29?=
+ 
+Date: Thu, 18 May 2017 00:23:15 +0200
+Subject: Backported xtables_match_v12
+
+Closes: #862741
+---
+ iptc/xtables.py | 54 +-
+ 1 file changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/iptc/xtables.py b/iptc/xtables.py
+index 54ba0e4..4546bc1 100644
+--- a/iptc/xtables.py
 b/iptc/xtables.py
+@@ -411,7 +411,59 @@ class _xtables_match_v10(ct.Structure):
+ 
+ 
+ _xtables_match_v11 = _xtables_match_v10
+-_xtables_match_v12 = _xtables_match_v10
++
++
++class _xtables_match_v12(ct.Structure):
++_fields_ = [("version", ct.c_char_p),
++("next", ct.c_void_p),
++("name", ct.c_char_p),
++("real_name", ct.c_char_p),
++("revision", ct.c_uint8),
++("ext_flags", ct.c_uint8),
++("family", ct.c_uint16),
++("size", ct.c_size_t),
++("userspacesize", ct.c_size_t),
++("help", ct.CFUNCTYPE(None)),
++("init", ct.CFUNCTYPE(None, ct.POINTER(xt_entry_match))),
++# fourth parameter entry is struct ipt_entry for example
++# int (*parse)(int c, char **argv, int invert, unsigned int
++# *flags, const void *entry, struct xt_entry_match **match)
++("parse", ct.CFUNCTYPE(ct.c_int, ct.c_int,
++   ct.POINTER(ct.c_char_p), ct.c_int,
++   ct.POINTER(ct.c_uint), ct.c_void_p,
++  
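Review bot: the patch header says only "Backported xtables_match_v12" and "Closes: #862741" and does not name the upstream commit it was taken from, so the hand-written `_fields_` list cannot be checked against its source. Add an Origin line with the upstream commit. Since the removed alias `_xtables_match_v12 = _xtables_match_v10` was the incomplete earlier fix, a test that loads a match extension against xtables v12 would also help guard against a second layout mismatch.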

Bug#862541: Pre-approval request, unblock: caffe/1.0.0-2

2017-05-18 Thread Lumin
Hi jmw,

The difference between the 1.0.0~rc4 version and the 1.0.0 version
is 162 git commits. I went through these git commits, and
these commits are about:

  1 documentation update / fix
  2 code grooming
  3 bug fix
  4 add tests
  5 support cudnn v6  (does not affect this package)
  6 update docker scripts  (does not affect this package)

i.e. There is no major code / feature change from the 1.0.0~rc4 tag
 -> 1.0.0 tag.

I've read the freeze policy but still want to apply for an unblock.
This is a machine learning application which has no rdepends,
and the latest stable version 1.0.0 is more favorable to users and it's
more convenient for upstream to support. Although the rc4 version
works fine too.

Apart from the upstream stable release, I will add one more patch
to the packaging directory, which was already approved and merged
by upstream:

https://github.com/BVLC/caffe/commit/91b09280f5233cafc62954c98ce8bc4c204e7475

The patch will change an ambiguous static library name, and hence
fixing the bug mentioned previously won't introduce more trouble.

The 1.0.0-2 version was already prepared in the git repo:

https://anonscm.debian.org/cgit/debian-science/packages/caffe.git/log/

If this change could be approved, I'll upload the 1.0.0-2 version
to unstable, and wait for it to migrate.

If not, can I upload 1.0.0~rc4-2 simply with the patch above
applied and the fix for the bug mentioned above?


Thank you :-)


FYI:
files changed

git diff 1.0.0-rc4 1.0 --stat | cat   Thu 18 May
2017 03:49:46 PM UTC
 .gitignore  |   1 +
 CMakeLists.txt  |  42 +-
 CONTRIBUTORS.md |   2 +-
 LICENSE |   4 +-
 Makefile|   8 +-
 Makefile.config.example |  14 +-
 README.md   |   6 +-
 cmake/ConfigGen.cmake   |  67 +--
 cmake/Cuda.cmake|  14 +-
 cmake/Dependencies.cmake| 109 +++--
 cmake/External/glog.cmake   |   1 +
 cmake/Modules/FindAtlas.cmake   |   4 +-
 cmake/Modules/FindNCCL.cmake|  26 ++
 cmake/Modules/FindvecLib.cmake  |   2 +-
 cmake/ProtoBuf.cmake|   4 +-
 cmake/Summary.cmake |   1 +
 cmake/Targets.cmake |   6 +-
 cmake/Templates/CaffeConfig.cmake.in|  15 +-
 cmake/Templates/caffe_config.h.in   |  32 +-
 cmake/Uninstall.cmake.in|  26 ++
 docker/Makefile |  50 ---
 docker/README.md|  69 ++-
 docker/{standalone => }/cpu/Dockerfile  |  13 +-
 docker/{standalone => }/gpu/Dockerfile  |  16 +-
 docker/templates/Dockerfile.template|  42 --
 docs/_layouts/default.html  |   2 +-
 docs/development.md |   4 +-
 docs/index.md   |  47 +-
 docs/install_apt.md |   6 +-
 docs/install_apt_debian.md  | 161 +++
 docs/installation.md|   7 +-
 docs/model_zoo.md   |  24 +-
 docs/multigpu.md|   4 +-
 docs/performance_hardware.md|  73 ---
 docs/tutorial/interfaces.md |   4 +-
 docs/tutorial/layers.md | 562 
 docs/tutorial/layers/absval.md  |  22 +
 docs/tutorial/layers/accuracy.md|  20 +
 docs/tutorial/layers/argmax.md  |  18 +
 docs/tutorial/layers/batchnorm.md   |  20 +
 docs/tutorial/layers/batchreindex.md|  16 +
 docs/tutorial/layers/bias.md|  19 +
 docs/tutorial/layers/bnll.md|  25 ++
 docs/tutorial/layers/concat.md  |  40 ++
 docs/tutorial/layers/contrastiveloss.md |  20 +
 docs/tutorial/layers/convolution.md |  63 +++
 docs/tutorial/layers/crop.md|  20 +
 docs/tutorial/layers/data.md|  29 ++
 docs/tutorial/layers/deconvolution.md   |  22 +
 docs/tutorial/layers/dropout.md |  20 +
 docs/tutorial/layers/dummydata.md   |  20 +
 docs/tutorial/layers/eltwise.md |  20 +
 docs/tutorial/layers/elu.md |  25 ++
 docs/tutorial/layers/embed.md   |  20 +
 docs/tutorial/layers/euclideanloss.md   |  16 +
 docs/tutorial/layers/exp.md |  24 +
 docs/tutorial/layers/filter.md  |  15 +
 docs/tutorial/layers/flatten.md |  21 +
 docs/tutorial/layers/hdf5data.md|  20 +
 

Processed: Mention both packages in the bug title

2017-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 862914 nmu: veusz_1.21.1-1 + python-poppler-qt4_0.24.0-1
Bug #862914 [release.debian.org] nmu: veusz_1.21.1-1
Changed Bug title to 'nmu: veusz_1.21.1-1 + python-poppler-qt4_0.24.0-1' from 
'nmu: veusz_1.21.1-1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862914: nmu: veusz_1.21.1-1

2017-05-18 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu veusz_1.21.1-1 . ANY . unstable . -m "rebuild with sip-api-11.3"
nmu python-poppler-qt4_0.24.0-1 . ANY . unstable . -m "rebuild with 
sip-api-11.3"

See #831860 for background.



Bug#862871: unblock: intel-microcode/3.20170511.1

2017-05-18 Thread Henrique de Moraes Holschuh
On Thu, 18 May 2017, Jonathan Wiltshire wrote:
> On 2017-05-17 22:44, Henrique de Moraes Holschuh wrote:
> >Please unblock package intel-microcode.
> 
> Unblocked.

Thank you!

-- 
  Henrique Holschuh



Bug#862871: marked as done (unblock: intel-microcode/3.20170511.1)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 16:25:54 +0100
with message-id <2fad778396f8516979e757615a5bd...@debian.org>
and subject line Re: Bug#862871: unblock: intel-microcode/3.20170511.1
has caused the Debian Bug report #862871,
regarding unblock: intel-microcode/3.20170511.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode.


The new upstream release by Intel (dated 2017-05-11) fixes nasty issues
on the recent Intel desktop/mobile/server processors, including some
very-high-end server processors.

It also sets a new baseline microcode for Linux, by the virtue of making
the LAPIC TSC-deadline mode far more reliable on machines where either
the operating system or the BIOS/UEFI wrote to the IA32_TSC_ADJUST MSR
(3BH).  This feature (which is used by Linux) was somewhat broken in
just about every processor of the Core family since (at least) Haswell,
here's a partial list of errata numbers: HSM183/BDM128/SKL142/
KBL092/BDF89/SKW137.

This update is known to fix an issue on some models of the Xeon E7v4
(and possibly also of the Xeon E5v4) that would cause such processors to
sometimes(?) hang during boot if a previous version of the intel-microcode
package is installed.  Erratum BDF90/BDX90.

This Xeon E7v4/E5v4 boot hang would be a severity grave bug, if not for
the fact that the number of users running Debian + intel-microcode on
bare-metal with these very expensive (and still somewhat rare)
processors must be really low right now... but the number of potential
victims of this issue could increase given enough time if those servers'
BIOS/UEFI is not updated.  This issue is being tracked in Debian bug
#862606.

The new upstream update also likely fixes several critical errata on
Skylake, including one that I would consider terrifying (SKL150/SKW144),
if not for the fact that this specific erratum must be low-hitting for
some reason, or Skylake would have been dubbed Crashlake.

It likely fixes several other critical and severe errata that result in
unpredictable behavior, system hangs, and iGPU misbehavior at least on
Skylake.


I have attached the abridged source package debdiff between the release
in testing (3.20161104.1) and the release in unstable (3.20170511.1).
The abridged debdiff removes the noise caused by the removal of upstream
file microcode-20161104.dat, and addition of the new upstream file
microcode-20170511.dat.

There are no packaging changes: just an update of the upstream microcode
data file, and the changelogs.

Note: the new upstream "releasenote" file is _not_ shipped in the binary
packages, since it has either incorrect, or mostly useless information.


Full diffstat:
 changelog  |   13 
 debian/changelog   |   42 
 microcode-20161104.dat |61630 
 microcode-20170511.dat |61886 +
 releasenote|   41 
 5 files changed, 61982 insertions(+), 61630 deletions(-)

Abridged diffstat:
 changelog|   13 +
 debian/changelog |   42 ++
 releasenote  |   41 +
 3 files changed, 96 insertions(+)


Thank you!


unblock intel-microcode/3.20170511.1

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20161104.1/changelog 
intel-microcode-3.20170511.1/changelog
--- intel-microcode-3.20161104.1/changelog  2016-11-09 20:35:10.0 
-0200
+++ intel-microcode-3.20170511.1/changelog  2017-05-13 20:09:28.0 
-0300
@@ -1,3 +1,16 @@
+2017-05-11:
+  * Updated Microcodes:
+sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+
 2016-11-04:
   * New Microcodes:
 

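The unblock request above turns on whether a machine is running microcode older than the revisions in this update. As an added example (not part of the original message or of the intel-microcode package), the code below compares the `microcode` field of `/proc/cpuinfo` with a few entries copied from the changelog above. The `/proc/cpuinfo` text is constructed, the function names are hypothetical, and `pf_mask` is not matched because `/proc/cpuinfo` does not expose platform flags.

```python
import re

# Entries copied from the "Updated Microcodes" changelog quoted above.
CHANGELOG = """\
sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
"""

# Constructed sample: two logical CPUs with the same signature but
# different running revisions, a state worth flagging on its own.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
stepping\t: 3
microcode\t: 0x9e

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
stepping\t: 3
microcode\t: 0xba
"""

ENTRY_RE = re.compile(
    r"sig\s+(?P<sig>0x[0-9a-fA-F]+),\s*pf_mask\s+0x[0-9a-fA-F]+,"
    r"\s*\d{4}-\d{2}-\d{2},\s*rev\s+(?P<rev>0x[0-9a-fA-F]+)")


def decode_signature(sig):
    """Split a CPUID(1).EAX signature into (family, model, stepping)."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model applies to these families
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family is added only for 0xF
        family += (sig >> 20) & 0xFF
    return family, model, stepping


def parse_changelog(text):
    """Map (family, model, stepping) to the highest revision listed for it.

    Simplification: entries that differ only in pf_mask are merged.
    """
    wanted = {}
    for m in ENTRY_RE.finditer(text):
        key = decode_signature(int(m.group("sig"), 16))
        wanted[key] = max(int(m.group("rev"), 16), wanted.get(key, 0))
    return wanted


def parse_cpuinfo(text):
    """Return one dict of fields per 'processor' block of /proc/cpuinfo."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def audit(cpuinfo_text, changelog_text=CHANGELOG):
    """Return (processor, signature, running_rev, listed_rev, status) tuples."""
    wanted = parse_changelog(changelog_text)
    report = []
    for cpu in parse_cpuinfo(cpuinfo_text):
        proc = cpu["processor"]
        if cpu.get("vendor_id") != "GenuineIntel":
            report.append((proc, None, None, None, "not-intel"))
            continue
        try:
            key = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
            running = int(cpu["microcode"], 16)
        except (KeyError, ValueError):
            # e.g. a guest kernel that reports no microcode revision
            report.append((proc, None, None, None, "unknown"))
            continue
        target = wanted.get(key)
        if target is None:
            status = "not-listed"
        else:
            status = "current" if running >= target else "outdated"
        report.append((proc, key, running, target, status))
    return report


def mixed_revisions(report):
    """True when CPUs with the same signature run different revisions."""
    seen = {}
    for _proc, key, running, _target, _status in report:
        if key is not None:
            seen.setdefault(key, set()).add(running)
    return any(len(revs) > 1 for revs in seen.values())


if __name__ == "__main__":
    for row in audit(SAMPLE_CPUINFO):
        print(row)
    print("mixed revisions:", mixed_revisions(audit(SAMPLE_CPUINFO)))
```

On a real host, pass the contents of `/proc/cpuinfo` to `audit()` in place of the constructed sample.
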
Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-05-18 Thread Adam D. Barratt

On 2017-05-18 14:25, Markus Wanner wrote:
[...]
> On 05/18/2017 03:07 PM, Adam D. Barratt wrote:
>> So far as I can tell, having looked at the BTS and Security Tracker, and
>> the description of the CVE, this issue also affects the flightgear
>> package in unstable and is not yet fixed there.
[...]
> I focused on stable, first, thinking of it as a security issue.

We don't differentiate between types of fixes in that way for uploads
going via p-u. If a security issue is urgent enough to need fixing in
stable first then it should really be published via the security archive
- that's rather its point, after all :-).

> The fix
> for unstable is somewhat different, but also being prepared. I'll report
> back when it's fixed, there.

Thanks.

Regards,

Adam



Bug#862904: unblock: dblatex/0.3.9-2

2017-05-18 Thread Raphaël Hertzog
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dblatex

While working on the stretch version of the Debian Handbook, I recently
discovered a regression in the way dblatex renders some inline elements
( and  among others).

I filed this as #862332 and with the maintainer we uploaded a fix to sid.
Please let it migrate to stretch so that we don't lose spaces when using
stretch's dblatex...

unblock dblatex/0.3.9-2

Debdiff is here:

diff -Nru dblatex-0.3.9/debian/changelog dblatex-0.3.9/debian/changelog
--- dblatex-0.3.9/debian/changelog  2016-10-11 08:58:13.0 +0200
+++ dblatex-0.3.9/debian/changelog  2017-05-16 20:42:07.0 +0200
@@ -1,3 +1,11 @@
+dblatex (0.3.9-2) unstable; urgency=low
+
+  * 20_preserve_spaces.patch:
+Preserve spaces in  and  elements.
+Thanks to Raphaël Hertzog for reporting and for his patch.  Closes: #862332
+
+ -- Andreas Hoenen   Tue, 16 May 2017 20:42:07 
+0200
+
 dblatex (0.3.9-1) unstable; urgency=low
 
   * New upstream release
diff -Nru dblatex-0.3.9/debian/patches/10_dblatex_version.patch 
dblatex-0.3.9/debian/patches/10_dblatex_version.patch
--- dblatex-0.3.9/debian/patches/10_dblatex_version.patch   2016-10-08 
10:04:59.0 +0200
+++ dblatex-0.3.9/debian/patches/10_dblatex_version.patch   2017-05-16 
17:48:08.0 +0200
@@ -8,6 +8,6 @@
  
 -->
  
 -0.3.9
-+0.3.9-1
++0.3.9-2
  
  
diff -Nru dblatex-0.3.9/debian/patches/20_preserve_spaces.patch 
dblatex-0.3.9/debian/patches/20_preserve_spaces.patch
--- dblatex-0.3.9/debian/patches/20_preserve_spaces.patch   1970-01-01 
01:00:00.0 +0100
+++ dblatex-0.3.9/debian/patches/20_preserve_spaces.patch   2017-05-16 
17:52:59.0 +0200
@@ -0,0 +1,14 @@
+Author: Raphaël Hertzog 
+Description: Hotfix for BTS report #862332:
+Preserve spaces in  and  elements.
+--- a/lib/dbtexmf/dblatex/texhyphen.py
 b/lib/dbtexmf/dblatex/texhyphen.py
+@@ -49,7 +49,7 @@
+ existing latex styles.
+ """
+ def __init__(self, codec=None,
+- h_sep="\penalty0 ", h_char="\penalty5000 ",
++ h_sep="\penalty0{}", h_char="\penalty5000{}",
+  h_start=3, h_stop=3):
+ self.codec = codec
+ self.seps = r":/\@=?#;-."
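Review bot: the header of 20_preserve_spaces.patch carries only Author and Description, although the description itself calls this a hotfix for BTS report #862332. Add `Bug-Debian: https://bugs.debian.org/862332` and a `Forwarded:` field so that it is clear whether upstream dblatex has received the change to the `h_sep` and `h_char` defaults.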
diff -Nru dblatex-0.3.9/debian/patches/series 
dblatex-0.3.9/debian/patches/series
--- dblatex-0.3.9/debian/patches/series 2016-10-09 18:43:00.0 +0200
+++ dblatex-0.3.9/debian/patches/series 2017-05-16 17:49:11.0 +0200
@@ -4,3 +4,4 @@
 20_subtitle_handling.patch
 20_db2latex_title_page.patch
 20_xmultirow.patch
+20_preserve_spaces.patch

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


Re: [d-i/stretch] Status on Installation guide and Release notes (from a d-i PoV)

2017-05-18 Thread Baptiste Jammet
Hello, 

Niels Thykier said, on 03/04/2017:

>Please let reply to this thread once the changes have been done, so I
>can mark them as done in my checklist. :)
Doing so, see
https://lists.debian.org/debian-boot/2017/04/msg00336.html
and 
https://lists.debian.org/debian-doc/2017/05/msg00012.html

>Minor remark about the wording: "[...], allowing to download packages
>from https mirrors.", perhaps consider "[...], enabling download of
>packages from https mirrors."   (From experience, the English review
>team has a thing for flagging "allow to" as being incorrect).
Corrected, thanks.

Baptiste




Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-05-18 Thread Markus Wanner
Adam,

thank you for your feedback.

On 05/18/2017 03:07 PM, Adam D. Barratt wrote:
> So far as I can tell, having looked at the BTS and Security Tracker, and
> the description of the CVE, this issue also affects the flightgear
> package in unstable and is not yet fixed there. 

That's correct, yes.

> Assuming that's correct,
> please ensure that unstable is fixed first and then come back to us; if
> it's not correct, please get the metadata fixed.

I focused on stable, first, thinking of it as a security issue. The fix
for unstable is somewhat different, but also being prepared. I'll report
back when it's fixed, there.

> Indeed, because the main archive rejected the upload before it made it
> as far as the p-u-new queue. I don't remember why and it was
> sufficiently long ago that the data files are no longer publicly
> available in order to check.

I think that was the PGP key deprecation issue on my side.

Kind Regards

Markus Wanner






Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-05-18 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2017-05-18 8:38, Markus Wanner wrote:
> as per Salvatore Bonaccorso, the current security fix for flightgear
> doesn't warrant a DSA on its own (see below). Is it okay to upload to
> 'stable'?

So far as I can tell, having looked at the BTS and Security Tracker, and
the description of the CVE, this issue also affects the flightgear
package in unstable and is not yet fixed there. Assuming that's correct,
please ensure that unstable is fixed first and then come back to us; if
it's not correct, please get the metadata fixed.

> A debdiff against the current version in stable-sec (3.0.0-5+deb8u1) is
> attached. Please note that stable itself is still at 3.0.0-5 and doesn't
> offer the first (and related) security fix.

Indeed, because the main archive rejected the upload before it made it
as far as the p-u-new queue. I don't remember why and it was
sufficiently long ago that the data files are no longer publicly
available in order to check.


Regards,

Adam



Processed: Re: Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-05-18 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #862891 [release.debian.org] jessie-pu: package flightgear/3.0.0-5+deb8u2
Added tag(s) moreinfo.

-- 
862891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862864: unblock: pixbros/0.6.3+dfsg-0.1

2017-05-18 Thread Markus Koschany
On 18.05.2017 at 13:40, Steve Cotton wrote:
> On Wed, May 17, 2017 at 11:12:52PM +0300, Adrian Bunk wrote:
>> Usertags: unblock
>>
>> +  * Repackaged to remove generated files and copyright violations
>> +from the upstream sources. (Closes: #861612)
> 
> Hi Adrian, Markus and the Release Team,
> 
> I'm sorry to be a spoilsport, but I ask the Release Team to review bug
> #861612 before unblocking Pixbros, particularly the comparisons in
> .
> 
> Please note that both Adrian and Markus Koschany disagree with me.

I still believe I gave you a reasonable explanation in [1] why pixbros
is not non-free. You also have not commented on my note that, according
to your reasoning, games like Pathological or Tuxpuck would also be
affected. I could continue with this list. Did you ever play pacman [2]?

You use Policy 2.3 as a justification for your severity. Which concrete
law in which country would we break by distributing pixbros? Where is
the evidence that distributing the game is harmful for Debian?



[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861612#35
[2] https://packages.debian.org/sid/pacman





Bug#862864: unblock: pixbros/0.6.3+dfsg-0.1

2017-05-18 Thread Steve Cotton
On Wed, May 17, 2017 at 11:12:52PM +0300, Adrian Bunk wrote:
> Usertags: unblock
>
> +  * Repackaged to remove generated files and copyright violations
> +from the upstream sources. (Closes: #861612)

Hi Adrian, Markus and the Release Team,

I'm sorry to be a spoilsport, but I ask the Release Team to review bug
#861612 before unblocking Pixbros, particularly the comparisons in
.

Please note that both Adrian and Markus Koschany disagree with me.

Thanks,
Steve



Bug#862864: unblock: pixbros/0.6.3+dfsg-0.1

2017-05-18 Thread Adrian Bunk
On Thu, May 18, 2017 at 01:40:28PM +0200, Steve Cotton wrote:
> On Wed, May 17, 2017 at 11:12:52PM +0300, Adrian Bunk wrote:
> > Usertags: unblock
> >
> > +  * Repackaged to remove generated files and copyright violations
> > +from the upstream sources. (Closes: #861612)
> 
> Hi Adrian, Markus and the Release Team,
> 
> I'm sorry to be a spoilsport, but I ask the Release Team to review bug
> #861612 before unblocking Pixbros, particularly the comparisons in
> .

The correct people to review would be the FTP team (added to Cc).

> Please note that both Adrian and Markus Koschany disagree with me.

I actually don't have a settled opinion on that.

The part of my upload I was personally interested in was the 
architecture change to allow building on the buildds, and
Markus asked me to also include this change.

> Thanks,
> Steve

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#862449: marked as done (unblock: drbd-utils/8.9.10-2)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 12:57:16 +0100
with message-id <13a4ec7e31d663d5efcab1cd5148d...@debian.org>
and subject line Re: Bug#862449: unblock: drbd-utils/8.9.10-2
has caused the Debian Bug report #862449,
regarding unblock: drbd-utils/8.9.10-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862449
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package drbd-utils.

The version currently in Stretch has a serious bug (#862248) that 
prevents the service from being disabled/enabled using update-rc.d.  
Furthermore, during the investigation of this issue, I realized that 
upgrades from previous versions might leave stale systemd links around.
The package in unstable fixes both issues.

Furthermore, in order to better align with upstream, the drbd service is 
disabled by default on new installations; upstream recommends using a 
cluster management software to control the DRBD service and has disabled 
the initscript in their own packages.

Full debdiff attached.

Regards,
Apollon

unblock drbd-utils/8.9.10-2
diff -Nru drbd-utils-8.9.10/debian/changelog drbd-utils-8.9.10/debian/changelog
--- drbd-utils-8.9.10/debian/changelog	2016-12-23 17:41:42.0 +0200
+++ drbd-utils-8.9.10/debian/changelog	2017-05-12 15:05:39.0 +0300
@@ -1,3 +1,22 @@
+drbd-utils (8.9.10-2) unstable; urgency=medium
+
+  * Fix the service enable/disable logic (broken since 8.9.8-1, closes:
+#862248):
++ Add Default-Start runlevels to the initscript so that it can be
+  enabled/disabled again (broken since 8.9.8-1, see #862248).
++ Clean up stale systemd state on upgrade from versions that shipped a
+  native systemd unit.
+  * Disable the service by default on new installations, following upstream's
+policy.
++ Document disabling the service in debian/NEWS.
++ Override lintian error about duplicate update-rc.d calls.
+  * Do not restart the drbd service on upgrade; kernel reconfiguration is not
+needed when the tools change.
+  * d/NEWS: use the new source name and drop the epoch, to avoid displaying
+existing notices on every upgrade.
+
+ -- Apollon Oikonomopoulos   Fri, 12 May 2017 15:05:39 +0300
+
 drbd-utils (8.9.10-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru drbd-utils-8.9.10/debian/drbd-utils.lintian-overrides drbd-utils-8.9.10/debian/drbd-utils.lintian-overrides
--- drbd-utils-8.9.10/debian/drbd-utils.lintian-overrides	1970-01-01 02:00:00.0 +0200
+++ drbd-utils-8.9.10/debian/drbd-utils.lintian-overrides	2017-05-12 15:05:39.0 +0300
@@ -0,0 +1 @@
+drbd-utils: duplicate-updaterc.d-calls-in-postinst drbd
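Review bot: The override on the single added line carries no justification. Lintian override files accept `#` comment lines above the tag; add one saying that the duplicate calls come from the explicit `update-rc.d drbd defaults` / `update-rc.d drbd disable` pair in drbd-utils.postinst, so a later reader can tell the duplicate is intentional.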
diff -Nru drbd-utils-8.9.10/debian/drbd-utils.postinst drbd-utils-8.9.10/debian/drbd-utils.postinst
--- drbd-utils-8.9.10/debian/drbd-utils.postinst	1970-01-01 02:00:00.0 +0200
+++ drbd-utils-8.9.10/debian/drbd-utils.postinst	2017-05-12 15:05:39.0 +0300
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Cleanup the old systemd unit state, if applicable
+if dpkg --compare-versions "$2" lt-nl "8.9.5-1~"; then
+	if deb-systemd-helper debian-installed drbd.service; then
+		deb-systemd-helper purge drbd.service >/dev/null
+		deb-systemd-helper unmask drbd.service >/dev/null
+	fi
+fi
+
+# Disable the DRBD service by default on new installations
+if [ -z "$2" ]; then
+	update-rc.d drbd defaults >/dev/null || true
+	update-rc.d drbd disable >/dev/null || true
+fi
+
+#DEBHELPER#
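Review bot: Missing check on "$1": both blocks run for every postinst invocation, not only `configure`. On an `abort-remove` call with no further arguments "$2" is empty, so the `[ -z "$2" ]` branch would disable the service on an existing installation, and on `abort-remove in-favour ...` calls "$2" is the word `in-favour` rather than a version when it reaches `dpkg --compare-versions`. Wrap both blocks in `if [ "$1" = "configure" ]; then ... fi`. The `|| true` on `update-rc.d drbd disable` also hides a failed disable, which would leave the service enabled contrary to the NEWS entry; consider printing a warning in that case.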
diff -Nru drbd-utils-8.9.10/debian/NEWS drbd-utils-8.9.10/debian/NEWS
--- drbd-utils-8.9.10/debian/NEWS	2015-04-30 15:53:09.0 +0300
+++ drbd-utils-8.9.10/debian/NEWS	2017-05-12 15:05:39.0 +0300
@@ -1,4 +1,22 @@
-drbd8 (2:8.4.4-1) unstable; urgency=low
+drbd-utils (8.9.10-2) unstable; urgency=medium
+
+  The drbd service is now disabled by default on new installations. Upstream
+  recommends that a cluster management software be used to control DRBD
+  instead. If your setup relies on the drbd service however, you can still
+  enable it using
+
+systemctl enable drbd.service
+
+  or
+
+update-rc.d drbd enable
+
+  Again, this applies only to new installations of the package, upgrades from
+  older versions will leave the service intact.
+
+ -- Apollon Oikonomopoulos   Fri, 12 May 2017 20:15:24 +0300
+
+drbd-utils (8.4.4-1) unstable; urgency=low
 
   DRBD 8.4 includes a number of 
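Review bot: In the last paragraph of the new entry, "upgrades from older versions will leave the service intact" does not say what is preserved; word it as keeping the service's current enabled or disabled state. The entry trailer is dated 20:15:24 while the matching debian/changelog entry for 8.9.10-2 is dated 15:05:39 on the same day, so check that neither is stale.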

Processed: Re: Bug#862541: Pre-approval request, unblock: caffe/1.0.0-2

2017-05-18 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862541 [release.debian.org] Pre-approval request, unblock: caffe/1.0.0-2
Added tag(s) moreinfo.

-- 
862541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862541
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862541: Pre-approval request, unblock: caffe/1.0.0-2

2017-05-18 Thread Jonathan Wiltshire

Control: tag -1 moreinfo

Hi,

On 2017-05-14 13:43, lumin wrote:

> I'm working on bug #862528 for adding a missing file back,
> and the fix will be shipped in 1.0.0-2 (i.e. not uploaded yet).
>
> However the caffe package in testing is 1.0.0~rc4-1,
> and I wish stretch to ship the 1.0.0 version [1] instead
> of an upstream RC version.
>
> I wonder whether this update can be approved. Thanks.


It's impossible to say without more information about the proposed 
changes.


I also note that the bug you're fixing is only severity:important, which 
this close to release is not really what we're looking for any longer.


Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits



Bug#862561: marked as done (unblock: debian-reference/2.68)

2017-05-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 May 2017 12:51:50 +0100
with message-id <539322a8d23805408e8546f55e281...@debian.org>
and subject line Re: Bug#862561: unblock: debian-reference/2.68
has caused the Debian Bug report #862561,
regarding unblock: debian-reference/2.68
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-reference

(explain the reason for the unblock here)
* Added PDF (This is also for updating www.debian.org page)
  * Local browser script updated.
* Updated translation
  * Many ES and zh-cn updates.
  * Improved zh-tw translation by making opencc as the back up method 
other than the manual PO updates.

(include/attach the debdiff against the package in testing)
Attached after removing PO

unblock debian-reference/2.68

-- System Information:
Debian Release: 9.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing'), (98, 'experimental'), (98, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


--- End Message ---
--- Begin Message ---

On 2017-05-14 17:07, Osamu Aoki wrote:

> Please unblock package debian-reference
>
> (explain the reason for the unblock here)
> * Added PDF (This is also for updating www.debian.org page)
>   * Local browser script updated.
> * Updated translation
>   * Many ES and zh-cn updates.
>   * Improved zh-tw translation by making opencc as the back up method
> other than the manual PO updates.


Unblocked.

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
--- End Message ---


Bug#861953: unblock: runc/0.1.1+dfsg1-3

2017-05-18 Thread Jonathan Wiltshire

Control: tag -1 wontfix moreinfo

Hi,

On 2017-05-08 00:40, Roger Shimizu wrote:

> Since you say it should fix unstable first, then stretch or t-p-u,
> now I think we may just leave runc/0.1.1+dfsg1-2 (current in stretch)
> as it is in stretch. Because it builds OK (without FTBFS) for stretch.
> The #858250 FTBFS only occurs on unstable.


If runc currently builds in stretch, there is no need to touch it (and 
#858250 should be tagged 'sid').


It's not clear from #858250 if that is actually the case or not though.


--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits



Processed: Re: Bug#861953: unblock: runc/0.1.1+dfsg1-3

2017-05-18 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 wontfix moreinfo
Bug #861953 [release.debian.org] unblock: runc/0.1.1+dfsg1-3
Added tag(s) moreinfo and wontfix.

-- 
861953: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: severity of 862898 is normal

2017-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 862898 normal
Bug #862898 [release.debian.org] unblock: ntirpc/1.4.4-1
Severity set to 'normal' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862898: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862898
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862900: unblock (pre-upload): python-x2go/0.5.0.4-3

2017-05-18 Thread Mike Gabriel
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please consider unblocking (pre-upload) package python-x2go.

In X2Go upstream we fixed an issue lately that occurs with gevent 1.1. As
I switched to Debian testing only lately with my daily-work machine, this
issue slipped through my fingers, so far.

.debdiff is attached. 

Thanks!
Mike

unblock python-x2go/0.5.0.4-3

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru python-x2go-0.5.0.4/debian/changelog 
python-x2go-0.5.0.4/debian/changelog
--- python-x2go-0.5.0.4/debian/changelog2016-11-30 12:58:26.0 
+0100
+++ python-x2go-0.5.0.4/debian/changelog2017-05-18 13:10:48.0 
+0200
@@ -1,3 +1,13 @@
+python-x2go (0.5.0.4-3) unstable; urgency=medium
+
+  * debian/control:
++ Add to B-D: dh-python.
+  * debian/patches:
++ Add 0001_check-lock-state-before-releasing.patch. Required for flawless
+  operation with gevent 1.1. (Closes: #862896).
+
+ -- Mike Gabriel   Thu, 18 May 2017 13:10:48 +0200
+
 python-x2go (0.5.0.4-2) unstable; urgency=medium
 
   * debian/control:
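Review bot: "Add to B-D: dh-python" under debian/control gives no reason and no bug reference, unlike the patch entry below it, which closes #862896. For a pre-upload unblock, say why the build dependency is needed (for example what fails without it) so the change can be judged on its own.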
diff -Nru python-x2go-0.5.0.4/debian/control python-x2go-0.5.0.4/debian/control
--- python-x2go-0.5.0.4/debian/control  2016-11-30 12:58:26.0 +0100
+++ python-x2go-0.5.0.4/debian/control  2017-05-18 13:10:48.0 +0200
@@ -6,6 +6,7 @@
  Mike Gabriel ,
 Build-Depends: 
  debhelper (>= 9),
+ dh-python,
  python (>= 2.6.6-14~),
  python-setuptools,
  python-epydoc,
diff -Nru 
python-x2go-0.5.0.4/debian/patches/0001_check-lock-state-before-releasing.patch 
python-x2go-0.5.0.4/debian/patches/0001_check-lock-state-before-releasing.patch
--- 
python-x2go-0.5.0.4/debian/patches/0001_check-lock-state-before-releasing.patch 
1970-01-01 01:00:00.0 +0100
+++ 
python-x2go-0.5.0.4/debian/patches/0001_check-lock-state-before-releasing.patch 
2017-05-18 13:08:17.0 +0200
@@ -0,0 +1,102 @@
+commit 3ed4fed3465e02c605c80e057c265ca4a5d4b2ac
+Author: Mike Gabriel 
+Date:   Tue May 9 12:24:20 2017 +0200
+
+Don't blindly release gevent locked. We need to checked if a semaphore is 
locked in some case and only then release it. (Fixes: #1016).
+
+#diff --git a/debian/changelog b/debian/changelog
+#index aeca116..cd549f0 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -3,6 +3,9 @@ python-x2go (0.5.0.5-0x2go1) UNRELEASED; urgency=low
+#   [ Mike Gabriel ]
+#   * New upstream version (0.5.0.5):
+# - documentation: Fix wording in docstring.
+#+- Don't blindly release gevent locked. We need to checked if a
+#+  semaphore is locked in some case and only then release it.
+#+  (Fixes: #1016).
+# 
+#   [ Mihai Moldovan ]
+#   * New upstream version (0.5.0.5):
+diff --git a/x2go/backends/control/plain.py b/x2go/backends/control/plain.py
+index 73807e5..3dcc3ef 100644
+--- a/x2go/backends/control/plain.py
 b/x2go/backends/control/plain.py
+@@ -324,7 +324,8 @@ class X2GoControlSession(paramiko.SSHClient):
+ timer.cancel()
+ 
+ self.sftp_client = None
+-self._transport_lock.release()
++if self._transport_lock.locked():
++self._transport_lock.release()
+ 
+ def _x2go_sftp_write(self, remote_path, content, timeout=20):
+ """
+@@ -380,7 +381,8 @@ class X2GoControlSession(paramiko.SSHClient):
+ timer.cancel()
+ 
+ self.sftp_client = None
+-self._transport_lock.release()
++if self._transport_lock.locked():
++self._transport_lock.release()
+ 
+ def _x2go_sftp_remove(self, remote_path, timeout=20):
+ """
+@@ -431,7 +433,8 @@ class X2GoControlSession(paramiko.SSHClient):
+ timer.cancel()
+ 
+ self.sftp_client = None
+-self._transport_lock.release()
++if self._transport_lock.locked():
++self._transport_lock.release()
+ 
+ def _x2go_exec_command(self, cmd_line, loglevel=log.loglevel_INFO, 
timeout=20, **kwargs):
+ """
+@@ -520,7 +523,8 @@ class X2GoControlSession(paramiko.SSHClient):
+ self._transport_lock.release()
+ raise x2go_exceptions.X2GoControlSessionException('the X2Go 
control session is not connected (while issuing SSH command=%s)' % cmd)
+ 
+-self._transport_lock.release()
++if self._transport_lock.locked():
++self._transport_lock.release()
+ 
+ # sanitized X2Go relevant data, protect against data injection via 
.bashrc files
+ (_stdin, _stdout, _stderr) = _retval
+@@ -1204,7 +1208,8 @@ class 

Bug#862898: unblock: ntirpc/1.4.4-1

2017-05-18 Thread Christoph Martin
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ntirpc

Hi,

ntirpc/1.4.4-1, which was uploaded some days ago to unstable fixes
release critical CVE-2017-8779 bug #861836.

Thanks

Christoph
-- 

Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)
diff -Nru ntirpc-1.4.3/CMakeLists.txt ntirpc-1.4.4/CMakeLists.txt
--- ntirpc-1.4.3/CMakeLists.txt 2016-10-25 20:15:56.0 +0200
+++ ntirpc-1.4.4/CMakeLists.txt 2017-05-05 21:07:02.0 +0200
@@ -15,7 +15,7 @@
 # version numbers
 set(NTIRPC_MAJOR_VERSION 1)
 set(NTIRPC_MINOR_VERSION 4)
-set(NTIRPC_PATCH_LEVEL 3)
+set(NTIRPC_PATCH_LEVEL 4)
 set(VERSION_COMMENT
   "Full-duplex and bi-directional ONC RPC on TCP."
 )
diff -Nru ntirpc-1.4.3/debian/changelog ntirpc-1.4.4/debian/changelog
--- ntirpc-1.4.3/debian/changelog   2017-04-07 13:54:21.0 +0200
+++ ntirpc-1.4.4/debian/changelog   2017-05-15 09:53:09.0 +0200
@@ -1,3 +1,11 @@
+ntirpc (1.4.4-1) unstable; urgency=high
+
+  [ Christoph Martin ]
+  * Imported Upstream version 1.4.4
+  * fixes rpcbomb CVE-2017-8779 (closes: #861836)
+
+ -- Christoph Martin   Mon, 15 May 2017 09:53:09 +0200
+
 ntirpc (1.4.3-3) unstable; urgency=medium
 
   * link with libatomic if necessary (closes: #859689)
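Review bot: The entry imports a whole new upstream version at urgency=high but only says "fixes rpcbomb CVE-2017-8779"; it names neither the upstream commit that carries the fix nor what else changed between 1.4.3 and 1.4.4. For an unblock, list the other upstream changes or state that there are none, and capitalise the second bullet to match the first.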
diff -Nru ntirpc-1.4.3/debian/libntirpc1.4.symbols 
ntirpc-1.4.4/debian/libntirpc1.4.symbols
--- ntirpc-1.4.3/debian/libntirpc1.4.symbols2017-04-07 13:54:21.0 
+0200
+++ ntirpc-1.4.4/debian/libntirpc1.4.symbols2017-05-15 09:53:09.0 
+0200
@@ -1,253 +1,253 @@
 libntirpc.so.1.4 libntirpc1.4 #MINVER#
- NTIRPC_1.4.3@NTIRPC_1.4.3 1.4.3
+ NTIRPC_1.4.4@NTIRPC_1.4.4 1.4.4
  NTIRPC_PRIVATE@NTIRPC_PRIVATE 1.4.3
- __ntirpc_pkg_params@NTIRPC_1.4.3 1.4.3
- __rpc_createerr@NTIRPC_1.4.3 1.4.3
- __rpc_dtbsize@NTIRPC_1.4.3 1.4.3
- __rpc_endconf@NTIRPC_1.4.3 1.4.3
- __rpc_fd2sockinfo@NTIRPC_1.4.3 1.4.3
- __rpc_fixup_addr@NTIRPC_1.4.3 1.4.3
- __rpc_get_a_size@NTIRPC_1.4.3 1.4.3
- __rpc_get_local_uid@NTIRPC_1.4.3 1.4.3
- __rpc_get_t_size@NTIRPC_1.4.3 1.4.3
- __rpc_getconf@NTIRPC_1.4.3 1.4.3
- __rpc_getconfip@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2fd@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2fd_flags@NTIRPC_1.4.3 1.4.3
- __rpc_nconf2sockinfo@NTIRPC_1.4.3 1.4.3
- __rpc_rawcombuf@NTIRPC_1.4.3 1.4.3
- __rpc_seman2socktype@NTIRPC_1.4.3 1.4.3
- __rpc_setconf@NTIRPC_1.4.3 1.4.3
- __rpc_sockinfo2netid@NTIRPC_1.4.3 1.4.3
- __rpc_sockisbound@NTIRPC_1.4.3 1.4.3
- __rpc_socktype2seman@NTIRPC_1.4.3 1.4.3
- __rpc_taddr2uaddr_af@NTIRPC_1.4.3 1.4.3
- __rpc_uaddr2taddr_af@NTIRPC_1.4.3 1.4.3
- __rpcgettp@NTIRPC_1.4.3 1.4.3
- _get_next_token@NTIRPC_1.4.3 1.4.3
- _null_auth@NTIRPC_1.4.3 1.4.3
- _rpc_dtablesize@NTIRPC_1.4.3 1.4.3
- _seterr_reply@NTIRPC_1.4.3 1.4.3
- _svcauth_gss@NTIRPC_1.4.3 1.4.3
- _svcauth_none@NTIRPC_1.4.3 1.4.3
- _svcauth_short@NTIRPC_1.4.3 1.4.3
- _svcauth_unix@NTIRPC_1.4.3 1.4.3
- authgss_get_private_data@NTIRPC_1.4.3 1.4.3
- authgss_ncreate@NTIRPC_1.4.3 1.4.3
- authgss_ncreate_default@NTIRPC_1.4.3 1.4.3
- authgss_service@NTIRPC_1.4.3 1.4.3
- authnone_ncreate@NTIRPC_1.4.3 1.4.3
- authunix_ncreate@NTIRPC_1.4.3 1.4.3
- authunix_ncreate_default@NTIRPC_1.4.3 1.4.3
- bindresvport@NTIRPC_1.4.3 1.4.3
- bindresvport_sa@NTIRPC_1.4.3 1.4.3
- callrpc@NTIRPC_1.4.3 1.4.3
- clnt_broadcast@NTIRPC_1.4.3 1.4.3
- clnt_dg_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_timed@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_vers@NTIRPC_1.4.3 1.4.3
- clnt_ncreate_vers_timed@NTIRPC_1.4.3 1.4.3
- clnt_pcreateerror@NTIRPC_1.4.3 1.4.3
- clnt_perrno@NTIRPC_1.4.3 1.4.3
- clnt_perror@NTIRPC_1.4.3 1.4.3
- clnt_raw_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_spcreateerror@NTIRPC_1.4.3 1.4.3
- clnt_sperrno@NTIRPC_1.4.3 1.4.3
- clnt_sperror@NTIRPC_1.4.3 1.4.3
- clnt_tp_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_tp_ncreate_timed@NTIRPC_1.4.3 1.4.3
- clnt_vc_ncreate2@NTIRPC_1.4.3 1.4.3
- clnt_vc_ncreate@NTIRPC_1.4.3 1.4.3
- clnt_vc_ncreate_svc@NTIRPC_1.4.3 1.4.3
- clntraw_ncreate@NTIRPC_1.4.3 1.4.3
- clnttcp_ncreate@NTIRPC_1.4.3 1.4.3
- clntudp_nbufcreate@NTIRPC_1.4.3 1.4.3
- clntudp_ncreate@NTIRPC_1.4.3 1.4.3
- clntunix_ncreate@NTIRPC_1.4.3 1.4.3
- endnetconfig@NTIRPC_1.4.3 1.4.3
- endnetpath@NTIRPC_1.4.3 1.4.3
- endrpcent@NTIRPC_1.4.3 1.4.3
- free_rpc_msg@NTIRPC_1.4.3 1.4.3
- freenetconfigent@NTIRPC_1.4.3 1.4.3
- get_myaddress@NTIRPC_1.4.3 1.4.3
- getnetconfig@NTIRPC_1.4.3 1.4.3
- getnetconfigent@NTIRPC_1.4.3 1.4.3
- getnetpath@NTIRPC_1.4.3 1.4.3
- getrpcent@NTIRPC_1.4.3 1.4.3
- getrpcport@NTIRPC_1.4.3 1.4.3
- nc_perror@NTIRPC_1.4.3 1.4.3
- nc_sperror@NTIRPC_1.4.3 1.4.3
- opr_rbtree_first@NTIRPC_1.4.3 1.4.3
- opr_rbtree_init@NTIRPC_1.4.3 1.4.3
- 
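Review bot: Every visible `-` line drops a `symbol@NTIRPC_1.4.3` entry and the version node becomes `NTIRPC_1.4.4@NTIRPC_1.4.4`, while line 1 still declares `libntirpc.so.1.4 libntirpc1.4`. If the exported symbols now carry the NTIRPC_1.4.4 version node, binaries linked against 1.4.3 reference `@NTIRPC_1.4.3` and will not resolve against this library under the unchanged SONAME and package name. Confirm whether reverse dependencies need a rebuild and a tightened dependency, and say so in the unblock request. `NTIRPC_PRIVATE@NTIRPC_PRIVATE` stays at 1.4.3, which looks intended but deserves a word as well.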

Processed: waiting for unblock

2017-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 862329 by 862384
Bug #862329 {Done: Pirate Praveen } [gitlab] gitlab: fails 
gitlab install on stretch with alternative gitlab user while configuring 
dbconfig-common
862329 was not blocked by any bugs.
862329 was not blocking any bugs.
Added blocking bug(s) of 862329: 862384
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
862329: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862329
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-05-18 Thread Markus Wanner
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

as per Salvatore Bonaccorso, the current security fix for flightgear
doesn't warrant a DSA on its own (see below). Is it okay to upload to
'stable'?

A debdiff against the current version in stable-sec (3.0.0-5+deb8u1) is
attached. Please note that stable itself is still at 3.0.0-5 and doesn't
offer the first (and related) security fix.

Kind Regards

Markus Wanner

On 05/17/2017 08:57 AM, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, May 17, 2017 at 08:49:19AM +0200, Moritz Muehlenhoff wrote:
>> On Wed, May 17, 2017 at 07:20:15AM +0200, Salvatore Bonaccorso wrote:
>>> Hi Markus,
>>>
>>> On Fri, May 12, 2017 at 07:57:23PM +0200, Markus Wanner wrote:
>>>> Florent,
>>>>
>>>> On 05/12/2017 07:33 PM, Florent Rougon wrote:
>>>>> We'd like to draw your attention on the following fix for FlightGear:
>>>>
>>>> thanks for your heads-up, I'll take care of preparing an upload for the
>>>> affected Debian packages.
>>>
>>> Thanks. Filed as well #862689 in the BTS in the meantime.
>>>
>>> For stable: We think this does need a DSA on its own, can you schedule
>> ^ not
>>
>> :-)
>
> Autsch, yes of course ... sorry for confusion caused (hope this still
> was clear from context :)).
>
> Regards,
> Salvatore
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog   2016-12-14 09:43:00.0 +
+++ flightgear-3.0.0/debian/changelog   2017-05-17 10:46:18.0 +
@@ -1,3 +1,11 @@
+flightgear (3.0.0-5+deb8u2) stable; urgency=high
+
+  * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
+overriding arbitrary files from the "save-flightplan" FGCommand.
+Closes: #862689 (CVE-2017-8921).
+
+ -- Markus Wanner   Tue, 16 May 2017 21:37:27 +0200
+
 flightgear (3.0.0-5+deb8u1) jessie-security; urgency=high
 
   * Add patch route-manager-secu-fix-280cd5.patch (security fix preventing
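Review bot: The target distribution on the new entry is `stable`, whereas this is a jessie-pu request and the previous entry used a suite name (`jessie-security`); uploads for a point release are normally targeted at the codename, so use `jessie`. Also, "prevent overriding arbitrary files" should read "overwriting", as the patch description has it.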
diff -Nru 
flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch 
flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch
--- 
flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch  
1970-01-01 00:00:00.0 +
+++ 
flightgear-3.0.0/debian/patches/restrict-save-flightplan-secu-fix-faf872.patch  
2017-05-17 09:16:50.0 +
@@ -0,0 +1,36 @@
+Description: Security fix: don't allow overwriting arbitrary files
+ the previous fix 280cd523 missed commandSaveFlightPlan
+ .
+ backported from faf872e7, fixes CVE-2017-8921.
+Author: Rebecca N. Palmer 
+ Florent Rougon 
+Origin: upstream, 
https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/
+
+--- a/src/Autopilot/route_mgr.cxx
 b/src/Autopilot/route_mgr.cxx
+@@ -75,7 +75,24 @@
+ {
+   FGRouteMgr* self = (FGRouteMgr*) globals->get_subsystem("route-manager");
+   SGPath path(arg->getStringValue("path"));
+-  return self->saveRoute(path);
++  const std::string authorizedPath = fgValidatePath(path.realpath(),
++true /* write */);
++
++  if (!authorizedPath.empty()) {
++return self->saveRoute(SGPath(authorizedPath));
++  } else {
++const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++std::string msg =
++  "The route manager was asked to write the flightplan to '" +
++  path.str() + "', but this path is not authorized for writing. " +
++  "Please choose another location, for instance in the $FG_HOME/Export "
++  "folder (" + proposedPath.str() + ").";
++
++SG_LOG(SG_AUTOPILOT, SG_ALERT, msg);
++modalMessageBox("FlightGear", "Unable to write to the specified file",
++msg);
++return false;
++  }
+ }
+ 
+ static bool commandActivateFlightPlan(const SGPropertyNode* arg)
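Review bot: `fgValidatePath(path.realpath(), true /* write */)` resolves the path before validating it, but when saving a new flightplan the target file usually does not exist yet. Confirm that `SGPath::realpath()` in this 3.0.0 backport resolves the existing parent directory in that case; if it returns an empty or unresolved path, either every new save is refused or a symlinked parent is validated unresolved. The check and the later write in `saveRoute()` are also separate steps, so a comment noting that window would help. In the header, the description says "backported from faf872e7" while Origin links to commit c8250b10bb9a116889f831d2299678b0ef70fec2; reference the same commit in both or explain the difference.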
diff -Nru flightgear-3.0.0/debian/patches/series 
flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series  2016-12-14 09:13:44.0 
+
+++ flightgear-3.0.0/debian/patches/series  2017-05-16 20:18:39.0 
+
@@ -5,3 +5,4 @@
 6a30e7.patch
 route-manager-secu-fix-280cd5.patch
 fix-missing-lX11-in-link-commands.patch
+restrict-save-flightplan-secu-fix-faf872.patch

