Bug#863689: unblock: cracklib2/2.9.2-5

[Niels Thykier]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi KiBi (X-CC'ed),

I would like to unblock cracklib2 as it fixes #854554.  To my knowlegde, it
has no changes that affects its udeb, the diff being:

"""
diff -Nru cracklib2-2.9.2/debian/changelog cracklib2-2.9.2/debian/changelog
--- cracklib2-2.9.2/debian/changelog2017-04-08 11:25:28.0 +
+++ cracklib2-2.9.2/debian/changelog2017-05-27 09:41:18.0 +
@@ -1,3 +1,10 @@
+cracklib2 (2.9.2-5) unstable; urgency=medium
+
+  * Add Breaks: cracklib-runtime (<< 2.9.2-4) to libcrack2 to configure
+cracklib-runtime in the correct order (Closes: #854554)
+
+ -- Jan Dittberner   Sat, 27 May 2017 11:41:18 +0200
+
 cracklib2 (2.9.2-4) unstable; urgency=medium
 
   * Migrate triggers to interest-noawait to avoid trigger-cycles (Closes:
diff -Nru cracklib2-2.9.2/debian/control cracklib2-2.9.2/debian/control
--- cracklib2-2.9.2/debian/control  2017-04-08 11:25:28.0 +
+++ cracklib2-2.9.2/debian/control  2017-05-27 09:06:18.0 +
@@ -28,6 +28,7 @@
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${misc:Depends}, ${shlibs:Depends}
 Recommends: cracklib-runtime
+Breaks: cracklib-runtime (<< 2.9.2-4)
 Description: pro-active password checker library
  Shared library for cracklib2 which contains a C function which may be
  used in a passwd like program. The idea is simple: try to prevent
"""

unblock cracklib2/2.9.2-5

I would age it so it migrates before this weekend.


Thanks,
~Niels

Bug#863682: jessie-pu: package intel-microcode/3.20170511.1~deb8u1

[Henrique de Moraes Holschuh]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in Debian jessie.

Usually, I'd wait for an extra month before sending this request,
however I have received word from the OCamn community that this
microcode update fixes an extremely serious erratum...  and that OCaml
code compiled with the gcc backend (including the OCaml compiler itself)
could trivially trigger it.

The OCaml bug report is here:
https://caml.inria.fr/mantis/view.php?id=7452

>From the intel-microcode package changelog:

   SKL150 - Short loops using both the AH/BH/CH/DH registers and
   the corresponding wide register *may* result in unpredictable
   system behavior.  Requires both logical processors of the same
   core (i.e. sibling hyperthreads) to be active to trigger, as
   well as a "complex set of micro-architectural conditions"

This microcode update also fixes other important errata, including one
that makes it safe to have intel-microcode installed on some recent
high-end models of the E7v4 and possibly E5v4 Xeons (previous versions
of intel-microcode are likely to hang these processors during boot,
refer to bug #862606 for details[1])... but the SKL150 fix takes the
cake.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862606


As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 changelog  |   13 
 debian/changelog   |   58 
 microcode-20161104.dat |61630 
 microcode-20170511.dat |61886 +
 releasenote|   41 
 5 files changed, 61998 insertions(+), 61630 deletions(-)

Abridged diffstat:
 changelog|   13 
 debian/changelog |   58 +++
 releasenote  |   41 ++
 3 files changed, 112 insertions(+)

Other than the microcode blob, the changes are only to documentation and
the changelogs.

Please note that the new upstream "releasenote" file is not going to be
shipped in the binary packages, since it has way too much incorrect
information.  It is present only in the source package.

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20161104.1~deb8u1/changelog 
intel-microcode-3.20170511.1~deb8u1/changelog
--- intel-microcode-3.20161104.1~deb8u1/changelog   2016-12-16 
08:53:58.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/changelog   2017-05-26 
08:24:17.0 -0300
@@ -1,3 +1,16 @@
+2017-05-11:
+  * Updated Microcodes:
+sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+
 2016-11-04:
   * New Microcodes:
 sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x70d, size 20480
diff -Nru intel-microcode-3.20161104.1~deb8u1/debian/changelog 
intel-microcode-3.20170511.1~deb8u1/debian/changelog
--- intel-microcode-3.20161104.1~deb8u1/debian/changelog2016-12-16 
09:42:12.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/debian/changelog2017-05-29 
19:06:07.0 -0300
@@ -1,3 +1,61 @@
+intel-microcode (3.20170511.1~deb8u1) stable; urgency=high
+
+  * This is the same package as 3.20170511.1 from unstable/testing and
+3.20170511.1~bpo8+1, from jessie-backports.  It has been present in
+unstable since 2017-05-15, testing since 2017-05-26, and jessie-backports
+since 2017-05-29.
+  * Urgency updated to high:
++ Confirmed fix: nightmare-level Skylake erratum SKL150
++ Confirmed: gcc may generate the code patterns that trigger SKL150
+  (unpredictable behavior).  The OCaml community was hit by this erratum
+  and has been investigating the issue since 2017-01.  It affected the
+  OCaml compiler, and OCaml programs when gcc was used as the backend.
+  https://caml.inria.fr/mantis/view.php?id=7452
+
+ -- Henrique de Moraes Holschuh   Mon, 29 May 2017 19:06:06 
-0300
+
+intel-microcode (3.20170511.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20170511
++ Updated Microcodes:
+  sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+  sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, 

Processed: sorry I typoed a bug number… (Re: Processed: wishlist)

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 863660 normal
Bug #863660 [release.debian.org] unblock: reportbug/7.1.7
Severity set to 'normal' from 'wishlist'
> severity 863636 wishlist
Bug #863636 [diffoscope] diffoscope: usage of FIFOs causes pair-comparisons to 
not run in parallel, wasting performance by about 1/2
Severity set to 'wishlist' from 'normal'
> # sorry for the noise
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863636: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863636
863660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863660
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: wishlist

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 863660 wishlist
Bug #863660 [release.debian.org] unblock: reportbug/7.1.7
Severity set to 'wishlist' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863660
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863634: unblock (pre-approval): systemd/232-24

[Jonathan Wiltshire]

Control: tag -1 confirmed moreinfo

On 2017-05-29 15:37, Michael Biebl wrote:

I'd like to make another upload of systemd if possible.
It fixes a remote DoS in resolved (#863277). We don't enable resolved
by default in Debian, so this bug is not super critical.
But since an (upstream) fix exists, I would prefer to have this fix in
stretch. The attached debdiff also has two smaller fixes which have
piled up in the stretch branch in the mean time.

Please let me know if I can proceed with the upload.
If you want me to postpone that for 9.1, I'm fine as well. Uploading it
now would have the benefit though of at least some testing in unstable.


Please go ahead and remove the moreinfo tag when it is ready to be 
unblocked.


Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits

Processed: Re: Bug#863634: unblock (pre-approval): systemd/232-24

[Debian Bug Tracking System]

Processing control commands:

> tag -1 confirmed moreinfo
Bug #863634 [release.debian.org] unblock (pre-approval): systemd/232-24
Added tag(s) confirmed and moreinfo.

-- 
863634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863634
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863634: unblock (pre-approval): systemd/232-24

[Cyril Brulebois]

Michael Biebl  (2017-05-29):
> I'd like to make another upload of systemd if possible.
> It fixes a remote DoS in resolved (#863277). We don't enable resolved
> by default in Debian, so this bug is not super critical.
> But since an (upstream) fix exists, I would prefer to have this fix in
> stretch. The attached debdiff also has two smaller fixes which have
> piled up in the stretch branch in the mean time.
> 
> Please let me know if I can proceed with the upload.
> If you want me to postpone that for 9.1, I'm fine as well. Uploading it
> now would have the benefit though of at least some testing in unstable.
> 
> The changes don't touch d-i, but I've CCed debian-boot@ anyway for an
> ack.
> 
> Full debdiff attached.

Changes look fine to me, be it for r0 or r1. If that's candidate for r0,
it needs to have migrated a few days before the last week, so that d-i
can be prepared with all components from testing.


KiBi.


signature.asc
Description: Digital signature

Bug#863667: unblock: hexchat (pre-approval)

[Mattia Rizzolo]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Upstream contact me about sevaral (apparently too many) users having
issues with an hexchat external plugin being too noisy [1] and causing
other issues for unexperienced users.

All considered probably such barely maintained plugin shouldn't be
instaled by default indeed, therefore I'm asking for permission to
upload the following debdiff and having it in stretch.

[1] "OTR: Error saving instance tags: No such file or directory
(gcrypt)" for every query started if not configured


diff --git a/debian/changelog b/debian/changelog
index ea6265b..2052824 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+hexchat (2.12.4-3) UNRELEASED; urgency=medium
+
+  * Demote hexchat-otr from Recommends to Suggests.
+It reportely causes noise and problems for unexperienced users, and it's
+mostly unmaintained plugin, so don't install it by default.
+
+ -- Mattia Rizzolo   Mon, 29 May 2017 22:45:42 +0200
+
 hexchat (2.12.4-2) unstable; urgency=medium
 
   * Also apply patch 4c178782a779f013fafab476506f7d4dae372b8a.patch on ubuntu.
diff --git a/debian/control b/debian/control
index a221a8a..bec6ba4 100644
--- a/debian/control
+++ b/debian/control
@@ -33,11 +33,11 @@ Depends:
  ${shlibs:Depends},
 Recommends:
  gvfs-bin,
- hexchat-otr,
  hexchat-perl,
  hexchat-plugins,
  hexchat-python3,
 Suggests:
+ hexchat-otr,
  unifont,
 Description: IRC client for X based on X-Chat 2
  HexChat is a graphical IRC client with a GTK+ GUI. Features include Python


-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Bug#863660: unblock: reportbug/7.1.7

[Sandro Tosi]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package reportbug

This is the final upload for stretch: it contains several bugfixes and
improvement that would make reportbug in stretch much more robust for our users.

A source packages diff is attached

unblock reportbug/7.1.7

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru reportbug-7.1.6/bin/querybts reportbug-7.1.7/bin/querybts
--- reportbug-7.1.6/bin/querybts2017-04-18 21:12:02.0 -0400
+++ reportbug-7.1.7/bin/querybts2017-05-29 16:00:17.0 -0400
@@ -168,16 +168,16 @@
 url = debbugs.get_report_url(options.system, num, 
options.archived, mbox=True)
 try:
 report = urlutils.open_url(url, 
timeout=options.timeout)
-sys.stdout.write(report.read())
-except urlutils.urllib2.URLError as ex:
+sys.stdout.write(report)
+except NoNetwork as ex:
 print("Error while accessing mbox report (%s)." % ex, 
file=sys.stderr)
 else:
 num = int(m.group(1))
 url = debbugs.get_report_url(options.system, num, 
options.archived, mbox=True)
 try:
 report = urlutils.open_url(url, timeout=options.timeout)
-sys.stdout.write(report.read())
-except urlutils.urllib2.URLError as ex:
+sys.stdout.write(report)
+except NoNetwork as ex:
 print("Error while accessing mbox report (%s)." % ex, 
file=sys.stderr)
 sys.exit(1)
 return
diff -Nru reportbug-7.1.6/bin/reportbug reportbug-7.1.7/bin/reportbug
--- reportbug-7.1.6/bin/reportbug   2017-04-18 21:12:02.0 -0400
+++ reportbug-7.1.7/bin/reportbug   2017-05-29 16:00:17.0 -0400
@@ -1051,7 +1051,7 @@
 if options.draftpath:
 options.draftpath = os.path.expanduser(options.draftpath)
 if not os.path.exists(options.draftpath):
-print("The directory % does not exist; exiting." % 
options.draftpath)
+ewrite("The directory %s does not exist; exiting.\n" % 
options.draftpath)
 sys.exit(1)
 
 if options.mua and not options.template:
diff -Nru reportbug-7.1.6/debian/changelog reportbug-7.1.7/debian/changelog
--- reportbug-7.1.6/debian/changelog2017-04-18 21:12:02.0 -0400
+++ reportbug-7.1.7/debian/changelog2017-05-29 16:00:17.0 -0400
@@ -1,3 +1,51 @@
+reportbug (7.1.7) unstable; urgency=medium
+
+  * reportbug/utils.py
+- fix description regex to match only textual description (and not the 
MD5);
+  patch by Nis Martensen; Closes: #863322
+- switch to use apt-cache instead of dpkg --print-avail; patch by Nis
+  Martensen
+- get_command_output() doesnt strip a trailing new-line, so deal with that
+  behavior when running lsb_release and dpkg --print-architecture; patch by
+  Nis Martensen; Closes: #861153
+- update suites names: fade out squeeze (wheezy is now oldoldstable) and
+  introduce buster (testing), bullseye (next-testing); Closes: #862801
+- in search_path_for, split PATH directories using ':'; patch by Kamaraju
+  Kusumanchi; Closes: #827088
+- strip arch-qualifier when looking up dependencies information; patch by
+  Nis Martensen; Closes: #749884
+- fix a crash when parsing the config files lines in the package
+  information; patch by Nis Martensen; Closes: #857013, #846053, #826534
+  * reportbug/debbugs.py
+- add manpages.debian.org to pseudo-packages list; Closes: #861859
+  * debian/control
+- update emacs dependencies to emacs24 (default) and emacs25 (alternative)
+- remove Chris Lawrence from Uploaders, thanks for all you've done for
+  reportbug!!
+- switch Vcs-* URLs to HTTPS
+  * remove double imports
+  * debian/desktop
+- add Danish translation to desktop file; patch by scootergrisen;
+  Closes: #855973
+  * reportbug/bugreport.py
+- add LANGUAGE env var to locales bugreport section; Closes: #840898
+  * bin/querybts
+- url_open() now returns a string, no need to read() it anymore; also
+  replace URLError exception handling with NoNetwork; Closes: #859274
+  * reportbug/debbugs.py, reportbug/utils.py
+- Finish open_url return type conversion: url_open() now returns a string
+  and no longer an HTTPRespons object; patch by Nis Martensen; extends the
+  fix for #859274
+  * bin/reportbug

Bug#863645: unblock: cqrlog 2.0.2-1.1

[Gianfranco Costamagna]

Hi,
>> unblock cqrlog/2.0.2-1.1
>
>Doesn't seem to be in the archive?


this is true, I forgot to mention this is in deferred/2, so you can see it as a
pre-approval bug (this is an NMU for an RC I just opened)


We might even avoid to pull the compatibility package by cherry-picking this 
upstream commit
https://github.com/ok2cqr/cqrlog/commit/3f2dd3d0025658b57b03715f3cc60919b661eed2#diff-b8baf5712e548bba85056ce31a9d3df9

your choice, probably the upstream fix is better because it pulls one less 
package from the archive :)
G.

Bug#863645: unblock: cqrlog 2.0.2-1.1

[Jonathan Wiltshire]

Control: tag -1 moreinfo

On Mon, May 29, 2017 at 05:13:01PM +, Gianfranco Costamagna wrote:
> Package: release.debian.org
> 
> User: release.debian@packages.debian.org
> 
> Usertags: unblock
> 

Your useragent has done odd things, so the tags didn't work out...


> Please unblock package cqrlog
> 
> unblock cqrlog/2.0.2-1.1

Doesn't seem to be in the archive?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Processed: Re: Bug#863645: unblock: cqrlog 2.0.2-1.1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #863645 [release.debian.org] unblock: cqrlog/2.0.2-1.1
Added tag(s) moreinfo.

-- 
863645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863645
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: retitle 863645 to unblock: cqrlog/2.0.2-1.1, user release.debian....@packages.debian.org ...

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 863645 unblock: cqrlog/2.0.2-1.1
Bug #863645 [release.debian.org] unblock: cqrlog 2.0.2-1.1
Changed Bug title to 'unblock: cqrlog/2.0.2-1.1' from 'unblock: cqrlog 
2.0.2-1.1'.
> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was j...@debian.org).
> usertags 863645 unblock
There were no usertags set.
Usertags are now: unblock.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863645
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863522: marked as done (unblock: python-numpy/1:1.12.1-3)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 18:52:38 +0100
with message-id <20170529175238.l5klg47tt5yf2...@powdarrmonkey.net>
and subject line Re: Bug#863522: unblock: python-numpy/1:1.12.1-3
has caused the Debian Bug report #863522,
regarding unblock: python-numpy/1:1.12.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863522: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-numpy

This upload fixes a bug when using numpy.abs() on numpy.nan on some
architectures; the bug is minor, but a user noticed nonetheless, the patch comes
directly from upstream and it's just a one-liner with extensive tests.

Source debdiff is attached

unblock python-numpy/1:1.12.1-3

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru python-numpy-1.12.1/debian/changelog 
python-numpy-1.12.1/debian/changelog
--- python-numpy-1.12.1/debian/changelog2017-04-05 06:26:43.0 
-0400
+++ python-numpy-1.12.1/debian/changelog2017-05-27 19:44:59.0 
-0400
@@ -1,3 +1,10 @@
+python-numpy (1:1.12.1-3) unstable; urgency=medium
+
+  * debian/patches/0007-BUG-Don-t-signal-FP-exceptions-in-np.absolute.patch
+- fix RuntimeWarning on numpy.abs(numpy.nan) on some archs; Closes: #863192
+
+ -- Sandro Tosi   Sat, 27 May 2017 19:44:59 -0400
+
 python-numpy (1:1.12.1-2) unstable; urgency=medium
 
   * Team upload
diff -Nru python-numpy-1.12.1/debian/.git-dpm 
python-numpy-1.12.1/debian/.git-dpm
--- python-numpy-1.12.1/debian/.git-dpm 2017-04-04 12:49:56.0 -0400
+++ python-numpy-1.12.1/debian/.git-dpm 2017-05-27 19:44:59.0 -0400
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-4b26915f32eec3afa476d678bc7831ab7b1899c1
-4b26915f32eec3afa476d678bc7831ab7b1899c1
+285b463e037cd9aeaf37ccc90ccf3349cc84b88a
+285b463e037cd9aeaf37ccc90ccf3349cc84b88a
 db9ad0d21c51a5a4983387c232c00bd6f844e406
 db9ad0d21c51a5a4983387c232c00bd6f844e406
 python-numpy_1.12.1.orig.tar.gz
diff -Nru 
python-numpy-1.12.1/debian/patches/0007-BUG-Don-t-signal-FP-exceptions-in-np.absolute.patch
 
python-numpy-1.12.1/debian/patches/0007-BUG-Don-t-signal-FP-exceptions-in-np.absolute.patch
--- 
python-numpy-1.12.1/debian/patches/0007-BUG-Don-t-signal-FP-exceptions-in-np.absolute.patch
 1969-12-31 19:00:00.0 -0500
+++ 
python-numpy-1.12.1/debian/patches/0007-BUG-Don-t-signal-FP-exceptions-in-np.absolute.patch
 2017-05-27 19:44:59.0 -0400
@@ -0,0 +1,89 @@
+From 285b463e037cd9aeaf37ccc90ccf3349cc84b88a Mon Sep 17 00:00:00 2001
+From: James Cowgill 
+Date: Tue, 7 Mar 2017 11:39:01 +
+Subject: BUG: Don't signal FP exceptions in np.absolute
+
+Fixes #8686
+
+This PR centers around this piece of code in 
`numpy/core/src/umath/loops.c.src`:
+```c
+UNARY_LOOP {
+const @type@ in1 = *(@type@ *)ip1;
+const @type@ tmp = in1 > 0 ? in1 : -in1;
+/* add 0 to clear -0.0 */
+*((@type@ *)op1) = tmp + 0;
+}
+```
+
+If in1 is `NaN`, the C99 standard requires that the comparison `in1 > 0`
+signals `FE_INVALID`, but the usual semantics for the absolute function are
+that no FP exceptions should be generated (eg compare to C `fabs` and Python
+`abs`). This was probably never noticed due to a bug in GCC x86 where all
+floating point comparisons do not signal exceptions, however Clang on x86 and
+GCC on other architectures (including ARM and MIPS) do signal an FP exception
+here.
+
+Fix by clearing the floating point exceptions after the loop has
+finished. The alternative of rewriting the loop to use `npy_fabs`
+instead would also work but has performance issues because that function
+is not inlined. The `test_abs_neg_blocked` is adjusted not to ignore
+`FE_INVALID` errors because now both absolute and negate should never
+produce an FP exceptions.
+---
+ numpy/core/src/umath/loops.c.src |  1 +
+ numpy/core/tests/test_umath.py   | 30 ++
+ 2 files changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/numpy/core/src/umath/loops.c.src 
b/numpy/core/src/umath/loops.c.src
+index 3c11908..7e683ab 100644
+--- 

Bug#863628: unblock: apt-mirror/0.5.4-1

[Jonathan Wiltshire]

Control: tag -1 moreinfo

On Mon, May 29, 2017 at 02:45:31PM +0200, Benjamin Drung wrote:
> apt-mirror 0.5.4 is a very small bug-fix release for stretch. It fixes
> the warning about the use of uninitialized value $config{"options"}
> (which hits most users).

That is not all though, is it? Could you provide some background to the
other changes?

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Processed: Re: Bug#863628: unblock: apt-mirror/0.5.4-1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #863628 [release.debian.org] unblock: apt-mirror/0.5.4-1
Added tag(s) moreinfo.

-- 
863628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: tagging 863573

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863573 - moreinfo
Bug #863573 [release.debian.org] unblock: diamond/4.0.515-4
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863573: marked as done (unblock: diamond/4.0.515-4)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 18:45:27 +0100
with message-id 
and subject line Re: Bug#863573: unblock: diamond/4.0.515-4
has caused the Debian Bug report #863573,
regarding unblock: diamond/4.0.515-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package diamond

This upload improves (even if only slightly, as a proper solution is still being
worked on by upstream) the stop/restart time of diamond, by setting the systemd
killmode to mixed.

A source debdiff is attached

unblock diamond/4.0.515-4

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru diamond-4.0.515/debian/changelog diamond-4.0.515/debian/changelog
--- diamond-4.0.515/debian/changelog2017-01-22 17:28:37.0 -0500
+++ diamond-4.0.515/debian/changelog2017-05-28 15:48:29.0 -0400
@@ -1,3 +1,10 @@
+diamond (4.0.515-4) unstable; urgency=medium
+
+  * debian/diamond.service
+- set KillMode to `mixed`; Closes: #854842
+
+ -- Sandro Tosi   Sun, 28 May 2017 15:48:29 -0400
+
 diamond (4.0.515-3) unstable; urgency=medium
 
   * debian/control
diff -Nru diamond-4.0.515/debian/diamond.service 
diamond-4.0.515/debian/diamond.service
--- diamond-4.0.515/debian/diamond.service  2016-02-16 09:29:38.0 
-0500
+++ diamond-4.0.515/debian/diamond.service  2017-05-28 15:48:15.0 
-0400
@@ -4,6 +4,7 @@
 [Service]
 ExecStart=/usr/bin/python /usr/bin/diamond --log-stdout --foreground
 Restart=on-abort
+KillMode=mixed
 
 [Install]
 WantedBy=multi-user.target
--- End Message ---
--- Begin Message ---

On 2017-05-29 15:43, Sandro Tosi wrote:
On Mon, May 29, 2017 at 8:20 AM, Jonathan Wiltshire  
wrote:

Control: tag -1 moreinfo

On Sun, May 28, 2017 at 03:58:13PM -0400, Sandro Tosi wrote:
This upload improves (even if only slightly, as a proper solution is 
still being
worked on by upstream) the stop/restart time of diamond, by setting 
the systemd

killmode to mixed.


I'm not sure how comfortable I am about this. Is the change to 
KillMode

upstream advice?


sorry for not reporting it first, there is a long discussion with
upstream at https://github.com/python-diamond/Diamond/issues/595 -
their initial solution was to change the internal process management
logic and then use KillMode=process but paravoid had better result
with `mixed` without changing any code (since that procs mgmt change
still isnt 100% completed)


Ok, I'll take the workaround for now but it would be nice to fix this 
properly for buster. Thanks for the additional information.


Unblocked and aged to 5.

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits--- End Message ---

Processed: severity of 863629 is normal

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # its unlikely an unblock bug is ever more than normal...
> severity 863629 normal
Bug #863629 [release.debian.org] unblock: cfengine3/3.9.1-4.2
Severity set to 'normal' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863629: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863629: marked as done (unblock: cfengine3/3.9.1-4.2)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 18:38:19 +0100
with message-id <20170529173819.wvyrc6p2a6bna...@powdarrmonkey.net>
and subject line Re: Bug#863629: unblock: cfengine3/3.9.1-4.2
has caused the Debian Bug report #863629,
regarding unblock: cfengine3/3.9.1-4.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863629: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cfengine3

Hi,

cfengine3/3.9.1-4.2, which was uploaded some days ago to unstable fixes
release critical bug #852675 and bug #862903.

#852675 makes cfengine3 completely unusable because it distributes only
the distribution templates and not the local changes to the clients.

#862903 reverses the openssl1.1 patch which made cfengine crash when
contacted from cfengine3 version 3.6. Upstream says, they have big
problems with the openssl1.1 patch and that the patch is not finished.

Thanks

Christoph
-- 

Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)

diff -Nru cfengine3-3.9.1/debian/changelog cfengine3-3.9.1/debian/changelog
--- cfengine3-3.9.1/debian/changelog2017-01-18 15:09:03.0 +0100
+++ cfengine3-3.9.1/debian/changelog2017-05-18 14:14:45.0 +0200
@@ -1,3 +1,11 @@
+cfengine3 (3.9.1-4.2) unstable; urgency=medium
+
+  * fix masterdir configuration (closes: 852675)
+  * revert ssl1.1 patch which leads to segfaults with older clients
+(closes: #862903)
+
+ -- Christoph Martin   Thu, 18 May 2017 14:14:45 +0200
+
 cfengine3 (3.9.1-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cfengine3-3.9.1/debian/control cfengine3-3.9.1/debian/control
--- cfengine3-3.9.1/debian/control  2017-01-17 01:50:04.0 +0100
+++ cfengine3-3.9.1/debian/control  2017-05-18 14:14:45.0 +0200
@@ -2,7 +2,7 @@
 Section: admin
 Priority: optional
 Maintainer: Antonio Radici 
-Build-Depends: debhelper (>= 7.0.50), autotools-dev, libssl-dev (>= 1.1),
+Build-Depends: debhelper (>= 7.0.50), autotools-dev, libssl1.0-dev | 
libssl-dev (<< 1.1),
  flex, bison, libpcre3-dev, dh-autoreconf, libvirt-dev, libacl1-dev,
  liblmdb-dev, default-libmysqlclient-dev, libxml2-dev, quilt, libpam0g-dev
 Standards-Version: 3.9.8
diff -Nru cfengine3-3.9.1/debian/patches/series 
cfengine3-3.9.1/debian/patches/series
--- cfengine3-3.9.1/debian/patches/series   2016-12-01 21:55:30.0 
+0100
+++ cfengine3-3.9.1/debian/patches/series   2017-05-18 14:14:45.0 
+0200
@@ -6,4 +6,4 @@
 0007-fix_kfreebsd_build.patch
 0009_disable_spelling_errors.patch
 0010_disable_date_annotation.patch
-0011_build_with_openssl_1.1.patch
+#0011_build_with_openssl_1.1.patch
diff -Nru cfengine3-3.9.1/debian/rules cfengine3-3.9.1/debian/rules
--- cfengine3-3.9.1/debian/rules2016-12-01 21:55:30.0 +0100
+++ cfengine3-3.9.1/debian/rules2017-05-18 14:14:45.0 +0200
@@ -20,7 +20,7 @@
--with-libvirt \
--with-lmdb \
--with-libxml2 \
-   
--with-masterdir=\$${prefix}/share/cfengine3/masterfiles \
+   --with-masterdir=/var/lib/cfengine3/masterfiles \
--with-workdir=/var/lib/cfengine3 \
--with-logdir=/var/log/cfengine3 \
--with-piddir=/var/run/cfengine3 \


signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
On Mon, May 29, 2017 at 02:45:03PM +0200, Christoph Martin wrote:
> cfengine3/3.9.1-4.2, which was uploaded some days ago to unstable fixes
> release critical bug #852675 and bug #862903.

Already unblocked, and merely waiting for age.


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51--- End Message ---

Bug#863645: unblock: cqrlog 2.0.2-1.1

[Gianfranco Costamagna]

Package: release.debian.org

User: release.debian@packages.debian.org

Usertags: unblock


Hi release team


Please unblock package cqrlog

unblock cqrlog/2.0.2-1.1

I found a bug that was preventing the package from working if the mysql compat 
library
was not installed.
The code is doing the pascal "dlopen" call to find libmysqlclient.so, and this 
is not available
anymore since mariadb switch.



Using the compat package brings a symlink that makes the program behave 
correctly.

thanks

G.


diff -Nru cqrlog-2.0.2/debian/changelog cqrlog-2.0.2/debian/changelog

--- cqrlog-2.0.2/debian/changelog2016-09-09 14:58:50.0 +0200

+++ cqrlog-2.0.2/debian/changelog2017-05-29 19:06:55.0 +0200

@@ -1,3 +1,13 @@

+cqrlog (2.0.2-1.1) unstable; urgency=medium

+

+  * Non-maintainer upload.

+  * Depent on virtual mysql server implementation (Closes: #848430)

+  * Depend on default-libmysqlclient-dev, to have the libmysqlclient.so

+symlink available at runtime (function TdmData.GetMySQLLib

+loads it dynamically Closes: #863644.

+

+ -- Gianfranco Costamagna   Mon, 29 May 2017 
17:29:07 +0200

+

cqrlog (2.0.2-1) unstable; urgency=medium


* New upstream bugfix release.

diff -Nru cqrlog-2.0.2/debian/control cqrlog-2.0.2/debian/control

--- cqrlog-2.0.2/debian/control2016-05-03 10:56:29.0 +0200

+++ cqrlog-2.0.2/debian/control2017-05-29 19:05:57.0 +0200

@@ -13,8 +13,8 @@


Package: cqrlog

Architecture: any

-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, mysql-client | 
mariadb-client, libhamlib2 (>= 1.2.10), libhamlib-utils (>= 1.2.10)

-Recommends: mysql-server | mariadb-server, xplanet

+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, default-mysql-client 
| virtual-mysql-client, default-libmysqlclient-dev, libhamlib2 (>= 1.2.10), 
libhamlib-utils (>= 1.2.10)

+Recommends: default-mysql-server | virtual-mysql-server, xplanet

Description: Advanced logging program for hamradio operators

CQRLOG is an advanced ham radio logger based on MySQL embedded database. 

Provides radio control based on hamlib libraries (currently support of 140+ 

Bug#863633: marked as done (unblock: mosquitto/1.4.10-3)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 16:02:39 +
with message-id 
and subject line unblock mosquitto
has caused the Debian Bug report #863633,
regarding unblock: mosquitto/1.4.10-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mosquitto

Version 1.4.10-2 currently in testing has a security issue
CVE-2017-7650. This upload fixes that issue.

This upload also fixes #857759, which is a regression against Jessie.

unblock mosquitto/1.4.10-3

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-71-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

*** /home/roger/mosquitto.debdiff
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog
--- mosquitto-1.4.10/debian/changelog   2016-11-03 22:38:51.0 +
+++ mosquitto-1.4.10/debian/changelog   2017-05-29 14:38:36.0 +0100
@@ -1,3 +1,16 @@
+mosquitto (1.4.10-3) unstable; urgency=high
+
+  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
+set to '+' or '#'.
+- debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
+  of messages to/from clients with a '+', '#' or '/' in their
+  username/client id.
+- CVE-2017-7650
+  * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make
+IPv6 connections when using TLS (closes: #857759).
+
+ -- Roger A. Light   Mon, 29 May 2017 13:43:29 +0100
+
 mosquitto (1.4.10-2) unstable; urgency=medium
 
   * Bumped standards version to 3.9.8. No changes needed.
diff -Nru mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch 
mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch
--- mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch1970-01-01 
01:00:00.0 +0100
+++ mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch2017-05-29 
13:50:12.0 +0100
@@ -0,0 +1,22 @@
+Description: Allow bridges to make IPv6 connections when using TLS.
+Author: Roger Light 
+Forwarded: not-needed
+Origin: upstream, 
https://github.com/eclipse/mosquitto/commit/98ea68490626b1d18aee2004b411294c85e62212
+--- a/lib/net_mosq.c
 b/lib/net_mosq.c
+@@ -281,14 +281,7 @@
+ 
+   *sock = INVALID_SOCKET;
+   memset(, 0, sizeof(struct addrinfo));
+-#ifdef WITH_TLS
+-  if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+-  hints.ai_family = PF_INET;
+-  }else
+-#endif
+-  {
+-  hints.ai_family = PF_UNSPEC;
+-  }
++  hints.ai_family = PF_UNSPEC;
+   hints.ai_flags = AI_ADDRCONFIG;
+   hints.ai_socktype = SOCK_STREAM;
+ 
diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch 
mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
--- mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
1970-01-01 01:00:00.0 +0100
+++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
2017-05-28 23:10:06.0 +0100
@@ -0,0 +1,61 @@
+Description: Fix for CVE-207-7650.
+Author: Roger Light 
+Forwarded: not-needed
+Origin: upstream, 
https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch
+diff --git a/src/security.c b/src/security.c
+index 6ae9fb9..37ce32b 100644
+--- src/security.c
 b/src/security.c
+@@ -233,6 +233,21 @@
+   {
+   username = context->username;
+   }
++
++  /* Check whether the client id or username contains a +, # or / 
and if
++   * so deny access.
++   *
++   * Do this check for every message regardless, we have to 
protect the
++   * plugins against possible pattern based attacks.
++   */
++  if(username && strpbrk(username, "+#/")){
++  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous username \"%s\"", username);
++  return 

Bug#863634: unblock (pre-approval): systemd/232-24

[Michael Biebl]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I'd like to make another upload of systemd if possible.
It fixes a remote DoS in resolved (#863277). We don't enable resolved
by default in Debian, so this bug is not super critical.
But since an (upstream) fix exists, I would prefer to have this fix in
stretch. The attached debdiff also has two smaller fixes which have
piled up in the stretch branch in the mean time.

Please let me know if I can proceed with the upload.
If you want me to postpone that for 9.1, I'm fine as well. Uploading it
now would have the benefit though of at least some testing in unstable.

The changes don't touch d-i, but I've CCed debian-boot@ anyway for an
ack.

Full debdiff attached.

Regards,
Michael


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 2c670e7..68276b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+systemd (232-24) unstable; urgency=medium
+
+  [ Felipe Sateler ]
+  * Specify nobody user and group.
+Otherwise nss-systemd will translate to group 'nobody', which doesn't
+exist on debian systems.
+
+  [ Michael Biebl ]
+  * Add Depends: procps to systemd.
+It's required by /usr/lib/systemd/user/systemd-exit.service which calls
+/bin/kill to stop the systemd --user instance. (Closes: #862292)
+  * resolved: fix null pointer p->question dereferencing.
+This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
+DNS response with an empty question section.
+Fixes: CVE-2017-9217 (Closes: #863277)
+
+ -- Michael Biebl   Mon, 29 May 2017 16:25:43 +0200
+
 systemd (232-23) unstable; urgency=medium
 
   [ Michael Biebl ]
diff --git a/debian/control b/debian/control
index b48a50a..c4e7db1 100644
--- a/debian/control
+++ b/debian/control
@@ -74,6 +74,7 @@ Depends: ${shlibs:Depends},
  util-linux (>= 2.27.1),
  mount (>= 2.26),
  adduser,
+ procps,
 Breaks: lvm2 (<< 2.02.104-1),
 apparmor (<< 2.9.2-1),
 systemd-shim (<< 10-3~),
diff --git 
a/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
 
b/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
new file mode 100644
index 000..0d134c1
--- /dev/null
+++ 
b/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
@@ -0,0 +1,24 @@
+From: Evgeny Vereshchagin 
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: resolved: bugfix of null pointer p->question dereferencing (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+(cherry picked from commit a924f43f30f9c4acaf70618dd2a055f8b0f166be)
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c 
b/src/resolve/resolved-dns-packet.c
+index 337a8c4..07a761e 100644
+--- a/src/resolve/resolved-dns-packet.c
 b/src/resolve/resolved-dns-packet.c
+@@ -2264,6 +2264,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const 
DnsResourceKey *key) {
+ if (r < 0)
+ return r;
+ 
++if (!p->question)
++return 0;
++
+ if (p->question->n_keys != 1)
+ return 0;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 44daef3..adc86a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,6 +62,7 @@ Adjust-pkgconfig-files-to-point-at-rootlibdir-4584.patch
 journal-fix-up-syslog-facility-when-forwarding-native-mes.patch
 machinectl-make-sure-that-inability-to-get-OS-version-isn.patch
 nspawn-support-ephemeral-boots-from-images.patch
+resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
diff --git a/debian/rules b/debian/rules
index 016fc51..d6e984f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -126,7 +126,9 @@ CONFFLAGS = \
--disable-wheel-group \
--with-ntp-servers="$(DEFAULT_NTP_SERVERS)"  \
--with-system-uid-max=999 \
-   --with-system-gid-max=999
+   --with-system-gid-max=999 \
+   --with-nobody-user=nobody \
+   --with-nobody-group=nogroup
 
 # resolved's DNSSEC support is still not mature enough, don't enable it by
 # default on stable Debian/Ubuntu releases

Bug#863573: unblock: diamond/4.0.515-4

[Sandro Tosi]

On Mon, May 29, 2017 at 8:20 AM, Jonathan Wiltshire  wrote:
> Control: tag -1 moreinfo
>
> On Sun, May 28, 2017 at 03:58:13PM -0400, Sandro Tosi wrote:
>> This upload improves (even if only slightly, as a proper solution is still 
>> being
>> worked on by upstream) the stop/restart time of diamond, by setting the 
>> systemd
>> killmode to mixed.
>
> I'm not sure how comfortable I am about this. Is the change to KillMode
> upstream advice?

sorry for not reporting it first, there is a long discussion with
upstream at https://github.com/python-diamond/Diamond/issues/595 -
their initial solution was to change the internal process management
logic and then use KillMode=process but paravoid had better result
with `mixed` without changing any code (since that procs mgmt change
still isnt 100% completed)

-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: imagemagick_6.8.9.9-5+deb8u9_amd64.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_arm64.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_armel.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_armhf.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_i386.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_mips.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_mipsel.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_powerpc.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_ppc64el.changes
  ACCEPT
Processing changes file: imagemagick_6.8.9.9-5+deb8u9_s390x.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_amd64.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_arm64.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_armel.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_armhf.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_i386.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_mips.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_mipsel.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_powerpc.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_ppc64el.changes
  ACCEPT
Processing changes file: libtasn1-6_4.2-3+deb8u3_s390x.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_arm64.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_armel.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_armhf.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_i386.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_mips.changes
  ACCEPT
Processing changes file: 
rtmpdump_2.4+20150115.gita107cef-1+deb8u1_mipsel.changes
  ACCEPT
Processing changes file: 
rtmpdump_2.4+20150115.gita107cef-1+deb8u1_powerpc.changes
  ACCEPT
Processing changes file: 
rtmpdump_2.4+20150115.gita107cef-1+deb8u1_ppc64el.changes
  ACCEPT
Processing changes file: rtmpdump_2.4+20150115.gita107cef-1+deb8u1_s390x.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_allonly.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_amd64.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_arm64.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_armel.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_armhf.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_i386.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_mips.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_mipsel.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_powerpc.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_ppc64el.changes
  ACCEPT
Processing changes file: samba_4.2.14+dfsg-0+deb8u6_s390x.changes
  ACCEPT
Processing changes file: squirrelmail_1.4.23~svn20120406-2+deb8u1_amd64.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_amd64.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_arm64.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_armel.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_armhf.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_i386.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_mips.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_mipsel.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_powerpc.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_ppc64el.changes
  ACCEPT
Processing changes file: tiff_4.0.3-12.3+deb8u3_s390x.changes
  ACCEPT

Bug#863626: unblock: dns-root-data/2017041101

[Ondřej Surý]

Hi Jonathan,

my mistake. Somehow I thought the 2017020200 has been already unblocked
for testing.

I did the 2017041101 build and unblock bug in parallel, and I have just
uploaded the package to unstable.

So for the 2015052300+h+1 -> 2017020200 changes:

* This fixes FTBFS because:
  a) ICANN/IANA doesn't provide OpenPGP signatures anymore
  b) The parsing was broken with introduction of second key

This includes changes in d/rules + new parse-root-anchors.sh script.

* Several dead-upstream ICANN files were removed from the package:
 - draft-icann-dnssec-trust-anchor.html
 - draft-icann-dnssec-trust-anchor.txt
 - icannbundle.p12
 - icann.pgp
 - root-anchors.p7s

(e.g. in fact it was a removal of ICANN-copyright document)

The licensing on ICANN files was acked by ftp-masters as OK.

$ diffstat dns-root-data_2017020200.debdiff

 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/icann.pgp   
 |binary
 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/icannbundle.p12 
 |binary
 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/root-anchors.p7s
 |binary
 dns-root-data-2017020200/debian/changelog |
   14 
 dns-root-data-2017020200/debian/control   |
5 
 dns-root-data-2017020200/debian/dns-root-data.docs|
2 
 dns-root-data-2017020200/debian/rules |
   18 
 dns-root-data-2017020200/draft-icann-dnssec-trust-anchor.html |
  555 -
 dns-root-data-2017020200/draft-icann-dnssec-trust-anchor.txt  |
  560 --
 dns-root-data-2017020200/icannbundle.pem  |
  200 +--
 dns-root-data-2017020200/parse-root-anchors.sh|
   25 
 dns-root-data-2017020200/root-anchors.asc |
7 
 dns-root-data-2017020200/root-anchors.xml |
8 
 dns-root-data-2017020200/root.hints   |
8 
 dns-root-data-2017020200/root.key |
3 
 15 files changed, 117 insertions(+), 1288 deletions(-)

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver

On Mon, May 29, 2017, at 14:47, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> On Mon, May 29, 2017 at 02:17:30PM +0200, Ondřej Surý wrote:
> > the 2017041101 update of dns-root-data package contains:
> > 
> > - fixes to parse_root_data.sh script to unfail the non-dash
> >   shells - closes RC bug #862252 (use printf instead of echo command)
> > - update root.hints to 2017041101 version (no other change then version 
> > though)
> > - update root.key and d/rules to strip any timestamp, so the build is
> >   more or less reproducible (the get_orig_source still depends on
> >   upstream data at the time of the build, but it should be more
> >   reliable)
> > - little fixes to parse_root_data.sh script, as suggested by shellcheck:
> >   + use read -r instead of read on xml2 output data
> >   + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
> >   + use [ a ] || [ b ] syntax instead of [ a -o b ]
> 
> This does not seem to reflect unstable right now; you have:
> 
> dns-root-data | 2015052300+h+1 | testing | source, all
> dns-root-data | 2017020200 | unstable| source, all
> 
> The delta therefore includes many more changes, including addition of an
> ICANN-copyright document with no (obvious) distribution license.
> 
> The RC bug that your request fixes is also still open, which will block
> migration anyway.
> 
> Thanks,
> 
> -- 
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> 


dns-root-data_2017020200.dsc
Description: Binary data


dns-root-data_2017020200.debdiff
Description: Binary data

Bug#863633: unblock: mosquitto/1.4.10-3

[Roger A. Light]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mosquitto

Version 1.4.10-2 currently in testing has a security issue
CVE-2017-7650. This upload fixes that issue.

This upload also fixes #857759, which is a regression against Jessie.

unblock mosquitto/1.4.10-3

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-71-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

*** /home/roger/mosquitto.debdiff
diff -Nru mosquitto-1.4.10/debian/changelog mosquitto-1.4.10/debian/changelog
--- mosquitto-1.4.10/debian/changelog   2016-11-03 22:38:51.0 +
+++ mosquitto-1.4.10/debian/changelog   2017-05-29 14:38:36.0 +0100
@@ -1,3 +1,16 @@
+mosquitto (1.4.10-3) unstable; urgency=high
+
+  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
+set to '+' or '#'.
+- debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
+  of messages to/from clients with a '+', '#' or '/' in their
+  username/client id.
+- CVE-2017-7650
+  * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make
+IPv6 connections when using TLS (closes: #857759).
+
+ -- Roger A. Light   Mon, 29 May 2017 13:43:29 +0100
+
 mosquitto (1.4.10-2) unstable; urgency=medium
 
   * Bumped standards version to 3.9.8. No changes needed.
diff -Nru mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch 
mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch
--- mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch1970-01-01 
01:00:00.0 +0100
+++ mosquitto-1.4.10/debian/patches/allow_ipv6_bridges.patch2017-05-29 
13:50:12.0 +0100
@@ -0,0 +1,22 @@
+Description: Allow bridges to make IPv6 connections when using TLS.
+Author: Roger Light 
+Forwarded: not-needed
+Origin: upstream, 
https://github.com/eclipse/mosquitto/commit/98ea68490626b1d18aee2004b411294c85e62212
+--- a/lib/net_mosq.c
 b/lib/net_mosq.c
+@@ -281,14 +281,7 @@
+ 
+   *sock = INVALID_SOCKET;
+   memset(, 0, sizeof(struct addrinfo));
+-#ifdef WITH_TLS
+-  if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+-  hints.ai_family = PF_INET;
+-  }else
+-#endif
+-  {
+-  hints.ai_family = PF_UNSPEC;
+-  }
++  hints.ai_family = PF_UNSPEC;
+   hints.ai_flags = AI_ADDRCONFIG;
+   hints.ai_socktype = SOCK_STREAM;
+ 
diff -Nru mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch 
mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
--- mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
1970-01-01 01:00:00.0 +0100
+++ mosquitto-1.4.10/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
2017-05-28 23:10:06.0 +0100
@@ -0,0 +1,61 @@
+Description: Fix for CVE-207-7650.
+Author: Roger Light 
+Forwarded: not-needed
+Origin: upstream, 
https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch
+diff --git a/src/security.c b/src/security.c
+index 6ae9fb9..37ce32b 100644
+--- src/security.c
 b/src/security.c
+@@ -233,6 +233,21 @@
+   {
+   username = context->username;
+   }
++
++  /* Check whether the client id or username contains a +, # or / 
and if
++   * so deny access.
++   *
++   * Do this check for every message regardless, we have to 
protect the
++   * plugins against possible pattern based attacks.
++   */
++  if(username && strpbrk(username, "+#/")){
++  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous username \"%s\"", username);
++  return MOSQ_ERR_ACL_DENIED;
++  }
++  if(context->id && strpbrk(context->id, "+#/")){
++  _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL 
denying access to client with dangerous client id \"%s\"", context->id);
++  return MOSQ_ERR_ACL_DENIED;
++  }
+   return db->auth_plugin.acl_check(db->auth_plugin.user_data, 
context->id, username, topic, access);
+   }
+ }
+diff --git a/src/security_default.c b/src/security_default.c
+index 64ca846..a41c21f 100644
+--- src/security_default.c
 b/src/security_default.c
+@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, 
struct mosquitto *conte
+   }
+ 
+   acl_root = db->acl_patterns;
++
++  if(acl_root){
++  /* We are using pattern based 

Bug#863519: unblock blockdiag/1.5.3+dfsg-2

[Jonathan Wiltshire]

On 2017-05-29 05:26, Kouhei Maeda wrote:

Hi,

2017-05-28 21:50 GMT+09:00 Jonathan Wiltshire :

On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:

+  * Bumps version debian/compat to 9.
+- Fixes package-uses-deprecated-debhelper-compat-version.


This isn't OK, please remove it.


This means that reverting debian/compat version, and increments debian 
version?


Regards,
--
Kouhei Maeda 
 KeyID 4096R/7E37CE41


Yes please.

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits

Bug#863626: unblock: dns-root-data/2017041101

[Jonathan Wiltshire]

Control: tag -1 moreinfo

On Mon, May 29, 2017 at 02:17:30PM +0200, Ondřej Surý wrote:
> the 2017041101 update of dns-root-data package contains:
> 
> - fixes to parse_root_data.sh script to unfail the non-dash
>   shells - closes RC bug #862252 (use printf instead of echo command)
> - update root.hints to 2017041101 version (no other change then version 
> though)
> - update root.key and d/rules to strip any timestamp, so the build is
>   more or less reproducible (the get_orig_source still depends on
>   upstream data at the time of the build, but it should be more
>   reliable)
> - little fixes to parse_root_data.sh script, as suggested by shellcheck:
>   + use read -r instead of read on xml2 output data
>   + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
>   + use [ a ] || [ b ] syntax instead of [ a -o b ]

This does not seem to reflect unstable right now; you have:

dns-root-data | 2015052300+h+1 | testing | source, all
dns-root-data | 2017020200 | unstable| source, all

The delta therefore includes many more changes, including addition of an
ICANN-copyright document with no (obvious) distribution license.

The RC bug that your request fixes is also still open, which will block
migration anyway.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Processed: Re: Bug#863626: unblock: dns-root-data/2017041101

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #863626 [release.debian.org] unblock: dns-root-data/2017041101
Added tag(s) moreinfo.

-- 
863626: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863629: unblock: cfengine3/3.9.1-4.2

[Christoph Martin]

Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cfengine3

Hi,

cfengine3/3.9.1-4.2, which was uploaded some days ago to unstable fixes
release critical bug #852675 and bug #862903.

#852675 makes cfengine3 completely unusable because it distributes only
the distribution templates and not the local changes to the clients.

#862903 reverses the openssl1.1 patch which made cfengine crash when
contacted from cfengine3 version 3.6. Upstream says, they have big
problems with the openssl1.1 patch and that the patch is not finished.

Thanks

Christoph
-- 

Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)

diff -Nru cfengine3-3.9.1/debian/changelog cfengine3-3.9.1/debian/changelog
--- cfengine3-3.9.1/debian/changelog2017-01-18 15:09:03.0 +0100
+++ cfengine3-3.9.1/debian/changelog2017-05-18 14:14:45.0 +0200
@@ -1,3 +1,11 @@
+cfengine3 (3.9.1-4.2) unstable; urgency=medium
+
+  * fix masterdir configuration (closes: 852675)
+  * revert ssl1.1 patch which leads to segfaults with older clients
+(closes: #862903)
+
+ -- Christoph Martin   Thu, 18 May 2017 14:14:45 +0200
+
 cfengine3 (3.9.1-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cfengine3-3.9.1/debian/control cfengine3-3.9.1/debian/control
--- cfengine3-3.9.1/debian/control  2017-01-17 01:50:04.0 +0100
+++ cfengine3-3.9.1/debian/control  2017-05-18 14:14:45.0 +0200
@@ -2,7 +2,7 @@
 Section: admin
 Priority: optional
 Maintainer: Antonio Radici 
-Build-Depends: debhelper (>= 7.0.50), autotools-dev, libssl-dev (>= 1.1),
+Build-Depends: debhelper (>= 7.0.50), autotools-dev, libssl1.0-dev | 
libssl-dev (<< 1.1),
  flex, bison, libpcre3-dev, dh-autoreconf, libvirt-dev, libacl1-dev,
  liblmdb-dev, default-libmysqlclient-dev, libxml2-dev, quilt, libpam0g-dev
 Standards-Version: 3.9.8
diff -Nru cfengine3-3.9.1/debian/patches/series 
cfengine3-3.9.1/debian/patches/series
--- cfengine3-3.9.1/debian/patches/series   2016-12-01 21:55:30.0 
+0100
+++ cfengine3-3.9.1/debian/patches/series   2017-05-18 14:14:45.0 
+0200
@@ -6,4 +6,4 @@
 0007-fix_kfreebsd_build.patch
 0009_disable_spelling_errors.patch
 0010_disable_date_annotation.patch
-0011_build_with_openssl_1.1.patch
+#0011_build_with_openssl_1.1.patch
diff -Nru cfengine3-3.9.1/debian/rules cfengine3-3.9.1/debian/rules
--- cfengine3-3.9.1/debian/rules2016-12-01 21:55:30.0 +0100
+++ cfengine3-3.9.1/debian/rules2017-05-18 14:14:45.0 +0200
@@ -20,7 +20,7 @@
--with-libvirt \
--with-lmdb \
--with-libxml2 \
-   
--with-masterdir=\$${prefix}/share/cfengine3/masterfiles \
+   --with-masterdir=/var/lib/cfengine3/masterfiles \
--with-workdir=/var/lib/cfengine3 \
--with-logdir=/var/log/cfengine3 \
--with-piddir=/var/run/cfengine3 \


signature.asc
Description: OpenPGP digital signature

Bug#863628: unblock: apt-mirror/0.5.4-1

[Benjamin Drung]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package apt-mirror

apt-mirror 0.5.4 is a very small bug-fix release for stretch. It fixes
the warning about the use of uninitialized value $config{"options"}
(which hits most users).

unblock apt-mirror/0.5.4-1

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.dr...@profitbricks.com
Web: https://www.profitbricks.com

Sitz der Gesellschaft: Berlin.
Registergericht: Amtsgericht Charlottenburg, HRB 125506B.
Geschäftsführer: Achim Weiss.
diff -Nru apt-mirror-0.5.3/apt-mirror apt-mirror-0.5.4/apt-mirror
--- apt-mirror-0.5.3/apt-mirror 2017-01-06 17:26:55.0 +0100
+++ apt-mirror-0.5.4/apt-mirror 2017-05-29 13:28:34.0 +0200
@@ -294,7 +294,7 @@
 if ( $line =~ $pattern_deb_line ) {
 $config{'type'} = $+{type};
 $config{'arch'} = $+{arch};
-$config{'options'} = $+{options};
+$config{'options'} = $+{options} ? $+{options} : "";
 $config{'uri'} = $+{uri};
 $config{'components'} = $+{components};
 if ( $config{'options'} =~ /arch=((?[\w\-]+)[,]*)/g ) {
@@ -666,7 +666,7 @@
 if ( @parts == 3 )
 {
 my ( $sha1, $size, $filename ) = @parts;
-if ( $filename =~ 
m{^$component/dep11/(Components-${arch}\.yml|icons-[^./]+\.tar)\.gz$} )
+if ( $filename =~ 
m{^$component/dep11/(Components-${arch}\.yml|icons-[^./]+\.tar)\.(gz|bz2|xz)$} )
 {
 add_url_to_download( $dist_uri . $filename, $size );
 }
@@ -729,6 +729,8 @@
 open FILES_ALL, ">" . get_variable("var_path") . "/ALL" or die("apt-mirror: 
can't write to intermediate file (ALL)");
 open FILES_NEW, ">" . get_variable("var_path") . "/NEW" or die("apt-mirror: 
can't write to intermediate file (NEW)");
 open FILES_MD5, ">" . get_variable("var_path") . "/MD5" or die("apt-mirror: 
can't write to intermediate file (MD5)");
+open FILES_SHA1, ">" . get_variable("var_path") . "/SHA1" or die("apt-mirror: 
can't write to intermediate file (SHA1)");
+open FILES_SHA256, ">" . get_variable("var_path") . "/SHA256" or 
die("apt-mirror: can't write to intermediate file (SHA256)");
 
 my %stat_cache = ();
 
@@ -813,7 +815,9 @@
 {# Packages index
 $skipclean{ remove_double_slashes( $path . "/" . 
$lines{"Filename:"} ) } = 1;
 print FILES_ALL remove_double_slashes( $path . "/" . 
$lines{"Filename:"} ) . "\n";
-print FILES_MD5 $lines{"MD5sum:"} . "  " . remove_double_slashes( 
$path . "/" . $lines{"Filename:"} ) . "\n";
+print FILES_MD5 $lines{"MD5sum:"} . "  " . remove_double_slashes( 
$path . "/" . $lines{"Filename:"} ) . "\n" if defined $lines{"MD5sum:"};
+print FILES_SHA1 $lines{"SHA1:"} . "  " . remove_double_slashes( 
$path . "/" . $lines{"Filename:"} ) . "\n" if defined $lines{"SHA1:"};
+print FILES_SHA256 $lines{"SHA256:"} . "  " . 
remove_double_slashes( $path . "/" . $lines{"Filename:"} ) . "\n" if defined 
$lines{"SHA256:"};
 if ( need_update( $mirror . "/" . $lines{"Filename:"}, 
$lines{"Size:"} ) )
 {
 print FILES_NEW remove_double_slashes( $uri . "/" . 
$lines{"Filename:"} ) . "\n";
@@ -887,6 +891,8 @@
 close FILES_ALL;
 close FILES_NEW;
 close FILES_MD5;
+close FILES_SHA1;
+close FILES_SHA256;
 
 
##
 ## Main download
diff -Nru apt-mirror-0.5.3/CHANGELOG apt-mirror-0.5.4/CHANGELOG
--- apt-mirror-0.5.3/CHANGELOG  2017-01-06 17:36:37.0 +0100
+++ apt-mirror-0.5.4/CHANGELOG  2017-05-29 13:38:52.0 +0200
@@ -1,3 +1,11 @@
+0.5.4 (2017-05-29)
+  * Add limit_rate to example mirror.list (fixes #72)
+  * Fix use of uninitialized value $config{"options"} warning (fixes #68,
+Debian bug #851979, #859601)
+  * Fix warning on repository without md5sum (fixes #66)
+  * Write SHA1 and SHA256 in addition to MD5
+  * Also download xz-compressed Components-$arch.yml.xz (fixes #69)
+
 0.5.3 (2017-01-06)
   * Add support for 'deb [arch=amd64] ...' format (fixes #32, #65)
   * Create directories including their parents
diff -Nru apt-mirror-0.5.3/debian/changelog apt-mirror-0.5.4/debian/changelog
--- apt-mirror-0.5.3/debian/changelog   2017-01-06 17:46:06.0 +0100
+++ apt-mirror-0.5.4/debian/changelog   2017-05-29 14:02:33.0 +0200
@@ -1,3 +1,14 @@
+apt-mirror (0.5.4-1) unstable; urgency=medium
+
+  * New upstream bug-fix release.
+- Fix use of uninitialized value $config{"options"} warning
+  (Closes: #851979, #859601)
+- Fix warning on repository without md5sum
+- Write SHA1 and SHA256 in addition to MD5
+- Also download xz-compressed Components-$arch.yml.xz
+
+ -- Benjamin Drung   Mon, 29 May 

Bug#863625: marked as done (unblock: botan1.10/1.10.16-1)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 13:36:13 +0100
with message-id <20170529123613.m4rtm2gho6kxm...@powdarrmonkey.net>
and subject line Re: Bug#863625: unblock: botan1.10/1.10.16-1
has caused the Debian Bug report #863625,
regarding unblock: botan1.10/1.10.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package botan1.10

Dear release team,

botan1.10 1.10.16 contains only the fix for the RC bug #860072
(CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog
entry + version bump), so I have decided to upload 1.10.16 directly
instead of patching the simple patch on top of 1.10.15.

(+ update to d/watch bundled to make it work again)

diffstat:

 botan_version.py  |6 +++---
 debian/changelog  |8 
 debian/watch  |2 +-
 doc/log.txt   |   10 ++
 src/alloc/alloc_mmap/mmap_mem.cpp |3 +--
 src/utils/parsing.cpp |2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)

unblock botan1.10/1.10.16-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (quilt)
Source: botan1.10
Binary: botan1.10-dbg, libbotan-1.10-1, libbotan1.10-dev
Architecture: any
Version: 1.10.16-1
Maintainer: Ondřej Surý 
Homepage: http://botan.randombit.net/
Standards-Version: 3.9.6
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git
Build-Depends: debhelper (>= 9), libbz2-dev, libgmp3-dev, python, zlib1g-dev
Package-List:
 botan1.10-dbg deb debug extra arch=any
 libbotan-1.10-1 deb libs optional arch=any
 libbotan1.10-dev deb libdevel optional arch=any
Checksums-Sha1:
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 
botan1.10_1.10.16-1.debian.tar.xz
Checksums-Sha256:
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 
botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 
botan1.10_1.10.16-1.debian.tar.xz
Files:
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 botan1.10_1.10.16-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksDBdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwel5Q//WXrxeAk/nkyer1wymmhmlZ9mn79CInfKnvPeeT/OVDaljHfbC72X/W7/
Iphzb26ZBgFzbxXoIUarA4LWw9gz5TkIrW4jr8CO2lSShH9vVJ6IENCvYew9mrRe
ZctPI8mEkQL0NVsE9F//9p77aeuqM6sFhHEuW5HpuOg3HdrUjaRjrbFN1UHvhf0E
YeU3g15pwom6IwWwWpNTTXt/qXz+XGnTrZ6EjAzGX9nFeMUmlOYxZImRJNMW4xIp
++ixgm2AF21buKCqmzpVYe+nltUCcWI6VFC27XFDBZBcAg6kCo+vi2F4671ugRuu
bTLJ8r3+vfcaw1Il+zqUOybW5+d0+gxy9zS4DnnGY7zzbiwqtEPPBQP1c4+eXcoY
zUMeof3TvjNCcx4aViNRL9XXw5x2qKkdFfxND2MzpEaR+/I3bu3UG1+MIqVb1GaF
OqWBa+hx+NN+BhTJWl33LtDCEjw+f17OBKj4mVZgwVCalxSBLC2s7rTrj0DZ2f7L
fBhH7VTmjzbfnyudUnS6Joewu4nFqftUbT8eUJ8tg2ezqTiEw29pCgA5vI6mFQYE
sga1xfA6J1U3ZMgcyEfF7dlXC2Z4qtYXCmbT4KqS7mEA+r5GP9+TFnoSpEp0LCDU
rJBEYF0VnKfWUoQy+2SWKVRgyHSI0/GPhbYd4uP4wVTNjNYlHv0=
=Zz4K
-END PGP SIGNATURE-
diff -Nru botan1.10-1.10.15/botan_version.py botan1.10-1.10.16/botan_version.py
--- botan1.10-1.10.15/botan_version.py  2017-01-13 02:48:25.0 +0100
+++ botan1.10-1.10.16/botan_version.py  2017-04-05 03:07:02.0 +0200
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff -Nru botan1.10-1.10.15/debian/changelog 

Bug#863624: marked as done (unblock: lua-http/0.1-3)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 13:33:58 +0100
with message-id <20170529123358.wrw4rhfgtyche...@powdarrmonkey.net>
and subject line Re: Bug#863624: unblock: lua-http/0.1-3
has caused the Debian Bug report #863624,
regarding unblock: lua-http/0.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863624: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863624
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lua-http

Dear release team,

the 0.1-3 update fixes two bugs:

- 0.1-1 package contained incorrect Breaks, this was fixed in 0.1-2
  but never uploaded to unstable

- 0.1-3 contains upstream patch to fix RC bug #863286 (HTTP Request
  string failed in non-comma-as-separator locales)

unblock lua-http/0.1-3

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (quilt)
Source: lua-http
Binary: lua-http
Architecture: all
Version: 0.1-3
Maintainer: Ondřej Surý 
Homepage: https://github.com/daurnimator/lua-http
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/git/pkg-lua/lua-http.git
Vcs-Git: git://anonscm.debian.org/pkg-lua/lua-http.git
Build-Depends: debhelper (>= 9), dh-lua, pandoc
Package-List:
 lua-http deb interpreters optional arch=all
Checksums-Sha1:
 b03216bb5c903b07678464664c142ff9c76833c0 116507 lua-http_0.1.orig.tar.gz
 36f72780773ad5752ce33568af9b30de0a582664 3452 lua-http_0.1-3.debian.tar.xz
Checksums-Sha256:
 4ba01edc7f02d49f98cf98883d7ad9b47f5e4c11dd95d5149f980f40ba12e546 116507 
lua-http_0.1.orig.tar.gz
 537488d3a5d918be5f5b625ca53582e318e66484f58f4d9cf034744219275696 3452 
lua-http_0.1-3.debian.tar.xz
Files:
 f5da73665fb3a13cd600e8b17e0c1bb9 116507 lua-http_0.1.orig.tar.gz
 2e5cbfb4a8dca99abf5fb33d5d4569fb 3452 lua-http_0.1-3.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksChtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwej0w//aN0E0k7GSSpB4wY/zaZWAG3x1fzY9diWU6HF7QvE+r4WDunVwXG8trW/
/JA1ilJfvCLkuBG9C0sFIiLWtkRVrGaZzudbEcEZvjMB4Q4QfvAbpG6v0SJzH8jA
TGj3YeF6IkSG9qUDB94o4pKTfiGEFIvdAP3UqHeJElsMYTMfN16O/HQ6VLC0C1lr
PG8aLnG+dik5eDtu8oopchRTHEj8iD7A0VMPK/7FN6VagaDpWm4F6+cEOq2IEqTj
gbrW4yJqHYEvc3OMhpQ9PiO+sJ8zHxD+z2fzHeXTz5AZQFLwWsZaPRZ6pC/mcvfx
91vZ0330zJ2Bm/dtZ7LSlUncB8gHTX16YiLc3uZc/A6wDM3x4i6LGaGYcr1DaVVv
hBpM7JoPmPFl31gue/MmY9wPe+JAzVKozPJs2aNoCgsrBFdyT3bUe6ZRkop9ITjb
VU0C2uKdxp7xl2+WDbTyKrkpgxVBI9TDwtwQHDIDZB/5qkLvkhHem0YCJZGBLFxa
yeNV97mOoinQp9haDHeBrbImSgNFY/hy+X+weDI8PfVp2s8AvM/DyfZQK8YafgJK
5m/YOQ4gMWIhPCPMdXy3onmYJuBAa2MehHlq+ZZGH83BrImIUmFqAN+D876NjnSh
MR/uHYAkxZK8njUwc2dRFrHVZ/v2SqAtxahBsXVXlE+nqgD8f+0=
=Wpip
-END PGP SIGNATURE-
diff -Nru lua-http-0.1/debian/changelog lua-http-0.1/debian/changelog
--- lua-http-0.1/debian/changelog   2016-12-19 13:13:38.0 +0100
+++ lua-http-0.1/debian/changelog   2017-05-29 13:39:46.0 +0200
@@ -1,3 +1,16 @@
+lua-http (0.1-3) unstable; urgency=medium
+
+  * Fix request building in locales with comma decimal separator
+(Closes: #863286) (Courtesy of Daurnimator)
+
+ -- Ondřej Surý   Mon, 29 May 2017 13:39:46 +0200
+
+lua-http (0.1-2) unstable; urgency=medium
+
+  * New lua-http breaks knot-resolver-module-http and not knot-resolver
+
+ -- Ondřej Surý   Tue, 20 Dec 2016 11:39:33 +0100
+
 lua-http (0.1-1) unstable; urgency=medium
 
   * Imported Upstream version 0.1
diff -Nru lua-http-0.1/debian/control lua-http-0.1/debian/control
--- lua-http-0.1/debian/control 2016-12-19 13:13:38.0 +0100
+++ lua-http-0.1/debian/control 2017-05-29 13:39:46.0 +0200
@@ -21,7 +21,7 @@
  lua-luaossl (>= 20161208),
  ${misc:Depends},
  ${shlibs:Depends}
-Breaks: knot-resolver (<< 1.2.0~)
+Breaks: knot-resolver-module-http (<< 1.2.0~)
 Provides: ${lua:Provides}
 XB-Lua-Versions: ${lua:Versions}
 Description: HTTP library for Lua
diff -Nru 

Bug#863575: marked as done (unblock: node-concat-stream/1.5.1-2)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 13:26:19 +0100
with message-id <20170529122619.gon3efu7dep5b...@powdarrmonkey.net>
and subject line Re: Bug#863575: unblock: node-concat-stream/1.5.1-2
has caused the Debian Bug report #863575,
regarding unblock: node-concat-stream/1.5.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863575
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-concat-stream

Node-concat-stream is vunerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug https://bugs.debian.org/cgi-
bin/bugreport.cgi?archive=no=863481. This was fixed upstream, and a version
of the fixing commit is included in this version as a patch. The patch has been
tested with the upstream testsuite, which unfortunately has to be disabled as
the testing framework (node-tape) does not exist in testing.

More information can be found in the attached debdiff (between tesing &
unstable), in the patch description.

unblock node-concat-stream/1.5.1-2

-- System Information:
Debian Release: stretch/sid
  APT prefers yakkety-updates
  APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/changelog	2017-05-28 16:19:49.0 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+  * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+(Closes: #863481)
+  * Use stretch git branch
+  * Use Ubuntu email address
+
+ -- Ross Gammon   Sun, 28 May 2017 16:19:49 +0200
+
 node-concat-stream (1.5.1-1) unstable; urgency=low
 
   * Initial release (Closes: #796351)
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/control	2017-05-28 16:19:49.0 +0200
@@ -2,13 +2,13 @@
 Section: web
 Priority: optional
 Maintainer: Debian Javascript Maintainers 
-Uploaders: Ross Gammon 
+Uploaders: Ross Gammon 
 Build-Depends: debhelper (>= 9),
dh-buildinfo,
nodejs
 Standards-Version: 3.9.6
 Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
 
 Package: node-concat-stream
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf	2017-05-28 16:19:49.0 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/patches/series	2017-05-28 16:19:49.0 +0200
@@ -1 +1,2 @@
 readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	1970-01-01 01:00:00.0 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	2017-05-28 16:19:49.0 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a 

Bug#863573: unblock: diamond/4.0.515-4

[Jonathan Wiltshire]

Control: tag -1 moreinfo

On Sun, May 28, 2017 at 03:58:13PM -0400, Sandro Tosi wrote:
> This upload improves (even if only slightly, as a proper solution is still 
> being
> worked on by upstream) the stop/restart time of diamond, by setting the 
> systemd
> killmode to mixed.

I'm not sure how comfortable I am about this. Is the change to KillMode
upstream advice?

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug#863626: unblock: dns-root-data/2017041101

[Ondřej Surý]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dns-root-data

Dear release team,

the 2017041101 update of dns-root-data package contains:

- fixes to parse_root_data.sh script to unfail the non-dash
  shells - closes RC bug #862252 (use printf instead of echo command)
- update root.hints to 2017041101 version (no other change then version though)
- update root.key and d/rules to strip any timestamp, so the build is
  more or less reproducible (the get_orig_source still depends on
  upstream data at the time of the build, but it should be more
  reliable)
- little fixes to parse_root_data.sh script, as suggested by shellcheck:
  + use read -r instead of read on xml2 output data
  + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
  + use [ a ] || [ b ] syntax instead of [ a -o b ]

unblock dns-root-data/2017041101

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (native)
Source: dns-root-data
Binary: dns-root-data
Architecture: all
Version: 2017041101
Maintainer: Debian DNS Maintainers 
Uploaders: Ondřej Surý , Robert Edmonds 
Homepage: https://data.iana.org/root-anchors/
Standards-Version: 3.9.6
Vcs-Browser: http://git.debian.org/?p=pkg-dns/dns-root-data.git;a=summary
Vcs-Git: git://git.debian.org/pkg-dns/dns-root-data.git
Build-Depends: debhelper (>= 8.0.0), unbound-anchor, openssl, ldnsutils, xml2
Package-List:
 dns-root-data deb misc optional arch=all
Checksums-Sha1:
 36bfc25763062a4ccc784ced1d821faf8a3f442e 14316 dns-root-data_2017041101.tar.xz
Checksums-Sha256:
 c88bb15f1e16dba1a525928e190999fdc70b16d06e40f2aa9c7b81c4740c30d5 14316 
dns-root-data_2017041101.tar.xz
Files:
 4982844cb0e3b0223fdc93bf9671adc3 14316 dns-root-data_2017041101.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksENtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwf1vA/9HNXfzN7Z8tUuDm40HsXrCR6vK1KfGpcsoYkqZtyqEnkCSwCjzBCpuXzd
IO9bVVzQaUkzvxVK8Gq0hJaKri7BUKmgRTg9v8MmcIoqmmyi3TIxU5NFUbTgFwaj
qy47bq/gNVJUrYGQJssSE70fHv1iCwWT3Y3xHNdNJfkjiOqIgqgJwB7RzXcPZjgF
ZqzUWelV6vDUE1OsOCo2a8hLRGZa11qK/mbZ8eBhYOwVzf6S/z/tZ7L2y2oUEC3J
u2et1PweqCmQPNC2Xs9KRya9XdFBuMRt4x3EPHygG0u8sziioVaHeNgfNP66gU2g
FlADNfrgS7KLTwXlfHkJ1JLW5/9Zbce3HFdfNGBwESxWSPLJRhCVcycN3N/71T/h
aycV57+hG+rHGOsCdNa9c79KrriikrokBilA31NDmOH77wk6g88EhYtvG7TRbd3S
sCAYPdk06aIAz2V8nMOXATag5iLRrtdlcJaqvmpfB2NyrXWXOlgb0mTc912ACY6B
seDPD3OAmVG5ubOUkBSMyQj7tabjOKkHu+ioYOs3AEYVyIlFxfvle4GwPb6XLaze
gaf5ECU4UdZb/7ARKcX3PEL/UQXxIH3F7CExliqQZ/kqqXD0nWcS16I/BuW+YkwP
86k6ofr1/oxiHbdkFEQvSAocbv2GN74jO2R1Q6p7ptv7K4Ey8Og=
=pbH7
-END PGP SIGNATURE-
diff -Nru dns-root-data-2017020200/debian/changelog 
dns-root-data-2017041101/debian/changelog
--- dns-root-data-2017020200/debian/changelog   2017-03-22 09:06:08.0 
+0100
+++ dns-root-data-2017041101/debian/changelog   2017-05-29 14:05:37.0 
+0200
@@ -1,3 +1,12 @@
+dns-root-data (2017041101) unstable; urgency=medium
+
+  * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252)
+  * Update to 2017041101 version of root zone
+  * Remove timestamps from root.key to make the build reproducible
+  * Shell syntax cleanup
+
+ -- Ondřej Surý   Mon, 29 May 2017 14:05:37 +0200
+
 dns-root-data (2017020200) unstable; urgency=medium
 
   * Update to 2016102001 version of the root.zone
diff -Nru dns-root-data-2017020200/debian/rules 
dns-root-data-2017041101/debian/rules
--- dns-root-data-2017020200/debian/rules   2017-03-22 09:06:08.0 
+0100
+++ dns-root-data-2017041101/debian/rules   2017-05-29 14:05:37.0 
+0200
@@ -32,6 +32,6 @@
/usr/sbin/unbound-anchor \
-a $(CURDIR)/root-auto.key \
-c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
-   < root-auto.key grep -Ev "^($$|;)" > root.key
+   < root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > root.key
rm root-auto.key
wget -O $(CURDIR)/root.hints "http://www.internic.net/domain/named.root;
diff -Nru dns-root-data-2017020200/parse-root-anchors.sh 
dns-root-data-2017041101/parse-root-anchors.sh
--- dns-root-data-2017020200/parse-root-anchors.sh  2017-03-22 
09:06:08.0 +0100
+++ dns-root-data-2017041101/parse-root-anchors.sh  2017-05-29 
14:05:37.0 +0200
@@ -5,19 +5,19 @@
 TTL=172800
 
 export 

Processed: Re: Bug#863573: unblock: diamond/4.0.515-4

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #863573 [release.debian.org] unblock: diamond/4.0.515-4
Added tag(s) moreinfo.

-- 
863573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863453: unblock: acmetool/0.0.59-1

[Jonathan Wiltshire]

Control: tag -1 moreinfo

On Fri, May 26, 2017 at 10:10:57PM -0400, Peter Colberg wrote:
>   * Validate hostnames in 'acmetool want' [1]
>   * Allow environment variables to be passed to challenge hooks [2]
>   * Allow acmeapi to obtain new nonces if nonce pool is depleted [3]
>   * Don't attempt fdb permission tests on non-cgo builds [4]
>   * Add read/write timeouts to redirector server [5]
>   * Allow hidden files within the state directory [6]

None of these issues seem to have corresponding BTS bugs. If they did,
which severity would you choose? (hint: if they're not at least
'serious'...)

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Processed: Re: Bug#863453: unblock: acmetool/0.0.59-1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #863453 [release.debian.org] unblock: acmetool/0.0.59-1
Added tag(s) moreinfo.

-- 
863453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863625: unblock: botan1.10/1.10.16-1

[Ondřej Surý]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package botan1.10

Dear release team,

botan1.10 1.10.16 contains only the fix for the RC bug #860072
(CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog
entry + version bump), so I have decided to upload 1.10.16 directly
instead of patching the simple patch on top of 1.10.15.

(+ update to d/watch bundled to make it work again)

diffstat:

 botan_version.py  |6 +++---
 debian/changelog  |8 
 debian/watch  |2 +-
 doc/log.txt   |   10 ++
 src/alloc/alloc_mmap/mmap_mem.cpp |3 +--
 src/utils/parsing.cpp |2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)

unblock botan1.10/1.10.16-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (quilt)
Source: botan1.10
Binary: botan1.10-dbg, libbotan-1.10-1, libbotan1.10-dev
Architecture: any
Version: 1.10.16-1
Maintainer: Ondřej Surý 
Homepage: http://botan.randombit.net/
Standards-Version: 3.9.6
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git
Build-Depends: debhelper (>= 9), libbz2-dev, libgmp3-dev, python, zlib1g-dev
Package-List:
 botan1.10-dbg deb debug extra arch=any
 libbotan-1.10-1 deb libs optional arch=any
 libbotan1.10-dev deb libdevel optional arch=any
Checksums-Sha1:
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 
botan1.10_1.10.16-1.debian.tar.xz
Checksums-Sha256:
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 
botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 
botan1.10_1.10.16-1.debian.tar.xz
Files:
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 botan1.10_1.10.16-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksDBdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwel5Q//WXrxeAk/nkyer1wymmhmlZ9mn79CInfKnvPeeT/OVDaljHfbC72X/W7/
Iphzb26ZBgFzbxXoIUarA4LWw9gz5TkIrW4jr8CO2lSShH9vVJ6IENCvYew9mrRe
ZctPI8mEkQL0NVsE9F//9p77aeuqM6sFhHEuW5HpuOg3HdrUjaRjrbFN1UHvhf0E
YeU3g15pwom6IwWwWpNTTXt/qXz+XGnTrZ6EjAzGX9nFeMUmlOYxZImRJNMW4xIp
++ixgm2AF21buKCqmzpVYe+nltUCcWI6VFC27XFDBZBcAg6kCo+vi2F4671ugRuu
bTLJ8r3+vfcaw1Il+zqUOybW5+d0+gxy9zS4DnnGY7zzbiwqtEPPBQP1c4+eXcoY
zUMeof3TvjNCcx4aViNRL9XXw5x2qKkdFfxND2MzpEaR+/I3bu3UG1+MIqVb1GaF
OqWBa+hx+NN+BhTJWl33LtDCEjw+f17OBKj4mVZgwVCalxSBLC2s7rTrj0DZ2f7L
fBhH7VTmjzbfnyudUnS6Joewu4nFqftUbT8eUJ8tg2ezqTiEw29pCgA5vI6mFQYE
sga1xfA6J1U3ZMgcyEfF7dlXC2Z4qtYXCmbT4KqS7mEA+r5GP9+TFnoSpEp0LCDU
rJBEYF0VnKfWUoQy+2SWKVRgyHSI0/GPhbYd4uP4wVTNjNYlHv0=
=Zz4K
-END PGP SIGNATURE-
diff -Nru botan1.10-1.10.15/botan_version.py botan1.10-1.10.16/botan_version.py
--- botan1.10-1.10.15/botan_version.py  2017-01-13 02:48:25.0 +0100
+++ botan1.10-1.10.16/botan_version.py  2017-04-05 03:07:02.0 +0200
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff -Nru botan1.10-1.10.15/debian/changelog botan1.10-1.10.16/debian/changelog
--- botan1.10-1.10.15/debian/changelog  2017-01-13 09:47:48.0 +0100
+++ botan1.10-1.10.16/debian/changelog  2017-05-29 13:45:02.0 +0200
@@ -1,3 +1,11 @@
+botan1.10 (1.10.16-1) unstable; urgency=high
+
+  * Update d/watch to match new upstream download directory
+  * New upstream version 1.10.16
++ [CVE-2017-2801]: Incorrect comparison in X.509 DN strings
+
+ -- Ondřej Surý   Mon, 29 May 2017 13:45:02 +0200
+
 botan1.10 (1.10.15-1) unstable; urgency=medium
 
   * New upstream version 1.10.15
diff -Nru botan1.10-1.10.15/debian/watch botan1.10-1.10.16/debian/watch
--- botan1.10-1.10.15/debian/watch  2017-01-13 09:47:48.0 +0100
+++ botan1.10-1.10.16/debian/watch  2017-05-29 13:45:02.0 +0200
@@ -1,2 +1,2 @@
 version=3

Bug#863624: unblock: lua-http/0.1-3

[Ondřej Surý]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lua-http

Dear release team,

the 0.1-3 update fixes two bugs:

- 0.1-1 package contained incorrect Breaks, this was fixed in 0.1-2
  but never uploaded to unstable

- 0.1-3 contains upstream patch to fix RC bug #863286 (HTTP Request
  string failed in non-comma-as-separator locales)

unblock lua-http/0.1-3

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (quilt)
Source: lua-http
Binary: lua-http
Architecture: all
Version: 0.1-3
Maintainer: Ondřej Surý 
Homepage: https://github.com/daurnimator/lua-http
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/git/pkg-lua/lua-http.git
Vcs-Git: git://anonscm.debian.org/pkg-lua/lua-http.git
Build-Depends: debhelper (>= 9), dh-lua, pandoc
Package-List:
 lua-http deb interpreters optional arch=all
Checksums-Sha1:
 b03216bb5c903b07678464664c142ff9c76833c0 116507 lua-http_0.1.orig.tar.gz
 36f72780773ad5752ce33568af9b30de0a582664 3452 lua-http_0.1-3.debian.tar.xz
Checksums-Sha256:
 4ba01edc7f02d49f98cf98883d7ad9b47f5e4c11dd95d5149f980f40ba12e546 116507 
lua-http_0.1.orig.tar.gz
 537488d3a5d918be5f5b625ca53582e318e66484f58f4d9cf034744219275696 3452 
lua-http_0.1-3.debian.tar.xz
Files:
 f5da73665fb3a13cd600e8b17e0c1bb9 116507 lua-http_0.1.orig.tar.gz
 2e5cbfb4a8dca99abf5fb33d5d4569fb 3452 lua-http_0.1-3.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksChtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwej0w//aN0E0k7GSSpB4wY/zaZWAG3x1fzY9diWU6HF7QvE+r4WDunVwXG8trW/
/JA1ilJfvCLkuBG9C0sFIiLWtkRVrGaZzudbEcEZvjMB4Q4QfvAbpG6v0SJzH8jA
TGj3YeF6IkSG9qUDB94o4pKTfiGEFIvdAP3UqHeJElsMYTMfN16O/HQ6VLC0C1lr
PG8aLnG+dik5eDtu8oopchRTHEj8iD7A0VMPK/7FN6VagaDpWm4F6+cEOq2IEqTj
gbrW4yJqHYEvc3OMhpQ9PiO+sJ8zHxD+z2fzHeXTz5AZQFLwWsZaPRZ6pC/mcvfx
91vZ0330zJ2Bm/dtZ7LSlUncB8gHTX16YiLc3uZc/A6wDM3x4i6LGaGYcr1DaVVv
hBpM7JoPmPFl31gue/MmY9wPe+JAzVKozPJs2aNoCgsrBFdyT3bUe6ZRkop9ITjb
VU0C2uKdxp7xl2+WDbTyKrkpgxVBI9TDwtwQHDIDZB/5qkLvkhHem0YCJZGBLFxa
yeNV97mOoinQp9haDHeBrbImSgNFY/hy+X+weDI8PfVp2s8AvM/DyfZQK8YafgJK
5m/YOQ4gMWIhPCPMdXy3onmYJuBAa2MehHlq+ZZGH83BrImIUmFqAN+D876NjnSh
MR/uHYAkxZK8njUwc2dRFrHVZ/v2SqAtxahBsXVXlE+nqgD8f+0=
=Wpip
-END PGP SIGNATURE-
diff -Nru lua-http-0.1/debian/changelog lua-http-0.1/debian/changelog
--- lua-http-0.1/debian/changelog   2016-12-19 13:13:38.0 +0100
+++ lua-http-0.1/debian/changelog   2017-05-29 13:39:46.0 +0200
@@ -1,3 +1,16 @@
+lua-http (0.1-3) unstable; urgency=medium
+
+  * Fix request building in locales with comma decimal separator
+(Closes: #863286) (Courtesy of Daurnimator)
+
+ -- Ondřej Surý   Mon, 29 May 2017 13:39:46 +0200
+
+lua-http (0.1-2) unstable; urgency=medium
+
+  * New lua-http breaks knot-resolver-module-http and not knot-resolver
+
+ -- Ondřej Surý   Tue, 20 Dec 2016 11:39:33 +0100
+
 lua-http (0.1-1) unstable; urgency=medium
 
   * Imported Upstream version 0.1
diff -Nru lua-http-0.1/debian/control lua-http-0.1/debian/control
--- lua-http-0.1/debian/control 2016-12-19 13:13:38.0 +0100
+++ lua-http-0.1/debian/control 2017-05-29 13:39:46.0 +0200
@@ -21,7 +21,7 @@
  lua-luaossl (>= 20161208),
  ${misc:Depends},
  ${shlibs:Depends}
-Breaks: knot-resolver (<< 1.2.0~)
+Breaks: knot-resolver-module-http (<< 1.2.0~)
 Provides: ${lua:Provides}
 XB-Lua-Versions: ${lua:Versions}
 Description: HTTP library for Lua
diff -Nru 
lua-http-0.1/debian/patches/0001-http-h1_connection-Fix-request-building-in-locales-w.patch
 
lua-http-0.1/debian/patches/0001-http-h1_connection-Fix-request-building-in-locales-w.patch
--- 
lua-http-0.1/debian/patches/0001-http-h1_connection-Fix-request-building-in-locales-w.patch
 1970-01-01 01:00:00.0 +0100
+++ 
lua-http-0.1/debian/patches/0001-http-h1_connection-Fix-request-building-in-locales-w.patch
 2017-05-29 13:39:46.0 +0200
@@ -0,0 +1,32 @@
+From: daurnimator 
+Date: Thu, 25 May 2017 11:04:32 +1000
+Subject: http/h1_connection: Fix request building in locales with comma
+ decimal separator
+
+Reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863286
+---
+ http/h1_connection.lua | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/http/h1_connection.lua b/http/h1_connection.lua
+index 1dd5def..28db038 100644

Bug#863590: marked as done (unblock: libsndfile/1.0.27-3)

[Debian Bug Tracking System]

Your message dated Mon, 29 May 2017 10:37:00 +
with message-id <6b85364d-4118-7e20-0ac2-99560b6bf...@thykier.net>
and subject line Re: Bug#863590: unblock: libsndfile/1.0.27-3
has caused the Debian Bug report #863590,
regarding unblock: libsndfile/1.0.27-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863590
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libsndfile

this upload backports fixes for a number of security-related bugs
(CVE-2017-7742, CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365) from
upstream.

since libsndfile is a widely used library for reading/writing soundfiles of many
formats, security issues affect quite a number of ordinary desktops.

unblock libsndfile/1.0.27-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsndfile-1.0.27/debian/changelog libsndfile-1.0.27/debian/changelog
--- libsndfile-1.0.27/debian/changelog  2017-04-04 15:33:45.0 +0200
+++ libsndfile-1.0.27/debian/changelog  2017-05-28 22:52:39.0 +0200
@@ -1,3 +1,24 @@
+libsndfile (1.0.27-3) unstable; urgency=medium
+
+  * Mentioned CVEs fixed by fix_bufferoverflows.patch
+(CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
+  * Backported patch for error handling of malicious/broken FLAC files
+(CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
+(Closes: #860255)
+  * Backported patch to fix buffer read overflow in FLAC code
+(CVE-2017-8362)
+(Closes: #862204)
+  * Backported patches to fix memory leaks in FLAC code
+(CVE-2017-8363)
+(Closes: #862203)
+  * Backported patch to fix buffer overruns in FLAC-code
+(CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
+(Closes: #862205, #862203, #862202)
+
+  * Added Vcs-* stanzas to d/control
+
+ -- IOhannes m zmölnig (Debian/GNU)   Sun, 28 May 2017 
22:52:39 +0200
+
 libsndfile (1.0.27-2) unstable; urgency=medium
 
   * Backported fixes for buffer-write overflows from 1.0.28.
diff -Nru libsndfile-1.0.27/debian/control libsndfile-1.0.27/debian/control
--- libsndfile-1.0.27/debian/control2017-04-04 15:33:45.0 +0200
+++ libsndfile-1.0.27/debian/control2017-05-28 22:52:39.0 +0200
@@ -9,6 +9,8 @@
  libasound2-dev [linux-any]
 Standards-Version: 3.9.8
 Homepage: http://www.mega-nerd.com/libsndfile/
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/libsndfile.git
+Vcs-Browser: https://anonscm.debian.org/git/collab-maint/libsndfile.git
 
 Package: libsndfile1-dev
 Section: libdevel
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch 
libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch1970-01-01 
01:00:00.0 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch2017-05-28 
22:52:39.0 +0200
@@ -0,0 +1,89 @@
+Description: more fixes for FLAC error handling
+ fixes CVE-2017-7742, CVE-2017-7741, CVE-2017-7585
+Author: Eric de Castro Lopo
+Origin: upstream
+Applied-Upstream: 
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
 libsndfile/src/flac.c
+@@ -68,9 +68,9 @@
+   unsigned bufferpos ;
+ 
+   const FLAC__Frame *frame ;
+-  FLAC__bool bufferbackup ;
+ 
+   unsigned compression ;
++
+ } FLAC_PRIVATE ;
+ 
+ typedef struct
+@@ -187,10 +187,9 @@
+ 
+   if (pflac->ptr == NULL)
+   {   /*
+-  **  Not sure why this code is here and not elsewhere.
+-  **  Removing it causes valgrind errors.
++  ** This pointer is reset to NULL each time the current frame 
has been
++  ** decoded. Somehow its used during encoding and decoding.
+   */
+-  pflac->bufferbackup = SF_TRUE ;
+   for (i = 0 ; i < channels ; i++)
+   {
+   if (pflac->rbuffer [i] == NULL)
+@@ -206,6 +205,11 @@
+ 
+   len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
++   

Bug#863320: Acknowledgement ((pre-approval) unblock: ganeti/2.15.2-8)

[Apollon Oikonomopoulos]

Control: retitle -1 unblock: ganeti/2.15.2-8

Since we are near the release deadline, I uploaded 2.15.2-8 (including 
two new fixes, see below) to unstable, to gain some time and clear 
piuparts and CI tests.

The upload includes two additional fixes for issues found while 
migrating part of our cluster to Stretch:

 - A fix for a bug in a pre-migration check when migrating between 
   different hypervisor versions. These migrations would always fail on 
   Debian, because of code running on the master node as non-root 
   unintentionally.

 - A fix for instance import/export/move, because of a wrong socat 
   parameter. Instead of renaming the parameter to the new name as 
   upstream did[1], I opted to completely remove it and let 
   socat/OpenSSL pick the best protocol version available (instead of 
   hard-coding good old TLSv1).

Full debdiff attached, interdiff follows.

Regards,
Apollon

[1] 
https://github.com/ganeti/ganeti/commit/d5d747d5e9273e2fbbf99e7f83b313f56f8656bb

Interdiff:

diff -u ganeti-2.15.2/debian/changelog ganeti-2.15.2/debian/changelog
--- ganeti-2.15.2/debian/changelog  2017-05-23 15:49:40.0 +0300
+++ ganeti-2.15.2/debian/changelog  2017-05-23 15:49:40.0 +0300
@@ -11,6 +11,13 @@
   key type/length parameters without running cfgupgrade.
   * Document the new SSH key support in d/NEWS.
   * Update project Homepage (Closes: #862829)
+  * Fix pre-migration check bug causing failure when migrating between 
different
+hypervisor versions and running luxid as non-root. Note that this does not
+mean that migrations between different hypervisor versions are safe and/or
+suppported.
+  * Fix instance import/export/move with current socat versions, by dropping
+the SSL method= socat option and letting socat/OpenSSL pick the best
+available.
   * d/copyright: bump years
 
  -- Apollon Oikonomopoulos   Tue, 23 May 2017 15:49:40 
+0300
diff -u ganeti-2.15.2/debian/patches/series ganeti-2.15.2/debian/patches/series
--- ganeti-2.15.2/debian/patches/series 2017-05-23 15:49:40.0 +0300
+++ ganeti-2.15.2/debian/patches/series 2017-05-23 15:49:40.0 +0300
@@ -15,0 +16,2 @@
+use-hv-class-to-check-for-migration.patch
+do-not-specify-socat-ssl-method.patch
only in patch2:
unchanged:
--- ganeti-2.15.2/debian/patches/do-not-specify-socat-ssl-method.patch  
1970-01-01 02:00:00.0 +0200
+++ ganeti-2.15.2/debian/patches/do-not-specify-socat-ssl-method.patch  
2017-05-23 15:49:40.0 +0300
@@ -0,0 +1,30 @@
+From f8cfc917a890de1d2489ab89775780c41b68a651 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos 
+Date: Fri, 26 May 2017 12:45:41 +0300
+Subject: [PATCH 3/3] impexpd: do not specify SSL method
+
+Recent versions of socat have changed the OpenSSL method name from TLSv1
+to TLS1, making instance import/export fail. Since there is no reason to
+force a specific (old) TLS version now that SSLv3 support has been removed
+from OpenSSL, it makes sense to just let socat choose.
+---
+ lib/impexpd/__init__.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
+index f40db31e4..97a9716cc 100644
+--- a/lib/impexpd/__init__.py
 b/lib/impexpd/__init__.py
+@@ -88,8 +88,7 @@ BUFSIZE = 1024 * 1024
+ 
+ # Common options for socat
+ SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
+-SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+-  "cipher=%s" % constants.OPENSSL_CIPHERS]
++SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=%s" % constants.OPENSSL_CIPHERS]
+ 
+ if constants.SOCAT_USE_COMPRESS:
+   # Disables all compression in by OpenSSL. Only supported in patched versions
+-- 
+2.11.0
+
only in patch2:
unchanged:
--- ganeti-2.15.2/debian/patches/use-hv-class-to-check-for-migration.patch  
1970-01-01 02:00:00.0 +0200
+++ ganeti-2.15.2/debian/patches/use-hv-class-to-check-for-migration.patch  
2017-05-23 15:49:40.0 +0300
@@ -0,0 +1,31 @@
+From 93000ef9b540a243e420e73eb860c62a1322d5d8 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos 
+Date: Thu, 25 May 2017 16:13:30 +0300
+Subject: [PATCH 2/3] Do not instantiate an HV object to query for migration
+ safety
+
+hv.VersionsSafeForMigration is a static method. There is no reason to
+instatiate hypervisor objects to query for migration safety, just get
+the class and call the static method. Without this change, hypervisors
+are initialized on the master, causing side-effects (e.g. EnsureDirs)
+that might fail on systems where jobs are not run as root.
+---
+ lib/cmdlib/instance_migration.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cmdlib/instance_migration.py 
b/lib/cmdlib/instance_migration.py
+index ca64afb35..1e500fdbc 100644
+--- a/lib/cmdlib/instance_migration.py
 b/lib/cmdlib/instance_migration.py
+@@ -738,7 +738,7 @@ class TLMigrateInstance(Tasklet):
+  

Processed: Re: Bug#863320: Acknowledgement ((pre-approval) unblock: ganeti/2.15.2-8)

[Debian Bug Tracking System]

Processing control commands:

> retitle -1 unblock: ganeti/2.15.2-8
Bug #863320 [release.debian.org] (pre-approval) unblock: ganeti/2.15.2-8
Changed Bug title to 'unblock: ganeti/2.15.2-8' from '(pre-approval) unblock: 
ganeti/2.15.2-8'.

-- 
863320: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863320
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Re: Last chance for d-i changes in stretch

[Didier 'OdyX' Raboud]

Le samedi, 27 mai 2017, 17.17:10 h CEST Didier 'OdyX' Raboud a écrit :
> win32-loader should be arch:all-rebuilt (aka uploaded) with a versionned
> Build-Depends on the  latest debian-archive-keyring. It would therefore
> also embed the latest versions of all the other binaries its standalone
> version embeds.

For all packages with the same version in unstable and testing, it's not an 
issue (and doesn't need an explicit B-D version); it's the case for all but 
one of the packages win32-loader has a Built-Using value for: src:gnupg2 is 
currently in 2.1.18-8 version in unstable and -6 in testing.

If I upload win32-loader now, it will embed gpgv-win32 2.1.18-8, no matter 
which gnupg2 version will be part of stretch. There are three alternatives, in 
decreasing order of preference:
* get gnupg2 in testing, upload win32-loader to unstable, migrate it
* upload win32-loader to unstable, upload it _too_ (with a different version?) 
in testing-proposed-updates to get rid of the version discrepancy
* upload win32-loader to unstable, migrate it (and too bad for the version 
difference)

> It also currently uses httpredir.debian.org as only mirror, so we should
> decide if it makes sense to consolidate onto deb.debian.org for win32-
> loader too.

I've staged a change of all mirror references to deb.debian.org. The 
previously-discussed source compression change away from .bz2 would also be 
part of that upload. I'm waiting for directions regarding gnupg2 :-)

Cheers,
OdyX
-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

Re: Coordinating Debian Stretch & Tails 3.0 releases?

[intrigeri]

Hi Niels & others,

Niels Thykier:
> intrigeri:
> Apologies for the late reply on our part.

That's totally fine; thanks for caring! :)

> At this point we have now announced our planned release date as June
> 17th (https://lists.debian.org/debian-devel-announce/2017/05/msg2.html)

> I hope that date (still) works for you. :)

Tails 3.0 will be released either on June 13 or on June 17. In any
case, the Debian & Tails releases will be very close to each other :)

I'll let the release + publicity teams know as soon as we've reached
a conclusion on Tails' side:
https://mailman.boum.org/pipermail/tails-dev/2017-May/011451.html

Cheers,
-- 
intrigeri