Bug#864193: unblock: chromium-browser/58.0.3029.96-1

2017-06-04 Thread Michael Gilbert
package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock

Please consider unblocking chromium ahead of the stretch window
closing.  This update corrects a single security issue that could
lead to remote code execution by visiting a malicious web page.

Best wishes,
Mike

unblock chromium-browser/58.0.3029.96-1



Bug#864189: unblock: systemd/232-25

2017-06-04 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

please consider unblocking systemd.

The changes include two fixes for selinux, a fix for a dist-upgrade
failure and an important performance regression.

None of those should affect the udev/libudev1 udeb, i.e. the installer.

That said, I've CCed debian-boot for a d-i/KiBi ack.

Here's an annotated changelog


systemd (232-25) unstable; urgency=medium

  * hwdb: Use path_join() to generate the hwdb_bin path.
This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
double slashes in the path makes selabel_lookup_raw() return the wrong
context. (Closes: #851933)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=16508bf

I was asked by the SELinux maintainers to fix this for stretch. In the
end, it turned out to be a bug in libselinux (#863854). But the fix for
libselinux is rather invasive so will likely not make it into stretch
and it's easy to avoid triggering the bug, so I've decided to fix/work
around this in systemd.

  * selinux: Enable labeling and access checks for unprivileged users.
Revert commit that inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running
as MANAGER_USER and instead deal with the auditd issue by checking for
the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
(Closes: #863800)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=5088d0

Laurent Bigonville, one of the SELinux maintainers, asked me to pull
those fixes for stretch. He tested the patches and confirmed that they
work. The patches are from upstream.

  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
Under certain conditions this confuses Jessies's apt which then tries to
remove systemd while being the active init system, resulting in a failed
dist-upgrade. While this turned out to be a bug in apt, avoid this
situation by dropping the Conflicts. (Closes: #854041)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=a99075

This is the bug which imho is the most important one to get fixed for r0.
It was (sometimes) causing dist-upgrade failures, if prior to the upgrade
systemd-shim was installed. David Kalnischkies identified this as a bug
in apt, but since we can't retroactively fix apt in jessie, I decided to
drop this Conflicts again to avoid this situation.

  * link: Fix offload features initialization.
This fixes a regression introduced in v232 which caused TCP
segmentation offloads being disabled by default, resulting in
significant performance issues under certain conditions. (Closes: #864073)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=551b79

This seemed like a rather straightforward fix which was unfortunately
only reported the other day. Otherwise I would have pulled it earlier.
The patch is from upstream.

Full debdiff is attached as well.

Regards,
Michael

unblock systemd/232-25

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 68276b7..d3789db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+systemd (232-25) unstable; urgency=medium
+
+  * hwdb: Use path_join() to generate the hwdb_bin path.
+This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
+double slashes in the path makes selabel_lookup_raw() return the wrong
+context. (Closes: #851933)
+  * selinux: Enable labeling and access checks for unprivileged users.
+Revert commit that inadvertently broke a lot of SELinux related
+functionality for both unprivileged users and systemd instances running
+as MANAGER_USER and instead deal with the auditd issue by checking for
+the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
+(Closes: #863800)
+  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
+Under certain conditions this confuses Jessies's apt which then tries to
+remove systemd while being the active init system, resulting in a failed
+dist-upgrade. While this turned out to be a bug in apt, avoid this
+situation by dropping the Conflicts. (Closes: #854041)
+  * link: Fix offload features initialization.
+This fixes a regression introduced in v232 which caused TCP
+segmentation offloads being disabled by default, resulting in
+significant performance issues under certain conditions. (Closes: #864073)
+
+ -- Michael Biebl   Sun, 04 Jun 2017 22:58:32 
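
Review bot: the selinux entry says "Revert commit that inadvertently broke a lot of SELinux related functionality" without naming the reverted commit or the patch file that carries the CAP_AUDIT_WRITE check. Adding either to that entry would let a reader map it to the code change, the way the hwdb entry does by naming path_join() and selabel_lookup_raw().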

Bug#863519: unblock blockdiag/1.5.3+dfsg-2

2017-06-04 Thread Kouhei Maeda
retitle 863519: unblock blockdiag/1.5.3+dfsg-5

Hi, Niels

2017-06-04 0:30 GMT+09:00 Niels Thykier :
> I am not confident that the "install -d" variant used in the -4 upload
> is entirely safe from this symlink attack.  Furthermore, it still causes
> issues by:
>
>  * It would (still?) cause issues if multiple versions of blockdiag are
>    built on the same machine concurrently.
>  * It assumes /tmp rather than using $(TMPDIR) if set (minor issue)
>
> A quick fix to both of these would be to place the temporary directory
> in the "debian" directory (instead of /tmp/).  That
> would solve all of my concerns with the temporary directory used by the
> build.

I changed to use PYBUILD {build_dir} instead of
/tmp/ in the "-5" upload.

Attached is the source debdiff.

Regards,

diff -Nru blockdiag-1.5.3+dfsg/debian/changelog
blockdiag-1.5.3+dfsg/debian/changelog
--- blockdiag-1.5.3+dfsg/debian/changelog2017-05-31 07:19:40.0 +0900
+++ blockdiag-1.5.3+dfsg/debian/changelog2017-06-04 12:08:49.0 +0900
@@ -1,3 +1,21 @@
+blockdiag (1.5.3+dfsg-5) unstable; urgency=medium
+
+  * debian/rules
+- Fixes to use PYBUILD {build_dir} instead of hardcoded temporary directory
+  on PYBUILD_BEFORE_TEST.
+- Updates PYBUILD_AFTER_TEST.
+- Removes overrider_dh_python2 target.
+- Removes copying test image files to testimages directory
+  on overrider_dh_python3.
+  * debian/patches
+- Deletes fixes-ghostscript_not_found_test.patch
+- Updates Fixed-remote-image-resouces.patch.
+  * Removes unnecessary files.
+- debian/python-blockdiag.links
+- debian/python3-blockdiag.links
+
+ -- Kouhei Maeda   Sun, 04 Jun 2017 12:08:49 +0900
+
 blockdiag (1.5.3+dfsg-4) unstable; urgency=medium

   * debian/rules
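
Review bot: the first debian/rules item says the hardcoded temporary directory was replaced but not why; the reason given in review (a predictable directory under /tmp, open to a symlink attack and to clashes between concurrent builds) belongs in that item so the security motivation survives in the changelog. The target names "overrider_dh_python2" and "overrider_dh_python3" also look like misspellings of the override_ targets and are worth checking against debian/rules.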
diff -Nru blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch
blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch
--- blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch
   2017-05-31 07:19:40.0 +0900
+++ blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch
   2017-06-04 11:19:43.0 +0900
@@ -4,25 +4,25 @@

 Index: 
blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag
 ===
 
blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/background_url_image.diag
   2017-06-04 11:06:19.475245999 +0900
-+++ blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag
   2017-06-04 11:06:50.142572000 +0900
+--- 
blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/background_url_image.diag
   2017-06-04 11:17:13.518449125 +0900
 blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag
   2017-06-04 11:19:16.593641793 +0900
 @@ -1,7 +1,8 @@
  {
 -  A [background = "http://python.org/images/python-logo.gif;];
 -  B [background = "http://blockdiag.com/favicon.ico;];
 -  C [background =
"http://upload.wikimedia.org/wikipedia/commons/9/9b/Scalable_Vector_Graphics_Circle2.svg;];
 -  D [background = "http://people.sc.fsu.edu/~jburkardt/data/eps/circle.eps;];
-+  A [background = "/usr/lib/python3.5/idlelib/Icons/python.gif"];
++  A [background = "blockdiag/tests/diagrams/white.gif"];
 +  B [background = "/usr/lib/python3.5/idlelib/Icons/idle.ico"];
-+  C [background = "/usr/lib/python3.5/idlelib/Icons/idle_16.png"];
++  C [background =
"blockdiag/tests/diagrams/debian-logo-256color-palettealpha.png"];
 +  D [background = "circle.eps"];
 +  E [background = "circle.svg"];
Z;
  }
 Index: blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag
 ===
 blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/node_icon.diag
   2017-06-04 11:06:19.475245999 +0900
-+++ blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag
  2017-06-04 11:06:19.471244000 +0900
+--- blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/node_icon.diag
   2017-06-04 11:17:13.518449125 +0900
 blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag
  2017-06-04 11:17:13.514449125 +0900
 @@ -2,5 +2,5 @@
A -> B;
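
Review bot: node B still points at "/usr/lib/python3.5/idlelib/Icons/idle.ico" while A and C move to files under blockdiag/tests/diagrams/. That absolute path ties the test to one Python minor version and to idle being installed on the build machine; an in-tree icon, as now used for A and C, would remove the dependency.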

diff -Nru blockdiag-1.5.3+dfsg/debian/python-blockdiag.links
blockdiag-1.5.3+dfsg/debian/python-blockdiag.links
--- blockdiag-1.5.3+dfsg/debian/python-blockdiag.links2014-09-01
07:58:18.0 +0900
+++ blockdiag-1.5.3+dfsg/debian/python-blockdiag.links1970-01-01
09:00:00.0 +0900
@@ -1,2 +0,0 @@
-usr/share/doc/python-blockdiag/testimages/debian-logo-256color-palettealpha.png
usr/lib/python2.7/dist-packages/blockdiag/tests/diagrams/debian-logo-256color-palettealpha.png
-usr/share/doc/python-blockdiag/testimages/white.gif
usr/lib/python2.7/dist-packages/blockdiag/tests/diagrams/white.gif
diff -Nru blockdiag-1.5.3+dfsg/debian/python3-blockdiag.links
blockdiag-1.5.3+dfsg/debian/python3-blockdiag.links
--- 
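
An added example (not from the blockdiag packaging or from anyone in the thread) of the temporary-directory concerns quoted in the blockdiag message above: a fixed name under a world-writable directory, compared with a mktemp-created directory and with a scratch directory kept inside the source tree. The function names, the "pkgbuild" prefix, the "pkg-test" name and the debian/.scratch location are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; not part of the blockdiag packaging. Function names, the
# "pkgbuild" prefix and the debian/.scratch location are hypothetical.

# Weak pattern: a fixed name under a world-writable directory.
# `install -d` and `mkdir -p` both succeed when the path already exists,
# including as a symlink to a directory created by another local user, so
# the build would write wherever that link points. Two concurrent builds
# would also share the same directory.
# Returns 0 (true) when the fixed path is already occupied.
fixed_path_is_occupied() {
    # -L is true even for a dangling symlink, which -e alone would miss.
    [ -L "$1" ] || [ -e "$1" ]
}

# Hardened pattern 1: mktemp picks an unpredictable name and creates the
# directory atomically with mode 0700. The base is the first argument if
# given, otherwise $TMPDIR, otherwise /tmp. Prints the new directory.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    mktemp -d "$base/pkgbuild.XXXXXXXXXX"
}

# Hardened pattern 2: keep scratch files inside the source tree (here under
# debian/), which only the building user can write to. Refuses a symlink at
# the scratch path and always starts from an empty directory.
# $1 is the top of the source tree. Prints the scratch directory.
make_tree_local_dir() {
    [ -n "$1" ] || return 1
    scratch="$1/debian/.scratch"
    if [ -L "$scratch" ]; then
        echo "refusing to use symlink: $scratch" >&2
        return 1
    fi
    rm -rf "$scratch" && mkdir -p "$scratch" && chmod 700 "$scratch" &&
        printf '%s\n' "$scratch"
}

# Demonstration in a throwaway sandbox that stands in for /tmp (constructed
# input: a symlink placed at the fixed name before the "build" starts).
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere" "$sandbox/pkg-test"
    if fixed_path_is_occupied "$sandbox/pkg-test"; then
        echo "fixed path is already occupied; install -d would reuse it"
    fi
    echo "private dir: $(make_private_tmpdir "$sandbox")"
    mkdir -p "$sandbox/src"
    echo "tree-local dir: $(make_tree_local_dir "$sandbox/src")"
    rm -rf "$sandbox"
}

demo
```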

Bug#864083: marked as done (unblock: libgcrypt20/1.7.6-2)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 04 Jun 2017 21:29:00 +
with message-id <4d0a6a78-53d6-1b69-ffd0-e749a42f4...@thykier.net>
and subject line Re: Bug#864083: unblock: libgcrypt20/1.7.6-2
has caused the Debian Bug report #864083,
regarding unblock: libgcrypt20/1.7.6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864083: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864083
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgcrypt20, the upload features the following
changes:
* Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped.
* Pull two fixes from gcrypt 1.7.7 bugfix release:
  + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
Fix possible timing attack on EdDSA session key.
  + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
Fix long standing bug in secure memory implementation which could lead
to a segv on free.

unblock libgcrypt20/1.7.6-2

Thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libgcrypt20-1.7.6/debian/changelog libgcrypt20-1.7.6/debian/changelog
--- libgcrypt20-1.7.6/debian/changelog	2017-01-26 11:58:32.0 +0100
+++ libgcrypt20-1.7.6/debian/changelog	2017-06-03 10:58:36.0 +0200
@@ -1,3 +1,15 @@
+libgcrypt20 (1.7.6-2) unstable; urgency=high
+
+  * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped.
+  * Pull two fixes from gcrypt 1.7.7 bugfix release:
++ 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
+  Fix possible timing attack on EdDSA session key.
++ 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
+  Fix long standing bug in secure memory implementation which could lead
+  to a segv on free.
+
+ -- Andreas Metzler   Sat, 03 Jun 2017 10:58:36 +0200
+
 libgcrypt20 (1.7.6-1) unstable; urgency=medium
 
   * New upstream version, includes
diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
--- libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch	1970-01-01 01:00:00.0 +0100
+++ libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch	2017-06-03 10:53:37.0 +0200
@@ -0,0 +1,35 @@
+From f9494b3f258e01b6af8bd3941ce436bcc00afc56 Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck 
+Date: Thu, 19 Jan 2017 17:00:15 +0100
+Subject: [PATCH 1/2] ecc: Store EdDSA session key in secure memory.
+
+* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
+session key.
+--
+
+An attacker who learns the EdDSA session key from side-channel
+observation during the signing process, can easily revover the long-
+term secret key. Storing the session key in secure memory ensures that
+constant time point operations are used in the MPI library.
+
+Signed-off-by: Jo Van Bulck 
+---
+ cipher/ecc-eddsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
+index f91f8489..813e030d 100644
+--- a/cipher/ecc-eddsa.c
 b/cipher/ecc-eddsa.c
+@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+   a = mpi_snew (0);
+   x = mpi_new (0);
+   y = mpi_new (0);
+-  r = mpi_new (0);
++  r = mpi_snew (0);
+   ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
+  skey->E.p, skey->E.a, skey->E.b);
+   b = (ctx->nbits+7)/8;
+-- 
+2.11.0
+
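
Review bot: at the changed line "r = mpi_snew (0);" the constant-time behaviour now depends on the allocation call alone, and only the commit message explains that link. A short comment above that line stating that r holds the session key and must stay in secure memory would keep a later cleanup from switching it back to mpi_new, which the neighbouring x and y still use.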
diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
--- libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch	1970-01-01 01:00:00.0 +0100
+++ libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch	2017-06-03 10:53:37.0 +0200
@@ -0,0 +1,69 @@
+From 91456759b887e153c4d4ce19538d478df260cab2 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka 
+Date: Fri, 2 Jun 2017 10:34:42 +0900
+Subject: [PATCH 2/2] secmem: Fix SEGV and stat calculation.
+
+* src/secmem (init_pool): Care about the header size.

Bug#864083: unblock: libgcrypt20/1.7.6-2

2017-06-04 Thread Cyril Brulebois
Cyril Brulebois  (2017-06-04):
> I'm missing cryptsetup test cases right now, so I can't tell in a few
> minutes. I'll try to add one and/or run this manually on monday, but
> not making any promises. At some point, late requests will need to be
> punted for r1. Especially given the current amount and the timing
> getting tighter and tighter.

I actually managed to get that on today's schedule: I had a playbook for
full images (but none for netboot-gtk yet), and after some tweaks I've
confirmed a basic encrypted LVM setup with default encryption settings
still works fine with an updated libgcrypt20-udeb.

ACK.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 06:53:29PM +0200, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-06-04):
> > So I changed it to this instead:
> > dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
> > 
> > the shlib files now look like:
> > libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> > libssl 1.1 libssl1.1 (>= 1.1.0f)
> > udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> > udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
> > 
> > Since we have symbol files, this does not affect non-udeb
> > packages.
> 
> As discussed on IRC (#debian-devel), the earlier syntax (-V with a
> version) was fine, and more accurate as it only needs to be bumped
> when symbols change. However, using -V without a specific version
> should get us updated dependencies every time; they might be stricter
> than needed, but that's better than forgetting about bumping the
> version IMHO, so fine with me.

So I've uploaded openssl 1.1.0f-2 and openssl1.0 1.0.2l-2


Kurt



Bug#864085: unblock: dnsmasq/2.76-5

2017-06-04 Thread Simon Kelley


On 04/06/17 16:36, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> On Sun, Jun 04, 2017 at 09:58:44AM +0100, ? wrote:
>> The dnsmasq package in testing has a serious problem when dns-root-data is
>> installed, due to changes in the format of the dns-root-data files.
>> The effect is to render dnsmasq unusable.
> 
> Bother.
> 
>> There are several serious bugs filed to this effect, but they should
>> really be release-critical, eg 863896
>>
>> There are also several bugs in the DNSSEC validation code, which are fixed
>> upstream, and really should be in stretch.
>>
>> Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch,
>> that would be a Good Thing. If not, it will need a point release.
> 
> The delta from testing to unstable right now is not really suitable this
> late in the process. I would prefer a targeted fix through t-p-u.

I understand.

> 
> However, I wonder if that format change in dns-root-data risks problems in
> other packages. Ondřej, is there any advantage to reverting that (keeping
> the RC fix for parse-root-anchors.sh)?
> 

The patch to fix this in dnsmasq is at :

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=44eb875a5ab2e3b862a6b2bc9fbbb919475d2107

(that regexp handles both old and new formats.)

Cheers,

Simon.



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-04):
> So I changed it to this instead:
>   dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
> 
> the shlib files now look like:
> libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> libssl 1.1 libssl1.1 (>= 1.1.0f)
> udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
> 
> Since we have symbol files, this does not affect non-udeb
> packages.

As discussed on IRC (#debian-devel), the earlier syntax (-V with a
version) was fine, and more accurate as it only needs to be bumped
when symbols change. However, using -V without a specific version
should get us updated dependencies every time; they might be stricter
than needed, but that's better than forgetting about bumping the
version IMHO, so fine with me.

Thanks.


KiBi.




Bug#864083: unblock: libgcrypt20/1.7.6-2

2017-06-04 Thread Cyril Brulebois
Hi,

Niels Thykier  (2017-06-04):
> Ack from here, CC'ing KiBi for a d-i ack - assuming there is still
> time.  Worst case, we will have to defer it to 9.1.

I'm missing cryptsetup test cases right now, so I can't tell in a few
minutes. I'll try to add one and/or run this manually on monday, but
not making any promises. At some point, late requests will need to be
punted for r1. Especially given the current amount and the timing
getting tighter and tighter.


KiBi.




Bug#864076: marked as done (unblock: distro-info-data/0.36)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 04 Jun 2017 16:45:06 +
with message-id 
and subject line unblock distro-info-data
has caused the Debian Bug report #864076,
regarding unblock: distro-info-data/0.36
to be marked as done.


-- 
864076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864076
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

This is a pre-upload unblock request for distro-info-data, now that the
Jessie release date has been announced.

While I was here, I realised that we didn't have EOL dates for Jessie or
Wheezy yet :( We have a long-standing bug of not including LTS dates
(#782685) so I've maintained the status-quo and did that for these two
as well. Alternatively, I could just extend the support dates out to
include LTS, but that seems like another bad idea :/

So, are you OK with this patch-set, and would you consider allowing it
in, for Stretch?

unblock distro-info-data/0.36

Thanks,

SR

diff --git a/debian.csv b/debian.csv
index c1f0962..b476031 100644
--- a/debian.csv
+++ b/debian.csv
@@ -10,10 +10,10 @@ version,codename,series,created,release,eol
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
-7,Wheezy,wheezy,2011-02-06,2013-05-04
-8,Jessie,jessie,2013-05-04,2015-04-25
-9,Stretch,stretch,2015-04-25
-10,Buster,buster,2018-07-01
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
+8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
+9,Stretch,stretch,2015-04-25,2017-06-17
+10,Buster,buster,2017-06-17
 11,Bullseye,bullseye,2020-11-05
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
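
Review bot: the Jessie row receives eol 2018-06-06 as a plain date, while the changelog calls that date provisional, and the CSV has no way to express the difference. Tools that read the eol column to decide whether a release still gets security updates will treat it as final, so the provisional status should at least be tracked for a follow-up upload once the date is confirmed.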
diff --git a/debian/changelog b/debian/changelog
index cec721c..130df23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+distro-info-data (0.36) UNRELEASED; urgency=medium
+
+  * Set EOL date for Debian Wheezy. This excludes LTS, which we haven't
+supported in distro-info yet, for Debian, but matches what we did for
+Squeeze.
+  * Set (provisional) EOL date for Debian Jessie.
+  * Set release date for Stretch (and matching creation date for Buster). It
+has been announced.
+
+ -- Stefano Rivera   Sat, 03 Jun 2017 18:07:40 -0700
+
 distro-info-data (0.35) unstable; urgency=medium
 
   * Correct Ubuntu Zesty release date.
--- End Message ---
--- Begin Message ---
Unblocked distro-info-data.
--- End Message ---


Bug#864027: unblock: swift/2.10.2-1

2017-06-04 Thread Ondrej Novy
Hi,

2017-06-04 16:55 GMT+02:00 Jonathan Wiltshire :

> Let's defer this, I'm not comfortable with such changes this close to
> release.
>

so let's wait for p-u and first stretch point release?

-- 
Best regards
 Ondřej Nový

Email: n...@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5  6090 3573 1255 9D1E 064B


Bug#864085: unblock: dnsmasq/2.76-5

2017-06-04 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Sun, Jun 04, 2017 at 09:58:44AM +0100, ? wrote:
> The dnsmasq package in testing has a serious problem when dns-root-data is
> installed, due to changes in the format of the dns-root-data files.
> The effect is to render dnsmasq unusable.

Bother.

> There are several serious bugs filed to this effect, but they should
> really be release-critical, eg 863896
> 
> There are also several bugs in the DNSSEC validation code, which are fixed
> upstream, and really should be in stretch.
> 
> Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch,
> that would be a Good Thing. If not, it will need a point release.

The delta from testing to unstable right now is not really suitable this
late in the process. I would prefer a targeted fix through t-p-u.

However, I wonder if that format change in dns-root-data risks problems in
other packages. Ondřej, is there any advantage to reverting that (keeping
the RC fix for parse-root-anchors.sh)?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#864085: unblock: dnsmasq/2.76-5

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #864085 [release.debian.org] unblock: dnsmasq/2.76-5
Added tag(s) moreinfo.

-- 
864085: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864092: marked as done (unblock: llvm-toolchain-3.8)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 4 Jun 2017 16:14:10 +0100
with message-id <20170604151410.jcfukosmjumvb...@powdarrmonkey.net>
and subject line Re: Bug#864092: unblock: llvm-toolchain-3.8
has caused the Debian Bug report #864092,
regarding unblock: llvm-toolchain-3.8
to be marked as done.


-- 
864092: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864092
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package llvm-toolchain-3.8, we fixed the Julia build
(bad arm64 generated code), and also fixed a sanitizer hang on newer kernels
(it is an upstream patch, it might be incomplete, we tested and it worked, but
it hung again on one buildd)


unblock llvm-toolchain-3.8/1:3.8.1-24

thanks

G.
diff -Nru llvm-toolchain-3.8-3.8.1/debian/changelog 
llvm-toolchain-3.8-3.8.1/debian/changelog
--- llvm-toolchain-3.8-3.8.1/debian/changelog   2017-04-25 19:46:34.0 
+0200
+++ llvm-toolchain-3.8-3.8.1/debian/changelog   2017-06-02 15:15:49.0 
+0200
@@ -1,3 +1,14 @@
+llvm-toolchain-3.8 (1:3.8.1-24) unstable; urgency=medium
+
+  * Team upload
+  * debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch:
+fix relocation issue, preventing Julia from working correctly on
+arm64 (Closes: #862360, #861484)
+  * debian/patches/asan-48bit-VMA-aarch64.patch:
+- fix asan testsuite hang with some arm64 builders.
+
+ -- Gianfranco Costamagna   Fri, 02 Jun 2017 
15:11:29 +0200
+
 llvm-toolchain-3.8 (1:3.8.1-23) unstable; urgency=medium
 
   * Oups, same player try again (wrong package name, sorry)
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 
llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
--- llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
1970-01-01 01:00:00.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
2017-06-02 15:12:44.0 +0200
@@ -0,0 +1,16 @@
+Description: [asan] Enable 48-bit VMA support on aarch64
+Origin: upstream, https://reviews.llvm.org/D22095?id=63084
+Bug-Debian: https://bugs.debian.org/862360
+Author: Adhemerval Zanella 
+Last-Update: 2016-07-07
+--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
 b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
+@@ -114,6 +114,8 @@
+ // will still work but will consume more memory for TwoLevelByteMap.
+ #if defined(__mips__)
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 40)
++#elif defined(__aarch64__)
++# define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 48)
+ #else
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 47)
+ #endif
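
Review bot: the Bug-Debian header of this patch points at #862360, the same bug the relocation patch cites and that the changelog closes under the Julia relocation entry, so the asan hang has no bug reference of its own. Since the request says the hang reappeared on one buildd, the header and the changelog line "fix asan testsuite hang with some arm64 builders" should point at a bug that tracks the hang and say that the fix may be partial.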
diff -Nru 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
--- 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 1970-01-01 01:00:00.0 +0100
+++ 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 2017-06-02 15:14:37.0 +0200
@@ -0,0 +1,16 @@
+Description: Fix R_AARCH64_MOVW_UABS_G3 relocation
+Origin: upstream, https://reviews.llvm.org/D27609?id=80860
+Bug-Debian: https://bugs.debian.org/862360
+Author: Yichao Yu 
+Last-Update: 2016-12-15
+--- a/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
 b/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
+@@ -357,7 +357,7 @@
+ // bits affected by the relocation on entry is garbage.
+ *TargetPtr &= 0xffe0001fU;
+ // Immediate goes in bits 20:5 of MOVZ/MOVK instruction
+-*TargetPtr |= Result >> (48 - 5);
++*TargetPtr |= (Result & 0xULL) >> (48 - 5);
+ // Shift must be "lsl #48", in bits 22:21
+ assert((*TargetPtr >> 21 & 0x3) == 3 && "invalid shift for relocation");
+ break;
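
Review bot: the changed line reads "(Result & 0xULL) >> (48 - 5)", with no hex digits after 0x, which is not a valid constant and would not compile as shown; check that the patch file in the upload carries the full mask. Going by the comment "Immediate goes in bits 20:5", the mask has to keep only bits 63:48 of Result so that nothing lands below bit 5 after the shift.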
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/series 
llvm-toolchain-3.8-3.8.1/debian/patches/series
--- llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-03-19 
22:10:46.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-06-02 
15:11:44.0 +0200
@@ -57,3 +57,5 @@
 lldb-server-path.diff
 lldb-server-link.diff
 add_symbols_versioning.patch
+fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
+asan-48bit-VMA-aarch64.patch



Bug#864152: marked as done (unblock: msgpuck/1.0.3-1.1)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 4 Jun 2017 16:11:05 +0100
with message-id <20170604151105.sygj4izgm2bxo...@powdarrmonkey.net>
and subject line Re: Bug#864152: unblock: msgpuck/1.0.3-1.1
has caused the Debian Bug report #864152,
regarding unblock: msgpuck/1.0.3-1.1
to be marked as done.


-- 
864152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864152
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package msgpuck

It fixes CVE-2016-9036 (Invalid handling of map16 format in
mp_check()), which is #849212.

unblock msgpuck/1.0.3-1.1

Full debdiff against version in testing attached.

Regards,
Salvatore
diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog
--- msgpuck-1.0.3/debian/changelog  2016-08-09 21:14:15.0 +0200
+++ msgpuck-1.0.3/debian/changelog  2017-06-04 12:49:08.0 +0200
@@ -1,3 +1,10 @@
+msgpuck (1.0.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-9036 (Closes: #849212)
+
+ -- Moritz Muehlenhoff   Sun, 04 Jun 2017 12:49:08 +0200
+
 msgpuck (1.0.3-1) unstable; urgency=medium
 
   * Fix GCC 6.0 and Doxygen warnings
diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch 
msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch
--- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch1970-01-01 
01:00:00.0 +0100
+++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch2017-06-04 
12:49:05.0 +0200
@@ -0,0 +1,186 @@
+From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001
+From: Roman Tsisyk 
+Date: Thu, 15 Dec 2016 19:28:23 +0300
+Subject: [PATCH] Fix handling of map16 format in mp_check()
+
+Fixes TALOS-2016-0254
+Fixes CVE-2016-9036
+Fixes #12
+
+[adjusted for 1.0.3]
+--- msgpuck-1.0.3.orig/msgpuck.h
 msgpuck-1.0.3/msgpuck.h
+@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char *
+   case MP_HINT_MAP_16:
+   /* MP_MAP (16) */
+   if (mp_unlikely(*data + sizeof(uint16_t) > end))
+-  return false;
++  return 1;
+   k += 2 * mp_load_u16(data);
+   break;
+   case MP_HINT_MAP_32:
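Review bot: the replacement `return 1;` in the MP_HINT_MAP_16 case spells the result as a bare literal, and nothing in the hunk states that mp_check() reports an invalid buffer with a non-zero value, which is exactly what made the old `return false;` read as success for a truncated map16 header (the new test checks `isnt(mp_check(...), 0, ...)`). Please add a short comment or a named constant for the failure value, and confirm that the MP_HINT_MAP_32 case that follows, whose body is not part of this hunk, returns the same value on a short buffer.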
+--- msgpuck-1.0.3.orig/test/msgpuck.c
 msgpuck-1.0.3/test/msgpuck.c
+@@ -771,9 +771,153 @@ test_mp_print()
+   return check_plan();
+ }
+ 
++int
++test_mp_check()
++{
++  plan(65);
++  header();
++
++#define invalid(data, fmt, ...) ({ \
++  const char *p = data; \
++  isnt(mp_check(, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \
++});
++
++  /* fixmap */
++  invalid("\x81", "invalid fixmap 1");
++  invalid("\x81\x01", "invalid fixmap 2");
++  invalid("\x8f\x01", "invalid fixmap 3");
++
++  /* fixarray */
++  invalid("\x91", "invalid fixarray 1");
++  invalid("\x92\x01", "invalid fixarray 2");
++  invalid("\x9f\x01", "invalid fixarray 3");
++
++  /* fixstr */
++  invalid("\xa1", "invalid fixstr 1");
++  invalid("\xa2\x00", "invalid fixstr 2");
++  invalid("\xbf\x00", "invalid fixstr 3");
++
++  /* bin8 */
++  invalid("\xc4", "invalid bin8 1");
++  invalid("\xc4\x01", "invalid bin8 2");
++
++  /* bin16 */
++  invalid("\xc5", "invalid bin16 1");
++  invalid("\xc5\x00\x01", "invalid bin16 2");
++
++  /* bin32 */
++  invalid("\xc6", "invalid bin32 1");
++  invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2");
++
++  /* ext8 */
++  invalid("\xc7", "invalid ext8 1");
++  invalid("\xc7\x00", "invalid ext8 2");
++  invalid("\xc7\x01\xff", "invalid ext8 3");
++  invalid("\xc7\x02\xff\x00", "invalid ext8 4");
++
++  /* ext16 */
++  invalid("\xc8", "invalid ext16 1");
++  invalid("\xc8\x00\x00", "invalid ext16 2");
++  invalid("\xc8\x00\x01\xff", "invalid ext16 3");
++  invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4");
++
++  /* ext32 */
++  invalid("\xc9", "invalid ext32 1");
++  invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2");
++  invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3");
++  invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4");
++
++  /* float32 */
++  invalid("\xca", "invalid float32 1");
++  invalid("\xca\x00\x00\x00", "invalid float32 2");
++
++  /* float64 */
++  invalid("\xcb", "invalid float64 1");
++  invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid 

Bug#864091: marked as done (unblock: ettercap/1:0.8.2-5)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 4 Jun 2017 16:03:12 +0100
with message-id <20170604150312.uuc3cslqtmvqp...@powdarrmonkey.net>
and subject line Re: Bug#864091: unblock: ettercap (CVE)
has caused the Debian Bug report #864091,
regarding unblock: ettercap/1:0.8.2-5
to be marked as done.


-- 
864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package ettercap, we fixed CVE 2017-8366

unblock ettercap/1:0.8.2-5

debdiff attached
diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog
--- ettercap-0.8.2/debian/changelog 2017-03-07 21:28:07.0 +0100
+++ ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200
@@ -1,3 +1,12 @@
+ettercap (1:0.8.2-5) unstable; urgency=high
+
+  [ Alexander Koeppe ]
+  * debian/patches/803.patch: Fix buffer overflow/underflow
+with bad filters (Closes: #861604).
+CVE-2017-8366
+
+ -- Gianfranco Costamagna   Sun, 04 Jun 2017 
09:24:59 +0200
+
 ettercap (1:0.8.2-4) unstable; urgency=high
 
   * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
diff -Nru ettercap-0.8.2/debian/patches/803.patch 
ettercap-0.8.2/debian/patches/803.patch
--- ettercap-0.8.2/debian/patches/803.patch 1970-01-01 01:00:00.0 
+0100
+++ ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 
+0200
@@ -0,0 +1,210 @@
+From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001
+From: Alexander Koeppe 
+Date: Thu, 1 Jun 2017 08:56:23 +0200
+Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ettercap-0.8.2/CMakeLists.txt
+===
+--- ettercap-0.8.2.orig/CMakeLists.txt
 ettercap-0.8.2/CMakeLists.txt
+@@ -125,7 +125,27 @@
+   # library dir path in our RPATH.
+   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+ endif(NOT DISABLE_RPATH)
++
++# set general build flags for debug build-type
+ set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra 
-Wredundant-decls" CACHE STRING "" FORCE)
++# append ASAN build flags if compiler version has support
++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (GNU compiler)")
++   else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  message("Building without ASAN support (GNU compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (Clang compiler)")
++   elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  message("Building without ASAN support (Clang compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++
++# set build flags for release build-type
+ set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE)
+ 
+ if(OS_DARWIN)
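Review bot: in the Clang branch the fallback is written as `elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)`, which repeats the condition of the `if` directly above it, so the "Building without ASAN support (Clang compiler)" message can never be reached. It should be `else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)`, matching the GNU branch.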
+Index: ettercap-0.8.2/include/ec_strings.h
+===
+--- ettercap-0.8.2.orig/include/ec_strings.h
 ettercap-0.8.2/include/ec_strings.h
+@@ -40,7 +40,7 @@
+ 
+ EC_API_EXTERN int match_pattern(const char *s, const char *pattern);
+ EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded);
+-EC_API_EXTERN int strescape(char *dst, char *src);
++EC_API_EXTERN int strescape(char *dst, char *src, size_t len);
+ EC_API_EXTERN int str_replace(char **text, const char *s, const char *d);   
+ EC_API_EXTERN size_t strlen_utf8(const char *s);
+ EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr);
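Review bot: the new `size_t len` parameter of strescape() is undocumented in the header: nothing says whether it is the length of `src` or the capacity of `dst`. Because the prototype is exported with EC_API_EXTERN, every caller has to be updated for the new signature, so please add a one-line comment stating what `len` bounds.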
+Index: ettercap-0.8.2/src/ec_strings.c
+===
+--- ettercap-0.8.2.orig/src/ec_strings.c
 ettercap-0.8.2/src/ec_strings.c
+@@ -167,13 +167,14 @@
+ /* 
+  * convert the escaped string into a binary one
+  

Bug#864084: marked as done (unblock: zabbix/1:3.0.7+dfsg-3)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 4 Jun 2017 16:01:29 +0100
with message-id <20170604150129.jxkv65qx6bmy3...@powdarrmonkey.net>
and subject line Re: Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3
has caused the Debian Bug report #864084,
regarding unblock: zabbix/1:3.0.7+dfsg-3
to be marked as done.


-- 
864084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Affects: -1 zabbix
X-Debbugs-CC: j...@debian.org
 
Please unblock zabbix/1:3.0.7+dfsg-3

I would like to accommodate two attached diffs to Stretch please.
One fixes defunctional UI (broken by incompatible libjs-jquery) and
another fixes two security vulnerabilities as per #863584.

Thanks.

-- 
All the best,
 Dmitry Smirnov.


diff --git a/debian/changelog b/debian/changelog
index d570c6d..755bc59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
+
+  * Frontend-PHP: switch to private jQuery (Closes: #857287).
+
+ -- Dmitry Smirnov   Sun, 21 May 2017 13:56:56 +1000
+
 zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium
 
   * New upstream release [December 2016].
diff --git a/debian/control b/debian/control
index d989f84..c0f275f 100644
--- a/debian/control
+++ b/debian/control
@@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d
 ## dh-linktree:
 ,libjs-prototype
 ,libjs-jquery-ui (>= 1.10.1)
-,libjs-jquery (>= 1.10.1)
+#   ,libjs-jquery (>= 1.10.1)
 ## java-gateway deps:
 ,javahelper
 Build-Depends-Indep: default-jdk
diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees
index 7308d0c..9dc6cc8 100644
--- a/debian/zabbix-frontend-php.linktrees
+++ b/debian/zabbix-frontend-php.linktrees
@@ -4,5 +4,5 @@ replace  /usr/share/javascript/prototype/prototype.js		/usr/share/zabbix/js/vend
 ## libjs-jquery-ui (1.10.1 vs 1.10.3)
 replace  /usr/share/javascript/jquery-ui/jquery-ui.js		/usr/share/zabbix/js/vendors/jquery-ui.js
 
-## libjs-jquery (1.11.3 vs 1.10.2)
-replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
+## libjs-jquery (3.1.1 vs 1.10.2)
+#replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
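Review bot: with the `replace` line for jquery.js commented out, the frontend keeps its own /usr/share/zabbix/js/vendors/jquery.js instead of the libjs-jquery file, so jQuery fixes delivered through libjs-jquery no longer reach this package. The updated comment `(3.1.1 vs 1.10.2)` only records the version numbers; please state there why the system copy cannot be used, rather than leaving a bare commented-out line, so the embedded copy stays visible to whoever tracks it.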
diff --git a/debian/changelog b/debian/changelog
index 755bc59..d1c4c64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:3.0.7+dfsg-3) unstable; urgency=high
+
+  * CVE-2017-2824, CVE-2017-2825: new upstream patches
+"ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584).
+
+ -- Dmitry Smirnov   Sun, 04 Jun 2017 17:14:06 +1000
+
 zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
 
   * Frontend-PHP: switch to private jQuery (Closes: #857287).
diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch
new file mode 100644
index 000..59bf622
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67082.patch
@@ -0,0 +1,44 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 5 Apr 2017 15:31:59 +
+Subject: [DEV-567] added validation of discovered host IP addresses
+
+--- a/src/libs/zbxcommon/misc.c
 b/src/libs/zbxcommon/misc.c
+@@ -1872,17 +1872,9 @@
+  **
+  **/
+ int	is_ip(const char *ip)
+ {
+-	zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip);
+-
+-	if (SUCCEED == is_ip4(ip))
+-		return SUCCEED;
+-#if defined(HAVE_IPV6)
+-	if (SUCCEED == is_ip6(ip))
+-		return SUCCEED;
+-#endif
+-	return FAIL;
++	return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);
+ }
+ 
+ /**
+  **
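Review bot: the new one-line body calls `is_ip6(ip)` unconditionally, while the removed lines only called it under `#if defined(HAVE_IPV6)`. Please confirm that is_ip6() is defined in builds without HAVE_IPV6 and that accepting IPv6 literals in such builds is intended; otherwise keep the guard.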
+--- a/src/libs/zbxdbhigh/proxy.c
 b/src/libs/zbxdbhigh/proxy.c
+@@ -2561,8 +2561,14 @@
+ 
+ 		if (FAIL == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip)))
+ 			goto json_parse_error;
+ 
++		if (SUCCEED != is_ip(ip))
++		{
++			zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip);
++			goto next;
++		}
++
+ 		if (SUCCEED == 
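Review bot: the rejected value is logged only at LOG_LEVEL_DEBUG before `goto next`, so unless debug logging is enabled an invalid IP in the discovery data is skipped without any trace. Since the patch subject describes this as the added validation of discovered host IP addresses, a warning-level message would let operators see what was rejected.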

Processed: retitle 864091 to unblock: ettercap/1:0.8.2-5

2017-06-04 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 864091 unblock: ettercap/1:0.8.2-5
Bug #864091 [release.debian.org] unblock: ettercap/1:0.8.2-5
Ignoring request to change the title of bug#864091 to the same title
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864027: unblock: swift/2.10.2-1

2017-06-04 Thread Jonathan Wiltshire
Control: tag -1 wontfix

Hi,

On Sat, Jun 03, 2017 at 01:43:54PM +0200, Ondřej Nový wrote:
> This is pre-approval. Please allow unblock of package swift/2.10.2-1
> 
> This is new upstream STABLE (minor version) release. This is only backports of
> fixes from master. I removed 3 patches:
> - Quarantine_malformed_database_schema_SQLite_errors.patch
> - For_any_part_only_one_replica_can_move_in_a_rebalance.patch
> - FTBFS_i386.patch
> because it's applied upstream in this release.

Let's defer this, I'm not comfortable with such changes this close to
release.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#864027: unblock: swift/2.10.2-1

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 wontfix
Bug #864027 [release.debian.org] unblock: swift/2.10.2-1 (pre-approval)
Added tag(s) wontfix.

-- 
864027: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864048: Bug#861031: mate-desktop-environment: several minor updates to various MATE 1.16 components

2017-06-04 Thread Mike Gabriel

Hi Vlad, hi Niels,

On Sun 04 Jun 2017 14:14:49 CEST, Vlad Orlov wrote:

> Hi,
>
> This is great, I see all the listed packages are now in Unstable,
> and all unblock requests are approved.

The marco/1.16.1-1 unblock approval is still missing.

> Niels even lowered the migration delay to 2-3 days for these
> packages.

Oh, did not notice that. Cool. Did not even know that this is possible.

> However, marco and mate-themes are left with 10 days... maybe contact
> Niels about these two?

Doing so, by Cc: the marco unblock request and Niels personally.

> I also added a comment on mate-themes unblock just in case, even
> though it's done already.

Saw that, thanks for seconding my decision to just dput mate-themes
3.22.11-1 without ACK from the RT. Thanks Niels, for letting it
through, once more.

> Thanks to you and Niels for handling all the updates quickly :)

Same from my side!

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Processed: Re: Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #864088 [release.debian.org] unblock (pre-approval): sqlite3/3.6.12-4
Removed tag(s) moreinfo.

-- 
864088: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4

2017-06-04 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi

On Sun, Jun 04, 2017 at 11:20:00AM +, Niels Thykier wrote:
> Control: tags -1 confirmed moreinfo
> 
> László Böszörményi (GCS):
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi Release Team,
> > 
> > I would like to upload a security related update for sqlite3. It contains:
> > - Prevent a possible NULL pointer dereference in the OP_Found opcode
> > that can follow an OOM error. Problem found by OSS-Fuzz[1],
> > - Stack overflow while parsing deeply nested JSON[2],
> > - JSON allows unescaped control characters in strings[3],
> > - JSON extension accepts invalid numeric values[4].
> > 
> > Upstream tagged these as 'code defect' and severity 'severe'. The
> > changes themselves are small and the 3.19.2-1 version in experimental
> > contains these fixes.
> > 
> > Debdiff is attached. Thanks for consideration.
> > 
> > Regards,
> > Laszlo/GCS
> > [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0
> > [2] https://www.sqlite.org/src/info/981329adeef51011052
> > [3] https://www.sqlite.org/src/info/6c9b5514077fed34551
> > [4] https://www.sqlite.org/src/info/b93be8729a895a528e2
> > 
> 
> Ack, please go ahead.  Given the deadlines for migration, ideally this
> upload is completed no later than Monday.

Removing the moreinfo tag, since uploaded and built on all release
architectures afaics.

Regards,
Salvatore



Processed: retitle 864091 to unblock: ettercap/1:0.8.2-5

2017-06-04 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 864091 unblock: ettercap/1:0.8.2-5
Bug #864091 [release.debian.org] unblock ettercap/1:0.8.2-5
Changed Bug title to 'unblock: ettercap/1:0.8.2-5' from 'unblock 
ettercap/1:0.8.2-5'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 864091 to unblock ettercap/1:0.8.2-5

2017-06-04 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 864091 unblock ettercap/1:0.8.2-5
Bug #864091 [release.debian.org] unblock: ettercap (CVE)
Changed Bug title to 'unblock ettercap/1:0.8.2-5' from 'unblock: ettercap 
(CVE)'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864152: unblock: msgpuck/1.0.3-1.1

2017-06-04 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package msgpuck

It fixes CVE-2016-9036 (Invalid handling of map16 format in
mp_check()), which is #849212.

unblock msgpuck/1.0.3-1.1

Full debdiff against version in testing attached.

Regards,
Salvatore
diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog
--- msgpuck-1.0.3/debian/changelog  2016-08-09 21:14:15.0 +0200
+++ msgpuck-1.0.3/debian/changelog  2017-06-04 12:49:08.0 +0200
@@ -1,3 +1,10 @@
+msgpuck (1.0.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-9036 (Closes: #849212)
+
+ -- Moritz Muehlenhoff   Sun, 04 Jun 2017 12:49:08 +0200
+
 msgpuck (1.0.3-1) unstable; urgency=medium
 
   * Fix GCC 6.0 and Doxygen warnings
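Review bot: the entry `* CVE-2016-9036 (Closes: #849212)` gives only the identifiers and does not say what was changed. Please name the added file and the fix, for example that debian/patches/CVE-2016-9036.patch corrects the map16 handling in mp_check(), so the changelog can be read without opening the bug.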
diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch 
msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch
--- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch1970-01-01 
01:00:00.0 +0100
+++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch2017-06-04 
12:49:05.0 +0200
@@ -0,0 +1,186 @@
+From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001
+From: Roman Tsisyk 
+Date: Thu, 15 Dec 2016 19:28:23 +0300
+Subject: [PATCH] Fix handling of map16 format in mp_check()
+
+Fixes TALOS-2016-0254
+Fixes CVE-2016-9036
+Fixes #12
+
+[adjusted for 1.0.3]
+--- msgpuck-1.0.3.orig/msgpuck.h
 msgpuck-1.0.3/msgpuck.h
+@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char *
+   case MP_HINT_MAP_16:
+   /* MP_MAP (16) */
+   if (mp_unlikely(*data + sizeof(uint16_t) > end))
+-  return false;
++  return 1;
+   k += 2 * mp_load_u16(data);
+   break;
+   case MP_HINT_MAP_32:
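Review bot: the bounds test kept as context, `*data + sizeof(uint16_t) > end`, forms a pointer that can lie more than one element past the buffer when fewer than two bytes remain, which is undefined behaviour in C. Comparing lengths instead, for example `(size_t)(end - *data) < sizeof(uint16_t)`, performs the same check without creating the out-of-range pointer.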
+--- msgpuck-1.0.3.orig/test/msgpuck.c
 msgpuck-1.0.3/test/msgpuck.c
+@@ -771,9 +771,153 @@ test_mp_print()
+   return check_plan();
+ }
+ 
++int
++test_mp_check()
++{
++  plan(65);
++  header();
++
++#define invalid(data, fmt, ...) ({ \
++  const char *p = data; \
++  isnt(mp_check(, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \
++});
++
++  /* fixmap */
++  invalid("\x81", "invalid fixmap 1");
++  invalid("\x81\x01", "invalid fixmap 2");
++  invalid("\x8f\x01", "invalid fixmap 3");
++
++  /* fixarray */
++  invalid("\x91", "invalid fixarray 1");
++  invalid("\x92\x01", "invalid fixarray 2");
++  invalid("\x9f\x01", "invalid fixarray 3");
++
++  /* fixstr */
++  invalid("\xa1", "invalid fixstr 1");
++  invalid("\xa2\x00", "invalid fixstr 2");
++  invalid("\xbf\x00", "invalid fixstr 3");
++
++  /* bin8 */
++  invalid("\xc4", "invalid bin8 1");
++  invalid("\xc4\x01", "invalid bin8 2");
++
++  /* bin16 */
++  invalid("\xc5", "invalid bin16 1");
++  invalid("\xc5\x00\x01", "invalid bin16 2");
++
++  /* bin32 */
++  invalid("\xc6", "invalid bin32 1");
++  invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2");
++
++  /* ext8 */
++  invalid("\xc7", "invalid ext8 1");
++  invalid("\xc7\x00", "invalid ext8 2");
++  invalid("\xc7\x01\xff", "invalid ext8 3");
++  invalid("\xc7\x02\xff\x00", "invalid ext8 4");
++
++  /* ext16 */
++  invalid("\xc8", "invalid ext16 1");
++  invalid("\xc8\x00\x00", "invalid ext16 2");
++  invalid("\xc8\x00\x01\xff", "invalid ext16 3");
++  invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4");
++
++  /* ext32 */
++  invalid("\xc9", "invalid ext32 1");
++  invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2");
++  invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3");
++  invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4");
++
++  /* float32 */
++  invalid("\xca", "invalid float32 1");
++  invalid("\xca\x00\x00\x00", "invalid float32 2");
++
++  /* float64 */
++  invalid("\xcb", "invalid float64 1");
++  invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid float64 2");
++
++  /* uint8 */
++  invalid("\xcc", "invalid uint8 1");
++
++  /* uint16 */
++  invalid("\xcd\x00", "invalid uint16 1");
++
++  /* uint32 */
++  invalid("\xce\x00\x00\x00", "invalid uint32 1");
++
++  /* uint64 */
++  invalid("\xcf\x00\x00\x00\x00\x00\x00\x00", "invalid uint64 1");
++
++  /* int8 */
++  invalid("\xd0", "invalid int8 1");
++
++  /* int16 */
++  invalid("\xd1\x00", "invalid int16 1");
++
++  /* int32 */
++  invalid("\xd2\x00\x00\x00", "invalid int32 1");
++
++  /* int64 */
++  invalid("\xd3\x00\x00\x00\x00\x00\x00\x00", "invalid int64 1");
++
++  /* fixext8 */
++  invalid("\xd4", "invalid fixext8 1");
++  invalid("\xd4\x05", "invalid fixext8 2");
++
++  /* fixext16 */
++  invalid("\xd5", "invalid fixext16 1");
++  
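Review bot: the `invalid` helper is defined as a GNU statement expression `({ ... })` with `## __VA_ARGS__` and a trailing `;` inside the macro body, so every `invalid(...);` call expands to two statements and the test builds only with compilers that accept those extensions. A `do { ... } while (0)` body without the trailing semicolon does the same job portably; `plan(65)` also has to be kept in step by hand with the number of `invalid` calls.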

Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 11:09:00AM +, Niels Thykier wrote:
> Kurt Roeckx:
> > [...]
> >>
> >> Maybe file this as an RC bug against openssl so that it isn't forgotten
> >> about, but ignore it for r0?
> > 
> > So I have prepared an update. Should I upload it?
> > 
> > [...]
> > 
> > 
> > Kurt
> > 
> 
> Ack from here, so if KiBi is ok with it, then please go ahead.

So I changed it to this instead:
dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines

the shlib files now look like:
libcrypto 1.1 libssl1.1 (>= 1.1.0f)
libssl 1.1 libssl1.1 (>= 1.1.0f)
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)

Since we have symbol files, this does not affect non-udeb
packages.


Kurt
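
The shlibs listings quoted in this thread can be checked mechanically. The following is an added example, not part of the original messages or of the openssl packaging: it reads a shlibs file and reports every dependency that carries no version constraint, which is the condition that produced the broken udeb. The function names (unversioned_shlibs, count_unversioned, shlibs_1_1_0f_1, shlibs_1_1_0f_2, shlibs_with_V) are hypothetical; the sample data is copied from the listings in the thread.

```shell
#!/bin/sh
# Added example: audit Debian shlibs files for unversioned dependencies.
# Line format: [type: ]library soname-version dependencies

# Print "type library soversion package" for every dependency that has
# no "(>= version)" constraint. Reads a shlibs file on stdin.
unversioned_shlibs() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        type = "deb"; i = 1
        if ($1 ~ /:$/) {                     # optional package type prefix
            type = substr($1, 1, length($1) - 1); i = 2
        }
        if (NF < i + 2) next                 # malformed: no dependency field
        lib = $i; sover = $(i + 1)
        deps = ""
        for (j = i + 2; j <= NF; j++) deps = deps " " $j
        n = split(deps, alt, /[,|]/)         # comma lists and | alternatives
        for (k = 1; k <= n; k++) {
            d = alt[k]
            gsub(/^[ \t]+|[ \t]+$/, "", d)
            if (d != "" && d !~ /\(/) print type, lib, sover, d
        }
    }'
}

# Number of unversioned dependencies in the shlibs file on stdin.
count_unversioned() {
    unversioned_shlibs | wc -l | tr -d ' '
}

# shlibs file of 1.1.0f-1, as quoted in the thread.
shlibs_1_1_0f_1() {
    cat <<'EOF'
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb
udeb: libssl 1.1 libssl1.1-udeb
EOF
}

# shlibs file after the first proposed change (versioned --add-udeb).
shlibs_1_1_0f_2() {
    cat <<'EOF'
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
EOF
}

# shlibs file after switching to dh_makeshlibs -V.
shlibs_with_V() {
    cat <<'EOF'
libcrypto 1.1 libssl1.1 (>= 1.1.0f)
libssl 1.1 libssl1.1 (>= 1.1.0f)
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
EOF
}

for state in shlibs_1_1_0f_1 shlibs_1_1_0f_2 shlibs_with_V; do
    printf '%s: %s unversioned\n' "$state" "$($state | count_unversioned)"
done
```

On a built package the same function can be fed the generated file, for example `unversioned_shlibs < debian/libssl1.1/DEBIAN/shlibs`, assuming that path exists in the build tree.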



Bug#864065: unblock: mate-themes/3.22.11-1

2017-06-04 Thread Vlad Orlov
Hi,

Thanks for unblocking. This is really a good improvement over version 3.22.6.
We (upstream devs) have been testing various themes from the package, and with
each next version they definitely get better. :)



Re: Coordinating Debian Stretch & Tails 3.0 releases?

2017-06-04 Thread intrigeri
Hi,

intrigeri:
> Tails 3.0 will be released either on June 13 or on June 17.

We've decided to release Tails 3.0 on June 13: we have to release
_something_ on that day anyway (Firefox security update), so moving
the Tails 3.0 release to June 17 would have added a substantial amount
of work on our plate, and forced our users to upgrade twice in just
a few days.

> In any case, the Debian & Tails releases will be very close to each
> other :)

Still true! I hope this will benefit both projects from
a communication/publicity point of view :)

Cheers,
-- 
intrigeri



Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4

2017-06-04 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

László Böszörményi (GCS):
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team,
> 
> I would like to upload a security related update for sqlite3. It contains:
> - Prevent a possible NULL pointer dereference in the OP_Found opcode
> that can follow an OOM error. Problem found by OSS-Fuzz[1],
> - Stack overflow while parsing deeply nested JSON[2],
> - JSON allows unescaped control characters in strings[3],
> - JSON extension accepts invalid numeric values[4].
> 
> Upstream tagged these as 'code defect' and severity 'severe'. The
> changes themselves are small and the 3.19.2-1 version in experimental
> contains these fixes.
> 
> Debdiff is attached. Thanks for consideration.
> 
> Regards,
> Laszlo/GCS
> [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0
> [2] https://www.sqlite.org/src/info/981329adeef51011052
> [3] https://www.sqlite.org/src/info/6c9b5514077fed34551
> [4] https://www.sqlite.org/src/info/b93be8729a895a528e2
> 

Ack, please go ahead.  Given the deadlines for migration, ideally this
upload is completed no later than Monday.

Thanks,
~Niels



Processed: Re: Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864088 [release.debian.org] unblock (pre-approval): sqlite3/3.6.12-4
Added tag(s) confirmed and moreinfo.

-- 
864088: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Niels Thykier
Kurt Roeckx:
> [...]
>>
>> Maybe file this as an RC bug against openssl so that it isn't forgotten
>> about, but ignore it for r0?
> 
> So I have prepared an update. Should I upload it?
> 
> [...]
> 
> 
> Kurt
> 

Ack from here, so if KiBi is ok with it, then please go ahead.

Thanks,
~Niels



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 05:29:21AM +0200, Cyril Brulebois wrote:
> Niels Thykier  (2017-06-03):
> > Kurt Roeckx:
> > > Package: release.debian.org
> > > User: release.debian@packages.debian.org
> > > Usertags: unblock
> > > Severity: normal
> > > 
> > > Hi,
> > > 
> > > I've uploaded a new upstream version of openssl that contains bug
> > > fixes. The Debian changelog says:
> > >* New upstream version
> > >  - Fix regression in req -x509 (Closes: #839575)
> > >  - Properly detect features on the AMD Ryzen processor
> > >(Closes: #861145)
> > >  - Don't mention -tls1_3 in the manpage (Closes: #859191)
> > >* Update libssl1.1.symbols for new symbols
> > >* Update man-section.patch
> > > 
> > > 
> > > Kurt
> > > 
> > 
> > Hi,
> > 
> > Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this
> > last minute change.
> 
> Erm.
> 
> The libssl1.1-udeb package is broken, as it fails to depend on an
> appropriate version of libcrypto1.1-udeb, which means I've just
> successfully built a debian-installer against testing with this
> addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb
> and gotten a broken wget:
> | wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found 
> (required by /usr/lib/libssl.so.1.1)
> 
> See the missing version here:
> | $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep 
> Depends:
> |  Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb
> 
> One could argue they're from the same source and that this isn't a
> practical problem since they're going to migrate at the same time and be
> used together in debian-installer, but further fun could come up when
> other packages start depending on particular symbols (hello wget), so I
> think it'd be nice to have this fixed.
> 
> Maybe file this as an RC bug against openssl so that it isn't forgotten
> about, but ignore it for r0?

So I have prepared an update. Should I upload it?

The source changes are:
--- openssl-1.1.0f/debian/changelog 2017-05-25 18:29:01.0 +0200
+++ openssl-1.1.0f/debian/changelog 2017-06-04 12:07:38.0 +0200
@@ -1,3 +1,10 @@
+openssl (1.1.0f-2) unstable; urgency=medium
+
+  * Make the udeb use a versioned depends (Closes: #864080)
+  * Conflict with libssl1.0-dev (Closes: #863367)
+
+ -- Kurt Roeckx   Sun, 04 Jun 2017 12:07:38 +0200
+
 openssl (1.1.0f-1) unstable; urgency=medium

   * New upstream version
diff -Nru openssl-1.1.0f/debian/control openssl-1.1.0f/debian/control
--- openssl-1.1.0f/debian/control   2017-01-26 23:19:08.0 +0100
+++ openssl-1.1.0f/debian/control   2017-06-04 12:07:33.0 +0200
@@ -72,6 +72,7 @@
 Multi-Arch: same
 Recommends: libssl-doc
 Depends: libssl1.1 (= ${binary:Version}), ${misc:Depends}
+Conflicts: libssl1.0-dev
 Description: Secure Sockets Layer toolkit - development files
  This package is part of the OpenSSL project's implementation of the SSL
  and TLS cryptographic protocols for secure communication over the
diff -Nru openssl-1.1.0f/debian/rules openssl-1.1.0f/debian/rules
--- openssl-1.1.0f/debian/rules 2017-05-25 18:17:29.0 +0200
+++ openssl-1.1.0f/debian/rules 2017-06-04 11:48:25.0 +0200
@@ -138,7 +138,7 @@

 override_dh_makeshlibs:
#dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4
-   dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb" -Xengines
+   dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb (>= 1.1.0f)" -Xengines
# XXX: This needs gets set perl:any by dh_perl which is correct, but
# that breaks debootstrap in jessie (the current stable). This hack
# could be removed once stretch is stable and contains a fixed
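Review bot: `--add-udeb="libcrypto1.1-udeb (>= 1.1.0f)"` hard-codes the upstream version in debian/rules, so the bound goes stale with the next upstream release unless someone remembers to edit it. Deriving the version at build time, or letting dh_makeshlibs generate it with -V, avoids that.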

It changes the shlibs file from:
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb
udeb: libssl 1.1 libssl1.1-udeb

to:
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)

It results in the following debdiff change on the binaries:
File lists identical (after any substitutions)

Control files of package libcrypto1.1-udeb: lines which differ (wdiff format)
-
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl-dev: lines which differ (wdiff format)
--
{+Conflicts: libssl1.0-dev+}
Depends: libssl1.1 (= [-1.1.0f-1)-] {+1.1.0f-2)+}
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl-doc: lines which differ (wdiff format)
--
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl1.1: lines which differ (wdiff format)
-
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl1.1-dbgsym: lines which differ (wdiff 

Bug#864091: unblock: ettercap (CVE)

2017-06-04 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package ettercap, we fixed CVE 2017-8366

unblock ettercap/1:0.8.2-5

debdiff attached
diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog
--- ettercap-0.8.2/debian/changelog 2017-03-07 21:28:07.0 +0100
+++ ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200
@@ -1,3 +1,12 @@
+ettercap (1:0.8.2-5) unstable; urgency=high
+
+  [ Alexander Koeppe ]
+  * debian/patches/803.patch: Fix buffer overflow/underflow
+with bad filters (Closes: #861604).
+CVE-2017-8366
+
+ -- Gianfranco Costamagna   Sun, 04 Jun 2017 
09:24:59 +0200
+
 ettercap (1:0.8.2-4) unstable; urgency=high
 
   * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
diff -Nru ettercap-0.8.2/debian/patches/803.patch 
ettercap-0.8.2/debian/patches/803.patch
--- ettercap-0.8.2/debian/patches/803.patch 1970-01-01 01:00:00.0 
+0100
+++ ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 
+0200
@@ -0,0 +1,210 @@
+From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001
+From: Alexander Koeppe 
+Date: Thu, 1 Jun 2017 08:56:23 +0200
+Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ettercap-0.8.2/CMakeLists.txt
+===
+--- ettercap-0.8.2.orig/CMakeLists.txt
 ettercap-0.8.2/CMakeLists.txt
+@@ -125,7 +125,27 @@
+   # library dir path in our RPATH.
+   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+ endif(NOT DISABLE_RPATH)
++
++# set general build flags for debug build-type
+ set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra 
-Wredundant-decls" CACHE STRING "" FORCE)
++# append ASAN build flags if compiler version has support
++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (GNU compiler)")
++   else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  message("Building without ASAN support (GNU compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (Clang compiler)")
++   elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  message("Building without ASAN support (Clang compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++
++# set build flags for release build-type
+ set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE)
+ 
+ if(OS_DARWIN)
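
Review bot: In the Clang branch the fallback is written as `elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)`, which repeats the condition of the `if` directly above it, so the "Building without ASAN support (Clang compiler)" message can never be reached. The GNU branch uses `else (...)` for the same purpose; use `else` here as well. The embedded patch header also still reads "1 insertion(+), 1 deletion(-)" while this hunk is `-125,7 +125,27`, and 803.patch keeps the "[PATCH 1/4] Add ASAN compiler flags" subject although it goes on to change ec_strings.h and ec_strings.c; a Description line naming the CVE fix would make the patch easier to audit.
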
+Index: ettercap-0.8.2/include/ec_strings.h
+===
+--- ettercap-0.8.2.orig/include/ec_strings.h
 ettercap-0.8.2/include/ec_strings.h
+@@ -40,7 +40,7 @@
+ 
+ EC_API_EXTERN int match_pattern(const char *s, const char *pattern);
+ EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded);
+-EC_API_EXTERN int strescape(char *dst, char *src);
++EC_API_EXTERN int strescape(char *dst, char *src, size_t len);
+ EC_API_EXTERN int str_replace(char **text, const char *s, const char *d);   
+ EC_API_EXTERN size_t strlen_utf8(const char *s);
+ EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr);
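
Review bot: The new `size_t len` parameter of `strescape()` is not documented at the prototype, and it is not obvious whether it is the length of `src` or the capacity of `dst`. The ec_strings.c hunk uses it to bound reads from `src`, so say that in a comment here. Since the symbol is exported with `EC_API_EXTERN`, every caller has to be updated in the same upload.
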
+Index: ettercap-0.8.2/src/ec_strings.c
+===
+--- ettercap-0.8.2.orig/src/ec_strings.c
 ettercap-0.8.2/src/ec_strings.c
+@@ -167,13 +167,14 @@
+ /* 
+  * convert the escaped string into a binary one
+  */
+-int strescape(char *dst, char *src)
++int strescape(char *dst, char *src, size_t len)
+ {
+char  *olddst = dst;
++   char  *oldsrc = src;
+int   c;
+int   val;
+ 
+-   while ((c = *src++) != '\0') {
++   while ((c = *src++) != '\0' && (size_t)(src - oldsrc) <= len) {
+   if (c == '\\') {
+  switch ((c = *src++)) {
+ case '\0':
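
Review bot: The length check in the new loop condition runs after the read: `(c = *src++) != '\0'` dereferences `src` first and only then is `(size_t)(src - oldsrc) <= len` evaluated, so the byte at `src[len]` is still read before the loop stops. Put the bound first, for example `(size_t)(src - oldsrc) < len && (c = *src++) != '\0'`. The second read in `switch ((c = *src++))` is not covered by `len` at all in the lines shown, so an input whose last counted byte is a backslash still advances past the bound; it needs its own check.
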
+@@ -218,9 +219,11 @@
+   if (c >= '0' && c <= '7')
+  val = (val << 3) | (c - '0');
+   else 
+- --src;
++ if (src > oldsrc) /* protect against buffer underflow */
++--src;
+} else 
+-  --src;
++  if (src > oldsrc) /* protect against buffer underflow */
++ --src;
+*dst++ 
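
Review bot: Both new guards hang an unbraced `if (src > oldsrc)` under an unbraced `else`, which is easy to misread or break on the next edit; brace the `else` bodies. The comment says "protect against buffer underflow" but not which input makes `src` equal to `oldsrc` at this point; a one-line note on the triggering case would help reviewers confirm the guard is sufficient.
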

Bug#864092: unblock: llvm-toolchain-3.8

2017-06-04 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package llvm-toolchain-3.8, we fixed the Julia build
(bad arm64 generated code), and also fixed a sanitizer hang on newer kernels
(it is an upstream patch, it might be incomplete, we tested and it worked, but
it hung again on one buildd)


unblock llvm-toolchain-3.8/1:3.8.1-24

thanks

G.
diff -Nru llvm-toolchain-3.8-3.8.1/debian/changelog 
llvm-toolchain-3.8-3.8.1/debian/changelog
--- llvm-toolchain-3.8-3.8.1/debian/changelog   2017-04-25 19:46:34.0 
+0200
+++ llvm-toolchain-3.8-3.8.1/debian/changelog   2017-06-02 15:15:49.0 
+0200
@@ -1,3 +1,14 @@
+llvm-toolchain-3.8 (1:3.8.1-24) unstable; urgency=medium
+
+  * Team upload
+  * debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch:
+fix relocation issue, preventing Julia from working correctly on
+arm64 (Closes: #862360, #861484)
+  * debian/patches/asan-48bit-VMA-aarch64.patch:
+- fix asan testsuite hang with some arm64 builders.
+
+ -- Gianfranco Costamagna   Fri, 02 Jun 2017 
15:11:29 +0200
+
 llvm-toolchain-3.8 (1:3.8.1-23) unstable; urgency=medium
 
   * Oups, same player try again (wrong package name, sorry)
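
Review bot: The entry for asan-48bit-VMA-aarch64.patch states "fix asan testsuite hang with some arm64 builders" without qualification, while the request above says the patch might be incomplete and that the build hung again on one buildd. Word the entry as a partial fix or mitigation so the changelog does not overstate what was verified, and reference the bug it relates to as the relocation entry does.
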
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 
llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
--- llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
1970-01-01 01:00:00.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
2017-06-02 15:12:44.0 +0200
@@ -0,0 +1,16 @@
+Description: [asan] Enable 48-bit VMA support on aarch64
+Origin: upstream, https://reviews.llvm.org/D22095?id=63084
+Bug-Debian: https://bugs.debian.org/862360
+Author: Adhemerval Zanella 
+Last-Update: 2016-07-07
+--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
 b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
+@@ -114,6 +114,8 @@
+ // will still work but will consume more memory for TwoLevelByteMap.
+ #if defined(__mips__)
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 40)
++#elif defined(__aarch64__)
++# define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 48)
+ #else
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 47)
+ #endif
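
Review bot: The new `__aarch64__` branch sets the range to `1ULL << 48` for every aarch64 build with no comment explaining the choice. The context comment just above notes that an oversized range "will still work but will consume more memory for TwoLevelByteMap", so kernels configured with a smaller VMA pay that cost. Add a short comment stating that 48 bits is the largest aarch64 VMA being covered and that the extra memory on smaller configurations is accepted.
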
diff -Nru 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
--- 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 1970-01-01 01:00:00.0 +0100
+++ 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 2017-06-02 15:14:37.0 +0200
@@ -0,0 +1,16 @@
+Description: Fix R_AARCH64_MOVW_UABS_G3 relocation
+Origin: upstream, https://reviews.llvm.org/D27609?id=80860
+Bug-Debian: https://bugs.debian.org/862360
+Author: Yichao Yu 
+Last-Update: 2016-12-15
+--- a/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
 b/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
+@@ -357,7 +357,7 @@
+ // bits affected by the relocation on entry is garbage.
+ *TargetPtr &= 0xffe0001fU;
+ // Immediate goes in bits 20:5 of MOVZ/MOVK instruction
+-*TargetPtr |= Result >> (48 - 5);
++*TargetPtr |= (Result & 0xULL) >> (48 - 5);
+ // Shift must be "lsl #48", in bits 22:21
+ assert((*TargetPtr >> 21 & 0x3) == 3 && "invalid shift for relocation");
+ break;
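
Review bot: The mask in the added line reads `(Result & 0xULL)`, which is not a valid integer literal, so as shown this patch cannot compile; the constant looks truncated. Check the patch file in the source package: with the immediate going into bits 20:5 and a shift of `(48 - 5)`, the mask has to keep exactly bits 63:48 of `Result` so that nothing lands below bit 5 of the instruction word.
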
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/series 
llvm-toolchain-3.8-3.8.1/debian/patches/series
--- llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-03-19 
22:10:46.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-06-02 
15:11:44.0 +0200
@@ -57,3 +57,5 @@
 lldb-server-path.diff
 lldb-server-link.diff
 add_symbols_versioning.patch
+fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
+asan-48bit-VMA-aarch64.patch




Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4

2017-06-04 Thread GCS
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

I would like to upload a security related update for sqlite3. It contains:
- Prevent a possible NULL pointer dereference in the OP_Found opcode
that can follow an OOM error. Problem found by OSS-Fuzz[1],
- Stack overflow while parsing deeply nested JSON[2],
- JSON allows unescaped control characters in strings[3],
- JSON extension accepts invalid numeric values[4].

Upstream tagged these as 'code defect' and severity 'severe'. The
changes themselves are small and the 3.19.2-1 version in experimental
contains these fixes.

Debdiff is attached. Thanks for consideration.

Regards,
Laszlo/GCS
[1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0
[2] https://www.sqlite.org/src/info/981329adeef51011052
[3] https://www.sqlite.org/src/info/6c9b5514077fed34551
[4] https://www.sqlite.org/src/info/b93be8729a895a528e2
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog	2017-02-13 17:31:26.0 +
+++ sqlite3-3.16.2/debian/changelog	2017-06-04 07:58:54.0 +
@@ -1,3 +1,13 @@
+sqlite3 (3.16.2-4) unstable; urgency=high
+
+  * Backport fix for a possible NULL pointer dereference in the OP_Found
+opcode that can follow an OOM error.
+  * Backport fix for stack overflow while parsing deeply nested JSON.
+  * Backport fix for JSON allows unescaped control characters in strings.
+  * Backport fix for JSON extension accepts invalid numeric values.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 04 Jun 2017 07:58:54 +
+
 sqlite3 (3.16.2-3) unstable; urgency=medium
 
   * Backport upstream fix to ensure that sqlite3_blob_reopen() correctly
diff -Nru sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch
--- sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch	2017-06-04 07:58:54.0 +
@@ -0,0 +1,24 @@
+Index: sqlite3/src/vdbe.c
+==
+--- sqlite3/src/vdbe.c
 sqlite3/src/vdbe.c
+@@ -4017,14 +4017,16 @@
+ }
+ #endif
+ pIdxKey = 
+ pFree = 0;
+   }else{
++assert( pIn3->flags & MEM_Blob );
++rc = ExpandBlob(pIn3);
++assert( rc==SQLITE_OK || rc==SQLITE_NOMEM );
++if( rc ) goto no_mem;
+ pFree = pIdxKey = sqlite3VdbeAllocUnpackedRecord(pC->pKeyInfo);
+ if( pIdxKey==0 ) goto no_mem;
+-assert( pIn3->flags & MEM_Blob );
+-(void)ExpandBlob(pIn3);
+ sqlite3VdbeRecordUnpack(pC->pKeyInfo, pIn3->n, pIn3->z, pIdxKey);
+   }
+   pIdxKey->default_rc = 0;
+   takeJump = 0;
+   if( pOp->opcode==OP_NoConflict ){
+
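
Review bot: 36-OSS-Fuzz.patch starts directly at `Index: sqlite3/src/vdbe.c` with no Description or Origin header, so nothing in the package ties it to the upstream check-in cited as [1] in the request. Add the header with that URL. On the change itself, moving `ExpandBlob(pIn3)` ahead of the allocation and testing `rc` is the right order; consider a one-line comment that `pIn3->z` must not be used when `ExpandBlob` fails, since the old code discarded the result with a `(void)` cast.
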
diff -Nru sqlite3-3.16.2/debian/patches/40-JSON-1.patch sqlite3-3.16.2/debian/patches/40-JSON-1.patch
--- sqlite3-3.16.2/debian/patches/40-JSON-1.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/40-JSON-1.patch	2017-06-04 07:58:54.0 +
@@ -0,0 +1,205 @@
+Index: sqlite3/ext/misc/json1.c
+==
+--- sqlite3/ext/misc/json1.c
 sqlite3/ext/misc/json1.c
+@@ -726,17 +726,18 @@
+   char c;
+   u32 j;
+   int iThis;
+   int x;
+   JsonNode *pNode;
+-  while( safe_isspace(pParse->zJson[i]) ){ i++; }
+-  if( (c = pParse->zJson[i])=='{' ){
++  const char *z = pParse->zJson;
++  while( safe_isspace(z[i]) ){ i++; }
++  if( (c = z[i])=='{' ){
+ /* Parse object */
+ iThis = jsonParseAddNode(pParse, JSON_OBJECT, 0, 0);
+ if( iThis<0 ) return -1;
+ for(j=i+1;;j++){
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
++  while( safe_isspace(z[j]) ){ j++; }
+   x = jsonParseValue(pParse, j);
+   if( x<0 ){
+ if( x==(-2) && pParse->nNode==(u32)iThis+1 ) return j+1;
+ return -1;
+   }
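
Review bot: This hunk is a mechanical substitution of `pParse->zJson[...]` by a local `z`, with no behavioural change visible, yet it sits in a single 205-line patch that the changelog credits with three separate JSON fixes. Mixing the refactoring with the security fixes and omitting a patch header makes the backport hard to audit; either split it per upstream check-in or add a header listing check-ins [2], [3] and [4] from the request and which part of the patch belongs to each.
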
+@@ -743,18 +744,18 @@
+   if( pParse->oom ) return -1;
+   pNode = >aNode[pParse->nNode-1];
+   if( pNode->eType!=JSON_STRING ) return -1;
+   pNode->jnFlags |= JNODE_LABEL;
+   j = x;
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
+-  if( pParse->zJson[j]!=':' ) return -1;
++  while( safe_isspace(z[j]) ){ j++; }
++  if( z[j]!=':' ) return -1;
+   j++;
+   x = jsonParseValue(pParse, j);
+   if( x<0 ) return -1;
+   j = x;
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
+-  c = pParse->zJson[j];
++  while( safe_isspace(z[j]) ){ j++; }
++  c = z[j];
+   if( c==',' ) continue;
+   if( c!='}' ) return -1;
+   break;
+ }
+ pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1;
+@@ -762,19 +763,19 @@
+   }else if( c=='[' ){
+ /* Parse array */
+ iThis = jsonParseAddNode(pParse, JSON_ARRAY, 0, 0);
+ if( iThis<0 ) return -1;
+ for(j=i+1;;j++){
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
++  while( safe_isspace(z[j]) ){ j++; }
+   x = jsonParseValue(pParse, j);
+ 

Bug#864085: unblock: dnsmasq/2.76-5

2017-06-04 Thread ?
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dnsmasq


The dnsmasq package in testing has a serious problem when dns-root-data is
installed, due to changes in the format of the dns-root-data files.
The effect is to render dnsmasq unusable.

There are several serious bugs filed to this effect, but they should
really be release-critical, eg 863896

There are also several bugs in the DNSSEC validation code, which are fixed
upstream, and really should be in stretch.

Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch,
that would be a Good Thing. If not, it will need a point release.

Apologies for the short notice.


unblock dnsmasq/2.76-5

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-78-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3

2017-06-04 Thread Dmitry Smirnov
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Affects: -1 zabbix
X-Debbugs-CC: j...@debian.org
 
Please unblock zabbix/1:3.0.7+dfsg-3

I would like to accommodate two attached diffs to Stretch please.
One fixes defunctional UI (broken by incompatible libjs-jquery) and
another fixes two security vulnerabilities as per #863584.

Thanks.

-- 
All the best,
 Dmitry Smirnov.


diff --git a/debian/changelog b/debian/changelog
index d570c6d..755bc59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
+
+  * Frontend-PHP: switch to private jQuery (Closes: #857287).
+
+ -- Dmitry Smirnov   Sun, 21 May 2017 13:56:56 +1000
+
 zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium
 
   * New upstream release [December 2016].
diff --git a/debian/control b/debian/control
index d989f84..c0f275f 100644
--- a/debian/control
+++ b/debian/control
@@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d
 ## dh-linktree:
 ,libjs-prototype
 ,libjs-jquery-ui (>= 1.10.1)
-,libjs-jquery (>= 1.10.1)
+#   ,libjs-jquery (>= 1.10.1)
 ## java-gateway deps:
 ,javahelper
 Build-Depends-Indep: default-jdk
diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees
index 7308d0c..9dc6cc8 100644
--- a/debian/zabbix-frontend-php.linktrees
+++ b/debian/zabbix-frontend-php.linktrees
@@ -4,5 +4,5 @@ replace  /usr/share/javascript/prototype/prototype.js		/usr/share/zabbix/js/vend
 ## libjs-jquery-ui (1.10.1 vs 1.10.3)
 replace  /usr/share/javascript/jquery-ui/jquery-ui.js		/usr/share/zabbix/js/vendors/jquery-ui.js
 
-## libjs-jquery (1.11.3 vs 1.10.2)
-replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
+## libjs-jquery (3.1.1 vs 1.10.2)
+#replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
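
Review bot: Commenting out the `replace` line means the frontend now ships and serves its own `js/vendors/jquery.js` instead of the packaged libjs-jquery, and the updated comment records the gap as "3.1.1 vs 1.10.2". That is an embedded copy which no longer picks up fixes from the libjs-jquery package; note in the changelog or README.Debian that the private copy is deliberate and who tracks security fixes for it. Delete the dead line rather than leaving it commented, here and in debian/control.
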
diff --git a/debian/changelog b/debian/changelog
index 755bc59..d1c4c64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:3.0.7+dfsg-3) unstable; urgency=high
+
+  * CVE-2017-2824, CVE-2017-2825: new upstream patches
+"ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584).
+
+ -- Dmitry Smirnov   Sun, 04 Jun 2017 17:14:06 +1000
+
 zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
 
   * Frontend-PHP: switch to private jQuery (Closes: #857287).
diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch
new file mode 100644
index 000..59bf622
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67082.patch
@@ -0,0 +1,44 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 5 Apr 2017 15:31:59 +
+Subject: [DEV-567] added validation of discovered host IP addresses
+
+--- a/src/libs/zbxcommon/misc.c
 b/src/libs/zbxcommon/misc.c
+@@ -1872,17 +1872,9 @@
+  **
+  **/
+ int	is_ip(const char *ip)
+ {
+-	zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip);
+-
+-	if (SUCCEED == is_ip4(ip))
+-		return SUCCEED;
+-#if defined(HAVE_IPV6)
+-	if (SUCCEED == is_ip6(ip))
+-		return SUCCEED;
+-#endif
+-	return FAIL;
++	return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);
+ }
+ 
+ /**
+  **
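
Review bot: The rewritten `is_ip()` calls `is_ip6(ip)` unconditionally and drops the `#if defined(HAVE_IPV6)` guard the old body had, while the common.h context in ZBX-12075_r67270.patch still shows the `is_ip6` prototype inside `#ifdef HAVE_IPV6`. On its own this patch therefore depends on r67270 for builds without IPv6; make sure both are listed together and in this order in debian/patches/series, or fold them into one patch.
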
+--- a/src/libs/zbxdbhigh/proxy.c
 b/src/libs/zbxdbhigh/proxy.c
+@@ -2561,8 +2561,14 @@
+ 
+ 		if (FAIL == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip)))
+ 			goto json_parse_error;
+ 
++		if (SUCCEED != is_ip(ip))
++		{
++			zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip);
++			goto next;
++		}
++
+ 		if (SUCCEED == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp)))
+ 			port = atoi(tmp);
+ 
+ 		zbx_json_value_by_name(_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_));
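
Review bot: The rejected value is reported only through `zabbix_log(LOG_LEVEL_DEBUG, ...)` before `goto next`, so at the default log level an invalid address in discovery data is dropped silently. Since this validation is what the changelog credits for CVE-2017-2824 and CVE-2017-2825, log the rejection at warning level so operators can see that malformed data was received.
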
diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch
new file mode 100644
index 000..10a403c
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67270.patch
@@ -0,0 +1,93 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 12 Apr 2017 06:17:40 +
+Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time
+
+--- a/include/common.h
 b/include/common.h
+@@ -981,8 +981,9 @@
+ #ifdef HAVE_IPV6
+ int	is_ip6(const char *ip);
+ #endif
+ int	is_ip4(const char 

Bug#864083: unblock: libgcrypt20/1.7.6-2

2017-06-04 Thread Niels Thykier
Control: tags -1 confirmed d-i

Andreas Metzler:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libgcrypt20, the upload features the following
> changes:
> * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped.
> * Pull two fixes from gcrypt 1.7.7 bugfix release:
>   + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
> Fix possible timing attack on EdDSA session key.
>   + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
> Fix long standing bug in secure memory implementation which could lead
> to a segv on free.
> 
> unblock libgcrypt20/1.7.6-2
> 
> Thanks, cu Andreas
> 

Ack from here, CC'ing KiBi for a d-i ack - assuming there is still time.
 Worst case, we will have to defer it to 9.1.

Thanks,
~Niels



Processed: Re: Bug#864083: unblock: libgcrypt20/1.7.6-2

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed d-i
Bug #864083 [release.debian.org] unblock: libgcrypt20/1.7.6-2
Added tag(s) confirmed and d-i.

-- 
864083: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864083
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864083: unblock: libgcrypt20/1.7.6-2

2017-06-04 Thread Andreas Metzler
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgcrypt20, the upload features the following
changes:
* Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped.
* Pull two fixes from gcrypt 1.7.7 bugfix release:
  + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
Fix possible timing attack on EdDSA session key.
  + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
Fix long standing bug in secure memory implementation which could lead
to a segv on free.

unblock libgcrypt20/1.7.6-2

Thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libgcrypt20-1.7.6/debian/changelog libgcrypt20-1.7.6/debian/changelog
--- libgcrypt20-1.7.6/debian/changelog	2017-01-26 11:58:32.0 +0100
+++ libgcrypt20-1.7.6/debian/changelog	2017-06-03 10:58:36.0 +0200
@@ -1,3 +1,15 @@
+libgcrypt20 (1.7.6-2) unstable; urgency=high
+
+  * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped.
+  * Pull two fixes from gcrypt 1.7.7 bugfix release:
++ 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
+  Fix possible timing attack on EdDSA session key.
++ 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
+  Fix long standing bug in secure memory implementation which could lead
+  to a segv on free.
+
+ -- Andreas Metzler   Sat, 03 Jun 2017 10:58:36 +0200
+
 libgcrypt20 (1.7.6-1) unstable; urgency=medium
 
   * New upstream version, includes
diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch
--- libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch	1970-01-01 01:00:00.0 +0100
+++ libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch	2017-06-03 10:53:37.0 +0200
@@ -0,0 +1,35 @@
+From f9494b3f258e01b6af8bd3941ce436bcc00afc56 Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck 
+Date: Thu, 19 Jan 2017 17:00:15 +0100
+Subject: [PATCH 1/2] ecc: Store EdDSA session key in secure memory.
+
+* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
+session key.
+--
+
+An attacker who learns the EdDSA session key from side-channel
+observation during the signing process, can easily revover the long-
+term secret key. Storing the session key in secure memory ensures that
+constant time point operations are used in the MPI library.
+
+Signed-off-by: Jo Van Bulck 
+---
+ cipher/ecc-eddsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
+index f91f8489..813e030d 100644
+--- a/cipher/ecc-eddsa.c
 b/cipher/ecc-eddsa.c
+@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+   a = mpi_snew (0);
+   x = mpi_new (0);
+   y = mpi_new (0);
+-  r = mpi_new (0);
++  r = mpi_snew (0);
+   ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
+  skey->E.p, skey->E.a, skey->E.b);
+   b = (ctx->nbits+7)/8;
+-- 
+2.11.0
+
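
Review bot: The one-word change from `mpi_new` to `mpi_snew` for `r` carries no comment in the source; the reason it matters (the secure-memory flag is what makes the MPI library use constant-time point operations, per the commit message) exists only in the patch header. Add a short comment at the allocation so a later cleanup does not turn it back into `mpi_new`.
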
diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch
--- libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch	1970-01-01 01:00:00.0 +0100
+++ libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch	2017-06-03 10:53:37.0 +0200
@@ -0,0 +1,69 @@
+From 91456759b887e153c4d4ce19538d478df260cab2 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka 
+Date: Fri, 2 Jun 2017 10:34:42 +0900
+Subject: [PATCH 2/2] secmem: Fix SEGV and stat calculation.
+
+* src/secmem (init_pool): Care about the header size.
+(_gcry_secmem_malloc_internal): Likewise.
+(_gcry_secmem_malloc_internal): Use mb->size for stats.
+
+--
+
+GnuPG-bug-id: 3027
+Signed-off-by: NIIBE Yutaka 
+---
+ src/secmem.c | 10 +-
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/secmem.c b/src/secmem.c
+index 46bbf82e..b2a9667d 100644
+--- a/src/secmem.c
 b/src/secmem.c
+@@ -454,7 +454,7 @@ init_pool (pooldesc_t *pool, size_t n)
+ 
+   /* Initialize first memory block.  */
+   mb = (memblock_t *) pool->mem;
+-  mb->size = pool->size;
++  mb->size = pool->size - BLOCK_HEAD_SIZE;
+   mb->flags = 0;
+ }
+ 
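
Review bot: `mb->size = pool->size - BLOCK_HEAD_SIZE;` assumes the pool is larger than one block header, and nothing in the lines shown checks that. If `pool->size` is ever smaller, the subtraction yields a bogus size (a huge one if the field is unsigned). Add an assertion or an early failure in `init_pool` for `pool->size > BLOCK_HEAD_SIZE`.
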
+@@ -610,7 +610,7 @@ _gcry_secmem_malloc_internal (size_t size, int xhint)
+   mb = mb_get_new (pool, (memblock_t *) pool->mem, size);
+   if (mb)
+ {
+-  stats_update (pool, size, 0);
++  stats_update (pool, mb->size, 0);
+   

Bug#864067: marked as done (unblock: plasma-workspace/5.8.6-2.1)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 04 Jun 2017 07:15:00 +
with message-id 
and subject line Re: Bug#864067: unblock: plasma-workspace/5.8.6-2.1
has caused the Debian Bug report #864067,
regarding unblock: plasma-workspace/5.8.6-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I want to upload a NMU of plasma-workspace to unstable fixing an issue 
where processing stopped in ksplashqml on some environments (e.g. Japanese
environment), proposed patch attached.

unblock plasma-workspace/5.8.6-2.1.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, armel, sh4, powerpc

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.utf8, LC_CTYPE=ja_JP.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru plasma-workspace-5.8.6/debian/changelog 
plasma-workspace-5.8.6/debian/changelog
--- plasma-workspace-5.8.6/debian/changelog 2017-03-16 03:45:10.0 
+0900
+++ plasma-workspace-5.8.6/debian/changelog 2017-06-02 22:17:22.0 
+0900
@@ -1,3 +1,12 @@
+plasma-workspace (4:5.8.6-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix problem where processing stopped in ksplashqml on some environments.
+(Closes: #862558)
+Add patches/replace-fds.patch.
+
+ -- Nobuhiro Iwamatsu   Fri, 02 Jun 2017 22:17:22 +0900
+
 plasma-workspace (4:5.8.6-2) unstable; urgency=medium
 
   * Release to unstable
diff -Nru plasma-workspace-5.8.6/debian/patches/replace-fds.patch 
plasma-workspace-5.8.6/debian/patches/replace-fds.patch
--- plasma-workspace-5.8.6/debian/patches/replace-fds.patch 1970-01-01 
09:00:00.0 +0900
+++ plasma-workspace-5.8.6/debian/patches/replace-fds.patch 2017-06-02 
22:17:22.0 +0900
@@ -0,0 +1,122 @@
+Description: Not close stdin,stdout,stderr, and redirects stdin,stdout,stderr 
to /dev/null
+ This fix a bug in ksplashqml. An upstream commit
+ 
https://cgit.kde.org/plasma-workspace.git/commit/?id=56d2c15b9acb9c4b57398b281685807c3191f622
+ has caused this problem.
+
+ x-session-manag,133,kdetest /usr/bin/x-session-manager
+   +-(ksplashqml,232)
+   +-ssh-agent,191 /usr/bin/im-launch x-session-manager
+   +-uim-toolbar,220
+   |   +-{llvmpipe-0},235
+   |   +-{llvmpipe-1},236
+   |   +-{llvmpipe-2},237
+   |   `-{llvmpipe-3},238
+   `-uim-xim,219
+ ksplashqml,233,kdetest Breeze --pid
+   +-mozc_server,239
+   |   +-{IPCServer},244
+   |   +-{QueueTimer},240
+   |   +-{QueueTimer},243
+   |   `-{WatchDog},242
+   +-uim-candwin-qt5,245 -v
+   |   +-{QDBusConnection},249
+   |   `-{QXcbEventReader},248
+   |-{QDBusConnection},255
+   |-{QQmlThread},254
+   |-{QXcbEventReader},234
+   |-{llvmpipe-0},250
+   |-{llvmpipe-1},251
+   |-{llvmpipe-2},252
+   `-{llvmpipe-3},253
+ 
+ # strace -f -p 133
+ strace: Process 133 attached
+ read(3, ^Cstrace: Process 133 detached
+  
+ 
+ It looks like the parent process (133), x-session-manager (startkde
+ script), is waiting for the stdout of the ksplashqml process (232),
+ but which is now defunct. Its child process(es) may be writing to the
+ same fd.
+ 
+ # ls -l /proc/133/fd/3
+ lr-x-- 1 kdetest kdetest 64 May 31 05:13 /proc/133/fd/3 -> pipe:[88694]
+ 
+ The direct child of the ksplashqml process (233), the splash screen daemon,
+ closes the file descriptor at ksplash/ksplashqml/main.cpp:97.
+ 
+ # ls -l /proc/233/fd/1
+ ls: cannot access '/proc/233/fd/1': No such file or directory
+ 
+ One of the children of the process (239), mozc_server, is holding the fd:
+ 
+ # ls -l /proc/239/fd/1
+ l-wx-- 1 kdetest kdetest 64 May 31 05:14 /proc/239/fd/1 -> pipe:[88694]
+ 
+ So the startkde process has finished reading the pid number string from
+ the now-defunct process, but is still waiting for another write(s) until
+ the (shared) fd has been closed.
+ 
+ This mozc_server process has been started during uim-qt5
+ (a QPlatformInputContext) startup in the SplashApp
+ initialization phase at ksplash/ksplashqml/main.cpp:92.
+ 
+ Due to the upstream commit the splash screen daemon does not close file
+ descriptors before the SplashApp initialization, thus its subprocess
+ shares the fds.
+ 
+ The commit log states Wayland 

Bug#864067: unblock: plasma-workspace/5.8.6-2.1

2017-06-04 Thread Nobuhiro Iwamatsu
Hi,

2017-06-04 15:00 GMT+09:00 Niels Thykier :
> Control: tags -1 confirmed moreinfo
>
> Nobuhiro Iwamatsu:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Hi,
>>
>> I want to upload a NMU of plasma-workspace to unstable fixing an issue
>> where processing stopped in ksplashqml on some environments (e.g. Japanese
>> environment), proposed patch attached.
>>
>> unblock plasma-workspace/5.8.6-2.1.
>>
>> [...]
>>
>
> Ack, please go ahead.  Please do the upload today or tomorrow (with at
> most 1-day in the delay queue, but preferably without delay) as the
> deadline for migration is Friday.

Thanks! I just uploaded.

>
> Thanks,
> ~Niels
>
>

Best regards,
  Nobuhiro


-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6



Bug#864049: marked as done (unblock: mate-desktop/1.16.2-2)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 04 Jun 2017 06:07:00 +
with message-id 
and subject line Re: Bug#864049: unblock: mate-desktop/1.16.2-2
has caused the Debian Bug report #864049,
regarding unblock: mate-desktop/1.16.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864049: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864049
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please consider unblocking a minor follow-up fix for package mate-desktop

The DH call until mate-desktop 1.16.2-1 has been missing the "--with gir"
option. The proposed next upload of mate-desktop will fix that. A
.debdiff has been attached.

unblock mate-desktop/1.16.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mate-desktop-1.16.2/debian/changelog 
mate-desktop-1.16.2/debian/changelog
--- mate-desktop-1.16.2/debian/changelog2017-04-28 22:28:53.0 
+0200
+++ mate-desktop-1.16.2/debian/changelog2017-06-03 16:14:34.0 
+0200
@@ -1,3 +1,11 @@
+mate-desktop (1.16.2-2) unstable; urgency=medium
+
+  * debian/rules:
++ Add --with gir to DH options. Fixes missing dependencies in
+  gir1.2-mate-desktop. (Closes: #862172).
+
+ -- Mike Gabriel   Sat, 03 Jun 2017 16:14:34 +0200
+
 mate-desktop (1.16.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru mate-desktop-1.16.2/debian/rules mate-desktop-1.16.2/debian/rules
--- mate-desktop-1.16.2/debian/rules2016-09-30 09:46:02.0 +0200
+++ mate-desktop-1.16.2/debian/rules2017-06-03 16:12:32.0 +0200
@@ -7,7 +7,7 @@
 include /usr/share/dpkg/buildflags.mk
 
 %:
-   dh $@ $(DHFLAGS) --with python2
+   dh $@ $(DHFLAGS) --with gir,python2
 
 override_dh_install:
rm -f debian/tmp/usr/lib/*/*.la
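
Review bot: In the "%:" rule, "--with gir,python2" enables the gir addon, but this debdiff touches only debian/changelog and debian/rules, so nothing here shows that the source package build-depends on the package providing that addon, or that the Depends field of gir1.2-mate-desktop references the substitution variable the addon fills in. Worth confirming both in debian/control before upload; if either is absent, the build fails or the dependency list stays incomplete despite this change.
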
--- End Message ---
--- Begin Message ---
Mike Gabriel:
> [...]
> 
> Ah... not uploaded by me so far. Right. Dang. Just did so. Should appear
> in unstable soon.
> 
> Mike

Unblocked, thanks,

~Niels
--- End Message ---


Bug#864068: marked as done (unblock: debian-edu-doc/1.921~20170603)

2017-06-04 Thread Debian Bug Tracking System
Your message dated Sun, 04 Jun 2017 06:02:00 +
with message-id <44228efe-0025-21fa-6bce-23a464213...@thykier.net>
and subject line Re: Bug#864068: unblock: debian-edu-doc/1.921~20170603
has caused the Debian Bug report #864068,
regarding unblock: debian-edu-doc/1.921~20170603
to be marked as done.


-- 
864068: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864068
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-edu-doc, it just contains documentation and
translation updates (matching the change in debian-edu-install/1.916, among 
others).

$ debdiff debian-edu-doc_1.920~20170528.dsc debian-edu-doc_1.921~20170603.dsc|diffstat
 debian/changelog |   18 
 documentation/debian-edu-jessie/debian-edu-jessie-manual.nb.po   |   36 -
 documentation/debian-edu-stretch/debian-edu-stretch-manual.da.po |   58 -
 documentation/debian-edu-stretch/debian-edu-stretch-manual.de.po |   59 -
 documentation/debian-edu-stretch/debian-edu-stretch-manual.es.po |   57 -
 documentation/debian-edu-stretch/debian-edu-stretch-manual.fr.po |   77 --
 documentation/debian-edu-stretch/debian-edu-stretch-manual.it.po |  116 +--
 documentation/debian-edu-stretch/debian-edu-stretch-manual.ja.po |   70 +-
 documentation/debian-edu-stretch/debian-edu-stretch-manual.nb.po |  305 --
 documentation/debian-edu-stretch/debian-edu-stretch-manual.nl.po |  106 +--
 documentation/debian-edu-stretch/debian-edu-stretch-manual.pl.po |   26 
 documentation/debian-edu-stretch/debian-edu-stretch-manual.pot   |   26 
 documentation/debian-edu-stretch/debian-edu-stretch-manual.xml   |   12 
 documentation/debian-edu-stretch/debian-edu-stretch-manual.zh.po |   38 -
 documentation/rosegarden/rosegarden-manual.nb.po |   60 -
 15 files changed, 459 insertions(+), 605 deletions(-)

I've also attached this diff.

unblock debian-edu-doc/1.921~20170603


Thanks for your work on Stretch!

-- 
cheers,
Holger


debian-edu-doc_1.921~20170603.diff.gz
Description: application/gzip

--- End Message ---
--- Begin Message ---
Holger Levsen:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package debian-edu-doc, it just contains documentation and
> translation updates (matching the change in debian-edu-install/1.916, among 
> others).
> 
> [...]
> 
> I've also attached this diff.
> 
> unblock debian-edu-doc/1.921~20170603
> 
> 
> Thanks for your work on Stretch!
> 

Unblocked, thanks.

~Niels
--- End Message ---


Processed: Re: Bug#864067: unblock: plasma-workspace/5.8.6-2.1

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864067 [release.debian.org] unblock: plasma-workspace/5.8.6-2.1
Added tag(s) confirmed and moreinfo.

-- 
864067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864067: unblock: plasma-workspace/5.8.6-2.1

2017-06-04 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

Nobuhiro Iwamatsu:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> I want to upload a NMU of plasma-workspace to unstable fixing an issue 
> where processing stopped in ksplashqml on some environments(e.g. Japanese
> environment), proposed patch attached.
> 
> unblock plasma-workspace/5.8.6-2.1.
> 
> [...]
> 

Ack, please go ahead.  Please do the upload today or tomorrow (with at
most 1-day in the delay queue, but preferably without delay) as the
deadline for migration is Friday.

Thanks,
~Niels



Processed: Re: Bug#864076: unblock: distro-info-data/0.36

2017-06-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864076 [release.debian.org] unblock: distro-info-data/0.36
Added tag(s) moreinfo and confirmed.

-- 
864076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864076
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864076: unblock: distro-info-data/0.36

2017-06-04 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

Stefano Rivera:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package distro-info-data
> 
> This is a pre-upload unblock request for distro-info-data, now that the
> Jessie release date has been announced.
> 
> While I was here, I realised that we didn't have EOL dates for Jessie or
> Wheezy yet :( We have a long-standing bug of not including LTS dates
> (#782685) so I've maintained the status-quo and did that for these two
> as well. Alternatively, I could just extend the support dates out to
> include LTS, but that seems like another bad idea :/
> 
> So, are you OK with this patch-set, and would you consider allowing it
> in, for Stretch?
> 
> unblock distro-info-data/0.36
> 
> Thanks,
> 
> SR
> 
> [...]
> 

Ack, please go ahead.  Please do the upload today or tomorrow as the
deadline for migration is Friday.

Thanks,
~Niels