Re: Scheduling 9.1, maybe 8.9

2017-06-27 Thread Joerg Jaspert
On 14714 March 1977, Jonathan Wiltshire wrote:

> A month or so from 9.0 bring us to about 15th July. How would any of these
> suit? Is 8.9 at the same time feasible?
> 8/9 July (probably a bit soon)
> 15/16 July

Both of them don't work for me.

> 22/23 July

That I could do.

-- 
bye, Joerg



Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Hi again,

Samuel Thibault  (2017-05-21):
> Jessie is still affected by this serious Bug#796530, Adrian Bunk
> requested it to be fixed there. In the attached changes that I have
> uploaded to tpu, I have also fixed the duplication of jquery.js, also
> a serious issue.

Wait a minute, this adds a symlink and a dependency, but doesn't remove
anything; this doesn't look like a duplication fix?


KiBi.


signature.asc
Description: Digital signature


Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-27 Thread Yao Wei
Hi,

On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> You're fixing this through jessie-pu (short for jessie-proposed-updates),
> rather than via security; so please use “jessie” as the target codename.

Sorry that the patch was meant to jessie-security target.  Attached is
the corrected one.

Yao Wei
diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog   2014-10-22 06:18:50.0 +0800
+++ lxterminal-0.2.0/debian/changelog   2017-05-09 11:37:21.0 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+(Closes: #862098)
+
+ -- Yao Wei (魏銘廷)   Tue, 09 May 2017 11:37:21 +0800
+
 lxterminal (0.2.0-1) unstable; urgency=low
 
   * Adding --disable-silent-rules to fix buildlog checker warning.
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 
lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  1970-01-01 
08:00:00.0 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  2017-05-09 
11:37:21.0 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) 
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
 b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+  * This function returns TRUE if this process should keep running and 
FALSE if it should exit. */
+ 
+ /* Formulate the path for the Unix domain socket. */
+-gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", 
gdk_get_display(), g_get_user_name());
++gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", 
g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
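
Review bot: In the replacement socket_path line, the result of gdk_display_get_default() goes unchecked into gdk_display_get_name(); it is NULL when no default display has been opened, so guard it before formatting the path. The new name also drops g_get_user_name() and relies on g_get_user_runtime_dir() being a directory only its owner can write. GLib falls back to the user cache directory when XDG_RUNTIME_DIR is unset, which is worth stating in the patch description since the CVE is about another user blocking the socket.
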
diff -Nru lxterminal-0.2.0/debian/patches/series 
lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series  2014-10-22 05:56:19.0 
+0800
+++ lxterminal-0.2.0/debian/patches/series  2017-05-09 11:37:21.0 
+0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff


signature.asc
Description: PGP signature


Bug#862457: jessie-pu: package gdm3/3.14.1-8~deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-13):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#862457: jessie-pu: package gdm3/3.14.1-8~deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862457 [release.debian.org] jessie-pu: package gdm3/3.14.1-8~deb8u1
Added tag(s) moreinfo.

-- 
862457: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#862800: jessie-pu: package etherpuppet/0.3-3~deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862800 [release.debian.org] jessie-pu: package etherpuppet/0.3-3~deb8u1
Added tag(s) moreinfo.

-- 
862800: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862800
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862800: jessie-pu: package etherpuppet/0.3-3~deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-17):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Bug#865122: stretch-pu: package pulseaudio/10.0-1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Felipe Sateler  (2017-06-27):
> On Sun, Jun 25, 2017 at 4:56 PM, Cyril Brulebois  wrote:
> > The rest looks good but I'd be happy to see an updated debdiff.
> >
> 
> Attached. Changed from the earlier diff is only the stable => stretch
> change.

Sorry for the extra round-trip, but that's usually better to catch
possible issues early, instead of going through a REJECT once the
package is in jessie-new…

(Sometimes the final source debdiff is also different from the
announced git diff-based changes…)

Feel free to upload; thanks.


KiBi.




Processed: Re: Bug#865122: stretch-pu: package pulseaudio/10.0-1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #865122 [release.debian.org] stretch-pu: package pulseaudio/10.0-1
Added tag(s) confirmed.

-- 
865122: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863342: jessie-pu: package libauthen-krb5-perl/1.9-4+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863342 [release.debian.org] jessie-pu: package libauthen-krb5-perl/1.9-4+deb8u1
Added tag(s) moreinfo.

-- 
863342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863342: jessie-pu: package libauthen-krb5-perl/1.9-4+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-25):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#863341: jessie-pu: package nadoka/0.7.6-1.1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863341 [release.debian.org] jessie-pu: package nadoka/0.7.6-1.1+deb8u1
Added tag(s) moreinfo.

-- 
863341: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863341
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863341: jessie-pu: package nadoka/0.7.6-1.1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-25):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Source format 1.0 does not apply debian/patches/

This is better than nothing, but see comments in my reply to #863352.


KiBi.




Bug#862811: jessie-pu: package libevhtp/1.2.9-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-17):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#863084: jessie-pu: package libnids/1.23-2+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863084 [release.debian.org] jessie-pu: package libnids/1.23-2+deb8u1
Added tag(s) moreinfo.

-- 
863084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863084: jessie-pu: package libnids/1.23-2+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-21):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#862811: jessie-pu: package libevhtp/1.2.9-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862811 [release.debian.org] jessie-pu: package libevhtp/1.2.9-1+deb8u1
Added tag(s) moreinfo.

-- 
862811: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862811
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863086: jessie-pu: package libwcat1/1.1-1.1~deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863086 [release.debian.org] jessie-pu: package libwcat1/1.1-1.1~deb8u1
Added tag(s) moreinfo.

-- 
863086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863086: jessie-pu: package libwcat1/1.1-1.1~deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-21):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Bug#863377: jessie-pu: package nethogs/0.8.0-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-25):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#863083: jessie-pu: package libtool/2.4.2-1.11+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863083 [release.debian.org] jessie-pu: package libtool/2.4.2-1.11+deb8u1
Added tag(s) moreinfo.

-- 
863083: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863083
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863079: jessie-pu: package mozjs24/24.2.0-2+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863079 [release.debian.org] jessie-pu: package mozjs24/24.2.0-2+deb8u1
Added tag(s) moreinfo.

-- 
863079: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863376: jessie-pu: package mylvmbackup/0.15-1.1~deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-25):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Bug#863083: jessie-pu: package libtool/2.4.2-1.11+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-21):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#863377: jessie-pu: package nethogs/0.8.0-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863377 [release.debian.org] jessie-pu: package nethogs/0.8.0-1+deb8u1
Added tag(s) moreinfo.

-- 
863377: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863377
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863376: jessie-pu: package mylvmbackup/0.15-1.1~deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863376 [release.debian.org] jessie-pu: package mylvmbackup/0.15-1.1~deb8u1
Added tag(s) moreinfo.

-- 
863376: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863376
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863079: jessie-pu: package mozjs24/24.2.0-2+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-21):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

See comments in my reply to #863352.


KiBi.




Processed: Re: Bug#863352: jessie-pu: package lasso/2.4.1-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863352 [release.debian.org] jessie-pu: package lasso/2.4.1-1+deb8u1
Added tag(s) moreinfo.

-- 
863352: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863352
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863352: jessie-pu: package lasso/2.4.1-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Adrian Bunk  (2017-05-25):
>  changelog|9 +++
>  patches/0001-perl-remove-quotes-from-PERL-V-ccflags-output.patch |   25 
> ++
>  patches/series   |1 
>  3 files changed, 35 insertions(+)

I won't repeat myself about the total lack of context in your pu
mails, but I can assure you it's still very much not welcome.

Also, is this coordinated with the maintainer at all?

Also tired of this:
| patching file debian/changelog
| patching file debian/patches/0001-perl-remove-quotes-from-PERL-V-ccflags-output.patch
| patching file debian/patches/series
| patch unexpectedly ends in middle of line
| patch:  malformed patch at line 62:  

Please send a proper debdiff, as an attachment.


KiBi.




Bug#863346: jessie-pu: package libsx/2.05-6+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Adrian Bunk  (2017-05-25):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

Feel free to articulate some sentences when requesting an update.

Also, attaching a patch means it can be applied instead of being
mangled (the debian/rules part doesn't apply).

> diff -Nru libsx-2.05/debian/changelog libsx-2.05/debian/changelog
> --- libsx-2.05/debian/changelog   2014-09-13 16:46:07.0 +0300
> +++ libsx-2.05/debian/changelog   2017-05-25 19:30:28.0 +0300
> @@ -1,3 +1,12 @@
> +libsx (2.05-6+deb8u1) jessie; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Apply changes from Alastair McKinstry to ship libsx.h, libsx.pc,
> +libsx.a and the HTML documentation in libsx-dev and the dialogs
> +to libsx0. (Closes: #856725)
> +
> + -- Adrian Bunk   Thu, 25 May 2017 19:19:58 +0300
> +
>  libsx (2.05-6) unstable; urgency=medium
>  
>* Apply patch from Alexander to fix clang compilation. Closes: #758760. 
> diff -Nru libsx-2.05/debian/libsx-dev.install 
> libsx-2.05/debian/libsx-dev.install
> --- libsx-2.05/debian/libsx-dev.install   2014-09-13 16:46:07.0 
> +0300
> +++ libsx-2.05/debian/libsx-dev.install   1970-01-01 02:00:00.0 
> +0200
> @@ -1,5 +0,0 @@
> -src/libsx.h  usr/include
> -src/libsx.a  usr/lib/*
> -docs/html/*  usr/share/doc/libsx-dev/html
> -docs/text/*  usr/share/doc/libsx-dev/text
> -debian/libsx.pc  usr/lib/*/pkgconfig

With your patch, this file gets autogenerated, so appears in the final
source package after a binary build.

> diff -Nru libsx-2.05/debian/rules libsx-2.05/debian/rules
> --- libsx-2.05/debian/rules   2014-09-13 16:46:07.0 +0300
> +++ libsx-2.05/debian/rules   2017-05-25 19:32:11.0 +0300
> @@ -6,6 +6,7 @@
>  
>  DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
>  LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH)
> +AUTOGENERATED:= libsx-dev.install
>  
>  CFLAGS = `dpkg-buildflags --get CFLAGS`
>  CFLAGS += `dpkg-buildflags --get CPPFLAGS`
> @@ -15,9 +16,13 @@
>   dh_installexamples -Xlibsx.h
>  
>  override_dh_install:
> - dh_auto_install
> + for f in ${AUTOGENERATED} ; do \
> +sed -e 's%@ARCH@%${DEB_HOST_MULTIARCH}%g' < debian/$$f.in  > 
> debian/$$f ; \
> +done
>   mkdir -p debian/libsx0/$(LIBDIR)
>   mv src/libsx.so debian/libsx0/$(LIBDIR)/libsx.so.0.0.0
>   dh_link -p libsx0 $(LIBDIR)/libsx.so.0.0.0  $(LIBDIR)/libsx.so.0
>   dh_link -p libsx-dev $(LIBDIR)/libsx.so.0.0.0 $(LIBDIR)/libsx.so
> + dh_install 
> + dh_auto_install
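
Review bot: The for loop added to override_dh_install has no `set -e` or `|| exit 1`, so once AUTOGENERATED lists more than one file a failing sed on any but the last is ignored, and the `>` redirection leaves an empty debian/$$f behind in that case. The hunks quoted here also add nothing that removes the generated file again on clean; an `rm -f` over $(AUTOGENERATED) in the clean override would keep it out of the source package.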

I don't understand what one expects dh_auto_install to do *after*
dh_install.


KiBi.




Processed: Re: Bug#863346: jessie-pu: package libsx/2.05-6+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863346 [release.debian.org] jessie-pu: package libsx/2.05-6+deb8u1
Added tag(s) moreinfo.

-- 
863346: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#865122: stretch-pu: package pulseaudio/10.0-1

2017-06-27 Thread Felipe Sateler
On Sun, Jun 25, 2017 at 4:56 PM, Cyril Brulebois  wrote:

> Hi,
>
> Felipe Sateler  (2017-06-19):
> > pulseaudio (10.0-1+deb9u1) stable; urgency=medium
> >
> >   [ Balint Reczey ]
> >   * Removing myself from Uploaders.
> >
> >   [ Scott Leggett ]
> >   * Move AGPL-3 text into copyright file (Closes: #863082)
> >
> >  -- Felipe Sateler   Sun, 18 Jun 2017 12:03:31 -0400
>
> Please use stretch if you target stretch (especially around the 17-18 of
> June, what “stable” means isn't exactly set in stone).
>

Thanks, I will do so next time.


>
> The rest looks good but I'd be happy to see an updated debdiff.
>

Attached. Changed from the earlier diff is only the stable => stretch
change.




-- 

Saludos,
Felipe Sateler
diff -Nru pulseaudio-10.0/debian/changelog pulseaudio-10.0/debian/changelog
--- pulseaudio-10.0/debian/changelog2017-01-19 20:49:55.0 -0300
+++ pulseaudio-10.0/debian/changelog2017-06-18 12:03:31.0 -0400
@@ -1,3 +1,17 @@
+pulseaudio (10.0-1+deb9u1) stretch; urgency=medium
+
+  [ Balint Reczey ]
+  * Removing myself from Uploaders.
+I made a few changes to the package when it badly needed help
+but now it is well maintained and I haven't contributed to it
+for years. Thanks to everyone in the packaging team and everyone
+who improved the package!
+
+  [ Scott Leggett ]
+  * Move AGPL-3 text into copyright file (Closes: #863082)
+
+ -- Felipe Sateler   Sun, 18 Jun 2017 12:03:31 -0400
+
 pulseaudio (10.0-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru pulseaudio-10.0/debian/control pulseaudio-10.0/debian/control
--- pulseaudio-10.0/debian/control  2017-01-19 20:49:55.0 -0300
+++ pulseaudio-10.0/debian/control  2017-06-18 12:03:31.0 -0400
@@ -3,7 +3,6 @@
 Priority: optional
 Maintainer: Pulseaudio maintenance team 

 Uploaders: Sjoerd Simons ,
-Balint Reczey ,
 Felipe Sateler 
 Build-Depends: debhelper (>= 9.20141010),
 check,
diff -Nru pulseaudio-10.0/debian/copyright pulseaudio-10.0/debian/copyright
--- pulseaudio-10.0/debian/copyright2017-01-19 20:49:55.0 -0300
+++ pulseaudio-10.0/debian/copyright2017-06-18 12:03:31.0 -0400
@@ -606,15 +606,664 @@
 Files: src/utils/qpaeq
 Copyright: 2009  Jason Newton 
 License: AGPL-3+
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU Affero General Public License as
- published by the Free Software Foundation, either version 3 of the
- License, or (at your option) any later version.
- .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU Affero General Public License for more details.
+ GNU AFFERO GENERAL PUBLIC LICENSE
+Version 3, 19 November 2007
  .
- On Debian systems, the complete text of the AGPL 3 can be found in
- /usr/share/doc/pulseaudio/AGPL
+  Copyright (C) 2007 Free Software Foundation, Inc. 
+  Everyone is permitted to copy and distribute verbatim copies
+  of this license document, but changing it is not allowed.
+ .
+ Preamble
+ .
+   The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
+ .
+   The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
+ .
+   When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
+ .
+   Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
+ .
+   A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in 
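
Review bot: The lines removed at the top of this License: AGPL-3+ paragraph carry the grant wording "either version 3 of the License, or (at your option) any later version", and the added lines shown replace it with the bare license text, so nothing in the paragraph backs the "+" in the short name any more. Keep the grant notice ahead of the full text unless it is re-added later in the hunk, and since the pointer to /usr/share/doc/pulseaudio/AGPL is dropped, confirm the package no longer installs that separate copy.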

Processed: Re: Bug#863562: jessie-pu: package libonig/5.9.5-3.2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #863562 [release.debian.org] jessie-pu: package libonig/5.9.5-3.2
Added tag(s) confirmed.

-- 
863562: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863562
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863562: jessie-pu: package libonig/5.9.5-3.2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi Jörg,

Jörg Frings-Fürst  (2017-05-28):
> I have the release 5.9.5-3.2+deb8u1 with fixes for the CVE's:
> 
>  CVE-2017-9224
>  CVE-2017-9226
>  CVE-2017-9227
>  CVE-2017-9228
>  CVE-2017-9229
> 
> ready. The debdiff is attached.

It seems there was some kind of coordination with the security team,
since I see “no-dsa” mentioned in the security tracker, but feel free
to mention this upfront in your next pu requests.

A few remarks:
 - patch -p1 was unhappy with the debian/patches/series update. :)
 - funny things, using square brackets in filenames.

I suspect it would have been nice to have separate patches for each
bug fix, in case someone needs to dig into one or another, but oh
well, having them all lumped together isn't that bad.

A few comments:
> diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
> --- libonig-5.9.5/debian/changelog2014-12-28 12:11:12.0 +0100
> +++ libonig-5.9.5/debian/changelog2017-05-28 16:59:55.0 +0200
> @@ -1,3 +1,15 @@
> +libonig (5.9.5-3.2+deb8u1) stable; urgency=medium

Please always use codenames, and target jessie instead.

> +  * New debian/patches/0500-CVE-2017-922[4-9].patch:
> +- Cherrypicked from upstream to correct:
> +  + CVE-2017-9224 (Closes: #863312)
> +  + CVE-2017-9226 (Closes: #863314)
> +  + CVE-2017-9227 (Closes: #863315)
> +  + CVE-2017-9228 (Closes: #863316)
> +  + CVE-2017-9229 (Closes: #863318)
> +
> + -- Jörg Frings-Fürst   Sun, 28 May 2017 16:59:55 
> +0200

[…]

> --- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 1970-01-01 
> 01:00:00.0 +0100
> +++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 2017-05-26 
> 07:07:41.0 +0200
> @@ -0,0 +1,121 @@
> +Correct CVE-2017-922[4-9]
> + Fix mutilple invalid pointer dereference, out-of-bounds write memory 
> + corruption and stack buffer overflow,
> +Origin: Cheerypicked from upstream
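
Review bot: The Origin field in this patch header names no upstream commit, while the one file carries the fixes for five CVEs. Give the upstream commit URL for each CVE in the header so every fix can be checked against what upstream shipped.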

(multiple & cherrypicked)

With the target distribution (and maybe typos) fixed, feel free to
upload; thanks.


KiBi.




Bug#863862: jessie-pu: package multipath-tools/0.5.0-6+deb8u2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Ritesh Raj Sarraf  (2017-06-01):
> I am filing this bug report and review request, now, just to keep it
> in the queue. I completely had forgotten to queue it for the next
> Jessie update.
> 
> Attached debdiff fixes 2 annoying issues with multipath-tools.
> 
> 1. Fixes a crash where the vendor or product id for the scsi block
> device is missing.
> 
> 2. Fixes a locking issue which got introduced because of udev's way of
> behaving.
> 
> Both fixes are in upstream's repository and also already part of
> Stretch.

It seems the BTS doesn't reflect the proper status for those bugs, then?
 - #751993 is still open, tagged moreinfo and pending; but not fixed in
   any suites?
 - #799781 is still open, tagged patch and pending; but not fixed in any
   suites.

A few versioned -done@ should do the trick to update the BTS though.

> diff -Nru multipath-tools-0.5.0/debian/changelog 
> multipath-tools-0.5.0/debian/changelog
> --- multipath-tools-0.5.0/debian/changelog2015-10-21 15:23:45.0 
> +0545
> +++ multipath-tools-0.5.0/debian/changelog2017-06-01 11:45:39.0 
> +0545
> @@ -1,3 +1,13 @@
> +multipath-tools (0.5.0-6+deb8u3) jessie; urgency=medium

Version number and target distribution are good…

> +  * Refresh patches

… but it would be great if we could avoid such noise in a stable upload.
AFAICT that serves no practical purposes, so better skip it.

> +  * Fix segfault is either of vid/pid is missing in blacklist
> +(Closes: #751993)
> +  * Add patch to fix device locking issue in between multipath and udev
> +(Closes: #799781)

The patches themselves look reasonable to me though.


To sum it up: please adjust metadata for both bug reports in the BTS,
and send a cleaner debdiff for a second look.


KiBi.




Processed: Re: Bug#863862: jessie-pu: package multipath-tools/0.5.0-6+deb8u2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863862 [release.debian.org] jessie-pu: package multipath-tools/0.5.0-6+deb8u2
Added tag(s) moreinfo.

-- 
863862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863953: jessie-pu: package xarchiver/1:0.5.4-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #863953 [release.debian.org] jessie-pu: package xarchiver/1:0.5.4-1+deb8u1
Added tag(s) confirmed.

-- 
863953: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863953
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863953: jessie-pu: package xarchiver/1:0.5.4-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Markus Koschany  (2017-06-02):
> I would like to update xarchiver in Jessie. It was discovered that
> data loss could occur when an archive name contained shell
> metacharacters. [1]
> 
> Please find attached the debdiff.
> 
> Regards,
> 
> Markus
> 
> 
> [1] https://bugs.debian.org/862593

> diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
> --- xarchiver-0.5.4/debian/changelog  2016-05-15 00:05:35.0 +0200
> +++ xarchiver-0.5.4/debian/changelog  2017-06-02 10:29:41.0 +0200
> @@ -1,3 +1,15 @@
> +xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium
> +
> +  [ Chris Lamb ]
> +  * Fix data-loss issue where adding files to a tar-based archive removed all
> +existing content when the target filename included shell metacharacters.
> +The test to see whether it already existed to determine whether to create
> +a new archive or simply add a new file incorrectly used an escaped path.
> +Thanks to Nikolaus Rath for the report and Chris Lamb for the patch.
> +(Closes: #862593)
> +
> + -- Markus Koschany   Fri, 02 Jun 2017 10:29:41 +0200

This looks good to me, feel free to upload.

Thanks.


KiBi.




Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Comments below:

Benjamin Drung  (2017-05-22):
> diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 
> salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch  2017-04-18 
> 12:18:56.0 +0200
> @@ -0,0 +1,46 @@
> +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
> +From: Tarjei Husøy 
> +Date: Wed, 19 Aug 2015 11:41:10 -0700
> +Subject: [PATCH] Git: Don't leak https user/pw to log
> +Origin: backport, 
> https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
> +
> +---
> + salt/modules/git.py| 17 ++---
> + tests/unit/modules/git_test.py | 18 ++
> + 2 files changed, 32 insertions(+), 3 deletions(-)
> +
> +--- a/salt/modules/git.py
>  b/salt/modules/git.py
> +@@ -5,6 +5,7 @@
> + 
> + # Import python libs
> + import os
> ++import re
> + import tempfile
> + try:
> + import pipes
> +@@ -75,6 +76,7 @@
> + result = __salt__['cmd.run_all'](cmd,
> +  cwd=cwd,
> +  runas=runas,
> ++ output_loglevel='quiet',
> +  env=env,
> +  **kwargs)
> + 
> +@@ -86,7 +88,15 @@
> + if retcode == 0:
> + return result['stdout']
> + else:
> +-raise exceptions.CommandExecutionError(result['stderr'])
> ++stderr = _remove_sensitive_data(result['stderr'])
> ++raise exceptions.CommandExecutionError(stderr)
> ++
> ++
> ++def _remove_sensitive_data(sensitive_output):
> ++'''
> ++Remove HTTP user and password.
> ++'''
> ++return re.sub('(https?)://.*@', r'\1://@', sensitive_output)
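
Review bot: In _remove_sensitive_data the pattern '(https?)://.*@' is greedy and not confined to the URL authority, so on any line containing a URL it deletes everything up to the last '@' on that line, host and following text included. Restricting the userinfo part so it cannot cross a '/' or whitespace, for example '(https?)://[^/\s]*@', keeps the redaction to the credentials.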

This is possibly going to remove too much stuff if one has something
like ?

Anyway, it's probably an acceptable loss compared to the various
security bug fixes, so it's probably a good idea to proceed anyway.

I'm tagging this with moreinfo for the time being, as some feedback from
your side would be welcome.


KiBi.
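
The trade-off discussed in the reply above, as an added example that is not code from salt or from this thread: the pattern from the quoted patch run beside a tighter one over constructed stderr lines. `TIGHT_RE`, the helper names and every sample line are assumptions of the example.

```python
import re

# Pattern and replacement exactly as they appear in the quoted patch.
PATCH_RE = re.compile(r'(https?)://.*@')
REPLACEMENT = r'\1://@'

# Tighter variant (an assumption of this example, not part of the patch):
# the userinfo may not contain '/' or whitespace, so a match cannot extend
# past the authority component of one URL. '@' is still allowed inside it,
# so a password with a literal '@' is removed whole.
TIGHT_RE = re.compile(r'(https?)://[^/\s]*@')


def redact_patch(text):
    """Redact credentials the way the quoted patch does."""
    return PATCH_RE.sub(REPLACEMENT, text)


def redact_tight(text):
    """Redact only the userinfo part of each http(s) URL."""
    return TIGHT_RE.sub(REPLACEMENT, text)


def leaks(text, secrets):
    """Return the secrets that are still present in text."""
    return [s for s in secrets if s in text]


# Constructed stderr lines (not taken from the thread or from salt).
SAMPLES = [
    # plain credentials in the URL
    "fatal: Authentication failed for 'https://alice:s3cret@git.example.org/repo.git/'",
    # password with a literal '@'
    "fatal: unable to access 'https://bob:p@ss@git.example.org/repo.git/'",
    # no credentials, but an '@' later on the same line
    "fatal: unable to access 'https://git.example.org/repo.git/': ask admin@example.org",
    # two URLs on one line, only the first has credentials
    "error: https://carol:hunter2@a.example.org/x.git redirects to "
    "https://b.example.org/x.git (report to ops@example.org)",
]
SECRETS = ["s3cret", "p@ss", "hunter2"]


def compare(lines=SAMPLES):
    """Return (patch_result, tight_result) for every input line."""
    return [(redact_patch(line), redact_tight(line)) for line in lines]


if __name__ == "__main__":
    for original, (patched, tight) in zip(SAMPLES, compare()):
        print("input :", original)
        print("patch :", patched)
        print("tight :", tight)
        print()
```

The patch's pattern errs on the side of removing too much (host and trailing text disappear in the last two samples), while the tighter one keeps the diagnostics but would miss a password containing an unencoded '/'.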




Processed: Re: Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863129 [release.debian.org] jessie-pu: package salt/2014.1.13+ds-3
Added tag(s) moreinfo.

-- 
863129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi Samuel,

Samuel Thibault  (2017-05-21):
> libwnckmm did not have correct versioned dependency before its version
> 0.1.1-2, leading to /usr/lib/*/libwnckmm-1.0.so potentially being a
> dangling link to an outdated .so filename.

OK for the change.

> Jessie is still affected by this serious Bug#796530, Adrian Bunk
> requested it to be fixed there. In the attached changes that I have
> uploaded to tpu, I have also fixed the duplication of jquery.js, also
> a serious issue.

OK for the change.

From a process point of view, you're supposed to be getting an ACK from
the release team before upload to one of the proposed-updates suites…

I'll look at libwnckmm in jessie-new later.


KiBi.




Processed: Re: Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #863093 [release.debian.org] jessie-pu: package libwnckmm/0.1.1-1+deb8u1
Added tag(s) confirmed.

-- 
863093: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863093
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#863049: jessie-pu: package shutter/0.92-0.1+deb8u2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863049 [release.debian.org] jessie-pu: package shutter/0.92-0.1+deb8u2
Added tag(s) moreinfo.

-- 
863049: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863049
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863049: jessie-pu: package shutter/0.92-0.1+deb8u2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

gregor herrmann  (2017-05-20):
> I've prepared an upload of shutter for stable. The new version
> includes two patches:
> - one fixing CVE-2016-10081 / #849777
> - another one which dod uploaded together with this one as 0.93.1-1.3
>   in January which is also security relevant (replaces
>   system("string") with system(@array)).

That's a long patch… Comments below (see last hunk, mainly).

> +shutter (0.92-0.1+deb8u2) UNRELEASED; urgency=medium

As usual, target jessie when uploading.

> ++system(
> ++convert =>
> ++-caption => $text,
> ++-fill => sprintf( "#%04x%04x%04x%04x",
> ++  $color->red,
> ++  $color->green,
> ++  $color->blue,
> ++  $stroke_color->get_alpha
> ++  ),
> ++$filename,
> ++-pointsize => $pointsize_sbutton->get_value,
> ++-gravity => $gravity_combo->get_active_text,
> ++qw/-bordercolor snow -background black/,
> ++-polaroid => $angle_sbutton->get_value,
> ++$tmpfilename
> ++);

Nice variations on the “how to build a list” topic, thanks for making
sure the release team folks are fluent in Perl.

> ++#execute imagemagick command
> ++system(
> ++convert =>
> ++-background => '#',

I wasn't sure that worked, but that seems to do the trick; Perl is fun.

> + sub nautilus_sendto {
> + my ( $self, $user_data ) = @_;
> +-system("nautilus-sendto $user_data &");
> ++system('nautilus-sendto', $user_data);
> + if($?){
> + my $response = $self->{_dialogs}->dlg_error_message( 
> + sprintf( $self->{_d}->get("Error while executing %s."), 
> "'nautilus-sendto'"),
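Review bot: in `nautilus_sendto`, the list form `system('nautilus-sendto', $user_data)` passes `$user_data` as a single argument and waits for the program to exit, whereas the removed string form let the shell split it and put it in the background with `&`. If `$user_data` can carry more than one file name it has to be split into a list before the call, and if blocking the caller is not wanted the call needs an explicit fork. On the positive side, `$?` now carries nautilus-sendto's own exit status, which the `if($?)` check could not see for a backgrounded command.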

Was the '&' really meant to go away?


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862997: jessie-pu: package libx11-protocol-other-perl/28-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862997 [release.debian.org] jessie-pu: package 
libx11-protocol-other-perl/28-1+deb8u1
Added tag(s) confirmed.

-- 
862997: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862997
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862997: jessie-pu: package libx11-protocol-other-perl/28-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

gregor herrmann  (2017-05-19):
> I've prepared an update for libx11-protocol-other-perl in jessie to
> fix #848060. The only change is to disable a brittle test via
> debian/rules in order to avoid test/build failures.

This looks good to me, feel free to upload (targeting jessie); thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862983: jessie-pu: package libsys-syscall-perl/0.25-2+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862983 [release.debian.org] jessie-pu: package 
libsys-syscall-perl/0.25-2+deb8u1
Added tag(s) confirmed.

-- 
862983: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862983: jessie-pu: package libsys-syscall-perl/0.25-2+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

gregor herrmann  (2017-05-19):
> I've prepared an update for libsys-syscall-perl that adds support for
> more architectures where the package is silently broken in stable
> right now. The patches are taken unchanged from testing/sid.
> Fixed bugs: #824843, #824936, #826136

This looks good to me, feel free to upload (targeting jessie).

Thanks.


KiBi.


signature.asc
Description: Digital signature


Bug#862986: jessie-pu: package libdata-faker-perl/0.10-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

gregor herrmann  (2017-05-19):
> I've prepared an update for libdata-faker-perl which makes sure that
> tests are run under the C locale in order to avoid test failures as
> in #808454.

This looks good to me, feel free to upload (targeting jessie); thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862986: jessie-pu: package libdata-faker-perl/0.10-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862986 [release.debian.org] jessie-pu: package 
libdata-faker-perl/0.10-1+deb8u1
Added tag(s) confirmed.

-- 
862986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#862976: jessie-pu: package libhttp-proxy-perl/0.301-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862976 [release.debian.org] jessie-pu: package 
libhttp-proxy-perl/0.301-1+deb8u1
Added tag(s) confirmed.

-- 
862976: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862976: jessie-pu: package libhttp-proxy-perl/0.301-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi,

gregor herrmann  (2017-05-19):
> I've prepared an update for libhttp-proxy-perl in jessie to fix
> #788350. The update adds a patch from the recent upstream release
> (which is in testing/unstable, and we've also used the patch before
> it was released). Full debdiff attached.

This looks good to me, feel free to upload (targeting jessie).


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862964: jessie-pu: package libhtml-microformats-perl/0.105-2+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862964 [release.debian.org] jessie-pu: package 
libhtml-microformats-perl/0.105-2+deb8u1
Added tag(s) confirmed.

-- 
862964: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862964
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862964: jessie-pu: package libhtml-microformats-perl/0.105-2+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

gregor herrmann  (2017-05-19):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> I've prepared an update of libhtml-microformats-perl in stable to fix
> #783656. The only change is the addition of the missing dependency.

This looks good to me, feel free to upload (targeting jessie).

Thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862961: jessie-pu: package libembperl-perl/2.5.0-4+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862961 [release.debian.org] jessie-pu: package 
libembperl-perl/2.5.0-4+deb8u1
Added tag(s) moreinfo.

-- 
862961: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862961: jessie-pu: package libembperl-perl/2.5.0-4+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

gregor herrmann  (2017-05-19):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> I've prepared an update for libembperl-perl in jessie to fix #810655
> there as well. The changes are just the targeted fix taken from -5
> without changes. Full debdiff attached.

> diff --git a/debian/changelog b/debian/changelog
> index b59bf9e..e296d69 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +libembperl-perl (2.5.0-4+deb8u1) UNRELEASED; urgency=medium
> +
> +  [ Axel Beckert ]
> +  * Drop hard a2enmod dependency on mod_perl in zembperl.load. mod_perl is
> +enabled by default anyways if installed. (Closes: #810655)
> +
> + -- gregor herrmann   Fri, 19 May 2017 13:09:03 +0200
> +

I haven't matched this to code changes at first glance. For the sake of
clarity: this relates to the Depends → Recommends update, because code
was added to “apache2_invoke enmode perl” where needed?

(The second sentence makes it look like this /was/ the case already,
while this seems to /become/ the case with this particular upload
AFAIUI.)

Confirmation (and possibly reworded changelog if you agree) welcome.


KiBi.


signature.asc
Description: Digital signature


Bug#862960: jessie-pu: package libcgi-application-plugin-anytemplate-perl/0.18-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

gregor herrmann  (2017-05-19):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> I've prepared an update for libcgi-application-plugin-anytemplate-perl
> in stable to fix #788008. Complete debdiff attached.

This looks good to me, but please remember to target jessie.

Feel free to upload, thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862960: jessie-pu: package libcgi-application-plugin-anytemplate-perl/0.18-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862960 [release.debian.org] jessie-pu: package 
libcgi-application-plugin-anytemplate-perl/0.18-1+deb8u1
Added tag(s) confirmed.

-- 
862960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862891 [release.debian.org] jessie-pu: package flightgear/3.0.0-5+deb8u2
Added tag(s) moreinfo.

-- 
862891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862891: jessie-pu: package flightgear/3.0.0-5+deb8u2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Markus Wanner  (2017-05-18):
> as per Salvatore Bonaccorso, the current security fix for flightgear
> doesn't warrant a DSA on its own (see below). Is it okay to upload to
> 'stable'?
> 
> A debdiff against the current version in stable-sec (3.0.0-5+deb8u1) is
> attached. Please note that stable itself is still at 3.0.0-5 and doesn't
> offer the first (and related) security fix.

Hi Markus,

I don't see 3.0.0-5+deb8u1 anywhere?

flightgear | 3.0.0-5   | oldstable  | source
flightgear | 3.0.0-5   | oldstable-kfreebsd | source
flightgear | 1:2016.4.4+dfsg-3 | stable | source
flightgear | 1:2016.4.4+dfsg-3 | testing| source
flightgear | 1:2016.4.4+dfsg-3 | unstable   | source
flightgear | 1:2016.4.4+dfsg-3 | unstable-debug | source

What's up with the security upload?

(Also, you should be targeting “jessie” directly instead of “stable”.)


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862523: jessie-pu: package jesred/1.2pl1-19+deb8

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862523 [release.debian.org] jessie-pu: package jesred/1.2pl1-19+deb8
Added tag(s) moreinfo.

-- 
862523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862523: jessie-pu: package jesred/1.2pl1-19+deb8

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi Alexander,

Alexander Zangerl  (2017-05-14):
> i've been asked to retrofit the fix for #801907 to the version
> in jessie. that bug is fixed in testing. the bug causes jesred to not
> interoperate properly with squid versions 3.4 and newer.
> 
> changes are as per the attached debdiff: patch 05-squid3 (which makes
> jesred work with squid 3 in the first place) was updated, and a small
> followup was made to patch 07-ipv6 which was necessary as it
> didn't apply properly on top of the updated 05-squid3 patch.

Trying to apply your debdiff to the current package in jessie, I'm
getting a lot of errors. Did you attach the right file?

| kibi@armor:/tmp$ apt-get source jesred
| Reading package lists... Done
| Building dependency tree   
| Reading state information... Done
| Skipping already downloaded file 'jesred_1.2pl1-19.dsc'
| Skipping already downloaded file 'jesred_1.2pl1.orig.tar.gz'
| Skipping already downloaded file 'jesred_1.2pl1-19.debian.tar.gz'
| Need to get 0 B of source archives.
| gpgv: Signature made Sun 29 Sep 2013 05:44:48 CEST using DSA key ID 1BDBD83C
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./jesred_1.2pl1-19.dsc
| dpkg-source: info: extracting jesred in jesred-1.2pl1
| dpkg-source: info: unpacking jesred_1.2pl1.orig.tar.gz
| dpkg-source: info: unpacking jesred_1.2pl1-19.debian.tar.gz
| dpkg-source: info: applying 01-extregex
| dpkg-source: info: applying 01-logfix
| dpkg-source: info: applying 01-old-debdiffs
| dpkg-source: info: applying 02-warnings
| dpkg-source: info: applying 03-allredir
| dpkg-source: info: applying 04-urlgroup
| dpkg-source: info: applying 05-squid3
| dpkg-source: info: applying 06-hardening
| dpkg-source: info: applying 07-ipv6
| kibi@armor:/tmp$ cd /tmp/jesred-1.2pl1
| kibi@armor:/tmp/jesred-1.2pl1$ patch -l -p1 < ~/jesred-jessie.debdiff 
| patching file debian/changelog
| patching file debian/patches/05-squid3
| Hunk #1 FAILED at 13.
| Hunk #2 FAILED at 97.
| Hunk #3 FAILED at 117.
| Hunk #4 FAILED at 148.
| Hunk #5 FAILED at 169.
| Hunk #6 FAILED at 180.
| Hunk #7 FAILED at 189.
| Hunk #8 FAILED at 271.
| 8 out of 8 hunks FAILED -- saving rejects to file debian/patches/05-squid3.rej
| patching file debian/patches/07-ipv6
| Hunk #1 FAILED at 241.
| Hunk #2 succeeded at 282 (offset -3 lines).
| 1 out of 2 hunks FAILED -- saving rejects to file debian/patches/07-ipv6.rej

Below, an extra comment while waiting for a revised debdiff:

> --- jesred-1.2pl1/debian/changelog2013-09-29 13:37:11.0 +1000
> +++ jesred-1.2pl1/debian/changelog2017-05-14 13:20:06.0 +1000
> @@ -1,3 +1,10 @@
> +jesred (1.2pl1-19+deb8) stable; urgency=high

You should be using 1.2pl1-19+deb8u1 (first upload to jessie), and
targeting the codename (jessie).


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862498: jessie-pu: package gitolite3/3.6.1-2+deb8u2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862498 [release.debian.org] jessie-pu: package gitolite3/3.6.1-2+deb8u2
Added tag(s) confirmed.

-- 
862498: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862498
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862498: jessie-pu: package gitolite3/3.6.1-2+deb8u2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

David Bremner  (2017-05-13):
> I'd like to close #834153 in stable. The bug has an easy workaround,
> but it is still admittedly pretty annoying.
> 
> There isn't that much to test here, but I've installed the resulting
> package on jessie, and did a few basic operations.  Of course I
> already had openssh-client on the host in question.
> 
> diff -u gitolite3-3.6.1/debian/changelog gitolite3-3.6.1/debian/changelog
> --- gitolite3-3.6.1/debian/changelog
> +++ gitolite3-3.6.1/debian/changelog
> @@ -1,3 +1,10 @@
> +gitolite3 (3.6.1-2+deb8u2) stable; urgency=medium
> +
> +  * Bug fix: "gitolite3 should depend on openssh-client", thanks to Keller
> +Fuchs (Closes: #834153).
> +
> + -- David Bremner   Sat, 13 May 2017 12:38:44 -0300
> +

This looks reasonable, but please target the codename: jessie. Feel free
to upload; thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862481 [release.debian.org] jessie-pu: package xfce4-weather-plugin/0.8.3-2
Added tag(s) confirmed.

-- 
862481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Yves-Alexis Perez  (2017-05-13):
> xfce4-weather-plugin uses met.no as source for weather information.
> There were multiple changes in API in recent years, and they disabled
> legacy API in the last few days, meaning weather plugin in Jessie
> doesn't work anymore.
> 
> I've prepared an update pulling only the API changes from upstream,
> which results in the attached debdiff and the following diffstat:
> 
>  changelog                                                               |   17 +
>  patches/0001-Make-plugin-ready-for-met.no-locationforecast-1.2-AP.patch |  160 ++
>  patches/0002-Switch-to-met.no-locationforecastLTS-1.2-API-bug-109.patch |   26 +
>  patches/0003-Update-NEWS-and-README.patch                               |   56 +++
>  patches/0004-Update-URL-for-sunrise-API-to-point-to-version-1.1-b.patch |   58 +++
>  patches/0005-Update-http-api.yr.no-URLs-to-https-api.met.no.patch       |   66
>  patches/0006-Bump-LocationforecastLTS-version-to-1.3.patch              |   48 +++
>  patches/0007-Change-more-URLs-from-http-yr.no-to-https-met.no.patch     |   67
>  patches/git_support-locationforecast-1.2.patch                          |  151 -
>  patches/git_use-locationforecast-1.2.patch                              |   21 -
>  patches/series                                                          |    9
>  11 files changed, 505 insertions(+), 174 deletions(-)
> 
> Would it be ok for a stable upload?

This looks good to me (also tested locally without then with the patch
series). Feel free to upload, targeting jessie; thanks.


KiBi.


signature.asc
Description: Digital signature


Bug#862456: jessie-pu: package cfitsio/3.370-2+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi Aurélien,

Aurelien Jarno  (2017-05-12):
> I would like to fix the cfitsio package in stable wrt bug#800819. The
> wrong use of memcpy on overlapping area causes some tests in depending
> packages to fail. More importantly this bug is likely to cause issues
> on other architectures. The patch, which simply replaces memcpy by
> memmove is included upstream for quite some time now, as well as in
> stretch.
> 
> You will find below the full debdiff of the proposed changes. Thanks
> for considering.

Looks good to me, feel free to upload; thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862456: jessie-pu: package cfitsio/3.370-2+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862456 [release.debian.org] jessie-pu: package cfitsio/3.370-2+deb8u1
Added tag(s) confirmed.

-- 
862456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862438: jessie-pu: package eterm/0.9.6-1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Adrian Bunk  (2017-05-12):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
>  eterm-0.9.6/debian/changelog |8 
>  src/command.c|2 +-
>  2 files changed, 9 insertions(+), 1 deletion(-)

Next time, feel free to articulate a message for the humans reading your
proposed changes, this wouldn't hurt.

> diff -u eterm-0.9.6/debian/changelog eterm-0.9.6/debian/changelog
> --- eterm-0.9.6/debian/changelog
> +++ eterm-0.9.6/debian/changelog
> @@ -1,3 +1,11 @@
> +eterm (0.9.6-1+deb8u1) jessie; urgency=medium
> +
> +  * QA upload.
> +  * Apply patch from Arnaud Ceyrolle to fix problems when starting
> +or stopping the shell caused by an integer overflow. (Closes: #770369)
> +
> + -- Adrian Bunk   Fri, 12 May 2017 19:52:47 +0300
> +
>  eterm (0.9.6-1) unstable; urgency=low
>  
>* QA upload.
> only in patch2:
> unchanged:
> --- eterm-0.9.6.orig/src/command.c
> +++ eterm-0.9.6/src/command.c
> @@ -1561,7 +1561,7 @@
>   * child processes remain alive upon deletion of the window.
>   */
>  {
> -unsigned short i;
> +unsigned long i;
>  unsigned long max_fds;
>  
>  /* get number of available file descriptors */
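Review bot: `unsigned long i` in src/command.c now has the same type as `max_fds`, but the hunk stops before the code that uses `i`, so it does not show whether the value is later handed to a call that takes an `int` file descriptor. If it is, a very large `max_fds` would still be narrowed at that call, so the rest of the block is worth checking. The changelog entry could also name the variable that overflowed, since "an integer overflow" alone does not tell a reader of the stable update what changed.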

KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862438: jessie-pu: package eterm/0.9.6-1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862438 [release.debian.org] jessie-pu: package eterm/0.9.6-1+deb8u1
Added tag(s) confirmed.

-- 
862438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862438
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#862363: jessie-pu: package dwww/1.12.1+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862363 [release.debian.org] jessie-pu: package dwww/1.12.1+deb8u1
Added tag(s) moreinfo.

-- 
862363: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862363
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862363: jessie-pu: package dwww/1.12.1+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Robert Luberda  (2017-05-20):
> Adrian Bunk wrote:

[ a patch with no context whatsoever ]

Seriously?!

> Could you please approve this change and allow Adrian to proceed with
> the NMU?
> 
> It fixes a pretty old bug in dwww that was recently made visible (and
> thus made dwww mostly unusable) due to the security upload of apache2
> into jessie.

This is the kind of thing that should have been in the pu request. This
should also be mentioned in the changelog. Fixing bugs is great, but
providing explanations while doing so is even better.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862353: jessie-pu: package chkrootkit/3.2~deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862353 [release.debian.org] jessie-pu: package chkrootkit/3.2~deb8u1
Added tag(s) confirmed.

-- 
862353: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862353
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862353: jessie-pu: package chkrootkit/3.2~deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi,

Adrian Bunk  (2017-05-11):
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

I'm all for brevity, but seriously, not including a single text in a pu
bug report might make people want to close it right away.

Also, patches as attachments work best.

Anyway, feel free to upload.


KiBi.


signature.asc
Description: Digital signature


Bug#866045: stretch-pu: package bridge-utils/1.5-14

2017-06-27 Thread Santiago Garcia Mantinan
I'm sorry about the mistakes on this stretch-pu upload, this is the first time
I try to upload something to stable.

I was following
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
but didn't find there all the info I was looking for, is there any other
more comprehensive doc?

My first doubt was if I should file the bug report against current stable
version or if I should first upload a fixed version.

About the bug report as I was the one finding it I directly created the fix,
if you prefer me to file a bug so that we can then close it on our
changelog, that's fine with me.

The full patch should be this one:

diff -ru bridge-utils-1.5-13/debian/bridge-utils.sh 
bridge-utils-1.5-13+deb9u1/debian/bridge-utils.sh
--- bridge-utils-1.5-13/debian/bridge-utils.sh  2017-06-27 22:57:15.0 
+0200
+++ bridge-utils-1.5-13+deb9u1/debian/bridge-utils.sh   2017-06-27 
22:57:37.0 +0200
@@ -58,11 +58,11 @@
 create_vlan_port()
 {
 # port doesn't yet exist
-if ! grep -q "$port" /proc/net/dev
+if ! grep -q "$port:" /proc/net/dev
 then
   dev="${port%.*}"
   # port is a vlan and the device exists?
-  if [ "$port" != "$dev" ] && grep -q "$dev" /proc/net/dev
+  if [ "$port" != "$dev" ] && grep -q "$dev:" /proc/net/dev
   then
 if [ -f /proc/sys/net/ipv6/conf/$dev/disable_ipv6 ]
 then
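Review bot: in `create_vlan_port`, `grep -q "$port:"` still treats the name as an unanchored regular expression, so the `.` in a VLAN name such as eth0.2 matches any character and the pattern can match inside a longer interface name that ends the same way. Comparing the interface column literally, or testing for `/sys/class/net/$port`, would close that gap. The same applies to the identical change in `destroy_vlan_port`.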
@@ -77,7 +77,7 @@
 destroy_vlan_port()
 {
 # port exists
-if grep -q "$port" /proc/net/dev
+if grep -q "$port:" /proc/net/dev
 then
   dev="${port%.*}"
   # port is a vlan
diff -ru bridge-utils-1.5-13/debian/changelog 
bridge-utils-1.5-13+deb9u1/debian/changelog
--- bridge-utils-1.5-13/debian/changelog2017-06-27 22:57:15.0 
+0200
+++ bridge-utils-1.5-13+deb9u1/debian/changelog 2017-06-27 22:57:37.0 
+0200
@@ -1,3 +1,9 @@
+bridge-utils (1.5-13+deb9u1) stretch; urgency=low
+
+  * Fix a problem with some vlan interfaces not being created.
+
+ -- Santiago Garcia Mantinan   Tue, 27 Jun 2017 22:53:30 
+0200
+
 bridge-utils (1.5-13) unstable; urgency=low
 
   * Fix a hardcoded interface name on bridge-utils.sh. Closes: #854841.


The problem we are trying to fix was not with the interfaces but with
other vlans. For example, if the first vlan bridge port being created is
eth0.2000 and then eth0.2 is being added to this bridge, eth0.2 won't be
created, as the bug will confuse eth0.2 with eth0.2000; with the patch this
will work OK.

So... how do we proceed from here?

Thanks in advance and sorry again.

Regards.
-- 
Manty/BestiaTester -> http://manty.net
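
The eth0.2 / eth0.2000 confusion described in the message above, reproduced as an added example (not part of the original post or of bridge-utils). The `/proc/net/dev` content is a constructed sample, and `exists_exact` is a hypothetical stricter check that goes beyond the patch.

```shell
#!/bin/sh
# Constructed /proc/net/dev content (not captured output): eth0.2000 already
# exists, eth0.2 does not yet, and veth1 is an unrelated interface.
PROC_NET_DEV_SAMPLE='Inter-|   Receive            |  Transmit
 face |bytes    packets errs|bytes    packets errs
    lo:    1000      10    0     1000      10    0
  eth0:   52000     400    0    31000     300    0
eth0.2000:     100       2    0      100       2    0
 veth1:     640       8    0      640       8    0'

# Check as it was before the patch: the name is a regex matched anywhere,
# so "eth0.2" is found inside "eth0.2000".
exists_before() {
  grep -q "$1" <<EOF
$PROC_NET_DEV_SAMPLE
EOF
}

# Check as patched: the trailing colon ends the interface column, which
# stops the prefix match, but the pattern is still an unanchored regex.
exists_patched() {
  grep -q "$1:" <<EOF
$PROC_NET_DEV_SAMPLE
EOF
}

# Hypothetical stricter check (an assumption, not in the patch): take the
# first field, cut it at the colon and compare it as a literal string.
exists_exact() {
  awk -v want="$1" '
    { name = $1; sub(/:.*/, "", name); if (name == want) found = 1 }
    END { exit !found }
  ' <<EOF
$PROC_NET_DEV_SAMPLE
EOF
}

# Turn a check's exit status into a word for the report below.
verdict() {
  if "$@"; then echo yes; else echo no; fi
}

for port in eth0.2 eth0.2000 eth1; do
  printf '%-10s before=%-3s patched=%-3s exact=%s\n' "$port" \
    "$(verdict exists_before "$port")" \
    "$(verdict exists_patched "$port")" \
    "$(verdict exists_exact "$port")"
done
```

The `eth1` row shows the remaining gap in the patched check: `eth1:` is found inside `veth1:` although no interface named eth1 exists.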



Bug#862327: jessie-pu: package apt-cacher/1.7.10+deb8u1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Mark Hindley  (2017-05-11):
> I would like approval to update apt-cacher in jessie by backporting the
> fix for #786661. This ensures that /var/run/apt-cacher is created in the
> initscript when operating under inetd.

This looks good to me, feel free to upload; thanks.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862327: jessie-pu: package apt-cacher/1.7.10+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862327 [release.debian.org] jessie-pu: package apt-cacher/1.7.10+deb8u1
Added tag(s) confirmed.

-- 
862327: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862327
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #843701 [release.debian.org] jessie-pu: package boinc/7.4.23+dfsg-1
Removed tag(s) moreinfo.

-- 
843701: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-27 Thread Gianfranco Costamagna
control: tags -1 -moreinfo


>I'm interested in seeing an updated debdiff with a better wording for
>the xhost issue. The proposed one suggests a syntax error but says
>nothing about the permission issues which need a fix.

ok, fair enough, updated

>Similarly, the OOM_ADJ handling could be more descriptive, something
>like “Try both oom_score_adj and oom_adj when adjusting the OOM score
>(Closes: #843663).”?

this seems really better and more descriptive, indeed.

Updated debdiff attached

thanks

G.
diff -Nru boinc-7.4.23+dfsg/debian/boinc-client.init 
boinc-7.4.23+dfsg/debian/boinc-client.init
--- boinc-7.4.23+dfsg/debian/boinc-client.init  2014-10-17 17:10:09.0 
+0200
+++ boinc-7.4.23+dfsg/debian/boinc-client.init  2016-11-08 21:53:59.0 
+0100
@@ -29,6 +29,7 @@
 BOINC_DIR=/var/lib/boinc-client
 BOINC_CLIENT=/usr/bin/boinc
 BOINC_OOM_ADJ=15
+BOINC_OOM_SCORE_ADJ=1000
 
 #VALGRIND_OPTIONS="-v --log-file=/tmp/valgrind_boinc.log "
 VALGRIND_OPTIONS=""
@@ -106,7 +107,7 @@
   else
 if [ -n "$DISPLAY" -a -x /usr/bin/xhost ]; then
# grant the boinc client to perform GPU computing
-   xhost local:boinc || echo -n "xhost error ignored, GPU computing may 
not be possible"
+   xhost +si:localuser:$BOINC_USER || echo -n "xhost error ignored, GPU 
computing may not be possible"
 fi
 if [ -n "$VALGRIND_OPTIONS" ]; then
   start-stop-daemon --start --quiet --background --pidfile $PIDFILE \
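Review bot: `xhost +si:localuser:$BOINC_USER` expands `$BOINC_USER` unquoted, and nothing in this hunk shows that it is set at this point in the script; with an empty value the command becomes `xhost +si:localuser:`. Quote the expansion and skip the call when the variable is empty. The fallback message is printed with `echo -n`, so it also runs into whatever is written next.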
@@ -206,10 +207,13 @@
   fi
 fi
 for BPID in ${pid} ${children}; do
-  if [ -w /proc/${BPID}/oom_adj ]; then
-echo ${BOINC_OOM_AD} > /proc/${BPID}/oom_adj 2>/dev/null || true
+  # Fallback to old oom_adj if oom_score_adj doesn't exist
+  if [ -w /proc/${BPID}/oom_score_adj ]; then
+echo ${BOINC_OOM_SCORE_ADJ} > /proc/${BPID}/oom_score_adj 2>/dev/null 
|| true
+  elif [ -w /proc/${BPID}/oom_adj ]; then
+echo ${BOINC_OOM_ADJ} > /proc/${BPID}/oom_adj 2>/dev/null || true
   else
-echo "Could not write to /proc/${BPID}/oom_adj"
+echo "Could not adjust oom_score of task"
   fi
 done
   fi
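Review bot: the new failure message, "Could not adjust oom_score of task", no longer says which process was affected, while the line it replaces included `/proc/${BPID}/oom_adj`; keeping `${BPID}` in the message makes the log usable. The hunk also changes `${BOINC_OOM_AD}` to `${BOINC_OOM_ADJ}` in the oom_adj branch. The old name is not defined anywhere in the lines shown, so that correction deserves its own line in the changelog.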
diff -Nru boinc-7.4.23+dfsg/debian/changelog boinc-7.4.23+dfsg/debian/changelog
--- boinc-7.4.23+dfsg/debian/changelog  2014-10-17 17:19:50.0 +0200
+++ boinc-7.4.23+dfsg/debian/changelog  2016-11-08 21:53:59.0 +0100
@@ -1,3 +1,16 @@
+boinc (7.4.23+dfsg-1+deb8u1) jessie; urgency=medium
+
+  [ Tom Downes ]
+  * Try both oom_score_adj and oom_adj when adjusting the OOM score
+(Closes: #843663).
+
+  [ Mike Brennan  ]
+  * Fix xhost syntax. (Closes: #841665)
+- the xhost permissions syntax requires a "localuser" keyword for locally
+  specified users.
+
+ -- Gianfranco Costamagna   Tue, 08 Nov 2016 
21:53:59 +0100
+
 boinc (7.4.23+dfsg-1) unstable; urgency=medium
 
   * New upstream release candidate.


signature.asc
Description: OpenPGP digital signature


Bug#862173: jessie-pu: package offlineimap/6.3.4-1

2017-06-27 Thread Cyril Brulebois
Hi Ilias,

Ilias Tsitsimpis  (2017-05-09):
> Dear Release Team,
> 
> I would like to update OfflineIMAP in jessie, to fix the #859478 RC bug.
> Backporting the fix from newer versions of the software is too invasive,
> so instead I have added a WARNING message, that will prevent users from
> using the broken functionality. For more information, please see the
> related bug report.

The patch looks good to me, except you want to be targetting “jessie”.

I feel uneasy about approving this change myself since I'm the one having
filed the original bug report, and I think it would make sense to let
someone else from the release team double check this update.


KiBi.


signature.asc
Description: Digital signature


Processed: Re: Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #862169 [release.debian.org] jessie-pu: package lxterminal/0.2.0-1
Added tag(s) confirmed.

-- 
862169: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862169
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi,

Yao Wei  (2017-05-09):
> I'd like to upload a fix for CVE-2016-10369 to jessie.

This looks good but:

> diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
> --- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.0 +0800
> +++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.0 +0800
> @@ -1,3 +1,10 @@
> +lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
   ^^^

You're fixing this through jessie-pu (short for jessie-proposed-updates),
rather than via security; so please use “jessie” as the target codename.

Feel free to open once you've fixed this.


KiBi.


signature.asc
Description: Digital signature


Bug#864770: jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2+deb8u2

2017-06-27 Thread Niko Tyni
On Tue, Jun 27, 2017 at 06:27:00AM +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Niko Tyni  (2017-06-14):
> > The changes in apache2_2.4.10-10+deb8u8 related to CVE-2016-8743
> > caused libapache2-mod-perl2 to start failing its test suite, as
> > seen in #864316.
> > 
> > The attached debdiff fixes this by amending the test suite. The
> > changes are identical to those we made in stretch/sid for #849082.
> > 
> > Please let me know if it's OK to upload to jessie.
> 
> Looks good to me, feel free to upload.

Thanks, uploaded.
 
> (I was amused by the http vs. HTTP one. ;))

Yeah, me too :)
-- 
Niko



Processed: Re: Bug#862030: jessie-pu: package rar/2:4.2.0+dfsg.1-0.1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #862030 [release.debian.org] jessie-pu: package rar/2:4.2.0+dfsg.1-0.1
Added tag(s) moreinfo.

-- 
862030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862030: jessie-pu: package rar/2:4.2.0+dfsg.1-0.1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Ben Hutchings  (2017-05-07):
> rar should be updated to fix #860952.
> 
> The orig tarballs need to be repacked to exclude rar_static.  Then I
> would apply the following source patch:
> 
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +rar (2:4.2.0+dfsg.1-0.1) jessie; urgency=medium
> +
> +  * Non-maintainer upload
> +  * Repacked orig tarball excludes statically linked rar
> +(Closes: #693396, #860952)
> +  * Install dynamically linked rar
> +
> + -- Ben Hutchings   Sun, 07 May 2017 16:00:26 +0100
> +
>  rar (2:4.2.0-1) unstable; urgency=low
>  
>* New upstream release (Closes: #661065)
> --- a/debian/lintian
> +++ b/debian/lintian
> @@ -1,6 +1,2 @@
>  rar: extra-license-file usr/share/doc/rar/license.txt.gz
>  rar: binary-file-compressed-with-upx ./usr/lib/default.sfx <===
> -rar: statically-linked-binary usr/lib/default.sfx  <===
> -rar: statically-linked-binary usr/bin/rar
> -# Statically linked file
> -rar: missing-depends-line
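
Review bot: Dropping the `missing-depends-line` override at the end of this debian/lintian hunk means the binary package now needs a real Depends line, but the patch as posted only touches debian/changelog, debian/lintian and debian/rules. With a dynamically linked usr/bin/rar, debian/control should carry `Depends: ${shlibs:Depends}`; please include that change in the debdiff or confirm it is already in place.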

Based on the last line of context and the first line of the diff (marked
with <=== above), I'm not sure whether you plan to remove default.sfx
along with it, since the previous line still mentions it, and the rules
file as well, see below.

> --- a/debian/rules
> +++ b/debian/rules
> @@ -23,9 +23,9 @@
>   dh_installdirs
>  
>   mkdir ./i386
> - cp ./rar_static ./i386
> + cp ./rar ./i386
>   cp ./default.sfx ./i386

^

> - install -o root -g root -s -m 0755 $(DEB_BUILD_ARCH)/rar_static 
> debian/rar/usr/bin/rar
> + install -o root -g root -s -m 0755 $(DEB_BUILD_ARCH)/rar 
> debian/rar/usr/bin/rar
>   
>   dh_installdocs
>   dh_installman debian/rar.1
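
Review bot: In this debian/rules hunk the binary is copied into a hard-coded ./i386 directory but installed from $(DEB_BUILD_ARCH)/rar, so as far as the hunk shows the install line only finds the file when the build architecture is i386. Since both lines are being touched anyway, consider using the same path in both, or confirm that the package is only ever built on i386.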


KiBi.




Processed: Re: Bug#861926: Acknowledgement (jessie-pu: package php-tcpdf/6.0.093+dfsg-1)

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #861926 [release.debian.org] jessie-pu: package tcpdf/6.0.093+dfsg-1
Added tag(s) confirmed.

-- 
861926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861926: Acknowledgement (jessie-pu: package php-tcpdf/6.0.093+dfsg-1)

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi,

Laurent Destailleur (aka Eldy)  (2017-05-06):
> I made an error when copying and pasting the CVE number in my first request.
> Bug number was correct, so #814030, but CVE related is CVE-2017-6100
> 
> 
> Also, this is the full debdiff (I previously provided only the patch file): 
> […]

Next time, please attach the full debdiff properly instead of inlining
it, it gets line-wrapped, which makes it hard to read, check, and apply.
It was additionally rejected by dpkg-source:
| patching file config/tcpdf_config.php
| Hunk #1 FAILED at 210.
| 1 out of 1 hunk FAILED
| dpkg-source: info: the patch has fuzz which is not allowed, or is malformed

Anyway, no objection on the patch itself, except for the lack of
documentation in the changelog. I'm attaching a new debdiff which is a
bit more descriptive.

Feel free to upload.


KiBi.
diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/changelog
--- tcpdf-6.0.093+dfsg/debian/changelog	2014-09-07 17:22:38.0 +0200
+++ tcpdf-6.0.093+dfsg/debian/changelog	2017-06-27 22:45:18.0 +0200
@@ -1,3 +1,10 @@
+tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium
+
+  [ Laurent Destailleur (eldy) ]
+  * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030)
+
+ -- Laurent Destailleur (eldy)   Tue, 27 Jun 2017 22:44:33 +0200
+
 tcpdf (6.0.093+dfsg-1) unstable; urgency=medium
 
   * New upstream release 6.0.093+dfsg
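
Review bot: The changelog entry says the fix works "by disallowing tcpdf calls in HTML", but the patch added further down only flips the default of K_TCPDF_CALLS_IN_HTML in config/tcpdf_config.php to false. Suggest wording it as disabling the feature by default and naming the constant, so administrators who depend on TCPDF calls in HTML know which setting changed after the upgrade.
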
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch
--- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch	1970-01-01 01:00:00.0 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch	2017-06-27 22:42:54.0 +0200
@@ -0,0 +1,17 @@
+Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
+Author: Laurent Destailleur 
+Forwarded: not-needed
+Last-Update: 2013-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/config/tcpdf_config.php
 b/config/tcpdf_config.php
+@@ -210,7 +210,7 @@ define('K_THAI_TOPCHARS', true);
+  * If true allows to call TCPDF methods using HTML syntax
+  * IMPORTANT: For security reason, disable this feature if you are printing user HTML content.
+  */
+-define('K_TCPDF_CALLS_IN_HTML', true);
++define('K_TCPDF_CALLS_IN_HTML', false);
+ 
+ /**
+  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
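
Review bot: The DEP-3 header of the new patch carries `Last-Update: 2013-07-29`, which predates both CVE-2017-6100 and this 2017 upload; please update the date. A Bug-Debian field pointing at #814030 would also help, so the patch file itself records why the default was changed.
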
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series
--- tcpdf-6.0.093+dfsg/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/series	2017-06-27 22:42:17.0 +0200
@@ -0,0 +1 @@
+default-K_TCPDF_CALLS_IN_HTML-to-false.patch




Bug#861541: jessie-pu: package kedpm/1.0

2017-06-27 Thread Adam D. Barratt
On Tue, 2017-06-27 at 22:39 +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Antoine Beaupre  (2017-04-30):
> > diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
> > --- kedpm-1.0/debian/changelog  2012-11-30 15:45:14.0 -0500
> > +++ kedpm-1.0+deb8u1/debian/changelog   2017-04-26 20:44:11.0 
> > -0400
> > @@ -1,3 +1,10 @@
> > +kedpm (1.0+deb8u1) jessie; urgency=high
> > +
> > +  * Non-maintainer upload by the Security Team.

On a side note, the above appears to be incorrect.

Regards,

Adam



NEW changes in oldstable-new

2017-06-27 Thread Debian FTP Masters
Processing changes file: debootstrap_1.0.67+deb8u1_amd64.changes
  ACCEPT



NEW changes in stable-new

2017-06-27 Thread Debian FTP Masters
Processing changes file: squashfs-tools_4.3-3+deb9u1_amd64.changes
  ACCEPT



Processed: Re: Bug#861541: jessie-pu: package kedpm/1.0

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #861541 [release.debian.org] jessie-pu: package kedpm/1.0
Added tag(s) confirmed.

-- 
861541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861541
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861541: jessie-pu: package kedpm/1.0

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Antoine Beaupre  (2017-04-30):
> diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
> --- kedpm-1.0/debian/changelog2012-11-30 15:45:14.0 -0500
> +++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.0 -0400
> @@ -1,3 +1,10 @@
> +kedpm (1.0+deb8u1) jessie; urgency=high
> +
> +  * Non-maintainer upload by the Security Team.
> +  * fix information leak via command history file (Closes: #860817)
> +
> + -- Antoine Beaupré   Wed, 26 Apr 2017 20:44:11 -0400
> +
>  kedpm (1.0) unstable; urgency=low
>  
>* New upstream release.
> diff -Nru 
> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>  
> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
> --- 
> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>   1969-12-31 19:00:00.0 -0500
> +++ 
> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>2017-04-26 20:43:55.0 -0400
> @@ -0,0 +1,61 @@
> +From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
> +Date: Wed, 26 Apr 2017 16:58:56 -0400
> +Subject: [PATCH 1/2] always prompt for password and do not save to database

The 1/2 part seems a bit weird here; was the second patch relevant for
this security fix?

> +-"""Change master password for opened database
> +-
> +-Syntax:
> +-password [new password]
> +-
> +-If new password is not provided with command, you will be promted to enter 
> new
> +-one.
> +-"""
> +-
> +-if not arg:
> +-# Password is not provided with command. Ask user for it
> +-pass1 = getpass(_("New password: "))
> +-pass2 = getpass(_("Repeat password: "))
> +-if pass1 == '':
> +-print _("Empty passwords are really insecure. You should " \
> +-"create one.")
> +-return
> +-if pass1!=pass2:
> +-print _("Passwords don't match! Please repeat.")
> +-return
> +-new_pass = pass1
> +-else:
> +-new_pass = arg
> ++"""Change master password for opened database"""
> ++
> ++# remove possibly master password from history file
> ++
> readline.remove_history_item(readline.get_current_history_length()-1)
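
Review bot: The added call `readline.remove_history_item(readline.get_current_history_length()-1)` is not guarded against an empty history: when get_current_history_length() returns 0 the index is -1, which readline rejects with a ValueError. Check that the length is greater than zero (or catch the exception) before removing the entry, so the password command cannot fail before it reaches the prompt.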

I'm assuming the history was already updated to include the last/current
command?

> ++# Password is not provided with command. Ask user for it

I suppose this became a bit of a lie. :) Feel free to replace it with
“Always ask the user for the password”, or remove it entirely.

With or without the comment fix, feel free to upload.


KiBi.
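
The history-scrubbing approach reviewed in this message, as an added Python 3 example that is not kedpm's code and not part of the quoted patch. The function names and the `SENSITIVE_COMMANDS` list are assumptions made for illustration, and the empty-history guard and command check go beyond what the quoted hunk shows.

```python
import getpass
import readline

# Hypothetical command names whose arguments may contain a secret.
SENSITIVE_COMMANDS = ("password", "passwd")


def scrub_last_history_entry(commands=SENSITIVE_COMMANDS):
    """Drop the newest readline history entry if it is a sensitive command.

    Returns True when an entry was removed. An empty history is handled
    explicitly: its length is 0, and index -1 would raise ValueError.
    """
    length = readline.get_current_history_length()
    if length == 0:
        return False
    # get_history_item() is 1-based, remove_history_item() is 0-based.
    last = readline.get_history_item(length) or ""
    words = last.split()
    if not words or words[0] not in commands:
        return False
    readline.remove_history_item(length - 1)
    return True


def change_master_password(arg="", prompt=getpass.getpass):
    """Always prompt for the new password; never take it from the command line.

    `arg` is whatever was typed after the command and is ignored on purpose.
    Returns the new password, or None if it is empty or the entries differ.
    """
    scrub_last_history_entry()
    first = prompt("New password: ")
    second = prompt("Repeat password: ")
    if first == "" or first != second:
        return None
    return first


def history_lines():
    """Return the in-memory history, i.e. what write_history_file() would save."""
    count = readline.get_current_history_length()
    return [readline.get_history_item(i) for i in range(1, count + 1)]
```

Scrubbing only the in-memory entry is enough when the history file is written at exit; a shell that appends to the file after every command would need the file cleaned as well.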




Bug#865763: jessie-pu: package gnutls28/3.3.8-6+deb8u7

2017-06-27 Thread Cyril Brulebois
Control: tag -1 - moreinfo + confirmed

Andreas Metzler  (2017-06-27):
> Yes, the same route was taken. The patch on the gnutls_3_3_x branch
> 5006914fda50f25807451a03616cdf2e7be0268f was picked and unfuzzed from
> 408cfd7a3afba0c5a2310c5cbcee581f57d9248c on gnutls_3_5_x

Perfect, thanks. Please go ahead.


KiBi.




Processed: Re: Bug#865763: jessie-pu: package gnutls28/3.3.8-6+deb8u7

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo + confirmed
Bug #865763 [release.debian.org] jessie-pu: package gnutls28/3.3.8-6+deb8u7
Removed tag(s) moreinfo.
Bug #865763 [release.debian.org] jessie-pu: package gnutls28/3.3.8-6+deb8u7
Added tag(s) confirmed.

-- 
865763: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861280: ***SPAM*** Re: Bug#861280: jessie-pu: package caja/1.8.2-3+deb8u2

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi Pablo,

Pablo Barciela  (2017-04-27):
> 1) Fix: open new window with tree view in side panel (Closes: #851523).
> 
> In the side pane, with tree view, right click on an item, click on "open in
> new window".
> -without the patch, it shows in the same window
> -with the patch, as expected, it opens a new window

Yeah, this looks a bit silly for a file manager not to be able to do
something so basic. From reading the diff, it looks like one function
was traded for another one, more generic, with different flags.

It would be helpful to have cleaner diffs, e.g. removing lines instead
of removing them to replace them with a commented out version, e.g.
avoid this:

-fm_tree_view_activate_file (view, view->details->popup_file, 
CAJA_WINDOW_OPEN_FLAG_NEW_WINDOW);
+/* fm_tree_view_activate_file (view, view->details->popup_file, 
CAJA_WINDOW_OPEN_FLAG_NEW_WINDOW); */

> 2) Don't crash on toggling "Show hidden and backup files" (Closes: #797723).
> 
> easy to reproduce with gdb
> edit -> preferences -> show hidden and backup files
> caja crashes randomly activating/deactivating the checkbox

Yep, this is sad as well.

So, a function renamed because it no longer handles a single event, but
two instead (the original one for trash, and the new one for preferences)?
Out of curiosity, are the disconnected signals reconnected properly
afterwards?

[Trying to find appropriate line-wrapping, long function names ahead…]

The trash monitor is handled through:
  caja_window_initialize_trash_icon_monitor()
called by:
  caja_window_initialize_menus()
which also contains a g_signal_connect_swapped() call with:
  G_CALLBACK(show_hidden_files_preference_callback)
as a parameter, so we have the required symmetry for both signals,
being:
 - set up from caja_window_initialize_menus()
 - and unset from caja_window_finalize_menus()?

> 3) Allow the user to drag'n'drop files into the bookmark section. (Closes:
> #786395).
> 
> We can drag'n'drop files to everywhere in the side pane except bookmarks,
> this is the fix to work too with bookmarks

As Adam mentioned, this is borderline feature addition, plus the diff
contains a lot of whitespace noise: part of hunk 2, all of hunks 3 and
4, part of hunk 5.

Even with a cleaner patch, I'm wondering whether regressions could
appear with drag'n'dropping into places which haven't been considered in
the implemented checks.

> 4) Filename font color now gets picked up from theme correctly for all
> themes. (Closes: #770760).

The patch itself doesn't make it obvious what the changes do…

This is slightly more informative:
  https://github.com/mate-desktop/caja/pull/526/commits/828aea9083e19cec1a712c349285553197bc1c6f

so at least having “icon container: restore original font color select
logic” in the patch description would have helped.

Ditto for:
  https://github.com/mate-desktop/caja/pull/526/commits/c74212b4630767b3b11b41cb26a8df20090096f4

with “eel: never try to block background change signal”

Ditto for:
  https://github.com/mate-desktop/caja/pull/526/commits/ce7cc9580809d4017c74b0128f7e82f94eb173d9

and “icon container: don't set label colors right after widget realize”

→ Please mention all three commit (short) messages after the “taken
from” line in your fourth patch.

> >The above bug is filed as minor severity. In fact, the highest severity
> >of any of them is currently "normal". Is that correct?
> 
> yes, it was reported as severity minor, but the font color black in dark
> themes is erroneous, and the patch fixes it.

I'm not going to debate each severity in turn, but I can understand how
the combination of these 4 bugs makes you want to see an update in
jessie.

If you can confirm my understanding of patches 1 & 2, can lower the
noise in patch 3, and can improve the documentation in patch 4, feel
free to post an updated debdiff for a new review. Tagging this jessie-pu
request with moreinfo in the meanwhile.


KiBi.




Processed: Re: Bug#861280: ***SPAM*** Re: Bug#861280: jessie-pu: package caja/1.8.2-3+deb8u2

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #861280 [release.debian.org] jessie-pu: package caja/1.8.2-3+deb8u2
Added tag(s) moreinfo.

-- 
861280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861280
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#865225: stretch-pu: package request-tracker4/4.4.1-3+deb9u2

2017-06-27 Thread Dominic Hargreaves
On Tue, Jun 27, 2017 at 05:25:45AM +0200, Cyril Brulebois wrote:
> Hi Dominic,
> 
> Dominic Hargreaves  (2017-06-26):
> > Thanks, uploaded.
> 
> I only see the security update (4.4.1-3+deb9u1), but not the package for
> this pu request (4.4.1-3+deb9u2). Did the upload go through properly, to
> the regular archive rather than the security one?

Sorry, this is not yet uploaded. I somehow got this and the anope
bug mixed up.



Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Gianfranco Costamagna  (2016-12-17):
> Hi,
> >Your mail client mangled the diff.
> 
> 
> 
> sorry for that
> 
> > the diff is simple:
> > +  [ Tom Downes ]
> > +  * Fix OOM_ADJ handling with a backportable approach
> > +(Closes: #843663)
> > 
> > ^^ a typo in a variable name was preventing OOM_ADJ from being correctly 
> > set in the init script
> > 
> 
> What's the impact of that bug?
> 
> when kernel is OOM, boinc tasks should be killed before other tasks.
> boinc is something that shouldn't impact the rest of the system
> (voluntary computing), so it runs with lower nice level, and should
> be killed before other programs in case the system gets out of memory.
> 
> this typo was preventing the second OOM handling to be correctly set, so 
> people might have got
> some other program killed instead of a boinc task.
> 
> >How can that possibly work?  The init script doesn't have an X display...
> 
> this is a known problem/issue, usually people can do GPU computing with a 
> reload of the boinc-client
> daemon, in this case the init system picks the X server up.
> (this is how things should work, I'm clueless about such stuff and I avoid 
> touching it when it
> "works")
> 
> thanks for the review,

I'm interested in seeing an updated debdiff with a better wording for
the xhost issue. The proposed one suggests a syntax error but says
nothing about the permission issues which need a fix.

Similarly, the OOM_ADJ handling could be more descriptive, something
like “Try both oom_score_adj and oom_adj when adjusting the OOM score
(Closes: #843663).”?


KiBi.




Processed: Re: Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #843701 [release.debian.org] jessie-pu: package boinc/7.4.23+dfsg-1
Added tag(s) moreinfo.

-- 
843701: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#864986: jessie-pu: package debootstrap/1.0.67+deb8u1

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #864986 [release.debian.org] jessie-pu: package debootstrap/1.0.67+deb8u1
Added tag(s) pending.

-- 
864986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


