Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb8u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi stable managers,

Please, allow this patched version of phpunit, built and tested in a
Stretch environment, fixing an arbitrary PHP code execution via HTTP
POST [CVE-2017-9841], aka #866200. As discussed with the security team,
PHPUnit should not be available on a production server, even less
publicly accessible (so we’d prefer to pass on a proper DSA), yet, we’d
prefer not to let such a big flaw available, so please, accept it in the
next stable update.

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog
--- phpunit-5.4.6/debian/changelog	2016-06-18 12:34:11.0 -1000
+++ phpunit-5.4.6/debian/changelog	2017-06-28 17:03:35.0 -1000
@@ -1,3 +1,18 @@
+phpunit (5.4.6-2~deb8u1) stretch; urgency=high
+
+  * Team upload
+  * Upload previous fix to Stretch
+
+ -- David Prévot   Wed, 28 Jun 2017 17:03:35 -1000
+
+phpunit (5.4.6-2) unstable; urgency=high
+
+  * Team upload
+  * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
+(Closes: #866200)
+
+ -- David Prévot   Wed, 28 Jun 2017 16:43:26 -1000
+
 phpunit (5.4.6-1) unstable; urgency=medium
 
   * Team upload
diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch
--- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	1969-12-31 14:00:00.0 -1000
+++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	2017-06-28 16:41:16.0 -1000
@@ -0,0 +1,34 @@
+From: Bob Weinand 
+Date: Sun, 13 Nov 2016 18:52:50 +0100
+Subject: Correct fix for #1956
+
+Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
+Bug: https://github.com/sebastianbergmann/phpunit/pull/2356
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
+---
+ src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +-
+ src/Util/PHP/eval-stdin.php   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+index 47ef6e4..c7172b9 100644
+--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist
 b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test()
+ $output = $test->getActualOutput();
+ }
+ 
+-rewind(STDOUT);
++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
+ if ($stdout = stream_get_contents(STDOUT)) {
+ $output = $stdout . $output;
+ }
+diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php
+index fe1b8bd..3b3a6d0 100644
+--- a/src/Util/PHP/eval-stdin.php
 b/src/Util/PHP/eval-stdin.php
+@@ -1,3 +1,3 @@
+ ' . file_get_contents('php://input'));
++eval('?>' . file_get_contents('php://stdin'));
diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series
--- phpunit-5.4.6/debian/patches/series	2016-06-18 12:15:55.0 -1000
+++ phpunit-5.4.6/debian/patches/series	2017-06-28 16:41:16.0 -1000
@@ -1 +1,2 @@
 0001-Remove-Composer-autoload.patch
+0002-Correct-fix-for-1956.patch


signature.asc
Description: PGP signature

Bug#866335: transition: python3-defaults

[Emilio Pozuelo Monfort]

Control: forwarded -1 https://release.debian.org/transitions/html/python3.6.html

On 28/06/17 23:46, Scott Kitterman wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> We would like to add python3.6 as a supported python3 version along with
> python3.5.  This is not exactly like a normal transition.  Only transient
> unbuildability of higher level packages is to be expected.
> 
> As usual, we are planning a three step transition from python3.5 to python3.6.
> 
> Adding python3.6 as supported is first.
> 
> Once that is complete, we'll file another request to make python3.6 the
> default python3.  This step does not need to immediately follow the first.
> 
> After that, we'll drop python3.5 as a supported version (other than needing a
> tracker, that step doesn't need any support from the release team and won't
> entangle anything as buildability of packages is not implicated).

Sure, should be all fine. For the first step, have you done a rebuild? Do or
should all rdeps that build modules for all supported python versions works fine
with 3.6, or are there some bugs / ftbfs issues?

> Ben file:
> 
> title = "python3-defaults";
> is_affected = .depends ~ "python3-all-dev";

You probably meant build-depends, but I prefer to use depends as otherwise there
usually are too many unknowns. Hopefully the tracker (similar to the python3.5
one) is fine.

Emilio

> is_good = .depends ~ "python3 (<< 3.7)";
> is_bad = .depends ~ "python3 (<< 3.6)";
> 
> Scott K
> 
> 

Processed: Re: Bug#866335: transition: python3-defaults

[Debian Bug Tracking System]

Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/python3.6.html
Bug #866335 [release.debian.org] transition: python3-defaults
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/python3.6.html'.

-- 
866335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866335
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#866335: Acknowledgement (transition: python3-defaults)

[Scott Kitterman]

Sorry,

Affected should be build-depends, not depends.

Scott K

Bug#866335: transition: python3-defaults

[Scott Kitterman]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

We would like to add python3.6 as a supported python3 version along with
python3.5.  This is not exactly like a normal transition.  Only transient
unbuildability of higher level packages is to be expected.

As usual, we are planning a three step transition from python3.5 to python3.6.

Adding python3.6 as supported is first.

Once that is complete, we'll file another request to make python3.6 the
default python3.  This step does not need to immediately follow the first.

After that, we'll drop python3.5 as a supported version (other than needing a
tracker, that step doesn't need any support from the release team and won't
entangle anything as buildability of packages is not implicated).

Ben file:

title = "python3-defaults";
is_affected = .depends ~ "python3-all-dev";
is_good = .depends ~ "python3 (<< 3.7)";
is_bad = .depends ~ "python3 (<< 3.6)";

Scott K

Bug#866333: jessie-pu: package c-ares/1.10.0-2+deb8u1

[Gregor Jasny]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

recently a buffer overlow in c-ares has been fixed and the Security Team
asked me to prepare an upload to jessie (see #865360).

Attached you'll find the debdiff.

Thanks,
Gregor

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru c-ares-1.10.0/debian/changelog c-ares-1.10.0/debian/changelog
--- c-ares-1.10.0/debian/changelog  2016-09-29 20:30:48.0 +0200
+++ c-ares-1.10.0/debian/changelog  2017-06-26 22:03:42.0 +0200
@@ -1,3 +1,9 @@
+c-ares (1.10.0-2+deb8u2) jessie; urgency=medium
+
+  * Add patch for CVE-2017-1000381 (Closes: #865360)
+
+ -- Gregor Jasny   Mon, 26 Jun 2017 22:03:42 +0200
+
 c-ares (1.10.0-2+deb8u1) jessie-security; urgency=high
 
   * Apply patch for CVE-2016-5180 (Closes: #839151)
diff -Nru c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff 
c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff
--- c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff  1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff  2017-06-26 
22:03:42.0 +0200
@@ -0,0 +1,30 @@
+Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116
+From: David Drysdale 
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data
+Bug-Debian: http://bugs.debian.org/865360
+
+Check that there is enough data for the required elements
+of an NAPTR record (2 int16, 3 bytes for string lengths)
+before processing a record.
+
+--- a/ares_parse_naptr_reply.c
 b/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@
+   status = ARES_EBADRESP;
+   break;
+ }
++  /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++  if (rr_len < 7)
++{
++  status = ARES_EBADRESP;
++  break;
++}
+ 
+   /* Check if we are really looking at a NAPTR record */
+   if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@
+ 
+   return ARES_SUCCESS;
+ }
+-
diff -Nru c-ares-1.10.0/debian/patches/series 
c-ares-1.10.0/debian/patches/series
--- c-ares-1.10.0/debian/patches/series 2016-09-29 20:28:42.0 +0200
+++ c-ares-1.10.0/debian/patches/series 2017-06-26 22:03:42.0 +0200
@@ -1,2 +1,3 @@
 disable-cflags-rewrite.diff
 CVE-2016-5180.diff
+CVE-2017-1000381.diff

Bug#866332: stretch-pu: package c-ares/1.12.0-1

[Gregor Jasny]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

recently a buffer overlow in c-ares has been fixed and the Security Team
asked me to prepare an upload to stretch (see #865360).

Attached you'll find the debdiff.

Thanks,
Gregor

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru c-ares-1.12.0/debian/changelog c-ares-1.12.0/debian/changelog
--- c-ares-1.12.0/debian/changelog  2016-09-29 18:19:09.0 +0200
+++ c-ares-1.12.0/debian/changelog  2017-06-26 22:00:03.0 +0200
@@ -1,3 +1,9 @@
+c-ares (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * Add patch for CVE-2017-1000381 (Closes: #865360)
+
+ -- Gregor Jasny   Mon, 26 Jun 2017 22:00:03 +0200
+
 c-ares (1.12.0-1) unstable; urgency=high
 
   [ Daniel Stenberg ]
diff -Nru c-ares-1.12.0/debian/gbp.conf c-ares-1.12.0/debian/gbp.conf
--- c-ares-1.12.0/debian/gbp.conf   2016-02-12 22:09:13.0 +0100
+++ c-ares-1.12.0/debian/gbp.conf   2017-06-26 22:00:03.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = stretch
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff -Nru c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 
c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff
--- c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff  1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff  2017-06-26 
22:00:03.0 +0200
@@ -0,0 +1,30 @@
+Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116
+From: David Drysdale 
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data
+Bug-Debian: http://bugs.debian.org/865360
+
+Check that there is enough data for the required elements
+of an NAPTR record (2 int16, 3 bytes for string lengths)
+before processing a record.
+
+--- a/ares_parse_naptr_reply.c
 b/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@
+   status = ARES_EBADRESP;
+   break;
+ }
++  /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++  if (rr_len < 7)
++{
++  status = ARES_EBADRESP;
++  break;
++}
+ 
+   /* Check if we are really looking at a NAPTR record */
+   if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@
+ 
+   return ARES_SUCCESS;
+ }
+-
diff -Nru c-ares-1.12.0/debian/patches/series 
c-ares-1.12.0/debian/patches/series
--- c-ares-1.12.0/debian/patches/series 2016-02-12 22:09:13.0 +0100
+++ c-ares-1.12.0/debian/patches/series 2017-06-26 22:00:03.0 +0200
@@ -1 +1,2 @@
 disable-cflags-rewrite.diff
+CVE-2017-1000381.diff

Bug#862456: jessie-pu: package cfitsio/3.370-2+deb8u1

[Aurelien Jarno]

On 2017-06-28 00:00, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Hi Aurélien,
> 
> Aurelien Jarno  (2017-05-12):
> > I would like to fix the cfitsio package in stable wrt bug#800819. The
> > wrong use of memcpy on overlapping area causes some tests in depending
> > packages to fail. More importantly this bug is likely to cause issues
> > on other architectures. The patch, which simply replaces memcpy by
> > memmove is included upstream for quite some time now, as well as in
> > stretch.
> > 
> > You will find below the full debdiff of the proposed changes. Thanks
> > for considering.
> 
> Looks good to me, feel free to upload; thanks.

Thanks for the review, I have just uploaded it.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net


signature.asc
Description: PGP signature

Bug#846271: marked as done (transition: ntfs-3g)

[Debian Bug Tracking System]

Your message dated Wed, 28 Jun 2017 21:03:56 +0100
with message-id <20170628200356.itullslmxpuok...@powdarrmonkey.net>
and subject line Re: Bug#846271: transition: ntfs-3g
has caused the Debian Bug report #846271,
regarding transition: ntfs-3g
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
846271: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

Mini transition of ntfs-3g which changed the library name from
libntfs-3g871 to libntfs-3g872 . These are co-installable and the
new version is in experimental, built on all release architectures.
The affected packages are[1]:
partclone
testdisk
wimlib

All build fine with the new ntfs-3g release as well. Hope this can be
done before the Stretch release.

Kind regards,
Laszlo/GCS
[1] https://release.debian.org/transitions/html/auto-ntfs-3g.html
--- End Message ---
--- Begin Message ---
On Tue, Nov 29, 2016 at 07:38:52PM +0100, Laszlo Boszormenyi (GCS) wrote:
> Mini transition of ntfs-3g which changed the library name from
> libntfs-3g871 to libntfs-3g872 . These are co-installable and the
> new version is in experimental, built on all release architectures.

This has completed.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51--- End Message ---

Processed: tagging 865547

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 865547 + pending
Bug #865547 [release.debian.org] transition: libraw
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
865547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: tagging 846613

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 846613 + pending
Bug #846613 [release.debian.org] transition: gflags
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
846613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846613
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863049: jessie-pu: package shutter/0.92-0.1+deb8u2

[gregor herrmann]

On Wed, 28 Jun 2017 01:27:42 +0200, Cyril Brulebois wrote:

> gregor herrmann  (2017-05-20):
> > I've prepared an upload of shutter for stable. The new version
> > includes two patches:
> > - one fixing CVE-2016-10081 / #849777
> > - another one which dod uploaded together with this one as 0.93.1-1.3
> >   in January which is also security relevant (replaces
> >   system("string") with system(@array)).
> That's a long patch… Comments below (see last hunk, mainly).

Thanks for taking the time to go through the patch in detail!
 
> > + sub nautilus_sendto {
> > +   my ( $self, $user_data ) = @_;
> > +-  system("nautilus-sendto $user_data &");
> > ++  system('nautilus-sendto', $user_data);
> > +   if($?){
> > +   my $response = $self->{_dialogs}->dlg_error_message( 
> > +   sprintf( $self->{_d}->get("Error while executing %s."), 
> > "'nautilus-sendto'"),
> 
> Was the '&' really meant to go away?

I suppose yes, in order to make sure that the script waits for nautilus-sendto
to return, as the return value is checked in the next line.

And/or because it simply doesn't work, as adding a '&' would be
interpreted as an argument:


#v+
#!/usr/bin/perl

use strict;
use warnings;

my $args='-ls';

print "string\n";
system( "ls $args &" ) == 0 or die "system(string) failed: $?";
#-

% perl background.pl
string
total 4 
  
4 -rw-rw-r-- 1 gregoa gregoa 234 Jun 28 20:10 background.pl


vs.


#v+
#!/usr/bin/perl

use strict;
use warnings;

my $args='-ls';

print "list\n";
system( 'ls', '-la', '&' ) == 0 or die "system(list) failed: $?";
#v-

% perl background.pl
list
ls: cannot access '&': No such file or directory
system(list) failed: 512 at background.pl line 9.


So yes, this seems intended :)


Nevertheless looping in dod as the author of this patch.


Cheers,
gregor


-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Ben Weaver: Voice In The Wilderness


signature.asc
Description: Digital Signature

Bug#862961: jessie-pu: package libembperl-perl/2.5.0-4+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 00:51:33 +0200, Cyril Brulebois wrote:

> > I've prepared an update for libembperl-perl in jessie to fix #810655
> > there as well. The changes are just the targetted fix taken from -5
> > without changes. Full debdiff attached.
> 
> > diff --git a/debian/changelog b/debian/changelog
> > index b59bf9e..e296d69 100644
> > --- a/debian/changelog
> > +++ b/debian/changelog
> > @@ -1,3 +1,11 @@
> > +libembperl-perl (2.5.0-4+deb8u1) UNRELEASED; urgency=medium
> > +
> > +  [ Axel Beckert ]
> > +  * Drop hard a2enmod dependency on mod_perl in zembperl.load. mod_perl is
> > +enabled by default anyways if installed. (Closes: #810655)
> > +
> > + -- gregor herrmann   Fri, 19 May 2017 13:09:03 +0200
> > +
> 
> I haven't matched this to code changes at first glance. For the sake of
> clarity: this relates to the Depends → Recommends update, because code
> was added to “apache2_invoke enmode perl” where needed?

Thanks for asking; this made me look at the changes again, and made
me realize that I made a mistake (I took only one of Axel's commits
between 2.5.0-4 and 2.5.0-5 but there were actually three). Sorry for
that.
 
> (The second sentence makes it look like this /was/ the case already,
> while this seems to /become/ the case with this particular upload
> AFAIUI.)

The problem in #810655, as I understand it, is that d/control has
libapache2-mod-perl2 in Recommends (which is correct as embperl
doesn't require it) but that embperl's
/etc/apache2/mods-available/zembperl.load unconditionally tried to
load mod_perl.
 

Axel has in a later commit removed the changes in libembperl-perl.postinst
again, after verifying that embperl installs without mod_perl, with
mod_perl installed and activated and with mod_perl installed but
disabled.


So the only remaining code change is actually:

#v+
--- a/debian/zembperl.load.in
+++ b/debian/zembperl.load.in
@@ -1,6 +1,6 @@
 # The sucky "zembperl" name is so we load after perl

-# Depends: perl
+# Recommends: perl

 
   LoadModule embperl_module @ARCHLIB@/auto/Embperl/Embperl.so
#v-


I've now tentatively changed d/changelog to say

#v+
  * Change hard dependency on mod_perl in zembperl.load to Recommends.
mod_perl is not required, and is enabled by default anyway if it is
installed.
This change matches the package dependencies and fixes an installation
failure when libapache2-mod-perl2 is not installed.
(Closes: #810655)
#v-


Does this make sense?


I'm attaching the full new debdiff, and I'm looping in Axel for a
sanity check.


Cheers,
gregor


-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Tom Waits: Sins Of My Father
diff --git a/debian/changelog b/debian/changelog
index b59bf9e..b2e9d48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+libembperl-perl (2.5.0-4+deb8u1) UNRELEASED; urgency=medium
+
+  [ Axel Beckert ]
+  * Change hard dependency on mod_perl in zembperl.load to Recommends.
+mod_perl is not required, and is enabled by default anyway if it is
+installed.
+This change matches the package dependencies and fixes an installation
+failure when libapache2-mod-perl2 is not installed.
+(Closes: #810655)
+
+ -- gregor herrmann   Fri, 19 May 2017 13:09:03 +0200
+
 libembperl-perl (2.5.0-4) unstable; urgency=low
 
   [ Salvatore Bonaccorso ]
diff --git a/debian/zembperl.load.in b/debian/zembperl.load.in
index ce9542b..91bb120 100644
--- a/debian/zembperl.load.in
+++ b/debian/zembperl.load.in
@@ -1,6 +1,6 @@
 # The sucky "zembperl" name is so we load after perl
 
-# Depends: perl
+# Recommends: perl
 
 
   LoadModule embperl_module @ARCHLIB@/auto/Embperl/Embperl.so


signature.asc
Description: Digital Signature

Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1

[Guido Günther]

Hi Cyril,
On Tue, Jun 27, 2017 at 09:24:03PM +0200, Cyril Brulebois wrote:
> Hi Guido,
> 
> Guido Günther  (2017-06-27):
> > One thing that just crossed my mind: should we delay this update for
> > Jessie past the first stretch point release. I would then change the
> > patch to use an URL for stretch from
> > 
> > http://cdimage.debian.org/mirror/cdimage/archive/9.0.0
> > 
> > instead of
> > 
> > http://cdimage.debian.org/mirror/cdimage/release/
> > 
> > so we have a stable URL that doesn't break with every stretch point
> > release asking for further updates? Sorry for not thinking about this
> > earlier.
> 
> It's likely we'll release 8.9 & 9.1 during the same week-end. So maybe
> you could include this change right away? It would only be an annoyance
> for people fetching the updated package “in advance” from the
> jessie-proposed-updates suite? But then, we don't have stretch support
> at all right now, so that's not even a regression.

Great. See new debdiff attached. I've also attached the diff with
patches applied for the relevant part of the debian.xml.in
(url-change.diff). For the sake of completeness: I've also changed
debian/gbp.conf to point to debian/jessie so gbp picks up the right
chroot withou further typing.

Tested on Jessie:

$ osinfo-detect debian-9.0.0-amd64-netinst.iso 
Media is bootable.
Media is an installer for OS 'Debian Stretch'

O.k. to upload to jessie-p-u?
Cheers,
 -- Guido

> 
> > Regarding the tests:
> > 
> > Things are split up in stretch so that tests/ are in libosinfo while the
> > data is in osinfo-db:
> > 
> > 
> > https://gitlab.com/agx1/libosinfo/commit/117029715f90c5c7a2f2a996b21e9fefca6585c8
> > 
> > and I deemed updating libosifo in stretch as well only for the tests
> > overkill (but I ran them there as well).
> 
> (Just to be clear: I was really enjoying seeing tests get added.)
> 
> 
> KiBi.


diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in
index 5924850..73bc327 100644
--- a/data/oses/debian.xml.in
+++ b/data/oses/debian.xml.in
@@ -334,7 +334,7 @@
 
 
 
-  http://cdimage.debian.org/cdimage/release/current/i386/iso-cd/debian-9.0.0-i386-netinst.iso
+  http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/i386/iso-cd/debian-9.0.0-i386-netinst.iso
   
 Debian 9.\d.\d i386 (1|n)
   
@@ -342,7 +342,7 @@
   install.386/initrd.gz
 
 
-  http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso
+  http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso
   
 Debian 9.\d.\d amd64 (1|n)
   
diff --git a/debian/changelog b/debian/changelog
index 45f9af0..10d7772 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libosinfo (0.2.11-2) jessie; urgency=medium
+
+  * [4b4388e] Add Debian Jessie and Stretch
+  * [335f18d] Adjust gbp.conf for Debian Jessie
+
+ -- Guido Günther   Wed, 28 Jun 2017 19:06:22 +0200
+
 libosinfo (0.2.11-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4b41283..9103184 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-debian-branch = debian/sid
+debian-branch = debian/jessie
 upstream-tag = v%(version)s
 upstream-branch = upstream/master
diff --git a/debian/patches/Add-Debian-Jessie-and-Stretch.patch b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
new file mode 100644
index 000..fd7e856
--- /dev/null
+++ b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
@@ -0,0 +1,242 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= 
+Date: Wed, 21 Jun 2017 08:36:07 +0200
+Subject: Add Debian Jessie and Stretch
+
+---
+ data/oses/debian.xml.in| 100 -
+ .../debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt |  29 ++
+ .../debian9/debian-9.0-amd64-netinst.iso.txt   |  29 ++
+ .../debian/debian9/debian-9.0-amd64.iso.txt|  29 ++
+ 4 files changed, 185 insertions(+), 2 deletions(-)
+ create mode 100644 test/isodata/debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64-netinst.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64.iso.txt
+
+diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in
+index 61d4d52..73bc327 100644
+--- a/data/oses/debian.xml.in
 b/data/oses/debian.xml.in
+@@ -238,7 +238,7 @@
+ 
+ 
+ 
+-  http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/debian-7.3.0-i386-DVD-1.iso
++  http://cdimage.debian.org/mirror/cdimage/archive/7.11.0/i386/iso-dvd/debian-7.11.0-i386-DVD-1.iso
+   
+ Debian 7.\d.\d i386 1
+   
+@@ -246,7 +246,7 @@
+   install.386/initrd.gz
+ 
+ 
+-  http://cdimage.debian.org/debian-cd/7.3.0/amd64/iso-dvd/debian-7.3.0-amd64-DVD-1.iso
++  

Bug#862997: jessie-pu: package libx11-protocol-other-perl/28-1+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 01:13:37 +0200, Cyril Brulebois wrote:

> gregor herrmann  (2017-05-19):
> > I've prepared an update for libx11-protocol-other-perl in jessie to
> > fix #848060. The only change is to disable a brittle test via
> > debian/rules in order to avoid test/build failures.
> This looks good to me, feel free to upload (targetting jessie); thanks.

Thanks, uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Didier Squiban: Marche des conscrits du Faoutet


signature.asc
Description: Digital Signature

Bug#862986: jessie-pu: package libdata-faker-perl/0.10-1+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 01:07:24 +0200, Cyril Brulebois wrote:

> gregor herrmann  (2017-05-19):
> > I've prepared an update for libdata-faker-perl which makes sure that
> > tests are run under the C locale in order to avoid test failures as
> > in #808454.
> This looks good to me, feel free to upload (targetting jessie); thanks.

Thanks! Uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   


signature.asc
Description: Digital Signature

Bug#862983: jessie-pu: package libsys-syscall-perl/0.25-2+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 01:05:23 +0200, Cyril Brulebois wrote:

> gregor herrmann  (2017-05-19):
> > I've prepared an update for libsys-syscall-perl that adds support for
> > more architectures where the package is silently broken in stable
> > right now. The patches are taken unchanged from testing/sid.
> > Fixed bugs: #824843, #824936, #826136
> This looks good to me, feel free to upload (targetting jessie).

Thank you; uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Eagles


signature.asc
Description: Digital Signature

Bug#862976: jessie-pu: package libhttp-proxy-perl/0.301-1+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 00:59:29 +0200, Cyril Brulebois wrote:

> gregor herrmann  (2017-05-19):
> > I've prepared an update for libhttp-proxy-perl in jessie to fix
> > #788350. The update adds a patch from the recent upstream release
> > (which is in testing/unstable, and we've also used the patch before
> > it was released). Full debdiff attached.
> This looks good to me, feel free to upload (targetting jessie).

Thank you; uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Bruce Springsteen: Secret Garden


signature.asc
Description: Digital Signature

Bug#862964: jessie-pu: package libhtml-microformats-perl/0.105-2+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 00:56:22 +0200, Cyril Brulebois wrote:

> > I've prepared an update of libhtml-microformats-perl in stable to fix
> > #783656. The only change is the addition of the missing dependency.
> This looks good to me, feel free to upload (targetting jessie).

Thank you; uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Van Morrison


signature.asc
Description: Digital Signature

Bug#862960: jessie-pu: package libcgi-application-plugin-anytemplate-perl/0.18-1+deb8u1

[gregor herrmann]

On Wed, 28 Jun 2017 00:46:01 +0200, Cyril Brulebois wrote:

> > I've prepared an update for libcgi-application-plugin-anytemplate-perl
> > in stable to fix #788008. Complete debdiff attached.
> This looks good to me, but please remember to target jessie.
> Feel free to upload, thanks.

Thank you! Uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Beatles


signature.asc
Description: Digital Signature

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: squashfs-tools_4.3-3+deb9u1_arm64.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_armel.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_i386.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_mips.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_ppc64el.changes
  ACCEPT

Bug#865102: jessie-pu: package libdvdnav/5.0.1-1+deb8u1

[Mike Gabriel]

Hi,

On  Di 27 Jun 2017 06:18:05 CEST, Cyril Brulebois wrote:


Control: tag -1 confirmed

Mike Gabriel  (2017-06-19):

Attached is a .debdiff that fixes various crashes when playing DVDs in VLC.
The DVD mostly starts playing for some time, but crashes some 5-10 minutes
after the DVD has been started playing. With the attached change, no crashes
are observed anymore.

The issue is resolved in stretch, but still open in jessie. Please consider
accepting this change via jessie-pu. Thanks.


Looks good to me, feel free to upload; thanks.


There is an update for one uploader in the .debdiff. This one is of
course optional, but preferred.


OK.


KiBi.


the package has just been uploaded (by mfv@d.o).

Thanks!
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net



pgpBh6tOgHupt.pgp
Description: Digitale PGP-Signatur

Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2

[Yves-Alexis Perez]

On Wed, 2017-06-28 at 15:13 +0200, Emilio Pozuelo Monfort wrote:
> On 28/06/17 12:38, Yves-Alexis Perez wrote:
> > On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote:
> > > This looks good to me (also tested locally without then with the patch
> > > series). Feel free to upload, targetting jessie; thanks.
> > 
> > Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable-
> > proposed-updates'?
> 
> jessie. Can you file a bug against devscripts so codenames are recognized?

Done (#866223)
-- 
Yves-Alexis

signature.asc
Description: This is a digitally signed message part

Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1

[Cyril Brulebois]

Hi,

Samuel Thibault  (2017-06-28):
> Cyril Brulebois, on mer. 28 juin 2017 04:11:05 +0200, wrote:
> > Wait a minute, this adds a symlink and a dependency, but doesn't
> > remove anything; this doesn't look like a duplication fix?
> 
> ln -sf replaces the existing file with the symlink.

Sure, I know what ln -sf does. But the said file was never shipped in
the first place:

kibi@armor:/tmp/binary-libwnckmm-1.0-0-dev$ dpkg --contents 
libwnckmm-1.0-0-dev_0.1.1-1_amd64.deb | grep jquery.js
kibi@armor:/tmp/binary-libwnckmm-1.0-0-dev$ 

Indeed, after a build in a jessie chroot, there are plenty of references
to jquery.js in HTML files, but there's no jquery.js in the build tree.


KiBi.


signature.asc
Description: Digital signature

Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2

[Emilio Pozuelo Monfort]

On 28/06/17 12:38, Yves-Alexis Perez wrote:
> On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote:
>> This looks good to me (also tested locally without then with the patch
>> series). Feel free to upload, targetting jessie; thanks.
> 
> Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable-
> proposed-updates'?

jessie. Can you file a bug against devscripts so codenames are recognized?

Thanks,
Emilio

Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2

[Yves-Alexis Perez]

On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote:
> This looks good to me (also tested locally without then with the patch
> series). Feel free to upload, targetting jessie; thanks.

Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable-
proposed-updates'?

Regards,
-- 
Yves-Alexis

signature.asc
Description: This is a digitally signed message part

Bug#865997: [Pkg-pascal-devel] Bug#865997: [release.debian.org] stretch-pu: Fix Local time / UTC conversion in Free Pascal Run Time Library

[Abou Al Montacir]

Hi Jonathan and Adam,

On Mon, 2017-06-26 at 14:04 +0100, Jonathan Wiltshire wrote:...

> The patch alone is not enough to decide this; please prepare a source 
> debdiff (i.e. between the .dsc files) of your proposed upload relative 
> to stretch. The upload target should be 'stretch', not 'stable'.
Please find attached the debdiff.
-- 
Cheers,
Abou Al Montacirdiff -Nru fpc-3.0.0+dfsg/debian/changelog fpc-3.0.0+dfsg/debian/changelog
--- fpc-3.0.0+dfsg/debian/changelog	2017-02-08 10:53:35.0 +0100
+++ fpc-3.0.0+dfsg/debian/changelog	2017-06-10 19:13:48.0 +0200
@@ -1,3 +1,10 @@
+fpc (3.0.0+dfsg-11+deb9u1) stretch; urgency=medium
+
+  * Fix "[fp-units-rtl-3.0.0] Incorrect conversion from local time to
+UTC". Backported fix from 3.0.2 (Closes: #864148)
+
+ -- Abou Al Montacir   Sat, 10 Jun 2017 19:13:48 +0200
+
 fpc (3.0.0+dfsg-11) unstable; urgency=medium
 
   * Team upload
diff -Nru fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch
--- fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch	1970-01-01 01:00:00.0 +0100
+++ fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch	2017-06-10 19:13:48.0 +0200
@@ -0,0 +1,35 @@
+From 731f6175a3870c396a7ddaae774ea8a859b4512b Mon Sep 17 00:00:00 2001
+From: michael 
+Date: Fri, 21 Aug 2015 10:36:30 +
+Subject: [PATCH] * Correct for different meaning of TZOffset
+
+git-svn-id: http://svn.freepascal.org/svn/fpc/trunk@31356 3ad0048d-3df7-0310-abae-a5850022a9f2
+---
+ packages/rtl-objpas/src/inc/dateutil.inc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc b/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc
+index c90c83deff..fc7f87a13e 100644
+--- a/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc
 b/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc
+@@ -2532,7 +2532,7 @@ end;
+ function UniversalTimeToLocal(UT: TDateTime): TDateTime;
+ 
+ begin
+-  Result:=UniversalTimeToLocal(UT,GetLocalTimeOffset);
++  Result:=UniversalTimeToLocal(UT,-GetLocalTimeOffset);
+ end;
+ 
+ function UniversalTimeToLocal(UT: TDateTime; TZOffset : Integer): TDateTime;
+@@ -2549,7 +2549,7 @@ end;
+ Function LocalTimeToUniversal(LT: TDateTime): TDateTime;
+ 
+ begin
+-  Result:=LocalTimeToUniversal(LT,GetLocalTimeOffset);
++  Result:=LocalTimeToUniversal(LT,-GetLocalTimeOffset);
+ end;
+ 
+ Function LocalTimeToUniversal(LT: TDateTime;TZOffset: Integer): TDateTime;
+-- 
+2.11.0
+
diff -Nru fpc-3.0.0+dfsg/debian/patches/series fpc-3.0.0+dfsg/debian/patches/series
--- fpc-3.0.0+dfsg/debian/patches/series	2017-02-06 20:26:00.0 +0100
+++ fpc-3.0.0+dfsg/debian/patches/series	2017-06-10 19:13:48.0 +0200
@@ -39,3 +39,4 @@
 ppdep-fix-else-handling.patch
 fix-spelling-errors_more.patch
 armhf-fix-vstr-vld-offset.patch
+Correct-for-different-meaning-of-TZOffset.patch


signature.asc
Description: This is a digitally signed message part

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: squashfs-tools_4.3-3+deb9u1_armhf.changes
  ACCEPT
Processing changes file: squashfs-tools_4.3-3+deb9u1_s390x.changes
  ACCEPT

Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1

[Samuel Thibault]

Hello,

Cyril Brulebois, on mer. 28 juin 2017 04:11:05 +0200, wrote:
> Samuel Thibault  (2017-05-21):
> > Jessie is still affected by this serious Bug#796530, Adrian Bunk
> > requested it to be fixed there. In the attached changes that I have
> > uploaded to tpu, I have also fixed the duplication of jquery.js, also
> > a serious issue.
> 
> Wait a minute, this adds a symlink and a dependency, but doesn't remove
> anything; this doesn't look like a duplication fix?

ln -sf replaces the existing file with the symlink.

Samuel