Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb8u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi stable managers, Please, allow this patched version of phpunit, built and tested in a Stretch environment, fixing an arbitrary PHP code execution via HTTP POST [CVE-2017-9841], aka #866200. As discussed with the security team, PHPUnit should not be available on a production server, even less publicly accessible (so we’d prefer to pass on a proper DSA), yet, we’d prefer not to let such a big flaw available, so please, accept it in the next stable update. Regards David diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog --- phpunit-5.4.6/debian/changelog 2016-06-18 12:34:11.0 -1000 +++ phpunit-5.4.6/debian/changelog 2017-06-28 17:03:35.0 -1000 @@ -1,3 +1,18 @@ +phpunit (5.4.6-2~deb8u1) stretch; urgency=high + + * Team upload + * Upload previous fix to Stretch + + -- David PrévotWed, 28 Jun 2017 17:03:35 -1000 + +phpunit (5.4.6-2) unstable; urgency=high + + * Team upload + * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841] +(Closes: #866200) + + -- David Prévot Wed, 28 Jun 2017 16:43:26 -1000 + phpunit (5.4.6-1) unstable; urgency=medium * Team upload diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch --- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 1969-12-31 14:00:00.0 -1000 +++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 2017-06-28 16:41:16.0 -1000 @@ -0,0 +1,34 @@ +From: Bob Weinand +Date: Sun, 13 Nov 2016 18:52:50 +0100 +Subject: Correct fix for #1956 + +Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 +Bug: https://github.com/sebastianbergmann/phpunit/pull/2356 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200 +--- + src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +- + src/Util/PHP/eval-stdin.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +index 47ef6e4..c7172b9 100644 +--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test() + $output = $test->getActualOutput(); + } + +-rewind(STDOUT); ++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */ + if ($stdout = stream_get_contents(STDOUT)) { + $output = $stdout . $output; + } +diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +index fe1b8bd..3b3a6d0 100644 +--- a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +@@ -1,3 +1,3 @@ + ' . file_get_contents('php://input')); ++eval('?>' . file_get_contents('php://stdin')); diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series --- phpunit-5.4.6/debian/patches/series 2016-06-18 12:15:55.0 -1000 +++ phpunit-5.4.6/debian/patches/series 2017-06-28 16:41:16.0 -1000 @@ -1 +1,2 @@ 0001-Remove-Composer-autoload.patch +0002-Correct-fix-for-1956.patch signature.asc Description: PGP signature
Bug#866335: transition: python3-defaults
Control: forwarded -1 https://release.debian.org/transitions/html/python3.6.html On 28/06/17 23:46, Scott Kitterman wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > > We would like to add python3.6 as a supported python3 version along with > python3.5. This is not exactly like a normal transition. Only transient > unbuildability of higher level packages is to be expected. > > As usual, we are planning a three step transition from python3.5 to python3.6. > > Adding python3.6 as supported is first. > > Once that is complete, we'll file another request to make python3.6 the > default python3. This step does not need to immediately follow the first. > > After that, we'll drop python3.5 as a supported version (other than needing a > tracker, that step doesn't need any support from the release team and won't > entangle anything as buildability of packages is not implicated). Sure, should be all fine. For the first step, have you done a rebuild? Do or should all rdeps that build modules for all supported python versions works fine with 3.6, or are there some bugs / ftbfs issues? > Ben file: > > title = "python3-defaults"; > is_affected = .depends ~ "python3-all-dev"; You probably meant build-depends, but I prefer to use depends as otherwise there usually are too many unknowns. Hopefully the tracker (similar to the python3.5 one) is fine. Emilio > is_good = .depends ~ "python3 (<< 3.7)"; > is_bad = .depends ~ "python3 (<< 3.6)"; > > Scott K > >
Processed: Re: Bug#866335: transition: python3-defaults
Processing control commands: > forwarded -1 https://release.debian.org/transitions/html/python3.6.html Bug #866335 [release.debian.org] transition: python3-defaults Set Bug forwarded-to-address to 'https://release.debian.org/transitions/html/python3.6.html'. -- 866335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866335 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#866335: Acknowledgement (transition: python3-defaults)
Sorry, Affected should be build-depends, not depends. Scott K
Bug#866335: transition: python3-defaults
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition We would like to add python3.6 as a supported python3 version along with python3.5. This is not exactly like a normal transition. Only transient unbuildability of higher level packages is to be expected. As usual, we are planning a three step transition from python3.5 to python3.6. Adding python3.6 as supported is first. Once that is complete, we'll file another request to make python3.6 the default python3. This step does not need to immediately follow the first. After that, we'll drop python3.5 as a supported version (other than needing a tracker, that step doesn't need any support from the release team and won't entangle anything as buildability of packages is not implicated). Ben file: title = "python3-defaults"; is_affected = .depends ~ "python3-all-dev"; is_good = .depends ~ "python3 (<< 3.7)"; is_bad = .depends ~ "python3 (<< 3.6)"; Scott K
Bug#866333: jessie-pu: package c-ares/1.10.0-2+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, recently a buffer overlow in c-ares has been fixed and the Security Team asked me to prepare an upload to jessie (see #865360). Attached you'll find the debdiff. Thanks, Gregor -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru c-ares-1.10.0/debian/changelog c-ares-1.10.0/debian/changelog --- c-ares-1.10.0/debian/changelog 2016-09-29 20:30:48.0 +0200 +++ c-ares-1.10.0/debian/changelog 2017-06-26 22:03:42.0 +0200 @@ -1,3 +1,9 @@ +c-ares (1.10.0-2+deb8u2) jessie; urgency=medium + + * Add patch for CVE-2017-1000381 (Closes: #865360) + + -- Gregor JasnyMon, 26 Jun 2017 22:03:42 +0200 + c-ares (1.10.0-2+deb8u1) jessie-security; urgency=high * Apply patch for CVE-2016-5180 (Closes: #839151) diff -Nru c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff --- c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff 1970-01-01 01:00:00.0 +0100 +++ c-ares-1.10.0/debian/patches/CVE-2017-1000381.diff 2017-06-26 22:03:42.0 +0200 @@ -0,0 +1,30 @@ +Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116 +From: David Drysdale +Date: Mon, 22 May 2017 10:54:10 +0100 +Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data +Bug-Debian: http://bugs.debian.org/865360 + +Check that there is enough data for the required elements +of an NAPTR record (2 int16, 3 bytes for string lengths) +before processing a record. + +--- a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c +@@ -110,6 +110,12 @@ + status = ARES_EBADRESP; + break; + } ++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */ ++ if (rr_len < 7) ++{ ++ status = ARES_EBADRESP; ++ break; ++} + + /* Check if we are really looking at a NAPTR record */ + if (rr_class == C_IN && rr_type == T_NAPTR) +@@ -185,4 +191,3 @@ + + return ARES_SUCCESS; + } +- diff -Nru c-ares-1.10.0/debian/patches/series c-ares-1.10.0/debian/patches/series --- c-ares-1.10.0/debian/patches/series 2016-09-29 20:28:42.0 +0200 +++ c-ares-1.10.0/debian/patches/series 2017-06-26 22:03:42.0 +0200 @@ -1,2 +1,3 @@ disable-cflags-rewrite.diff CVE-2016-5180.diff +CVE-2017-1000381.diff
Bug#866332: stretch-pu: package c-ares/1.12.0-1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, recently a buffer overlow in c-ares has been fixed and the Security Team asked me to prepare an upload to stretch (see #865360). Attached you'll find the debdiff. Thanks, Gregor -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru c-ares-1.12.0/debian/changelog c-ares-1.12.0/debian/changelog --- c-ares-1.12.0/debian/changelog 2016-09-29 18:19:09.0 +0200 +++ c-ares-1.12.0/debian/changelog 2017-06-26 22:00:03.0 +0200 @@ -1,3 +1,9 @@ +c-ares (1.12.0-1+deb9u1) stretch; urgency=medium + + * Add patch for CVE-2017-1000381 (Closes: #865360) + + -- Gregor JasnyMon, 26 Jun 2017 22:00:03 +0200 + c-ares (1.12.0-1) unstable; urgency=high [ Daniel Stenberg ] diff -Nru c-ares-1.12.0/debian/gbp.conf c-ares-1.12.0/debian/gbp.conf --- c-ares-1.12.0/debian/gbp.conf 2016-02-12 22:09:13.0 +0100 +++ c-ares-1.12.0/debian/gbp.conf 2017-06-26 22:00:03.0 +0200 @@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = upstream -debian-branch = master +debian-branch = stretch upstream-tag = upstream/%(version)s debian-tag = debian/%(version)s pristine-tar = True diff -Nru c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff --- c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 1970-01-01 01:00:00.0 +0100 +++ c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 2017-06-26 22:00:03.0 +0200 @@ -0,0 +1,30 @@ +Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116 +From: David Drysdale +Date: Mon, 22 May 2017 10:54:10 +0100 +Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data +Bug-Debian: http://bugs.debian.org/865360 + +Check that there is enough data for the required elements +of an NAPTR record (2 int16, 3 bytes for string lengths) +before processing a record. + +--- a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c +@@ -110,6 +110,12 @@ + status = ARES_EBADRESP; + break; + } ++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */ ++ if (rr_len < 7) ++{ ++ status = ARES_EBADRESP; ++ break; ++} + + /* Check if we are really looking at a NAPTR record */ + if (rr_class == C_IN && rr_type == T_NAPTR) +@@ -185,4 +191,3 @@ + + return ARES_SUCCESS; + } +- diff -Nru c-ares-1.12.0/debian/patches/series c-ares-1.12.0/debian/patches/series --- c-ares-1.12.0/debian/patches/series 2016-02-12 22:09:13.0 +0100 +++ c-ares-1.12.0/debian/patches/series 2017-06-26 22:00:03.0 +0200 @@ -1 +1,2 @@ disable-cflags-rewrite.diff +CVE-2017-1000381.diff
Bug#862456: jessie-pu: package cfitsio/3.370-2+deb8u1
On 2017-06-28 00:00, Cyril Brulebois wrote: > Control: tag -1 confirmed > > Hi Aurélien, > > Aurelien Jarno(2017-05-12): > > I would like to fix the cfitsio package in stable wrt bug#800819. The > > wrong use of memcpy on overlapping area causes some tests in depending > > packages to fail. More importantly this bug is likely to cause issues > > on other architectures. The patch, which simply replaces memcpy by > > memmove is included upstream for quite some time now, as well as in > > stretch. > > > > You will find below the full debdiff of the proposed changes. Thanks > > for considering. > > Looks good to me, feel free to upload; thanks. Thanks for the review, I have just uploaded it. Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net signature.asc Description: PGP signature
Bug#846271: marked as done (transition: ntfs-3g)
Your message dated Wed, 28 Jun 2017 21:03:56 +0100 with message-id <20170628200356.itullslmxpuok...@powdarrmonkey.net> and subject line Re: Bug#846271: transition: ntfs-3g has caused the Debian Bug report #846271, regarding transition: ntfs-3g to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 846271: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846271 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear Release Team, Mini transition of ntfs-3g which changed the library name from libntfs-3g871 to libntfs-3g872 . These are co-installable and the new version is in experimental, built on all release architectures. The affected packages are[1]: partclone testdisk wimlib All build fine with the new ntfs-3g release as well. Hope this can be done before the Stretch release. Kind regards, Laszlo/GCS [1] https://release.debian.org/transitions/html/auto-ntfs-3g.html --- End Message --- --- Begin Message --- On Tue, Nov 29, 2016 at 07:38:52PM +0100, Laszlo Boszormenyi (GCS) wrote: > Mini transition of ntfs-3g which changed the library name from > libntfs-3g871 to libntfs-3g872 . These are co-installable and the > new version is in experimental, built on all release architectures. This has completed. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51--- End Message ---
Processed: tagging 865547
Processing commands for cont...@bugs.debian.org: > tags 865547 + pending Bug #865547 [release.debian.org] transition: libraw Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 865547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865547 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 846613
Processing commands for cont...@bugs.debian.org: > tags 846613 + pending Bug #846613 [release.debian.org] transition: gflags Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 846613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846613 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#863049: jessie-pu: package shutter/0.92-0.1+deb8u2
On Wed, 28 Jun 2017 01:27:42 +0200, Cyril Brulebois wrote: > gregor herrmann(2017-05-20): > > I've prepared an upload of shutter for stable. The new version > > includes two patches: > > - one fixing CVE-2016-10081 / #849777 > > - another one which dod uploaded together with this one as 0.93.1-1.3 > > in January which is also security relevant (replaces > > system("string") with system(@array)). > That's a long patch… Comments below (see last hunk, mainly). Thanks for taking the time to go through the patch in detail! > > + sub nautilus_sendto { > > + my ( $self, $user_data ) = @_; > > +- system("nautilus-sendto $user_data &"); > > ++ system('nautilus-sendto', $user_data); > > + if($?){ > > + my $response = $self->{_dialogs}->dlg_error_message( > > + sprintf( $self->{_d}->get("Error while executing %s."), > > "'nautilus-sendto'"), > > Was the '&' really meant to go away? I suppose yes, in order to make sure that the script waits for nautilus-sendto to return, as the return value is checked in the next line. And/or because it simply doesn't work, as adding a '&' would be interpreted as an argument: #v+ #!/usr/bin/perl use strict; use warnings; my $args='-ls'; print "string\n"; system( "ls $args &" ) == 0 or die "system(string) failed: $?"; #- % perl background.pl string total 4 4 -rw-rw-r-- 1 gregoa gregoa 234 Jun 28 20:10 background.pl vs. #v+ #!/usr/bin/perl use strict; use warnings; my $args='-ls'; print "list\n"; system( 'ls', '-la', '&' ) == 0 or die "system(list) failed: $?"; #v- % perl background.pl list ls: cannot access '&': No such file or directory system(list) failed: 512 at background.pl line 9. So yes, this seems intended :) Nevertheless looping in dod as the author of this patch. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Ben Weaver: Voice In The Wilderness signature.asc Description: Digital Signature
Bug#862961: jessie-pu: package libembperl-perl/2.5.0-4+deb8u1
On Wed, 28 Jun 2017 00:51:33 +0200, Cyril Brulebois wrote: > > I've prepared an update for libembperl-perl in jessie to fix #810655 > > there as well. The changes are just the targetted fix taken from -5 > > without changes. Full debdiff attached. > > > diff --git a/debian/changelog b/debian/changelog > > index b59bf9e..e296d69 100644 > > --- a/debian/changelog > > +++ b/debian/changelog > > @@ -1,3 +1,11 @@ > > +libembperl-perl (2.5.0-4+deb8u1) UNRELEASED; urgency=medium > > + > > + [ Axel Beckert ] > > + * Drop hard a2enmod dependency on mod_perl in zembperl.load. mod_perl is > > +enabled by default anyways if installed. (Closes: #810655) > > + > > + -- gregor herrmannFri, 19 May 2017 13:09:03 +0200 > > + > > I haven't matched this to code changes at first glance. For the sake of > clarity: this relates to the Depends → Recommends update, because code > was added to “apache2_invoke enmode perl” where needed? Thanks for asking; this made me look at the changes again, and made me realize that I made a mistake (I took only one of Axel's commits between 2.5.0-4 and 2.5.0-5 but there were actually three). Sorry for that. > (The second sentence makes it look like this /was/ the case already, > while this seems to /become/ the case with this particular upload > AFAIUI.) The problem in #810655, as I understand it, is that d/control has libapache2-mod-perl2 in Recommends (which is correct as embperl doesn't require it) but that embperl's /etc/apache2/mods-available/zembperl.load unconditionally tried to load mod_perl. Axel has in a later commit removed the changes in libembperl-perl.postinst again, after verifying that embperl installs without mod_perl, with mod_perl installed and activated and with mod_perl installed but disabled. So the only remaining code change is actually: #v+ --- a/debian/zembperl.load.in +++ b/debian/zembperl.load.in @@ -1,6 +1,6 @@ # The sucky "zembperl" name is so we load after perl -# Depends: perl +# Recommends: perl LoadModule embperl_module @ARCHLIB@/auto/Embperl/Embperl.so #v- I've now tentatively changed d/changelog to say #v+ * Change hard dependency on mod_perl in zembperl.load to Recommends. mod_perl is not required, and is enabled by default anyway if it is installed. This change matches the package dependencies and fixes an installation failure when libapache2-mod-perl2 is not installed. (Closes: #810655) #v- Does this make sense? I'm attaching the full new debdiff, and I'm looping in Axel for a sanity check. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Tom Waits: Sins Of My Father diff --git a/debian/changelog b/debian/changelog index b59bf9e..b2e9d48 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +libembperl-perl (2.5.0-4+deb8u1) UNRELEASED; urgency=medium + + [ Axel Beckert ] + * Change hard dependency on mod_perl in zembperl.load to Recommends. +mod_perl is not required, and is enabled by default anyway if it is +installed. +This change matches the package dependencies and fixes an installation +failure when libapache2-mod-perl2 is not installed. +(Closes: #810655) + + -- gregor herrmann Fri, 19 May 2017 13:09:03 +0200 + libembperl-perl (2.5.0-4) unstable; urgency=low [ Salvatore Bonaccorso ] diff --git a/debian/zembperl.load.in b/debian/zembperl.load.in index ce9542b..91bb120 100644 --- a/debian/zembperl.load.in +++ b/debian/zembperl.load.in @@ -1,6 +1,6 @@ # The sucky "zembperl" name is so we load after perl -# Depends: perl +# Recommends: perl LoadModule embperl_module @ARCHLIB@/auto/Embperl/Embperl.so signature.asc Description: Digital Signature
Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1
Hi Cyril, On Tue, Jun 27, 2017 at 09:24:03PM +0200, Cyril Brulebois wrote: > Hi Guido, > > Guido Günther(2017-06-27): > > One thing that just crossed my mind: should we delay this update for > > Jessie past the first stretch point release. I would then change the > > patch to use an URL for stretch from > > > > http://cdimage.debian.org/mirror/cdimage/archive/9.0.0 > > > > instead of > > > > http://cdimage.debian.org/mirror/cdimage/release/ > > > > so we have a stable URL that doesn't break with every stretch point > > release asking for further updates? Sorry for not thinking about this > > earlier. > > It's likely we'll release 8.9 & 9.1 during the same week-end. So maybe > you could include this change right away? It would only be an annoyance > for people fetching the updated package “in advance” from the > jessie-proposed-updates suite? But then, we don't have stretch support > at all right now, so that's not even a regression. Great. See new debdiff attached. I've also attached the diff with patches applied for the relevant part of the debian.xml.in (url-change.diff). For the sake of completeness: I've also changed debian/gbp.conf to point to debian/jessie so gbp picks up the right chroot withou further typing. Tested on Jessie: $ osinfo-detect debian-9.0.0-amd64-netinst.iso Media is bootable. Media is an installer for OS 'Debian Stretch' O.k. to upload to jessie-p-u? Cheers, -- Guido > > > Regarding the tests: > > > > Things are split up in stretch so that tests/ are in libosinfo while the > > data is in osinfo-db: > > > > > > https://gitlab.com/agx1/libosinfo/commit/117029715f90c5c7a2f2a996b21e9fefca6585c8 > > > > and I deemed updating libosifo in stretch as well only for the tests > > overkill (but I ran them there as well). > > (Just to be clear: I was really enjoying seeing tests get added.) > > > KiBi. diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in index 5924850..73bc327 100644 --- a/data/oses/debian.xml.in +++ b/data/oses/debian.xml.in @@ -334,7 +334,7 @@ - http://cdimage.debian.org/cdimage/release/current/i386/iso-cd/debian-9.0.0-i386-netinst.iso + http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/i386/iso-cd/debian-9.0.0-i386-netinst.iso Debian 9.\d.\d i386 (1|n) @@ -342,7 +342,7 @@ install.386/initrd.gz - http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso + http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso Debian 9.\d.\d amd64 (1|n) diff --git a/debian/changelog b/debian/changelog index 45f9af0..10d7772 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libosinfo (0.2.11-2) jessie; urgency=medium + + * [4b4388e] Add Debian Jessie and Stretch + * [335f18d] Adjust gbp.conf for Debian Jessie + + -- Guido Günther Wed, 28 Jun 2017 19:06:22 +0200 + libosinfo (0.2.11-1.1) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/gbp.conf b/debian/gbp.conf index 4b41283..9103184 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,4 +1,4 @@ [DEFAULT] -debian-branch = debian/sid +debian-branch = debian/jessie upstream-tag = v%(version)s upstream-branch = upstream/master diff --git a/debian/patches/Add-Debian-Jessie-and-Stretch.patch b/debian/patches/Add-Debian-Jessie-and-Stretch.patch new file mode 100644 index 000..fd7e856 --- /dev/null +++ b/debian/patches/Add-Debian-Jessie-and-Stretch.patch @@ -0,0 +1,242 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= +Date: Wed, 21 Jun 2017 08:36:07 +0200 +Subject: Add Debian Jessie and Stretch + +--- + data/oses/debian.xml.in| 100 - + .../debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt | 29 ++ + .../debian9/debian-9.0-amd64-netinst.iso.txt | 29 ++ + .../debian/debian9/debian-9.0-amd64.iso.txt| 29 ++ + 4 files changed, 185 insertions(+), 2 deletions(-) + create mode 100644 test/isodata/debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt + create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64-netinst.iso.txt + create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64.iso.txt + +diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in +index 61d4d52..73bc327 100644 +--- a/data/oses/debian.xml.in b/data/oses/debian.xml.in +@@ -238,7 +238,7 @@ + + + +- http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/debian-7.3.0-i386-DVD-1.iso ++ http://cdimage.debian.org/mirror/cdimage/archive/7.11.0/i386/iso-dvd/debian-7.11.0-i386-DVD-1.iso + + Debian 7.\d.\d i386 1 + +@@ -246,7 +246,7 @@ + install.386/initrd.gz + + +- http://cdimage.debian.org/debian-cd/7.3.0/amd64/iso-dvd/debian-7.3.0-amd64-DVD-1.iso ++
Bug#862997: jessie-pu: package libx11-protocol-other-perl/28-1+deb8u1
On Wed, 28 Jun 2017 01:13:37 +0200, Cyril Brulebois wrote: > gregor herrmann(2017-05-19): > > I've prepared an update for libx11-protocol-other-perl in jessie to > > fix #848060. The only change is to disable a brittle test via > > debian/rules in order to avoid test/build failures. > This looks good to me, feel free to upload (targetting jessie); thanks. Thanks, uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Didier Squiban: Marche des conscrits du Faoutet signature.asc Description: Digital Signature
Bug#862986: jessie-pu: package libdata-faker-perl/0.10-1+deb8u1
On Wed, 28 Jun 2017 01:07:24 +0200, Cyril Brulebois wrote: > gregor herrmann(2017-05-19): > > I've prepared an update for libdata-faker-perl which makes sure that > > tests are run under the C locale in order to avoid test failures as > > in #808454. > This looks good to me, feel free to upload (targetting jessie); thanks. Thanks! Uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- signature.asc Description: Digital Signature
Bug#862983: jessie-pu: package libsys-syscall-perl/0.25-2+deb8u1
On Wed, 28 Jun 2017 01:05:23 +0200, Cyril Brulebois wrote: > gregor herrmann(2017-05-19): > > I've prepared an update for libsys-syscall-perl that adds support for > > more architectures where the package is silently broken in stable > > right now. The patches are taken unchanged from testing/sid. > > Fixed bugs: #824843, #824936, #826136 > This looks good to me, feel free to upload (targetting jessie). Thank you; uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Eagles signature.asc Description: Digital Signature
Bug#862976: jessie-pu: package libhttp-proxy-perl/0.301-1+deb8u1
On Wed, 28 Jun 2017 00:59:29 +0200, Cyril Brulebois wrote: > gregor herrmann(2017-05-19): > > I've prepared an update for libhttp-proxy-perl in jessie to fix > > #788350. The update adds a patch from the recent upstream release > > (which is in testing/unstable, and we've also used the patch before > > it was released). Full debdiff attached. > This looks good to me, feel free to upload (targetting jessie). Thank you; uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Bruce Springsteen: Secret Garden signature.asc Description: Digital Signature
Bug#862964: jessie-pu: package libhtml-microformats-perl/0.105-2+deb8u1
On Wed, 28 Jun 2017 00:56:22 +0200, Cyril Brulebois wrote: > > I've prepared an update of libhtml-microformats-perl in stable to fix > > #783656. The only change is the addition of the missing dependency. > This looks good to me, feel free to upload (targetting jessie). Thank you; uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Van Morrison signature.asc Description: Digital Signature
Bug#862960: jessie-pu: package libcgi-application-plugin-anytemplate-perl/0.18-1+deb8u1
On Wed, 28 Jun 2017 00:46:01 +0200, Cyril Brulebois wrote: > > I've prepared an update for libcgi-application-plugin-anytemplate-perl > > in stable to fix #788008. Complete debdiff attached. > This looks good to me, but please remember to target jessie. > Feel free to upload, thanks. Thank you! Uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Beatles signature.asc Description: Digital Signature
NEW changes in stable-new
Processing changes file: squashfs-tools_4.3-3+deb9u1_arm64.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_armel.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_i386.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_mips.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_mips64el.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_mipsel.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_ppc64el.changes ACCEPT
Bug#865102: jessie-pu: package libdvdnav/5.0.1-1+deb8u1
Hi, On Di 27 Jun 2017 06:18:05 CEST, Cyril Brulebois wrote: Control: tag -1 confirmed Mike Gabriel(2017-06-19): Attached is a .debdiff that fixes various crashes when playing DVDs in VLC. The DVD mostly starts playing for some time, but crashes some 5-10 minutes after the DVD has been started playing. With the attached change, no crashes are observed anymore. The issue is resolved in stretch, but still open in jessie. Please consider accepting this change via jessie-pu. Thanks. Looks good to me, feel free to upload; thanks. There is an update for one uploader in the .debdiff. This one is of course optional, but preferred. OK. KiBi. the package has just been uploaded (by mfv@d.o). Thanks! Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpBh6tOgHupt.pgp Description: Digitale PGP-Signatur
Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2
On Wed, 2017-06-28 at 15:13 +0200, Emilio Pozuelo Monfort wrote: > On 28/06/17 12:38, Yves-Alexis Perez wrote: > > On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote: > > > This looks good to me (also tested locally without then with the patch > > > series). Feel free to upload, targetting jessie; thanks. > > > > Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable- > > proposed-updates'? > > jessie. Can you file a bug against devscripts so codenames are recognized? Done (#866223) -- Yves-Alexis signature.asc Description: This is a digitally signed message part
Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1
Hi, Samuel Thibault(2017-06-28): > Cyril Brulebois, on mer. 28 juin 2017 04:11:05 +0200, wrote: > > Wait a minute, this adds a symlink and a dependency, but doesn't > > remove anything; this doesn't look like a duplication fix? > > ln -sf replaces the existing file with the symlink. Sure, I know what ln -sf does. But the said file was never shipped in the first place: kibi@armor:/tmp/binary-libwnckmm-1.0-0-dev$ dpkg --contents libwnckmm-1.0-0-dev_0.1.1-1_amd64.deb | grep jquery.js kibi@armor:/tmp/binary-libwnckmm-1.0-0-dev$ Indeed, after a build in a jessie chroot, there are plenty of references to jquery.js in HTML files, but there's no jquery.js in the build tree. KiBi. signature.asc Description: Digital signature
Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2
On 28/06/17 12:38, Yves-Alexis Perez wrote: > On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote: >> This looks good to me (also tested locally without then with the patch >> series). Feel free to upload, targetting jessie; thanks. > > Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable- > proposed-updates'? jessie. Can you file a bug against devscripts so codenames are recognized? Thanks, Emilio
Bug#862481: jessie-pu: package xfce4-weather-plugin/0.8.3-2
On Wed, 2017-06-28 at 00:24 +0200, Cyril Brulebois wrote: > This looks good to me (also tested locally without then with the patch > series). Feel free to upload, targetting jessie; thanks. Thanks! Should I target 'jessie' (not recognized by dch -r) or 'oldstable- proposed-updates'? Regards, -- Yves-Alexis signature.asc Description: This is a digitally signed message part
Bug#865997: [Pkg-pascal-devel] Bug#865997: [release.debian.org] stretch-pu: Fix Local time / UTC conversion in Free Pascal Run Time Library
Hi Jonathan and Adam, On Mon, 2017-06-26 at 14:04 +0100, Jonathan Wiltshire wrote:... > The patch alone is not enough to decide this; please prepare a source > debdiff (i.e. between the .dsc files) of your proposed upload relative > to stretch. The upload target should be 'stretch', not 'stable'. Please find attached the debdiff. -- Cheers, Abou Al Montacirdiff -Nru fpc-3.0.0+dfsg/debian/changelog fpc-3.0.0+dfsg/debian/changelog --- fpc-3.0.0+dfsg/debian/changelog 2017-02-08 10:53:35.0 +0100 +++ fpc-3.0.0+dfsg/debian/changelog 2017-06-10 19:13:48.0 +0200 @@ -1,3 +1,10 @@ +fpc (3.0.0+dfsg-11+deb9u1) stretch; urgency=medium + + * Fix "[fp-units-rtl-3.0.0] Incorrect conversion from local time to +UTC". Backported fix from 3.0.2 (Closes: #864148) + + -- Abou Al MontacirSat, 10 Jun 2017 19:13:48 +0200 + fpc (3.0.0+dfsg-11) unstable; urgency=medium * Team upload diff -Nru fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch --- fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch 1970-01-01 01:00:00.0 +0100 +++ fpc-3.0.0+dfsg/debian/patches/Correct-for-different-meaning-of-TZOffset.patch 2017-06-10 19:13:48.0 +0200 @@ -0,0 +1,35 @@ +From 731f6175a3870c396a7ddaae774ea8a859b4512b Mon Sep 17 00:00:00 2001 +From: michael +Date: Fri, 21 Aug 2015 10:36:30 + +Subject: [PATCH] * Correct for different meaning of TZOffset + +git-svn-id: http://svn.freepascal.org/svn/fpc/trunk@31356 3ad0048d-3df7-0310-abae-a5850022a9f2 +--- + packages/rtl-objpas/src/inc/dateutil.inc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc b/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc +index c90c83deff..fc7f87a13e 100644 +--- a/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc b/fpcsrc/packages/rtl-objpas/src/inc/dateutil.inc +@@ -2532,7 +2532,7 @@ end; + function UniversalTimeToLocal(UT: TDateTime): TDateTime; + + begin +- Result:=UniversalTimeToLocal(UT,GetLocalTimeOffset); ++ Result:=UniversalTimeToLocal(UT,-GetLocalTimeOffset); + end; + + function UniversalTimeToLocal(UT: TDateTime; TZOffset : Integer): TDateTime; +@@ -2549,7 +2549,7 @@ end; + Function LocalTimeToUniversal(LT: TDateTime): TDateTime; + + begin +- Result:=LocalTimeToUniversal(LT,GetLocalTimeOffset); ++ Result:=LocalTimeToUniversal(LT,-GetLocalTimeOffset); + end; + + Function LocalTimeToUniversal(LT: TDateTime;TZOffset: Integer): TDateTime; +-- +2.11.0 + diff -Nru fpc-3.0.0+dfsg/debian/patches/series fpc-3.0.0+dfsg/debian/patches/series --- fpc-3.0.0+dfsg/debian/patches/series 2017-02-06 20:26:00.0 +0100 +++ fpc-3.0.0+dfsg/debian/patches/series 2017-06-10 19:13:48.0 +0200 @@ -39,3 +39,4 @@ ppdep-fix-else-handling.patch fix-spelling-errors_more.patch armhf-fix-vstr-vld-offset.patch +Correct-for-different-meaning-of-TZOffset.patch signature.asc Description: This is a digitally signed message part
NEW changes in stable-new
Processing changes file: squashfs-tools_4.3-3+deb9u1_armhf.changes ACCEPT Processing changes file: squashfs-tools_4.3-3+deb9u1_s390x.changes ACCEPT
Bug#863093: jessie-pu: package libwnckmm/0.1.1-1+deb8u1
Hello, Cyril Brulebois, on mer. 28 juin 2017 04:11:05 +0200, wrote: > Samuel Thibault(2017-05-21): > > Jessie is still affected by this serious Bug#796530, Adrian Bunk > > requested it to be fixed there. In the attached changes that I have > > uploaded to tpu, I have also fixed the duplication of jquery.js, also > > a serious issue. > > Wait a minute, this adds a symlink and a dependency, but doesn't remove > anything; this doesn't look like a duplication fix? ln -sf replaces the existing file with the symlink. Samuel