Bug#887857: jessie-pu: package openafs/1.6.9-2+deb8u6

2018-01-20 Thread Benjamin Kaduk
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

The recent kernel update in jessie-security with Meltdown/Spectre remediation
measures introduced some minor ABI changes that cause the version of the openafs
kernel module in jessie to be unable to compile.  More recent upstream versions
of openafs do compile against this kernel, so I need to backport the appropriate
build fixes in order to make openafs-modules-source and openafs-modules-dkms
usable in jessie again.  (The version in jessie-backports is also broken,
not that that is directly relevant here.)

I attach a debdiff with the needed patches, and I have tested the resulting
package in a jessie VM with the latest kernel from jessie-security.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru openafs-1.6.9/debian/changelog openafs-1.6.9/debian/changelog
--- openafs-1.6.9/debian/changelog  2017-12-08 20:59:25.0 -0600
+++ openafs-1.6.9/debian/changelog  2018-01-20 11:48:09.0 -0600
@@ -1,3 +1,11 @@
+openafs (1.6.9-2+deb8u7) jessie-proposed-updates; urgency=high
+
+  * Apply upstream patches needed to fix kernel module build against
+linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes.
+(Closes: #886719)
+
+ -- Benjamin Kaduk   Sat, 20 Jan 2018 11:48:09 -0600
+
 openafs (1.6.9-2+deb8u6) jessie-security; urgency=high
 
   * CVE-2017-17432: remote triggered Rx assertion failure
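Review bot: the new changelog entry says only "Apply upstream patches" and does not name them. This debdiff adds debian/patches/0023-Linux-4.9-inode_change_ok-becomes-setattr_prepare.patch and a 0024 patch, so listing those two patch names in the entry would let a later reader of the changelog see what was backported for #886719 without opening the source package.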
diff -Nru 
openafs-1.6.9/debian/patches/0023-Linux-4.9-inode_change_ok-becomes-setattr_prepare.patch
 
openafs-1.6.9/debian/patches/0023-Linux-4.9-inode_change_ok-becomes-setattr_prepare.patch
--- 
openafs-1.6.9/debian/patches/0023-Linux-4.9-inode_change_ok-becomes-setattr_prepare.patch
   1969-12-31 18:00:00.0 -0600
+++ 
openafs-1.6.9/debian/patches/0023-Linux-4.9-inode_change_ok-becomes-setattr_prepare.patch
   2018-01-20 11:46:01.0 -0600
@@ -0,0 +1,57 @@
+From: Mark Vitale 
+Date: Thu, 20 Oct 2016 00:49:37 -0400
+Subject: Linux 4.9: inode_change_ok() becomes setattr_prepare()
+
+Linux commit 31051c85b5e2 "fs: Give dentry to inode_change_ok() instead
+of inode" renames and modifies inode_change_ok(inode, attrs) to
+setattr_prepare(dentry, attrs).
+
+Modify OpenAFS to cope.
+
+Reviewed-on: https://gerrit.openafs.org/12418
+Tested-by: BuildBot 
+Reviewed-by: Benjamin Kaduk 
+(cherry picked from commit 8aeb711eeaa5ddac5a74c354091e2d4f7ac0cd63)
+
+Change-Id: I7f08c57b7f61465a1ea1806f52f77bd65084
+Reviewed-on: https://gerrit.openafs.org/12480
+Tested-by: BuildBot 
+Reviewed-by: Mark Vitale 
+Reviewed-by: Stephan Wiesand 
+Tested-by: Stephan Wiesand 
+(cherry picked from commit 8efca09a5daa3cfc08d0d86e2fb48c9b8d1b270a)
+---
+ acinclude.m4 | 3 +++
+ src/afs/LINUX/osi_file.c | 4 
+ 2 files changed, 7 insertions(+)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 80a05b7..e1cdc8c 100644
+--- a/acinclude.m4
 b/acinclude.m4
+@@ -947,6 +947,9 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*)
+AC_CHECK_LINUX_FUNC([set_nlink],
+[#include ],
+[set_nlink(NULL, 1);])
++   AC_CHECK_LINUX_FUNC([setattr_prepare],
++   [#include ],
++   [setattr_prepare(NULL, NULL);])
+AC_CHECK_LINUX_FUNC([sock_create_kern],
+[#include ],
+[sock_create_kern(0, 0, 0, NULL);])
+diff --git a/src/afs/LINUX/osi_file.c b/src/afs/LINUX/osi_file.c
+index b83f736..d6c0fd6 100644
+--- a/src/afs/LINUX/osi_file.c
 b/src/afs/LINUX/osi_file.c
+@@ -184,7 +184,11 @@ osi_UFSTruncate(struct osi_file *afile, afs_int32 asize)
+ newattrs.ia_ctime = CURRENT_TIME;
+ 
+ /* avoid notify_change() since it wants to update dentry->d_parent */
++#ifdef HAVE_LINUX_SETATTR_PREPARE
++code = setattr_prepare(file_dentry(afile->filp), );
++#else
+ code = inode_change_ok(inode, );
++#endif
+ if (!code)
+   code = afs_inode_setattr(afile, );
+ if (!code)
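Review bot: in the osi_file.c hunk the new branch is guarded only by HAVE_LINUX_SETATTR_PREPARE, yet the call it enables also relies on file_dentry(afile->filp), and the acinclude.m4 hunk adds a configure probe for setattr_prepare alone. The changelog targets linux 3.16.51-3+deb8u1, a 3.16 kernel carrying an interface the patch subject dates to Linux 4.9, so nothing visible here guarantees that file_dentry() exists on that kernel. Please confirm that patch 0024 covers this case, or add a separate AC_CHECK_LINUX_FUNC probe for file_dentry so the build does not depend on the two always appearing together.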
diff -Nru 
openafs-1.6.9/debian/patches/0024-LINUX-Debian-Ubuntu-build-regression-on-kernel-3.16..patch
 
openafs-1.6.9/debian/patches/0024-LINUX-Debian-Ubuntu-build-regression-on-kernel-3.16..patch
--- 

Bug#887855: stretch-pu: package libvirt/3.0.0-4+deb9u2

2018-01-20 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,
the above update addresses CVE-2018-5748 as well as a bug where disks
with cache=directsync couldn't be migrated (#883208).
O.k. to upload to stretch-pu?
Cheers,
 -- Guido

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 222b31e543..f9aca519eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libvirt (3.0.0-4+deb9u2) stretch; urgency=medium
+
+  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
+(Closes: #887700)
+  * qemu: shared disks with cache=directsync should be safe for migration.
+Thanks to Carsten Burkhardt (Closes: #883208)
+
+ -- Guido Günther   Sat, 20 Jan 2018 17:51:39 +0100
+
 libvirt (3.0.0-4+deb9u1) stretch-security; urgency=high
 
   * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
diff --git 
a/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
 
b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
new file mode 100644
index 00..5d675ae6c3
--- /dev/null
+++ 
b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
@@ -0,0 +1,49 @@
+From: "Daniel P. Berrange" 
+Date: Tue, 16 Jan 2018 17:00:11 +
+Subject: qemu: avoid denial of service reading from QEMU monitor
+ (CVE-2018-5748)
+
+We read from QEMU until seeing a \r\n pair to indicate a completed reply
+or event. To avoid memory denial-of-service though, we must have a size
+limit on amount of data we buffer. 10 MB is large enough that it ought
+to cope with normal QEMU replies, and small enough that we're not
+consuming unreasonable mem.
+
+Signed-off-by: Daniel P. Berrange 
+---
+ src/qemu/qemu_monitor.c | 15 +++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 1610ae3..86ce2d1 100644
+--- a/src/qemu/qemu_monitor.c
 b/src/qemu/qemu_monitor.c
+@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+ 
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
++
+ struct _qemuMonitor {
+ virObjectLockable parent;
+ 
+@@ -565,6 +574,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
+ int ret = 0;
+ 
+ if (avail < 1024) {
++if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
++virReportSystemError(ERANGE,
++ _("No complete monitor response found in %d 
bytes"),
++ QEMU_MONITOR_MAX_RESPONSE);
++return -1;
++}
+ if (VIR_REALLOC_N(mon->buffer,
+   mon->bufferLength + 1024) < 0)
+ return -1;
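Review bot: in the qemuMonitorIORead hunk the new check returns -1 once mon->bufferLength reaches QEMU_MONITOR_MAX_RESPONSE but leaves mon->buffer untouched, so up to 10 MB stays allocated until whatever handles the error releases the monitor. It is worth confirming that the caller treats this -1 as fatal for the monitor and frees the buffer there. A smaller point: the check sits inside "if (avail < 1024)", so it bounds how far the buffer may grow rather than the exact number of bytes read; that matches the stated purpose, but the comment above the #define could say so.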
diff --git 
a/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
 
b/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
new file mode 100644
index 00..01bcc4ca64
--- /dev/null
+++ 
b/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
@@ -0,0 +1,41 @@
+From: Hao Peng 
+Date: Sat, 15 Jul 2017 23:01:25 +0800
+Subject: qemu: shared disks with cache=directsync should be safe for
+ migration
+
+At present shared disks can be migrated with either readonly or cache=none. But
+cache=directsync should be safe for migration, because both cache=directsync 
and cache=none
+don't use the host page cache, and cache=direct write through qemu block layer 
cache.
+
+Signed-off-by: Peng Hao 
+Reviewed-by: Wang Yechao 
+---
+ src/qemu/qemu_migration.c | 7 ---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index 0f4a6cf..dba5897 100644
+--- a/src/qemu/qemu_migration.c
 b/src/qemu/qemu_migration.c
+@@ -2375,9 +2375,10 @@ qemuMigrationIsSafe(virDomainDefPtr def,
+ const char *src = virDomainDiskGetSource(disk);
+ 
+ 
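Review bot: the last clause of the patch description says "cache=direct write through qemu block layer cache", but the two modes being compared in that sentence are cache=directsync and cache=none. If cache=directsync is meant, the description should say so, since this text is the stated justification for treating the mode as safe for migration.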

Bug#883897: stretch-pu: package congress/4.0.0+dfsg1-3 -> +deb9u1

2018-01-20 Thread Thomas Goirand
On 01/13/2018 06:11 PM, Julien Cristau wrote:
> Control: tag -1 moreinfo
> 
> On Sat, Dec  9, 2017 at 00:30:01 +0100, Thomas Goirand wrote:
> 
>> Package: release.debian.org
>> Severity: normal
>> Tags: stretch
>> User: release.debian@packages.debian.org
>> Usertags: pu
>>
>> Dear release team,
>>
>> congress-server was built with openstack-pkg-tools *before* it stopped using
>> /sbin/route from net-tools. Therefore, it's using /usr/sbin at setup time
>> even though net-tools isn't a runtime dependency.
>>
>> So I would like to upload a rebuild of Congress to Stretch, so its
>> maintainer scripts would not need net-tools anymore. This would fix #858693.
>>
>> Of course, since I am not planning any modification to the package, I have
>> no debdiff to show (it would only contain a new changelog entry, which isn't
>> very useful to review).
>>
> If the rebuild makes a difference, then please show what that difference
> actually is?  Possibly that means a binary debdiff in addition to the
> normal source diff.
> 
> Cheers,
> Julien

Hi Julien,

Here are the resulting changes on the config script, attached to this
message, together with the debdiff. As you can see, the script now reads
/proc/net/route directly instead of using /sbin/route, so we don't need
the net-tools package which was otherwise missing in dependencies.

Cheers,

Thomas Goirand (zigo)
diff -Nru congress-4.0.0+dfsg1/debian/changelog 
congress-4.0.0+dfsg1/debian/changelog
--- congress-4.0.0+dfsg1/debian/changelog   2016-11-03 11:16:31.0 
+
+++ congress-4.0.0+dfsg1/debian/changelog   2018-01-19 14:59:16.0 
+
@@ -1,3 +1,9 @@
+congress (4.0.0+dfsg1-3+deb9u1) stretch; urgency=medium
+
+  * Rebuilt with openstack-pkg-tools >= 54~.
+
+ -- Thomas Goirand   Fri, 19 Jan 2018 15:59:16 +0100
+
 congress (4.0.0+dfsg1-3) unstable; urgency=medium
 
   * Add patch to remove non-deterministic tests which are randomly failing.
diff -Nru congress-4.0.0+dfsg1/debian/control 
congress-4.0.0+dfsg1/debian/control
--- congress-4.0.0+dfsg1/debian/control 2016-11-03 11:16:31.0 +
+++ congress-4.0.0+dfsg1/debian/control 2018-01-19 14:59:16.0 +
@@ -6,7 +6,7 @@
 Build-Depends: debhelper (>= 9),
dh-python,
dh-systemd,
-   openstack-pkg-tools (>= 52~),
+   openstack-pkg-tools (>= 54~),
po-debconf,
python-all,
python-pbr (>= 1.8),
--- config_4.0.0+dfsg1-3	2018-01-19 15:01:06.435195600 +
+++ config	2018-01-20 13:10:12.214651060 +
@@ -651,8 +651,12 @@
 
 		db_get ${REG_ENDP_PKG_NAME}/endpoint-ip || true
 		if [ -z "${RET}" ] ; then
-			DEFROUTE_IF=`LC_ALL=C /sbin/route | grep default |awk -- '{ print $8 }'`
-			DEFROUTE_IP=`LC_ALL=C ip addr show "${DEFROUTE_IF}" | grep inet | head -n 1 | awk '{print $2}' | cut -d/ -f1 | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'`
+			if [ -x /bin/ip ] ; then
+DEFROUTE_IF=`awk '{ if ( $2 == "" ) print $1 }' /proc/net/route`
+DEFROUTE_IP=`LC_ALL=C ip addr show "${DEFROUTE_IF}" | grep inet | head -n 1 | awk '{print $2}' | cut -d/ -f1 | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'`
+			else
+DEFROUTE_IP=`hostname -i | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'`
+			fi
 			if [ -n "${DEFROUTE_IP}" ] ; then
 db_set ${REG_ENDP_PKG_NAME}/endpoint-ip ${DEFROUTE_IP}
 			fi
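Review bot: the new awk line prints $1 for every row that matches, so on a host with more than one default route DEFROUTE_IF holds several interface names separated by newlines, and the quoted "${DEFROUTE_IF}" passed to ip addr show then names no device. Stopping at the first match (print $1; exit) or choosing by the Metric column would avoid that. Two further points in the same hunk: the branch tests [ -x /bin/ip ] but then runs ip from PATH, and the hostname -i fallback accepts whatever the hostname resolves to, which on a default Debian install is often 127.0.1.1 from /etc/hosts; that value passes the regex and would be stored as endpoint-ip.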

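The lookup described in the message above, reading /proc/net/route instead of calling /sbin/route, written out as an added example (not code from the congress package or openstack-pkg-tools): it picks a single interface when several default routes exist by taking the lowest Metric among routes flagged as up. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not taken from the congress package or openstack-pkg-tools.

# Constructed sample in /proc/net/route layout (whitespace-separated, hex fields).
sample_route_table() {
    cat <<'EOF'
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
wlan0 00000000 0101A8C0 0003 0 0 600 00000000 0 0 0
eth0 00000000 0100000A 0003 0 0 100 00000000 0 0 0
eth0 0000000A 00000000 0001 0 0 100 00FFFFFF 0 0 0
tun0 00000000 00000000 0000 0 0 50 00000000 0 0 0
EOF
}

# default_route_if [FILE]
# Print the interface of the preferred IPv4 default route found in FILE
# (default: /proc/net/route). Returns 1 when no usable default route exists.
default_route_if() {
    table=${1:-/proc/net/route}
    best_if=""
    best_metric=""
    while read -r iface dest gw flags refcnt use metric mask rest; do
        [ "$iface" = "Iface" ] && continue            # header line
        # A default route has destination 0.0.0.0 and netmask 0.0.0.0.
        [ "$dest" = "00000000" ] || continue
        [ "$mask" = "00000000" ] || continue
        # Reject malformed rows before doing arithmetic on them.
        case $flags in ''|*[!0-9A-Fa-f]*) continue ;; esac
        case $metric in ''|*[!0-9]*) continue ;; esac
        # The name is handed to other tools later, so keep it to a plain token.
        case $iface in *[!A-Za-z0-9_.:@-]*) continue ;; esac
        # Flags is a hex bit field; bit 0x1 (RTF_UP) marks a usable route.
        [ $(( 0x$flags & 1 )) -ne 0 ] || continue
        # Several default routes may exist: keep the one with the lowest metric.
        if [ -z "$best_metric" ] || [ "$metric" -lt "$best_metric" ]; then
            best_if=$iface
            best_metric=$metric
        fi
    done < "$table"
    [ -n "$best_if" ] || return 1
    printf '%s\n' "$best_if"
}

# Demo on the constructed table.
demo_tmp=$(mktemp) && sample_route_table > "$demo_tmp" && default_route_if "$demo_tmp"
rm -f "$demo_tmp"
```

In the sample, tun0 has the lowest metric but is not flagged up, and wlan0 loses to eth0 on metric, so exactly one name is returned.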

Bug#885087: Slightly improved version

2018-01-20 Thread Eduardo M KALINOWSKI
I've made a small change to the package, changing the new dependency
from gvfs to desktop-file-utils, since that's what's really necessary
(as discovered in #885086).

The new debdiff is attached.

-- 
Eduardo M KALINOWSKI
edua...@kalinowski.com.br


diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog
--- kildclient-3.0.0/debian/changelog	2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/changelog	2018-01-20 11:06:39.0 -0200
@@ -1,3 +1,10 @@
+kildclient (3.0.0-2+deb8u1) jessie; urgency=low
+
+  * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required
+in order to use GTK+ function for opening URLs. Closes: #885007
+
+ -- Eduardo M Kalinowski   Sat, 20 Jan 2018 11:06:37 -0200
+
 kildclient (3.0.0-2) unstable; urgency=medium
 
   * Added work-around to enable scroll-to-end feature to work with
diff -Nru kildclient-3.0.0/debian/control kildclient-3.0.0/debian/control
--- kildclient-3.0.0/debian/control	2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/control	2018-01-20 11:06:18.0 -0200
@@ -10,7 +10,7 @@
 
 Package: kildclient
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl, desktop-file-utils
 Suggests: kildclient-doc, libgtk3-perl
 Description: powerful MUD client with a built-in Perl interpreter
  KildClient is a MUD Client written with the GTK+ windowing toolkit.
diff -Nru kildclient-3.0.0/debian/NEWS.Debian kildclient-3.0.0/debian/NEWS.Debian
--- kildclient-3.0.0/debian/NEWS.Debian	2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/NEWS.Debian	2018-01-20 11:17:50.0 -0200
@@ -1,3 +1,11 @@
+kildclient (3.0.0-2+deb8u1) jessie-security; urgency=high
+
+  * The option to define the command used to run a web browser has been
+removed; the default browser (as selected by MIME types database) is
+now used.
+
+ -- Eduardo M Kalinowski   Sat, 20 Jan 2018 11:06:37 -0200
+
 kildclient (2.8.1-1) experimental; urgency=low
 
   The HTML manual is now in the package kildclient-doc.
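Review bot: this NEWS.Debian entry is headed "jessie-security; urgency=high", while the changelog entry for the same version 3.0.0-2+deb8u1 in this debdiff says "jessie; urgency=low". The two headers should agree on distribution and urgency for an upload going through a jessie-pu request.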
diff -Nru kildclient-3.0.0/debian/patches/cve-2017-17511.patch kildclient-3.0.0/debian/patches/cve-2017-17511.patch
--- kildclient-3.0.0/debian/patches/cve-2017-17511.patch	1969-12-31 21:00:00.0 -0300
+++ kildclient-3.0.0/debian/patches/cve-2017-17511.patch	2018-01-20 11:05:35.0 -0200
@@ -0,0 +1,221 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI 
+Last-Update: 2017-12-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/kildclient.h
 b/src/kildclient.h
+@@ -633,7 +633,6 @@
+   GtkPositionType  tab_position;
+   gboolean hide_single_tab;
+   gboolean urgency_hint;
+-  char*browser_command;
+   char*audio_player_command;
+   char*last_open_world;
+   gboolean no_plugin_help_msg;
+--- a/src/prefs.c
 b/src/prefs.c
+@@ -92,7 +92,6 @@
+   GObject  *txtProxyUser;
+   GObject  *txtProxyPassword;
+ #ifndef __WIN32__
+-  GObject  *txtBrowserCommand;
+   GObject  *txtAudioPlayerCommand;
+ #else
+   GtkWidget*tabPrograms;
+@@ -178,12 +177,6 @@
+ 
+ #ifndef __WIN32__
+ /* Load commands */
+-txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand");
+-gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand),
+-   globalPrefs.browser_command);
+-g_signal_connect(txtBrowserCommand, "focus_out_event",
+- G_CALLBACK(txt_cmd_focus_out_cb),
+- _command);
+ txtAudioPlayerCommand
+   = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand");
+ gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand),
+@@ -319,9 +312,6 @@
+   }
+ 
+   /* Has the commands been set? */
+-  if (!globalPrefs.browser_command) {
+-globalPrefs.browser_command = g_strdup("${BROWSER} \"%s\" &");
+-  }
+   if (!globalPrefs.audio_player_command) {
+ globalPrefs.audio_player_command = g_strdup("play \"%s\" &");
+   }
+@@ -380,8 +370,6 @@
+   globalPrefs.hide_single_tab = atoi(line + pos + 1);
+ } else if (strcmp(first_word, "urgencyhint") == 0) {
+   globalPrefs.urgency_hint = atoi(line + pos + 1);
+-} else if (strcmp(first_word, "browsercommand") == 0) {
+-  globalPrefs.browser_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "audioplayercommand") == 0) {
+   globalPrefs.audio_player_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "lastopenworld") == 0) {
+@@ -475,8 +463,6 @@
+   g_string_append_printf(str, "urgencyhint %d\n", globalPrefs.urgency_hint);
+ 
+   g_string_append_printf(str,
+-
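Review bot: the prefs.c hunks remove browser_command, but their context lines show audio_player_command keeping a default of the same shape, a shell template with a quoted %s (play "%s" &). The patch description gives replacing a user-supplied command with a GTK+ function as the fix, so please confirm what gets substituted for %s in the audio command and whether that value can originate from the MUD server; if it can, it needs the same treatment or proper escaping. Separately, the parser no longer recognises the browsercommand key, so check that an existing preferences file which still contains that line is read without an error.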

Bug#885086: Slightly improved version

2018-01-20 Thread Eduardo M KALINOWSKI
In the previous message I forgot to change the NEWS.Debian file to
better describe the change; this version fixes it.

-- 
"Atomic batteries to power, turbines to speed."
-- Robin, The Boy Wonder

Eduardo M KALINOWSKI
edua...@kalinowski.com.br

diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog
--- kildclient-3.1.0/debian/changelog	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/changelog	2018-01-20 10:50:25.0 -0200
@@ -1,3 +1,10 @@
+kildclient (3.1.0-1+deb9u1) stretch; urgency=low
+
+  * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required
+in order to use GTK+ function for opening URLs. Closes: #885007
+
+ -- Eduardo M Kalinowski   Sat, 20 Jan 2018 10:50:25 -0200
+
 kildclient (3.1.0-1) unstable; urgency=low
 
   * New upstream version: 3.1.0.
diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control
--- kildclient-3.1.0/debian/control	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/control	2018-01-20 10:50:25.0 -0200
@@ -10,7 +10,7 @@
 
 Package: kildclient
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, desktop-file-utils
 Suggests: kildclient-doc, libgtk3-perl
 Description: powerful MUD client with a built-in Perl interpreter
  KildClient is a MUD Client written with the GTK+ windowing toolkit.
diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian
--- kildclient-3.1.0/debian/NEWS.Debian	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/NEWS.Debian	2018-01-20 10:50:25.0 -0200
@@ -1,3 +1,11 @@
+kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high
+
+  * The option to define the command used to run a web browser has been
+removed; the default browser (as selected by MIME types database) is
+now used.
+
+ -- Eduardo M Kalinowski   Sat, 20 Jan 2018 10:50:25 -0200
+
 kildclient (2.8.1-1) experimental; urgency=low
 
   The HTML manual is now in the package kildclient-doc.
diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch
--- kildclient-3.1.0/debian/patches/cve-2017-17511.patch	1969-12-31 21:00:00.0 -0300
+++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch	2018-01-20 08:44:40.0 -0200
@@ -0,0 +1,183 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI 
+Last-Update: 2017-12-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/doc/C/kildclient.xml
 b/doc/C/kildclient.xml
+@@ -1233,20 +1233,16 @@
+   
+ 
+ 
+-In this section you can configure the command that will be run
+-when you right-click in a URL that appears in the MUD window and
+-select Open Link. The command will be executed,
+-with %s replaced with the URL's address. The
+-ampersand () in the end means that the command
+-is to be executed in the background, so that you can continue using
+-KildClient while browsing the URL.
+-
+-You can also set a command used to play audio files (see In this section you can set a command used to play audio files (see ). Enter the command, with %s
+ in the place of the file path. The default should work (it uses the
+ SOX program, which is usually installed), but you can use other
+ commands if you use ALSA, ARTS, ESD, JACK, etc.
+ 
++Previously it was also possible to define a command to run a web
++browser. This option has been removed, and the default browser is now
++used instead.
++
+ 
+ 
+ 
+--- a/src/dlgPreferences.ui
 b/src/dlgPreferences.ui
+@@ -521,61 +521,6 @@
+ vertical
+ 6
+ 
+-  
+-False
+-bWeb browser/b
+-True
+-0
+-0
+-  
+-  
+-False
+-True
+-0
+-  
+-
+-
+-  
+-False
+-16
+-vertical
+-6
+-
+-  
+-False
+-Enter the command to run a _web browser. %s will be substituted by the web page address:
+-True
+-True
+-txtBrowserCommand
+-0
+-  
+-  
+-False
+-True
+-0
+-  
+-
+-
+-  
+-True
+-Specify the 

Bug#885086: Slightly improved version

2018-01-20 Thread Eduardo M KALINOWSKI
I've made a small change to the package, changing the new dependency
from gvfs to desktop-file-utils, since that's what's really necessary
(as discovered in #885086).

The new debdiff is attached.

-- 
Eduardo M KALINOWSKI
edua...@kalinowski.com.br

diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog
--- kildclient-3.1.0/debian/changelog	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/changelog	2018-01-20 10:50:25.0 -0200
@@ -1,3 +1,10 @@
+kildclient (3.1.0-1+deb9u1) stretch; urgency=low
+
+  * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required
+in order to use GTK+ function for opening URLs. Closes: #885007
+
+ -- Eduardo M Kalinowski   Sat, 20 Jan 2018 10:50:25 -0200
+
 kildclient (3.1.0-1) unstable; urgency=low
 
   * New upstream version: 3.1.0.
diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control
--- kildclient-3.1.0/debian/control	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/control	2018-01-20 10:50:25.0 -0200
@@ -10,7 +10,7 @@
 
 Package: kildclient
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, desktop-file-utils
 Suggests: kildclient-doc, libgtk3-perl
 Description: powerful MUD client with a built-in Perl interpreter
  KildClient is a MUD Client written with the GTK+ windowing toolkit.
diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian
--- kildclient-3.1.0/debian/NEWS.Debian	2016-12-04 20:46:22.0 -0200
+++ kildclient-3.1.0/debian/NEWS.Debian	2018-01-20 08:44:40.0 -0200
@@ -1,3 +1,10 @@
+kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high
+
+  * The option to define the command used to run a web browser has been
+removed; the default browser (as selected by gvfs) is now used.
+
+ -- Eduardo M Kalinowski   Sun, 17 Dec 2017 09:42:23 -0200
+
 kildclient (2.8.1-1) experimental; urgency=low
 
   The HTML manual is now in the package kildclient-doc.
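Review bot: the NEWS.Debian text still says the default browser is "as selected by gvfs", while the control hunk in this same debdiff adds desktop-file-utils, not gvfs, to Depends. The entry should describe the mechanism the package now depends on. Its trailer date of 17 Dec 2017 also differs from the changelog entry's 20 Jan 2018 for the same version 3.1.0-1+deb9u1.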
diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch
--- kildclient-3.1.0/debian/patches/cve-2017-17511.patch	1969-12-31 21:00:00.0 -0300
+++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch	2018-01-20 08:44:40.0 -0200
@@ -0,0 +1,183 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI 
+Last-Update: 2017-12-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/doc/C/kildclient.xml
 b/doc/C/kildclient.xml
+@@ -1233,20 +1233,16 @@
+   
+ 
+ 
+-In this section you can configure the command that will be run
+-when you right-click in a URL that appears in the MUD window and
+-select Open Link. The command will be executed,
+-with %s replaced with the URL's address. The
+-ampersand () in the end means that the command
+-is to be executed in the background, so that you can continue using
+-KildClient while browsing the URL.
+-
+-You can also set a command used to play audio files (see In this section you can set a command used to play audio files (see ). Enter the command, with %s
+ in the place of the file path. The default should work (it uses the
+ SOX program, which is usually installed), but you can use other
+ commands if you use ALSA, ARTS, ESD, JACK, etc.
+ 
++Previously it was also possible to define a command to run a web
++browser. This option has been removed, and the default browser is now
++used instead.
++
+ 
+ 
+ 
+--- a/src/dlgPreferences.ui
 b/src/dlgPreferences.ui
+@@ -521,61 +521,6 @@
+ vertical
+ 6
+ 
+-  
+-False
+-bWeb browser/b
+-True
+-0
+-0
+-  
+-  
+-False
+-True
+-0
+-  
+-
+-
+-  
+-False
+-16
+-vertical
+-6
+-
+-  
+-False
+-Enter the command to run a _web browser. %s will be substituted by the web page address:
+-True
+-True
+-txtBrowserCommand
+-0
+-  
+-  
+-False
+-True
+-0
+-  
+-
+-
+-  
+-True
+-Specify the command used to launch a web browser

Bug#884618: transition: cryptsetup

2018-01-20 Thread Cyril Brulebois
Hi,

Jonas Meurer  (2018-01-20):
> On 18.12.2017 at 19:38, Emilio Pozuelo Monfort wrote:
> > Actually I just read the thread about the -udeb uninstallability.
> > Let's wait until that is fixed or until Cyril says it's alright to
> > break that.
> 
> Now that libargon2-0-udeb and libjson-c3-udeb are in the archive, are
> you all ok with us uploading cryptsetup 2.0.0-1 to unstable?
> 
> @kibi: is there anything more we have to take care of regarding d-i?

The d-i side looks good (as far as udeb installability is concerned), feel
free to trigger the transition whenever you're ready. I'd appreciate a
poke when updated components are built, so that I can finalize checking
what's made available in unstable.

Thanks!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#884618: transition: cryptsetup

2018-01-20 Thread Jonas Meurer
Hi there,

On 18.12.2017 at 19:38, Emilio Pozuelo Monfort wrote:
> On 18/12/17 19:32, Emilio Pozuelo Monfort wrote:
>> Control: tags -1 confirmed
>>
>> On 17/12/17 19:27, Jonas Meurer wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian@packages.debian.org
>>> Usertags: transition
>>>
>>> Hey there,
>>>
>>> the upcoming upload of cryptsetup 2.0.0-1 will bump the libcryptsetup
>>> soname from 4 to 12. According to (the very thoughtful) upstream, the
>>> API (old functions) is backwards-compatible, so simple rebuilds of the
>>> reverse dependencies should be enough.
>>>
>>> Here's a list of reverse depends:
>>>
>>> bruteforce-luks
>>> cryptmount
>>> libpam-mount
>>> luksmeta
>>> systemd
>>> volume-key
>>> libblockdev
>>> zulucrypt
>>>
>>> How shall we proceed? The package is ready to be uploaded. Shall we go
>>> ahead? Will you (the Release Managers) trigger the binary rebuilds
>>> afterwards? Or can/shall we do this ourselves?
>>
>> Please upload it to unstable. I will schedule the binNMUs once cryptsetup is 
>> built.
> 
> Actually I just read the thread about the -udeb uninstallability. Let's wait
> until that is fixed or until Cyril says it's alright to break that.

Now that libargon2-0-udeb and libjson-c3-udeb are in the archive, are
you all ok with us uploading cryptsetup 2.0.0-1 to unstable?

@kibi: is there anything more we have to take care of regarding d-i?

Cheers
 jonas





Bug#868355: nmu: ceres-solver_1.12.0+dfsg0-1+b3

2018-01-20 Thread Emilio Pozuelo Monfort
On 29/12/17 17:37, Philipp Huebner wrote:
> Hi,
> 
> On 27.12.2017 at 10:25, Emilio Pozuelo Monfort wrote:
> 
>> BTW I was going to schedule this binNMU for the time being in order to have a
>> working ceres-solver, but it seems there was an upload since this request was
>> opened. Do you need a binNMU now? If so I'll schedule it.
> 
> while it's true that there was an upload of ceres, there was also
> another upload of eigen since, causing #883619, so please do schedule a
> binNMU for ceres as well.

Scheduled.

Emilio