Bug#896858: RM: libnet-whois-ripe-perl/1.23-2

2018-04-24 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

The package is completely broken in stretch,
see #896500 for details.



Bug#896841: jessie-pu: package psensor/1.1.3-2

2018-04-24 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared a security update for psensor to fix CVE-2014-10073 in
Jessie. This is Debian bug #896195. The security team has marked this
issue as no-dsa. I am going to upload the new revision shortly. Please
find attached the debdiff.

Regards,

Markus
diff -Nru psensor-1.1.3/debian/changelog psensor-1.1.3/debian/changelog
--- psensor-1.1.3/debian/changelog  2014-10-13 09:20:27.0 +0200
+++ psensor-1.1.3/debian/changelog  2018-04-24 21:23:26.0 +0200
@@ -1,3 +1,12 @@
+psensor (1.1.3-2+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2014-10073: The create_response function in server/server.c in
+Psensor allows Directory Traversal because it lacks a check for whether a
+file is under the webserver directory. (Closes: #896195)
+
+ -- Markus Koschany   Tue, 24 Apr 2018 21:23:26 +0200
+
 psensor (1.1.3-2) unstable; urgency=medium
 
   * debian/control
diff -Nru psensor-1.1.3/debian/patches/CVE-2014-10073.patch 
psensor-1.1.3/debian/patches/CVE-2014-10073.patch
--- psensor-1.1.3/debian/patches/CVE-2014-10073.patch   1970-01-01 
01:00:00.0 +0100
+++ psensor-1.1.3/debian/patches/CVE-2014-10073.patch   2018-04-24 
21:23:26.0 +0200
@@ -0,0 +1,74 @@
+From: Markus Koschany 
+Date: Mon, 23 Apr 2018 23:51:42 +0200
+Subject: CVE-2014-10073
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896195
+Origin: 
http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c
+---
+ src/server/server.c | 26 ++
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/server/server.c b/src/server/server.c
+index 5862586..fd5662a 100644
+--- a/src/server/server.c
 b/src/server/server.c
+@@ -23,6 +23,7 @@
+ #include 
+ #define _(str) gettext(str)
+ 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -246,13 +247,24 @@ static struct MHD_Response *
+ create_response(const char *nurl, const char *method, unsigned int *rp_code)
+ {
+   struct MHD_Response *resp = NULL;
++  char *rpath;
++  int n;
+ 
+   if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
+   resp = create_response_api(nurl, method, rp_code);
+   } else {
+   char *fpath = get_path(nurl, server_data.www_dir);
+ 
+-  resp = create_response_file(nurl, method, rp_code, fpath);
++  rpath = realpath(fpath, NULL);
++  if (rpath) {
++  n = strlen(server_data.www_dir);
++  if (!strncmp(server_data.www_dir, rpath, n))
++  resp = create_response_file(nurl,
++  method,
++  rp_code,
++  fpath);
++  free(rpath);
++  }
+ 
+   free(fpath);
+   }
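Review bot: the containment test `if (!strncmp(server_data.www_dir, rpath, n))` with `n = strlen(server_data.www_dir)` only checks that the resolved path begins with the same bytes as the web root, so a file under a sibling directory whose name starts with the web root's name (for a root of `/a/www`, anything under `/a/www-other/`) would still be served; suggest also requiring `rpath[n] == '/' || rpath[n] == '\0'` before calling create_response_file. Two smaller points in the same hunk: create_response_file is still handed the unresolved `fpath` rather than `rpath`, which leaves a window between the realpath() check and the later open in which a symlink under www_dir could be repointed; and when realpath() fails or the check rejects the path, `resp` stays NULL, so the caller's existing NULL handling is what turns both a missing file and a traversal attempt into an error response, which is worth confirming since the two are now indistinguishable here.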
+@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
+   switch (optc) {
+   case 'w':
+   if (optarg)
+-  server_data.www_dir = strdup(optarg);
++  server_data.www_dir = realpath(optarg, NULL);
+   break;
+   case 'p':
+   if (optarg)
+@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
+   exit(EXIT_FAILURE);
+   }
+ 
+-  if (!server_data.www_dir)
+-  server_data.www_dir = strdup(DEFAULT_WWW_DIR);
++  if (!server_data.www_dir) {
++  server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
++  if (!server_data.www_dir) {
++  fprintf(stderr,
++  _("Webserver directory does not exist.\n"));
++  exit(EXIT_FAILURE);
++  }
++  }
+ 
+   if (!log_file)
+   log_file = strdup(DEFAULT_LOG_FILE);
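Review bot: the error text `_("Webserver directory does not exist.\n")` covers only one of the reasons realpath() returns NULL (ENOENT); it also fails on permission denied, ENAMETOOLONG or a symlink loop, so printing the path and strerror(errno) would make the failure easier to diagnose. Because the previous hunk lets a failed -w resolution flow into this branch, the message would also be reported against DEFAULT_WWW_DIR rather than the directory the operator actually asked for, which is a further reason to check the -w result where it is parsed.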
diff -Nru psensor-1.1.3/debian/patches/series 
psensor-1.1.3/debian/patches/series
--- psensor-1.1.3/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ psensor-1.1.3/debian/patches/series 2018-04-24 21:23:26.0 +0200
@@ -0,0 +1 @@
+CVE-2014-10073.patch
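The update above relies on canonicalising both the configured web root and the requested file with realpath(3) and then comparing the two strings. As an added example, not code from psensor or from this update, the following C program shows the bare string-prefix comparison next to a variant that also requires the match to end at a path-component boundary (and tolerates a trailing slash on the root and a root of "/"). The root and path strings are constructed here to stand in for realpath() output, so it runs without touching the filesystem.

```c
/* Added example (not psensor code): path-containment check of the kind the
 * psensor fix performs, with the bare string-prefix test beside a
 * separator-aware one.  Both operate on already-canonicalised paths, i.e.
 * what realpath(3) would return; the inputs below are constructed strings,
 * not real directories, so no filesystem access is needed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive check: accepts any path that merely starts with the root's bytes. */
bool within_root_prefix_only(const char *root, const char *resolved)
{
    size_t n = strlen(root);
    return strncmp(root, resolved, n) == 0;
}

/* Separator-aware check: the prefix must end exactly at a path component
 * boundary, so "/srv/www" contains "/srv/www/index.html" but not
 * "/srv/www-private/keys".  A root of "/" is a special case because its
 * only component boundary is the root itself. */
bool within_root(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    /* Strip one trailing slash so "/srv/www/" and "/srv/www" behave alike;
     * realpath() never returns one, but a hand-configured root might. */
    if (n > 1 && root[n - 1] == '/')
        n--;

    if (strncmp(root, resolved, n) != 0)
        return false;
    if (n == 1 && root[0] == '/')          /* root is "/" */
        return true;
    return resolved[n] == '\0' || resolved[n] == '/';
}

/* Constructed test cases: (root, resolved path, should it be served?) */
struct tc { const char *root; const char *path; bool expect; };

static const struct tc cases[] = {
    { "/srv/www",  "/srv/www/index.html",     true  },
    { "/srv/www",  "/srv/www",                true  },
    { "/srv/www",  "/etc/passwd",             false }, /* ../ escape, after realpath */
    { "/srv/www",  "/srv/www-private/keys",   false }, /* sibling sharing the prefix */
    { "/srv/www/", "/srv/www/css/style.css",  true  },
    { "/",         "/etc/hostname",           true  },
};

/* Returns how many constructed cases the given check gets wrong. */
int count_mismatches(bool (*check)(const char *, const char *))
{
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (check(cases[i].root, cases[i].path) != cases[i].expect)
            bad++;
    return bad;
}

int main(void)
{
    printf("prefix-only check: %d wrong\n", count_mismatches(within_root_prefix_only));
    printf("separator-aware check: %d wrong\n", count_mismatches(within_root));
    return 0;
}
```

In a server the `resolved` argument would be the value realpath() returned for the requested file, and `root` the value it returned for the configured directory; the separator test is what stops a directory that merely shares the root's name as a prefix from being treated as inside it.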


Bug#894159: transition: icu

2018-04-24 Thread GCS
On Tue, Apr 24, 2018 at 6:46 PM, Rene Engelhard  wrote:
> On Mon, Apr 23, 2018 at 09:19:06PM +0200, László Böszörményi wrote:
>> > I would appreciate a number of failing rdeps and how many are due to ICU API
>> > changes and how many are due to icu-config removal.
>> [...] I do not
>> recall any API change. In short, there are fifteen packages FTBFS and
>
> Interesting. I do.
 Let me rephrase my sentence. I do not remember any FTBFS reason which
happens due to an ICU API change. I could build all dependent packages
without any code change in those. Sorry for the bad wording.
I'm in a run, but double checked my patches and all are about ICU
detection without icu-config installed, except one. That is OpenTTD
which needs an additional build dependency on libicu-le-hb-dev.
To be extra sure about the possible changes needed in the packages,
I'll start the rebuild tests soon.

Kind regards,
Laszlo/GCS



Bug#894159: transition: icu

2018-04-24 Thread Rene Engelhard
On Mon, Apr 23, 2018 at 09:19:06PM +0200, László Böszörményi wrote:
> > I would appreciate a number of failing rdeps and how many are due to ICU API
> > changes and how many are due to icu-config removal.
> [...] I do not
> recall any API change. In short, there are fifteen packages FTBFS and

Interesting. I do.

https://cgit.freedesktop.org/libreoffice/core/diff/i18npool/source/breakiterator/breakiterator_unicode.cxx?id=3e42714c76b1347babfdea0564009d8d82a83af4

Regards,

Rene



Bug#895943: marked as done (transition: perl 5.26.2)

2018-04-24 Thread Debian Bug Tracking System
Your message dated Tue, 24 Apr 2018 19:34:12 +0300
with message-id <20180424163412.GB32467@estella.local.invalid>
and subject line Re: Bug#895943: transition: perl 5.26.2
has caused the Debian Bug report #895943,
regarding transition: perl 5.26.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

perl 5.26.2-1 in experimental. It is binary compatible with 5.26.0 and
5.26.1 and therefore Provides all of perlapi-5.26.0, perlapi-5.26.1
and perlapi-5.26.2.  However, as usual, four packages will need binNMUs
once it enters unstable due to their strict versioned dependencies on
the current perl version:

 libpar-packer-perl
 libdevel-cover-perl
 libclass-xsaccessor-perl
 libcommon-sense-perl

These binNMUs will need the 'extra-depends' wanna-build feature to make
sure the new perl is pulled in.

Please let us know if/when it's OK to upload.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
On Wed, Apr 18, 2018 at 01:46:58PM +0200, Emilio Pozuelo Monfort wrote:
> On 18/04/18 06:38, Niko Tyni wrote:
> > On Tue, Apr 17, 2018 at 06:44:50PM +0200, Emilio Pozuelo Monfort wrote:
> >> Control: tags -1 confirmed
> >>
> >> On 17/04/18 18:38, Niko Tyni wrote:
> >>> Package: release.debian.org
> >>> Severity: normal
> >>> User: release.debian@packages.debian.org
> >>> Usertags: transition

> >>> perl 5.26.2-1 in experimental. It is binary compatible with 5.26.0 and
> >>> 5.26.1 and therefore Provides all of perlapi-5.26.0, perlapi-5.26.1
> >>> and perlapi-5.26.2.  However, as usual, four packages will need binNMUs
> >>> once it enters unstable due to their strict versioned dependencies on
> >>> the current perl version:

> binNMUs scheduled:
> 
> $ wb nmu libpar-packer-perl libdevel-cover-perl libclass-xsaccessor-perl
> libcommon-sense-perl . ANY . -m "Rebuild against perlapi-5.26.2."
> --extra-depends 'perl-base (>= 5.26.2)'

5.26.2-2 is in testing now, so closing this.

Many thanks for the smooth migration!
-- 
Niko
--- End Message ---


Please allow paleomix to migrate to testing

2018-04-24 Thread Andreas Tille
Hello,
 
We have one more case of an arch:all package held up in testing because
of installability issues on i386 due to a dependency on bwa and other
packages. Can paleomix be allowed to migrate to Testing?
 
   https://qa.debian.org/excuses.php?package=paleomix
 
Thanks and regards

  Andreas. 

-- 
http://fam-tille.de



Bug#896811: [Pkg-nagios-devel] Bug#896811: stretch-pu: package icinga2/2.6.0-2+deb9u1

2018-04-24 Thread Bas Couwenberg

Hi Felix,

Thanks for caring about icinga2.

Please help maintain the package within the Nagios team.

On 2018-04-24 14:59, Felix Geyer wrote:

> I'd like to upload this fix to stretch, debdiff is attached.

Please push your changes to the (to be created) stretch branch of the
git repository:

 https://salsa.debian.org/nagios-team/pkg-icinga2

Kind Regards,

Bas



Bug#896811: stretch-pu: package icinga2/2.6.0-2+deb9u1

2018-04-24 Thread Felix Geyer
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Icinga2 2.6.0 stores timestamps as local time instead of UTC in the
database when the PostgreSQL IDO backend is used.

The result is that Icinga Web 2 displays all date/times with an offset
(unless system time is UTC of course).
While you could argue that this is only a cosmetic problem I think it's
important for a monitoring system to display the correct time.

This has been fixed upstream in 2.6.1.
Bug report is at https://github.com/Icinga/icinga2/issues/4874

I'd like to upload this fix to stretch, debdiff is attached.

Felix 
diff -Nru icinga2-2.6.0/debian/changelog icinga2-2.6.0/debian/changelog
--- icinga2-2.6.0/debian/changelog  2016-12-19 16:13:45.0 +0100
+++ icinga2-2.6.0/debian/changelog  2018-04-23 15:47:44.0 +0200
@@ -1,3 +1,9 @@
+icinga2 (2.6.0-2+deb9u1) stretch; urgency=medium
+
+  * Fix timestamps being stored as local time in PostgreSQL.
+
+ -- Felix Geyer   Mon, 23 Apr 2018 15:47:44 +0200
+
 icinga2 (2.6.0-2) unstable; urgency=medium
 
   * [e0f34e4] Add patch 41_ido_mysql57 - for compatibility with MySQL 5.7
diff -Nru icinga2-2.6.0/debian/patches/43_postgres_timezone 
icinga2-2.6.0/debian/patches/43_postgres_timezone
--- icinga2-2.6.0/debian/patches/43_postgres_timezone   1970-01-01 
01:00:00.0 +0100
+++ icinga2-2.6.0/debian/patches/43_postgres_timezone   2018-04-18 
08:17:02.0 +0200
@@ -0,0 +1,23 @@
+From e9db716b26e49a36d733d5e224280fb63943fb9f Mon Sep 17 00:00:00 2001
+From: Michael Friedrich 
+Date: Wed, 11 Jan 2017 17:34:09 +0100
+Subject: [PATCH] Ensure that PostgreSQL timestamps are UTC
+
+fixes #13617
+---
+ lib/db_ido_pgsql/idopgsqlconnection.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/db_ido_pgsql/idopgsqlconnection.cpp 
b/lib/db_ido_pgsql/idopgsqlconnection.cpp
+index f398fda50..c16f9f50f 100644
+--- a/lib/db_ido_pgsql/idopgsqlconnection.cpp
 b/lib/db_ido_pgsql/idopgsqlconnection.cpp
+@@ -636,7 +636,7 @@ bool IdoPgsqlConnection::FieldToEscapedString(const 
String& key, const Value& va
+   } else if (DbValue::IsTimestamp(value)) {
+   long ts = rawvalue;
+   std::ostringstream msgbuf;
+-  msgbuf << "TO_TIMESTAMP(" << ts << ")";
++  msgbuf << "TO_TIMESTAMP(" << ts << ") AT TIME ZONE 'UTC'";
+   *result = Value(msgbuf.str());
+   } else if (DbValue::IsTimestampNow(value)) {
+   *result = "NOW()";
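Review bot: `TO_TIMESTAMP(ts) AT TIME ZONE 'UTC'` turns the `timestamp with time zone` that TO_TIMESTAMP() returns into a `timestamp without time zone` expressed in UTC, so the stored value no longer depends on the session's TimeZone setting; that is the right shape for a `timestamp without time zone` column and should be confirmed against the IDO schema, because for a `timestamptz` column the value would be re-interpreted in the session zone on insert and the offset would come back. The patch changes only the writer, so rows already written by 2.6.0 keep their local-time values; the stretch changelog entry could say that existing history will still show the offset after the upgrade, since nothing here migrates it.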
diff -Nru icinga2-2.6.0/debian/patches/series 
icinga2-2.6.0/debian/patches/series
--- icinga2-2.6.0/debian/patches/series 2016-12-16 18:28:37.0 +0100
+++ icinga2-2.6.0/debian/patches/series 2018-04-18 08:56:34.0 +0200
@@ -1,3 +1,4 @@
 21_config_changes
 41_ido_mysql57
 42_mips_boost_bind_workaround
+43_postgres_timezone


Processed: Re: Bug#895633: transition: poppler

2018-04-24 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 pending
Bug #895633 [release.debian.org] transition: poppler
Added tag(s) pending.

-- 
895633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#895633: transition: poppler

2018-04-24 Thread Emilio Pozuelo Monfort
Control: tags -1 pending

On 19/04/18 19:31, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 13/04/18 20:02, Emilio Pozuelo Monfort wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>> Control: block -1 with 894371
>>
>> Time for another poppler transition. It's in experimental, and all
>> the rdepends build fine, except for
>>
>> gdcm, due to an unrelated bug #894371.
> 
> This is ongoing now.

Some rdeps failed due to the new texlive-bin, but poppler migrated already.

Cheers,
Emilio