Bug#898934: Uploaded

2018-05-18 Thread Lisandro Damián Nicanor Pérez Meyer
Sorry, forgot to subscribe to the bug.

libmygpo-qt uploaded.


-- 
Old proverb of the Viejo Machi: "I'd rather have my brain on the
crest of the wave, with my PC one step behind serving it, than have my PC at
the 'state of the art' and my brain one step behind assisting it."
  http://www.grulic.org.ar/lurker/message/20090507.020516.ffda0441.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Bug#899085: release.debian.org: excuses terminology: replace "Valid Candidate" with "Trying to migrate"?

2018-05-18 Thread Paul Wise
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney

In #898329, pochu had to clarify the meaning of "Valid Candidate":

   Just to clarify things: being a valid candidate means britney will
   try to migrate that package to testing. That can still fail (and
   fails in this case) because the package is not installable on i386
   (which is a requirement).

This comes up a lot in various places, I wonder if replacing "Valid
Candidate" with "Trying to migrate" or similar in the excuses output
would help clarify the situation for people. "Not Considered" could be replaced 
with "Not trying to migrate yet" for a smaller clarification.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Bug#899064: nmu: smenu_0.9.12-1

2018-05-18 Thread Sven Joachim
Package: release.debian.org
Severity: normal

On amd64 only, the smenu package depends on libncurses5.  Not the
maintainer's fault, since the package is new and has been uploaded
before the libncurses6 transition started.

nmu smenu_0.9.12-1 . amd64 . unstable . -m "Rebuild against libncurses6."



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
Hi!

> Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> stretch-security).
> 

Fixed.  New debdiffs follow:


Jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-
1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog 2013-05-05
14:43:17.0 +0200
+++ blktrace-1.0.5/debian/changelog 2018-05-18
21:02:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-1+deb8u1) jessie; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Fri, 18 May 2018 15:47:57 +0200
+
 blktrace (1.0.5-1) unstable; urgency=low
 
   * New upstream release [February 2012].
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch blktrace-
1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch  1970-01-
01 01:00:00.0 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch  2018-05-
18 16:05:36.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===
+--- blktrace-1.0.5.orig/btt/devmap.c
 blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
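
Review bot: in struct devmap, growing device and devno from 32 bytes to PATH_MAX only raises the limit; nothing in this hunk bounds what gets written into the two arrays. Please confirm that the code filling them limits each write to the size of the destination field, and that btt/devmap.c already pulls in <limits.h> for PATH_MAX, since no include is added here.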
diff -Nru blktrace-1.0.5/debian/patches/series blktrace-
1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series2012-12-23
12:30:03.0 +0100
+++ blktrace-1.0.5/debian/patches/series2018-05-18
15:56:41.0 +0200
@@ -1,2 +1,3 @@
 10_btrace_paths.patch
 spelling.patch
+cve-2018-10689.patch



Stretch:


diff -Nru blktrace-1.1.0/debian/changelog blktrace-
1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog 2015-05-17
14:35:07.0 +0200
+++ blktrace-1.1.0/debian/changelog 2018-05-16
16:19:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-2+deb9u1) stretch; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Wed, 16 May 2018 16:19:54 +0200
+
 blktrace (1.1.0-2) unstable; urgency=low
 
   * Upload to unstable.
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch blktrace-
1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch  1970-01-
01 01:00:00.0 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch  2018-05-
16 16:19:54.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
 b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
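
Review bot: in the patch header, the upstream commit URL is buried at the end of a long Description line, and "Forwarded: yes" reads oddly for a change whose Author is the upstream maintainer. Suggest a short one-line Description plus a separate "Origin: upstream, <commit URL>" field so the provenance of the fix is machine-readable.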
diff -Nru blktrace-1.1.0/debian/patches/series blktrace-
1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series2015-03-25
08:40:33.0 +0100
+++ blktrace-1.1.0/debian/patches/series2018-05-16
16:19:54.0 +0200
@@ -4,3 +4,4 @@
 pdf-date.patch
 procnum.patch
 spelling.patch
+cve-2018-10689.patch



Processed: tagging 899050

2018-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 899050 + a11y
Bug #899050 [release.debian.org] stretch-pu: package accerciser/3.22.0-2
Added tag(s) a11y.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
899050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899050
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#899050: stretch-pu: package accerciser/3.22.0-2

2018-05-18 Thread Samuel Thibault
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Accerciser is a debugging tool for accessibility (think of it as an
accessibility inspector)

The version of accerciser currently in stable is actually basically
unusable due to bugs #848119 and #875629. The first prevents the python
console from working, thus preventing from hardcode debugging. The
second prevents from actually selecting a widget to inspect when not
using a desktop compositor, thus preventing basically everything.  The
fixes have been tested for a long time in "testing", and are forwarded
upstream.

It happens that people needing accerciser are usually using the testing
distribution, but it'd be still useful to have these fixed in stable.

Here is the proposed cherry-pick debdiff.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Samuel
Be warned that typing \fBkillall \fIname\fP may not have the desired
effect on non-Linux systems, especially when done by a privileged user.
(From the killall manual page)
diff -Nru accerciser-3.22.0/debian/changelog accerciser-3.22.0/debian/changelog
--- accerciser-3.22.0/debian/changelog  2016-11-09 14:05:38.0 +0100
+++ accerciser-3.22.0/debian/changelog  2018-05-18 19:25:43.0 +0200
@@ -1,3 +1,13 @@
+accerciser (3.22.0-2+deb9u1) stretch; urgency=medium
+
+  * Add patches/02_ipython5.patch to fix python console (Closes: #848119)
+  * Add patches/03_get_image.patch to fix accessing items without a compositor
+(Closes: #875629)
+  * control: Add python3-xlib dependency.
+  * control: Add python3-xlib runtime dependency (Closes: #880735)
+
+ -- Samuel Thibault   Fri, 18 May 2018 19:25:43 +0200
+
 accerciser (3.22.0-2) unstable; urgency=medium
 
   * Add missing Depends on gir1.2-glib-2.0 and gir1.2-rsvg-2.0.
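
Review bot: the last two bullets of the new changelog entry both say python3-xlib is added in control and differ only by the word "runtime". The control hunks add it in two different dependency lists, so name each one in its bullet (for example "build dependency" in the first). The entry also closes #880735, which the request text does not mention next to #848119 and #875629; worth a line of justification for the release team.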
diff -Nru accerciser-3.22.0/debian/control accerciser-3.22.0/debian/control
--- accerciser-3.22.0/debian/control2016-11-09 14:05:38.0 +0100
+++ accerciser-3.22.0/debian/control2018-05-18 19:25:43.0 +0200
@@ -17,6 +17,7 @@
  libgtk-3-dev (>= 3.1.13),
  pkg-config,
  python3 (>= 3.2),
+ python3-xlib,
  python-gi-dev (>= 3.4.2),
  python3-pyatspi2 (>= 2.5.2)
 X-Python3-Version: >= 3.2
@@ -39,6 +40,7 @@
  gir1.2-rsvg-2.0,
  gir1.2-wnck-3.0,
  python3-cairo,
+ python3-xlib,
  python3-pyatspi (>= 2.5.2)
 Description: interactive Python accessibility explorer for the GNOME desktop
  It uses AT-SPI to inspect and control widgets, allowing you to check if
diff -Nru accerciser-3.22.0/debian/control.in 
accerciser-3.22.0/debian/control.in
--- accerciser-3.22.0/debian/control.in 2016-11-09 14:03:25.0 +0100
+++ accerciser-3.22.0/debian/control.in 2018-05-18 19:24:04.0 +0200
@@ -13,6 +13,7 @@
  libgtk-3-dev (>= 3.1.13),
  pkg-config,
  python3 (>= 3.2),
+ python3-xlib,
  python-gi-dev (>= 3.4.2),
  python3-pyatspi2 (>= 2.5.2)
 X-Python3-Version: >= 3.2
@@ -35,6 +36,7 @@
  gir1.2-rsvg-2.0,
  gir1.2-wnck-3.0,
  python3-cairo,
+ python3-xlib,
  python3-pyatspi (>= 2.5.2)
 Description: interactive Python accessibility explorer for the GNOME desktop
  It uses AT-SPI to inspect and control widgets, allowing you to check if
diff -Nru accerciser-3.22.0/debian/patches/02_ipython5.patch 
accerciser-3.22.0/debian/patches/02_ipython5.patch
--- accerciser-3.22.0/debian/patches/02_ipython5.patch  1970-01-01 
01:00:00.0 +0100
+++ accerciser-3.22.0/debian/patches/02_ipython5.patch  2018-05-18 
19:21:45.0 +0200
@@ -0,0 +1,33 @@
+diff --git a/plugins/ipython_view.py b/plugins/ipython_view.py
+index 04f2d53..ae3d2be 100755
+--- a/plugins/ipython_view.py
 b/plugins/ipython_view.py
+@@ -125,7 +125,8 @@ class IterableIPShell:
+ self.complete_sep =  re.compile('[\s\{\}\[\]\(\)]')
+ self.updateNamespace({'exit':lambda:None})
+ self.updateNamespace({'quit':lambda:None})
+-self.IP.readline_startup_hook(self.IP.pre_readline)
++if parse_version(IPython.release.version) < parse_version("5.0.0"):
++  
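
Review bot: the added version check calls parse_version() and reads IPython.release.version, but the visible part of this hunk shows no import for either, and the patch text is cut off right after the "if" line. Please check that the full patch imports them at the top of plugins/ipython_view.py. The new patch file also starts directly at "diff --git" with no Description or Origin header; since the request says the fixes are forwarded upstream, record that in the header.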

Re: Your upload of goldencheetah to stretch

2018-05-18 Thread Jonathan Wiltshire
On Thu, May 17, 2018 at 08:10:47PM +0100, Adam D. Barratt wrote:
> On Thu, 2018-05-17 at 18:23 +0100, Jonathan Wiltshire wrote:
> > Hi,
> > 
> > You uploaded goldencheetah 4.0.0~DEV1607-2+deb9u1 to proposed-updates 
> > but
> > with a target suite of stretch-security. Was that meant to go to the
> > security archive?
> 
> It looks like this is part of DSA-4203:

Aha, thanks. It confused queue-viewer and me; sorry for the noise.

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Salvatore Bonaccorso
Hi Bas,

Not a Release Team member, but some suggestions to change:

On Fri, May 18, 2018 at 04:15:10PM +0200, Bas Zoetekouw wrote:
> +blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high

Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.

Same for Stretch, 

> +blktrace (1.1.0-3) stretch-security; urgency=high

Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
stretch-security).

Regards,
Salvatore



Bug#899030: jessie-pu: package intel-microcode/3.20180425.1~deb8u1

2018-05-18 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is related to s-p-u bug #899006, and the package for jessie is
basically the same as the package for stretch.  The differences are only
in debian/changelog.


I'd like to update the intel-microcode package in Debian jessie.

This update adds the microcode-side fix for CVE-2017-5715 aka Spectre
v2.

It has been very extensively tested, as noted in the changelog:

   * RELEASE MANAGER INFORMATION: This update deploys the microcode side
 fix for CVE-2017-5715 (Spectre v2).  On the more recent processors,
 it also fixes other unspecified errata.  This microcode update pack
 has been extensively tested in Debian unstable, testing,
 strech-backports and jessie-backports.  It has been extensively
 deployed by other distributions to their stable branches without
 causing any issues, with one notable exception (a distro-specific
 kernel bug, already fixed by that distro).

The only difference between this package and the ones that have been
uploaded (and tested) in jessie-backports, stretch-backports, testing
and unstable are in debian/changelog.

There is no need to worry about "intel-ucode-with-caveats/06-4f-01", the
"caveat" is described in releasenotes: it must be updated using the
early microcode update mode.  This is irrelevant to Debian, we always
use early microcode update mode since jessie, and I had already
blacklisted that specific microcode update from any attempts to "late
load" a while ago, anyway, because of a documented erratum.

Some upstream stuff is irrelevant to Debian and does not get used or
shipped in the binary packages, such as the linux-kernel-patches/
directory (our kernel team already has that handled).  It can also be
ignored.

Note that, because Intel switched from text files (".dat" format) to
binary format in the upstream microcode distribution, and I use symlinks
in the source package, the debdiff ended up *quite big*.

The source changes required to support the binary format have been
extensively tested, I already had them for a couple (unstable) releases.
They are also only relevant during package build.

As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 
 

Processed: wrong title

2018-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 899018 jessie-pu: package blktrace/1.0.5-1
Bug #899018 [release.debian.org] jessie-pu: blktrace/1.0.5-1
Changed Bug title to 'jessie-pu: package blktrace/1.0.5-1' from 'jessie-pu: 
blktrace/1.0.5-1'.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
899018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
clone 899014 -1
tags  899014 = stretch
tags-1 = jessie
retitle -1 jessie-pu: blktrace/1.0.5-1


Let's split this for jessie en stretch



Processed (with 1 error): Re: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> clone 899014 -1
Bug #899014 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Bug 899014 cloned as bug 899018
> tags  899014 = stretch
Bug #899014 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Removed tag(s) jessie.
> tags-1 = jessie
Bug #899018 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Removed tag(s) stretch.
> retitle -1 jessie-pu: blktrace/1.0.5-1
Bug #899018 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Changed Bug title to 'jessie-pu: blktrace/1.0.5-1' from 'stretch-pu: package 
blktrace/1.1.0-2'.
> Let's split this for jessie en stretch
Unknown command or malformed arguments to command.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
899014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899014
899018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
Package: release.debian.org
Severity: normal
Tags: stretch,jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update blktrace in Jessie (1.0.5-1) and Stretch
(1.1.0-2) to fix a buffer overflow (CVE-2018-10689, see
https://security-tracker.debian.org/tracker/CVE-2018-10689).

I've already discussed this with the security team, and they feel this
issue doesn't warrant a DSA, but should be fixed via proposed-updates
instead.

My proposed new packages can be found at https://zoetekouw.net/Zooi/blktrace/
The debdiffs are as follows:

For jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog 2013-05-05 14:43:17.0 +0200
+++ blktrace-1.0.5/debian/changelog 2018-05-18 15:57:31.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Fri, 18 May 2018 15:47:57 +0200
+
 blktrace (1.0.5-1) unstable; urgency=low
 
   * New upstream release [February 2012].
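
Review bot: the new changelog entry uses version 1.0.5-2 with distribution oldstable-proposed-updates. For an update to jessie the version should be 1.0.5-1+deb8u1, which sorts after 1.0.5-1 without taking the next regular revision number, and the distribution should be plain jessie.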
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch 
blktrace-1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch  1970-01-01 
01:00:00.0 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch  2018-05-18 
16:05:36.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid 
overflow.  Patch from 
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===
+--- blktrace-1.0.5.orig/btt/devmap.c
 blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
diff -Nru blktrace-1.0.5/debian/patches/series 
blktrace-1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series2012-12-23 12:30:03.0 
+0100
+++ blktrace-1.0.5/debian/patches/series2018-05-18 15:56:41.0 
+0200
@@ -1,2 +1,3 @@
 10_btrace_paths.patch
 spelling.patch
+cve-2018-10689.patch



For Stretch:

diff -Nru blktrace-1.1.0/debian/changelog blktrace-1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog 2015-05-17 14:35:07.0 +0200
+++ blktrace-1.1.0/debian/changelog 2018-05-16 16:19:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-3) stretch-security; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Wed, 16 May 2018 16:19:54 +0200
+
 blktrace (1.1.0-2) unstable; urgency=low
 
   * Upload to unstable.
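
Review bot: this entry targets stretch-security, while the request text says the security team wants the fix to go through proposed-updates rather than a DSA. The distribution should be stretch, and the version 1.1.0-2+deb9u1 instead of 1.1.0-3.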
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch 
blktrace-1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch  1970-01-01 
01:00:00.0 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch  2018-05-16 
16:19:54.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid 
overflow.  Patch from 
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
 b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
diff -Nru blktrace-1.1.0/debian/patches/series 
blktrace-1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series2015-03-25 08:40:33.0 
+0100
+++ blktrace-1.1.0/debian/patches/series2018-05-16 16:19:54.0 
+0200
@@ -4,3 +4,4 @@
 pdf-date.patch
 procnum.patch
 spelling.patch
+cve-2018-10689.patch

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (620, 'stable'), (500, 'stable-updates'), (20, 'unstable'), (10, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#899006: stretch-pu: package intel-microcode/3.20180425.1~deb9u1

2018-05-18 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in Debian stretch.

This update adds the microcode-side fix for CVE-2017-5715 aka Spectre
v2.

It has been very extensively tested, as noted in the changelog:

   * RELEASE MANAGER INFORMATION: This update deploys the microcode side
 fix for CVE-2017-5715 (Spectre v2).  On the more recent processors,
 it also fixes other unspecified errata.  This microcode update pack
 has been extensively tested in Debian unstable, testing,
 strech-backports and jessie-backports.  It has been extensively
 deployed by other distributions to their stable branches without
 causing any issues, with one notable exception (a distro-specific
 kernel bug, already fixed by that distro).

The only difference between this package and the ones that have been
uploaded (and tested) in jessie-backports, stretch-backports, testing
and unstable are in debian/changelog.

There is no need to worry about "intel-ucode-with-caveats/06-4f-01", the
"caveat" is described in releasenotes: it must be updated using the
early microcode update mode.  This is irrelevant to Debian, we always
use early microcode update mode since jessie, and I had already
blacklisted that specific microcode update from any attempts to "late
load" a while ago, anyway, because of a documented erratum.

Some upstream stuff is irrelevant to Debian and does not get used or
shipped in the binary packages, such as the linux-kernel-patches/
directory (our kernel team already has that handled).  It can also be
ignored.

Note that, because Intel switched from text files (".dat" format) to
binary format in the upstream microcode distribution, and I use symlinks
in the source package, the debdiff ended up *quite big*.

The source changes required to support the binary format have been
extensively tested, I already had them for a couple (unstable) releases.
They are also only relevant during package build.

As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 
 

Processed: tagging 892770

2018-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 892770 + jessie
Bug #892770 [release.debian.org] RM: dolibarr/3.5.5+dfsg1-1+deb8u1
Added tag(s) jessie.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
892770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#898566: transition: gdal

2018-05-18 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 http://release.debian.org/transitions/html/gdal-2.3.0.html
Bug #898566 [release.debian.org] transition: gdal
Set Bug forwarded-to-address to 
'http://release.debian.org/transitions/html/gdal-2.3.0.html'.

-- 
898566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898566
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#898566: transition: gdal

2018-05-18 Thread Emilio Pozuelo Monfort
Control: forwarded -1 http://release.debian.org/transitions/html/gdal-2.3.0.html

On 13/05/18 18:48, Bas Couwenberg wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> Control: block -1 by 896577
> 
> For the Debian GIS team I'd like to transition to GDAL 2.3.0.
> 
> Like the previous transition to GDAL 2.2.3 (#884504), there is no SONAME
> bump, only the virtual ABI package changed to account for the C++ symbol
> changes.
> 
> All reverse dependencies rebuilt successfully with GDAL 2.3.0 from
> experimental as summarized below, except mysql-workbench. It does build
> successfully with the patch from #896577.
> 
> libgdal-grass doesn't need a binNMU as the 2.3.0 version will be
> uploaded to unstable instead. liblas likewise doesn't need a binNMU,
> the version in experimental will be moved to unstable instead.

Let's wait for icu to migrate to testing, at the very least.

Emilio



Bug#898329: marked as done (release.debian.org: bpfcc not migrating to testing)

2018-05-18 Thread Debian Bug Tracking System
Your message dated Fri, 18 May 2018 14:43:02 +0200
with message-id 
and subject line Re: Bug#898329: release.debian.org: bpfcc not migrating to 
testing
has caused the Debian Bug report #898329,
regarding release.debian.org: bpfcc not migrating to testing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
898329: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898329
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal


As quoted in Debian Bug #898151

bpfcc didn't migrate to testing. I see you have tried to request RoM
but still not migrated. After consulting on #debian-dev

12:18 I think it is because arch-all packages are depending on 
packages that only exist on some arches 
https://qa.debian.org/excuses.php?package=bpfcc
12:19 IIRC the release team requires those deps to be satisfiable on 
i386, so I think bpfcc will need hinting into testing
12:19 I got this in an i386 chroot: python3-bpfcc : Depends: libbpfcc 
(>= 0.5.0-5) but it is not installable
12:19  oddly, https://qa.debian.org/excuses.php?package=bpfcc says 
"Migration status: OK: Will attempt migration (Any information below is purely 
informational)" -- "Valid candidate"
12:20  so not everything is playing by the same rules if it still 
isn't :)
12:20 yeah, testing migration is sometimes confusing. the log link 
usually explains things
12:21 Maybe that's it
12:21 
https://release.debian.org/doc/britney/short-intro-to-migrations.html#migration-phase-2-installability-regression-testing
12:22 I'd suggest reportbug release.debian.org, choose other, request 
hinting


pabs suggests to request britney hints to get the bpfcc migrated.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (100, 'experimental'), (1, 
'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 10/05/18 12:17, Ritesh Raj Sarraf wrote:
> Package: release.debian.org
> Severity: normal
> 
> 
> As quoted in Debian Bug #898151
> 
> bpfcc didn't migrate to testing. I see you have tried to request RoM
> but still not migrated. After consulting on #debian-dev
> 
> 12:18 I think it is because arch-all packages are depending on 
> packages that only exist on some arches 
> https://qa.debian.org/excuses.php?package=bpfcc
> 12:19 IIRC the release team requires those deps to be satisfiable 
> on i386, so I think bpfcc will need hinting into testing
> 12:19 I got this in an i386 chroot: python3-bpfcc : Depends: 
> libbpfcc (>= 0.5.0-5) but it is not installable
> 12:19  oddly, https://qa.debian.org/excuses.php?package=bpfcc says 
> "Migration status: OK: Will attempt migration (Any information below is 
> purely informational)" -- "Valid candidate"
> 12:20  so not everything is playing by the same rules if it still 
> isn't :)

Just to clarify things: being a valid candidate means britney will try to
migrate that package to testing. That can still fail (and fails in this case)
because the package is not installable on i386 (which is a requirement). I'm
overriding that in this case with a force-hint hint.

Emilio

> 12:20 yeah, testing migration is sometimes confusing. the log link 
> usually explains things
> 12:21 Maybe that's it
> 12:21 
> https://release.debian.org/doc/britney/short-intro-to-migrations.html#migration-phase-2-installability-regression-testing
> 12:22 I'd suggest reportbug release.debian.org, choose other, 
> request hinting
> 
> 
> pabs suggests to request britney hints to get the bpfcc migrated.
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable-debug'), (500, 
> 'testing-debug'), (500, 'unstable'), (100, 'experimental'), (1, 
> 'experimental-debug')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en 
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> --- End Message ---


Processed: Re: Bug#898188: RM: undertow/1.4.8-1+deb9u1

2018-05-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 898188 + stretch
Bug #898188 [release.debian.org] RM: undertow/1.4.8-1+deb9u1
Added tag(s) stretch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
898188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Scheduling 9.5

2018-05-18 Thread Laura Arjona Reina
Hello
Sorry for the delay in answering

On 14/05/18 at 19:19, Jonathan Wiltshire wrote:
> Hi,
> 
> We're due a point release any day now. Please indicate your availability
> out of:
> 
>  - May 26th (meaning freeze this coming weekend, which might be a big ask)
>  - Jun 2nd (which may require an unusual SRM)
>  - Jun 9th (getting quite a way out of cadence, but maybe that can't be
>    helped)

We (publicity) are available any of the above weekends.

Thanks
-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona



Re: Scheduling final Jessie point release, 8.11

2018-05-18 Thread Laura Arjona Reina
Hello

On 14/05/18 at 19:26, Jonathan Wiltshire wrote:
> Hi,
> 
> According to my records main security support for Jessie can end any time
> after 17th June. 
> 
> So to the security team: do you have a date in mind?
> 
> I also presume that LTS will take over the existing security suites as
> before. [1] lists the current delta between security and o-p-u-new which
> would ideally be as short as possible before the EOL date.
> 
> For everyone else, assuming it'll be soon after that date please
> indicate your availability from:
> 
>  - 23rd Jun
Publicity available

>  - (30th Jun I already know is impossible, for the sake of completeness)
Publicity we can't

>  - 7th July
> 
Publicity available.

> or adjacent Sundays.
> 
Sundays we are available, with some difficulty if we decide 1 July, but do-able.

Thanks
-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona



Bug#876944: jessie-pu: package bwm-ng/0.6-3.1

2018-05-18 Thread Jonathan Wiltshire
On Sat, Nov 18, 2017 at 10:39:47PM -0200, Samuel Henrique wrote:
> 2017-11-18 17:03 GMT-02:00 Adam D. Barratt :
> 
> > On Wed, 2017-09-27 at 00:53 -0300, Samuel Henrique wrote:
> > > This is a small change on d/rules passing "--without-libstatgrab"
> > > (as advised by upstream on a duplicate bug report[1]) to fix
> > > #855215[2].
> > >
> >
> > While I assume the end result is sane, passing both --with-libstatgrab
> > and --without-libstatgrab to the same configure invocation is at best
> > confusing...
> >
> 
> Thanks for catching that, it was my mistake.
> 
> There's an updated debdiff attached, already pushed to git.

For the avoidance of doubt, a confirmed tag means you can go ahead and
upload.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51