Bug#901192: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u2

2018-06-13 Thread Ryan Tandy

On Wed, Jun 13, 2018 at 07:14:24PM +0100, Adam D. Barratt wrote:
> Please go ahead.

Thank you. Uploaded and accepted.



Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Ryan Tandy

On Wed, Jun 13, 2018 at 07:13:24PM +0100, Adam D. Barratt wrote:
> Please go ahead.

Thank you. Uploaded and accepted.



NEW changes in oldstable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: file_5.22+15-2+deb8u4_amd64.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_arm64.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_armel.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_armhf.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_mips.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_mipsel.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_ppc64el.changes
  ACCEPT



NEW changes in stable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: patch_2.7.5-1+deb9u1_arm64.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_armel.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_armhf.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_mips.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_ppc64el.changes
  ACCEPT



NEW changes in stable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: patch_2.7.5-1+deb9u1_i386.changes
  ACCEPT
Processing changes file: patch_2.7.5-1+deb9u1_s390x.changes
  ACCEPT



NEW changes in oldstable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: file_5.22+15-2+deb8u4_i386.changes
  ACCEPT
Processing changes file: file_5.22+15-2+deb8u4_s390x.changes
  ACCEPT



Bug#901476: stretch-pu: package systemd/232-25+deb9u4

2018-06-13 Thread Cyril Brulebois
Hi,

Michael Biebl  (2018-06-13):
> I'd like to make a stable upload fixing a few (minor) issues that were
> requested to be fixed by various users.  Strictly speaking, those
> issues are not important per se and would therefore qualify for a
> stable upload, but given the importance of the systemd package, making
> it work more smoothly seems worthwhile nonetheless.
> 
[…]
> 
> Those changes do not touch udeb, so should not affect d-i.
> That said, I've CCed KiBi, as usual, for a d-i ACK.

Thanks; I'm quite convinced by your assessment regarding the d-i side,
so no objections.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




NEW changes in stable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: patch_2.7.5-1+deb9u1_amd64.changes
  ACCEPT



NEW changes in oldstable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: plexus-archiver_1.2-1+deb8u1_allonly.changes
  ACCEPT



Processed: patch 2.7.5-1+deb9u1 flagged for acceptance

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #895936 [release.debian.org] stretch-pu: package patch/2.7.5-1+deb9u1
Ignoring request to alter tags of bug #895936 to the same tags previously set

-- 
895936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#895936: patch 2.7.5-1+deb9u1 flagged for acceptance

2018-06-13 Thread Adam D Barratt
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: patch
Version: 2.7.5-1+deb9u1

Explanation: fix arbitrary command execution in ed-style patches [CVE-2018-1000156]



Processed: patch 2.7.5-1+deb9u1 flagged for acceptance

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #895936 [release.debian.org] stretch-pu: package patch/2.7.5-1+deb9u1
Added tag(s) pending.

-- 
895936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1

2018-06-13 Thread Antoine Beaupré
On 2018-06-13 16:00:41, Adam D. Barratt wrote:
> On Tue, 2016-09-13 at 12:04 +0200, Julien Cristau wrote:
>> On Sun, Sep 11, 2016 at 16:58:34 -0400, Antoine Beaupré wrote:
>> 
>> > 1. ignore the above two extra issues and simply add the patch for
>> > #215
>> > to the pile of patches in jessie
>> > 2. import the new gnutls.c module from an eventual new 3.5 release
>> > upstream directly in jessie - this may be difficult because of
>> > internal
>> > API changes
>> > 3. import 3.5.x directly in jessie
>> > 
>> > I would like to have feedback from the release team as to which
>> > approach
>> > to take forward.
>> > 
>> 
>> I don't think 3 is a reasonable option.  The rest will depend on
>> specifics.
>
> There's been no further activity on this bug since the above, so I
> think it's reasonable to say it's unlikely to be getting fixed in
> jessie at this point?

Hmm... I am not sure what to do with this... 3.4 is pretty much dead at
this point, and I suspect most people will have migrated to 3.5. the
complete fix is pretty invasive so I guess we can just punt this away
for ever and assume people will upgrade to stretch already... :/

a.
-- 
Software gets slower faster than hardware gets faster.
 - Wirth's law



Bug#869573: marked as done (jessie-pu: package kdepim/4:4.14.1-1+deb8u1)

2018-06-13 Thread Debian Bug Tracking System
Your message dated Wed, 13 Jun 2018 22:24:19 +0100
with message-id <1528925059.2806.84.ca...@adam-barratt.org.uk>
and subject line Re: Bug#869573: jessie-pu: package kdepim/4:4.14.1-1+deb8u1
has caused the Debian Bug report #869573,
regarding jessie-pu: package kdepim/4:4.14.1-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
869573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hey,

in order to fix CVE-2017-9604: "Send Later with Delay bypasses
OpenPGP" (Closes: #864804), I want to request a point update for kdepim.
As discussed in #864804, the security team don't want to warrant a DSA on its
own. But propose to do a pu for kdepim.

Best Regards,

sandro

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.10

On Tue, 2017-08-22 at 21:27 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-07-24 at 16:49 +0200, Sandro Knauß wrote:
> > Control: tags -1 - moreinfo
> > 
> > > We'll need to see a debdiff of the proposed package, built and
> > > tested on
> > > jessie, before going any further, please.
> > 
> > As it was already proposed as security update, I already built and
> > tested it 
> > on jessie.
> 
> +kdepim (4:4.14.1-1+deb8u1) jessie-security; urgency=high
> 
> The distribution needs to be simply "jessie", as this isn't targeting
> the security archive now.
> 
> With that change, please go ahead.
> 

That happened, and the patch was released, but this bug wasn't closed
for some reason.

Regards,

Adam
--- End Message ---


Bug#799019: marked as done (jessie-pu: package golang/2:1.3.3-1+deb8u1)

2018-06-13 Thread Debian Bug Tracking System
Your message dated Wed, 13 Jun 2018 22:19:52 +0100
with message-id <1528924792.2806.82.ca...@adam-barratt.org.uk>
and subject line Re: Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
has caused the Debian Bug report #799019,
regarding jessie-pu: package golang/2:1.3.3-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Hi!

"src:golang" has recently had a group of non-critical CVEs (#795106);
I've finally got a fix in unstable now, but the security team
requested[1] that I also propose an upload to s-p-u also to update
jessie.

I've attached the proposed debdiff -- the only functional change is
the addition of the .patch file containing the three backported
upstream commits to fix the CVEs.

[1]: https://bugs.debian.org/795106#45

Thanks for your consideration!

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4


golang_2:1.3.3-1.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
On Thu, 2015-11-05 at 06:41 -0800, Tianon Gravi wrote:
> On 5 November 2015 at 06:23, Adam D. Barratt wrote:
> > Do you have an estimate of how many packages that would be? I
> > looked at
> > the output of "dak rm -Rn -s stable golang" and made various sad
> > faces.
> 
> That sad face is 100% warranted. :(  I don't know the number off-
> hand, but I imagine it's pretty large by now.
> 

Unfortunately we all shied away from progressing this any further, and
we're now about to close updates to jessie via point releases as it
moves to LTS.

I'm therefore closing this bug now. Sorry for not dealing with it one
way or another earlier.

Regards,

Adam
--- End Message ---


Processed: tagging 897613, tagging 901478, tagging 901479, tagging 901480

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 897613 + pending
Bug #897613 [release.debian.org] RM: redmine -- RoST; no longer security 
supported
Added tag(s) pending.
> tags 901478 + pending
Bug #901478 [release.debian.org] RM: redmine-plugin-pretend -- RoST; depends on 
to-be-removed redmine
Added tag(s) pending.
> tags 901479 + pending
Bug #901479 [release.debian.org] RM: redmine-plugin-recaptcha -- RoST; depends 
on to-be-removed redmine
Added tag(s) pending.
> tags 901480 + pending
Bug #901480 [release.debian.org] RM: redmine-recaptcha -- RoST; depends on 
to-be-removed redmine
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897613
901478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901478
901479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901479
901480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: blktrace_1.1.0-2+deb9u1_amd64.changes REJECTED

2018-06-13 Thread Aurelien Jarno
Hi,

Your package blktrace_1.1.0-2+deb9u1 has been successfully built on
amd64, however it has been rejected by dak, as you already used the
_amd64.changes extension for the source upload:

On 2018-06-13 04:17, Debian FTP Masters wrote:
> 
> An exception was raised while processing the package:
> Traceback (most recent call last):
>   File "/srv/ftp-master.debian.org/dak/dak/process_policy.py", line 107, in 
> wrapper
> function(upload, srcqueue, comments, transaction)
>   File "/srv/ftp-master.debian.org/dak/dak/process_policy.py", line 231, in 
> comment_accept
> fs.copy(src, dst, mode=upload.target_suite.archive.mode)
>   File "/srv/ftp-master.debian.org/dak/dak/daklib/fstransactions.py", line 
> 151, in copy
> self.actions.append(_FilesystemCopyAction(source, destination, link=link, 
> symlink=symlink, mode=mode))
>   File "/srv/ftp-master.debian.org/dak/dak/daklib/fstransactions.py", line 
> 51, in __init__
> self.check_for_temporary()
>   File "/srv/ftp-master.debian.org/dak/dak/daklib/fstransactions.py", line 
> 32, in check_for_temporary
> raise IOError("Temporary file '{0}' already 
> exists.".format(self.temporary_name))
> IOError: Temporary file 
> '/srv/ftp-master.debian.org/ftp/dists/proposed-updates/blktrace_1.1.0-2+deb9u1_amd64.changes'
>  already exists.
> 
> Original comments:
> blktrace - fix buffer overflow in btt [CVE-2018-10689]

Therefore it can't be uploaded from a build daemon. Please do a
maintainer upload for amd64 and name the changes file differently than
_amd64.changes.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net




Bug#841234: jessie-pu: package libiberty/20141014-1

2018-06-13 Thread Anton Gladky
Hi Adam,

I forgot about this bug. Actually I do not have any interest and time
now to make an upload. So, I think the bug can be closed.

Thanks

Anton


2018-06-13 22:17 GMT+02:00 Adam D. Barratt :
> On Sat, 2016-12-17 at 11:42 +0100, Julien Cristau wrote:
>> Control: tag -1 moreinfo
>>
>> On Tue, Oct 18, 2016 at 20:32:56 +0200, Anton Gladky wrote:
>>
>> > Package: release.debian.org
>> > Severity: normal
>> > Tags: jessie
>> > User: release.debian@packages.debian.org
>> > Usertags: pu
>> >
>> > Dear release team,
>> >
>> > libiberty needs to be updated in Jessie, because the newer version
>> > fixes many security issues:
>> >
>> > CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490
>> > CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131
>> >
>>
>> What makes it impossible to backport just the fixes for the above
>> issues, rather than importing a full new upstream release?  A short
>> description of the issues so we don't have to look them up would also
>> have been helpful.
>>
>
> Ping? The above was 18 months ago, and we're within a few days of
> closing updates to jessie before it becomes LTS.
>
> Regards,
>
> Adam



Processed: tagging 835873, retitle 835873 to RM: openstreetmap-client -- RoM; broken

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 835873 + pending
Bug #835873 [release.debian.org] RM: openstreetmap-client/14.03.1~ds0-1
Added tag(s) pending.
> retitle 835873 RM: openstreetmap-client -- RoM; broken
Bug #835873 [release.debian.org] RM: openstreetmap-client/14.03.1~ds0-1
Changed Bug title to 'RM: openstreetmap-client -- RoM; broken' from 'RM: 
openstreetmap-client/14.03.1~ds0-1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
835873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#884571: [Pkg-privacy-maintainers] Bug#884571: RM: torbrowser-launcher/0.1.9-1+deb8u3

2018-06-13 Thread Adam D. Barratt
On Sat, 2018-02-24 at 14:03 +0100, intrigeri wrote:
> Adam D. Barratt:
> > # Broken Depends:
> > onionshare/contrib: onionshare
> 
> So I guess Jessie should first get the fix we applied to onionshare
> in
> testing/sid, i.e. move torbrowser-launcher to Recommends.

Ping?

Regards,

Adam



Processed: cloning 897613, user release.debian....@packages.org, usertagging -1 ..., usertagging -2 ...

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> clone 897613 -1 -2 -3
Bug #897613 [release.debian.org] RM: redmine/3.0~20140825-8~deb8u4
Bug 897613 cloned as bugs 901478-901480
> user release.debian@packages.org
Setting user to release.debian@packages.org (was a...@adam-barratt.org.uk).
> usertags -1 rm
There were no usertags set.
Usertags are now: rm.
> retitle -1 RM: redmine-plugin-pretend -- RoST; depends on to-be-removed 
> redmine
Bug #901478 [release.debian.org] RM: redmine/3.0~20140825-8~deb8u4
Changed Bug title to 'RM: redmine-plugin-pretend -- RoST; depends on 
to-be-removed redmine' from 'RM: redmine/3.0~20140825-8~deb8u4'.
> usertags -2 rm
There were no usertags set.
Usertags are now: rm.
> retitle -2 RM: redmine-plugin-recaptcha -- RoST; depends on to-be-removed 
> redmine
Bug #901479 [release.debian.org] RM: redmine/3.0~20140825-8~deb8u4
Changed Bug title to 'RM: redmine-plugin-recaptcha -- RoST; depends on 
to-be-removed redmine' from 'RM: redmine/3.0~20140825-8~deb8u4'.
> usertags -3 rm
There were no usertags set.
Usertags are now: rm.
> retitle -3 RM: redmine-recaptcha -- RoST; depends on to-be-removed redmine
Bug #901480 [release.debian.org] RM: redmine/3.0~20140825-8~deb8u4
Changed Bug title to 'RM: redmine-recaptcha -- RoST; depends on to-be-removed 
redmine' from 'RM: redmine/3.0~20140825-8~deb8u4'.
> retitle 897613 RM: redmine -- RoST; no longer security supported
Bug #897613 [release.debian.org] RM: redmine/3.0~20140825-8~deb8u4
Changed Bug title to 'RM: redmine -- RoST; no longer security supported' from 
'RM: redmine/3.0~20140825-8~deb8u4'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897613
901478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901478
901479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901479
901480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 894123

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 894123 + pending
Bug #894123 [release.debian.org] RM: nvidia-graphics-modules/oldstable -- RoQA; 
license problem; incompatible with current kernel ABI
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
894123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in oldstable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: cloudprint_0.13-1+deb8u2_amd64.changes
  REJECT
Processing changes file: file_5.22+15-2+deb8u4_powerpc.changes
  ACCEPT



Bug#901476: stretch-pu: package systemd/232-25+deb9u4

2018-06-13 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload fixing a few (minor) issues that were
requested to be fixed by various users.
Strictly speaking, those issues are not important per se and would
therefore qualify for a stable upload, but given the importance of the
systemd package, making it work more smoothly seems worthwhile
nonetheless.

The full debdiff is attached.
All changes are cherry-picked upstream fixes, i.e. are in
unstable/testing.

systemd (232-25+deb9u4) stretch; urgency=medium

  * core/load-fragment: Add RemoveIPC=
Allow RemoveIPC= to be set in the unit file not only via D-Bus.
(Closes: #892829)

https://salsa.debian.org/systemd-team/systemd/commit/6854cdeb080e5c35a93430f0efcd2fc15c4b7012

  * nspawn: Add missing -E to getopt_long.
The -E alias for --setenv in systemd-nspawn was not working as
documented. This commit fixes that by adding -E to getopt_long.
(Closes: #895798)

https://salsa.debian.org/systemd-team/systemd/commit/c16bbb83f6adbb1766932b21f45dd9a9def8f948

  * login: Respect --no-wall when cancelling a shutdown request
(Closes: #897938)

https://salsa.debian.org/systemd-team/systemd/commit/2aceef88c722b31352c63b403ecc829da23a8e08


Those changes do not touch udeb, so should not affect d-i.
That said, I've CCed KiBi, as usual, for a d-i ACK.

Regards,
Michael


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 1117655..a81c855 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+systemd (232-25+deb9u4) stretch; urgency=medium
+
+  * core/load-fragment: Add RemoveIPC=
+Allow RemoveIPC= to be set in the unit file not only via D-Bus.
+(Closes: #892829)
+  * nspawn: Add missing -E to getopt_long.
+The -E alias for --setenv in systemd-nspawn was not working as
+documented. This commit fixes that by adding -E to getopt_long.
+(Closes: #895798)
+  * login: Respect --no-wall when cancelling a shutdown request
+(Closes: #897938)
+
+ -- Michael Biebl   Wed, 13 Jun 2018 22:20:36 +0200
+
 systemd (232-25+deb9u3) stretch; urgency=medium
 
   [ Cyril Brulebois ]
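Review bot: the third new entry in this changelog hunk, "login: Respect --no-wall when cancelling a shutdown request", carries only its Closes: line, while the two entries above it each say what was wrong and what the fix does. For a stable update it would help to add one line describing the behaviour users saw before the fix, in the same style as the RemoveIPC= and nspawn -E entries.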
diff --git a/debian/patches/core-load-fragment-add-RemoveIPC-7288.patch 
b/debian/patches/core-load-fragment-add-RemoveIPC-7288.patch
new file mode 100644
index 000..b74f2d8
--- /dev/null
+++ b/debian/patches/core-load-fragment-add-RemoveIPC-7288.patch
@@ -0,0 +1,28 @@
+From: Yu Watanabe 
+Date: Fri, 10 Nov 2017 18:15:55 +0900
+Subject: core/load-fragment: add RemoveIPC= (#7288)
+
+PR #3865 introduced RemoveIPC= but the option is not listed in
+load-fragment-gperf.gperf. So, the option could be used only via d-bus.
+This adds RemoveIPC= in load-fragment-gperf.gperf. Then, now we can
+set the option in unit files.
+
+Fixes #7281.
+
+(cherry picked from commit c54515b1e42384ad4c582f7fb13434f9224c148f)
+---
+ src/core/load-fragment-gperf.gperf.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/core/load-fragment-gperf.gperf.m4 
b/src/core/load-fragment-gperf.gperf.m4
+index cb2f384..10a5682 100644
+--- a/src/core/load-fragment-gperf.gperf.m4
 b/src/core/load-fragment-gperf.gperf.m4
+@@ -35,6 +35,7 @@ $1.Environment,  config_parse_environ,   
0,
+ $1.EnvironmentFile,  config_parse_unit_env_file, 0,   
  offsetof($1, exec_context.environment_files)
+ $1.PassEnvironment,  config_parse_pass_environ,  0,   
  offsetof($1, exec_context.pass_environment)
+ $1.DynamicUser,  config_parse_bool,  0,   
  offsetof($1, exec_context.dynamic_user)
++$1.RemoveIPC,config_parse_bool,  0,   
  offsetof($1, exec_context.remove_ipc)
+ $1.StandardInput,config_parse_exec_input,0,   
  offsetof($1, exec_context)
+ $1.StandardOutput,   config_parse_exec_output,   0,   
  offsetof($1, exec_context)
+ $1.StandardError,config_parse_exec_output,   0,   
  offsetof($1, exec_context)
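Review bot: the added `$1.RemoveIPC` row makes a setting take effect in unit files that, per the patch description, could previously be used only via D-Bus, so a stretch unit that already carries RemoveIPC= may start behaving differently once this update is installed. That deserves a sentence in the changelog entry or in the pu request so administrators can check their units beforehand. The patch header also cites only the upstream issue (Fixes #7281); adding a reference to the Debian bug closed in the changelog (#892829) would keep the patch traceable on its own.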
diff --git 
a/debian/patches/login-change-variable-type-of-enable_wall_messages-as-it-.patch
 
b/debian/patches/login-change-variable-type-of-enable_wall_messages-as-it-.patch
new file mode 100644
index 000..1018019
--- /dev/null
+++ 

Processed: tagging 892770 ...

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 892770 + pending
Bug #892770 [release.debian.org] RM: dolibarr/3.5.5+dfsg1-1+deb8u1
Added tag(s) pending.
> retitle 892770 RM: dolibarr -- RoM; too much work to maintain it properly in 
> Debian
Bug #892770 [release.debian.org] RM: dolibarr/3.5.5+dfsg1-1+deb8u1
Changed Bug title to 'RM: dolibarr -- RoM; too much work to maintain it 
properly in Debian' from 'RM: dolibarr/3.5.5+dfsg1-1+deb8u1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
892770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 891346, retitle 891346 to RM: jirc -- RoQA; broken with jessie's libpoe-filter-xml-perl

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 891346 + pending
Bug #891346 [release.debian.org] RM: jirc/1.0-1
Added tag(s) pending.
> retitle 891346 RM: jirc -- RoQA; broken with jessie's libpoe-filter-xml-perl
Bug #891346 [release.debian.org] RM: jirc/1.0-1
Changed Bug title to 'RM: jirc -- RoQA; broken with jessie's 
libpoe-filter-xml-perl' from 'RM: jirc/1.0-1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
891346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 887415, retitle 887415 to RM: electrum -- RoM; unable to connect

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 887415 + pending
Bug #887415 [release.debian.org] RM: electrum/1.9.8-4
Added tag(s) pending.
> retitle 887415 RM: electrum -- RoM; unable to connect
Bug #887415 [release.debian.org] RM: electrum/1.9.8-4
Changed Bug title to 'RM: electrum -- RoM; unable to connect' from 'RM: 
electrum/1.9.8-4'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
887415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 837458

2018-06-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 837458 + confirmed
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
837458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#800163: marked as done (jessie-pu: package cloudprint/0.11-5)

2018-06-13 Thread Debian Bug Tracking System
Your message dated Wed, 13 Jun 2018 21:28:37 +0100
with message-id <1528921717.2806.78.ca...@adam-barratt.org.uk>
and subject line Re: Bug#800163: jessie-pu: package cloudprint/0.11-5
has caused the Debian Bug report #800163,
regarding jessie-pu: package cloudprint/0.11-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
800163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu


Google has removed support for SASL authentication for Cloud Print services,
and is now requiring OAuth2 authentication. This breaks the version of
cloudprint which is in Jessie, making the package totally non-functional.

I attempted a targeted patch of upstream changes to pull in only
OAuth2-relevant content. It was neither clean, concise, nor stable.
Instead, I
am proposing to modify the 3-month-old upstream 0.13 release for Jessie.

Changes required:
 - revert to support for the older python-daemon module
 - remove a setup.py version restriction on 'requests'

Debdiff attached, with patch detail on deleted files removed.


The change relative to 0.13 is here:

https://github.com/davesteele/cloudprint-service/compare/debian/0.13-1...updates-jessie


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
diff -Nru cloudprint-0.11/cloudprint/cloudprint.py cloudprint-0.13/cloudprint/cloudprint.py
--- cloudprint-0.11/cloudprint/cloudprint.py	2014-01-05 19:29:25.0 -0500
+++ cloudprint-0.13/cloudprint/cloudprint.py	2015-07-08 23:10:28.0 -0400
@@ -1,231 +1,264 @@
 #!/usr/bin/env python
-import rest
-import platform
+# Copyright 2014 Jason Michalski 
+#
+# This file is part of cloudprint.
+#
+# cloudprint is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cloudprint is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cloudprint.  If not, see .
+
+import argparse
 import cups
+import datetime
 import hashlib
-import time
-import urllib2
-import tempfile
-import shutil
-import os
 import json
-import getpass
-import stat
-import sys
-import getopt
 import logging
 import logging.handlers
+import os
+import re
+import requests
+import shutil
+import stat
+import sys
+import tempfile
+import time
+import uuid
 
 import xmpp
 
 XMPP_SERVER_HOST = 'talk.google.com'
-XMPP_USE_SSL = True
 XMPP_SERVER_PORT = 5223
 
 SOURCE = 'Armooo-PrintProxy-1'
 PRINT_CLOUD_SERVICE_ID = 'cloudprint'
 CLIENT_LOGIN_URL = '/accounts/ClientLogin'
-PRINT_CLOUD_URL = '/cloudprint/'
+PRINT_CLOUD_URL = 'https://www.google.com/cloudprint/'
 
 # period in seconds with which we should poll for new jobs via the HTTP api,
 # when xmpp is connecting properly.
 # 'None' to poll only on startup and when we get XMPP notifications.
 # 'Fast Poll' is used as a workaround when notifications are not working.
-POLL_PERIOD=3600.0
-FAST_POLL_PERIOD=30.0
+POLL_PERIOD = 3600.0
+FAST_POLL_PERIOD = 30.0
 
 # wait period to retry when xmpp fails
-FAIL_RETRY=60
+FAIL_RETRY = 60
 
 # how often, in seconds, to send a keepalive character over xmpp
-KEEPALIVE=600.0
+KEEPALIVE = 600.0
+
+# failed job retries
+RETRIES = 1
+num_retries = 0
 
 LOGGER = logging.getLogger('cloudprint')
 LOGGER.setLevel(logging.INFO)
 
-class CloudPrintProxy(object):
+CLIENT_ID = '607830223128-rqenc3ekjln2qi4m4ntudskhnsqn82gn.apps.googleusercontent.com'
+CLIENT_KEY = 'T0azsx2lqDztSRyPHQaERJJH'
 
-def __init__(self, verbose=True):
-self.verbose = verbose
-self.auth = None
-self.cups= cups.Connection()
-self.proxy =  platform.node() + '-Armooo-PrintProxy'
-self.auth_path = os.path.expanduser('~/.cloudprintauth')
-self.xmpp_auth_path = os.path.expanduser('~/.cloudprintauth.sasl')
-self.username = None
-self.password = None
-self.sleeptime = 0
 
-
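Review bot: the new `CLIENT_ID` and `CLIENT_KEY` constants near the end of this hunk hard-code an OAuth2 client credential in cloudprint.py, so the same value ships to every installation of the package. Please add a comment stating whether this key is intended to be public for an installed application, or read it from configuration instead. `CLIENT_LOGIN_URL = '/accounts/ClientLogin'` also remains as unchanged context although the request describes a move to OAuth2; if nothing below the visible part of the hunk still uses it, drop it.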

Processed: file 5.22+15-2+deb8u4 flagged for acceptance

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #901425 [release.debian.org] jessie-pu: package file/1:5.22+15-2+deb8u3
Ignoring request to alter tags of bug #901425 to the same tags previously set

-- 
901425: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901425: file 5.22+15-2+deb8u4 flagged for acceptance

2018-06-13 Thread Adam D Barratt
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian jessie.

Thanks for your contribution!

Upload details
==============

Package: file
Version: 5.22+15-2+deb8u4

Explanation: avoid reading past the end of a buffer [CVE-2018-10360]



Processed: file 5.22+15-2+deb8u4 flagged for acceptance

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #901425 [release.debian.org] jessie-pu: package file/1:5.22+15-2+deb8u3
Added tag(s) pending.

-- 
901425: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-13 Thread Adam D. Barratt
Control: tags -1 -moreinfo

On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> 
> > Request for uploading to stable, as there is posted a CVE for a bug
> > in mactelnet-client.
> > This update is a backport of the fix that is done upstream, that
> > fixes only the mentioned bug.
> > 
> > More information here:
> > https://security-tracker.debian.org/tracker/CVE-2016-7115
> > and here: https://bugs.debian.org/836320
> 
> +mactelnet (0.4.0-2) stable; urgency=low
> 
> The version should be 0.4.0-1+deb8u1. With that change, please go
> ahead.
> 

And the distribution should be "jessie". If this is still of interest,
please upload *soon*.

Regards,

Adam



Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Removed tag(s) moreinfo.

-- 
837458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#867973: marked as done (jessie-pu: package wordgrinder/0.5.1-1)

2018-06-13 Thread Debian Bug Tracking System
Your message dated Wed, 13 Jun 2018 21:19:28 +0100
with message-id <1528921168.2806.75.ca...@adam-barratt.org.uk>
and subject line Re: Bug#867973: jessie-pu: package wordgrinder/0.5.1-1
has caused the Debian Bug report #867973,
regarding jessie-pu: package wordgrinder/0.5.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867973
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

The version in jessie of my package WordGrinder is painfully old and has a
number of showstopping bugs (document corruption and loss of data). The next
available version in Debian is the version in stable, 0.6-3, which has fixed
these bugs and also contains major functionality improvements.

0.6-3 builds on jessie out-of-the-box with no repackaging required, and so I
would like to propose the version from stable to be included in the next jessie
point release.

(No debdiff is attached as it's empty!)

Disclaimer: as well as being the package maintainer I'm also the upstream
author of WordGrinder (and it's my considered opinion that WordGrinder 0.5.1
needs to be taken out of circulation as quickly as possible before it starts
hurting people).

-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: armhf (armv7l)

Kernel: Linux 3.18.0-trunk-rpi2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On Tue, 2017-07-11 at 15:08 +, David Given wrote:
> Unfortunately, that's not feasible --- upstream fixed that bug by
> reworking the entire internal document model, and it's all
> interdependent on the rest of the changes, so it'd be a major
> engineering effort to do. It wouldn't be desirable anyway, as the end
> result would be a version of the package which is substantially
> different from any upstream release of WordGrinder.
> 

Sorry for letting things stall at that point.

The final point release for jessie before it becomes LTS closes this
weekend, and I think it's safe to say that this update isn't going to
make it, so I'm closing the request now.

Regards,

Adam
--- End Message ---


Bug#848365: jessie-pu: package coquelicot/0.9.2-4+deb8u1

2018-06-13 Thread Adam D. Barratt
On Sat, 2017-01-07 at 17:06 +0100, Julien Cristau wrote:
> On Thu, Jan  5, 2017 at 10:20:19 +0100, Jérémy Bobbio wrote:
> 
> > You are right. I agree it's not a minimal change but the initscript
> > using init-d-script has been in Stretch for more than a year. I
> > thought
> > it would be safer to use a version that has received more testing
> > than
> > to patch the older one. I could still do that if you'd prefer.
> > 
> 
> Yes please.
> 

There's been no follow-up since that point, and we're now only a few
days away from closing updates to jessie before it becomes LTS.

Is this something you're still interested in addressing?

Regards,

Adam



Bug#841234: jessie-pu: package libiberty/20141014-1

2018-06-13 Thread Adam D. Barratt
On Sat, 2016-12-17 at 11:42 +0100, Julien Cristau wrote:
> Control: tag -1 moreinfo
> 
> On Tue, Oct 18, 2016 at 20:32:56 +0200, Anton Gladky wrote:
> 
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Dear release team,
> > 
> > libiberty needs to be updated in Jessie, because the newer version
> > fixes many security issues:
> > 
> > CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490
> > CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131
> > 
> 
> What makes it impossible to backport just the fixes for the above
> issues, rather than importing a full new upstream release?  A short
> description of the issues so we don't have to look them up would also
> have been helpful.
> 

Ping? The above was 18 months ago, and we're within a few days of
closing updates to jessie before it becomes LTS.

Regards,

Adam



Bug#804787: jessie-pu: package servefile/0.4.3-1

2018-06-13 Thread Adam D. Barratt
On Fri, 2016-01-01 at 18:08 +, Adam D. Barratt wrote:
> On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > I attached a new debdiff with a more meaningful changelog.
> > 
> > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > +
> > +  * Upstream bugfix release
> > +  * Fix for path traversal bug in directory listing mode
> > +  * SSL hardening (prefer TLS1.2/TLS1)
> 
> Thanks.
> 
> +   # choose TLS1.2 or TLS1, if available
> +   sslMethod = None
> +   if hasattr(SSL, "TLSv1_2_METHOD"):
> +   sslMethod = SSL.TLSv1_2_METHOD
> +   elif hasattr(SSL, "TLSv1_METHOD"):
> +   sslMethod = SSL.TLSv1_METHOD
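Review bot: when the SSL module has neither TLSv1_2_METHOD nor TLSv1_METHOD, sslMethod is still None after this block, and the quoted lines show no fallback or error for that case. Raise a clear error here, or fall back to a negotiating method with the old SSL versions disabled, so that None never reaches whatever consumes sslMethod.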
> 
> Why is TLS1.1 explicitly avoided here? Might it make more sense to
> use
> TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server
> negotiate
> the highest mutually-supported protocol?
> 

Ping?

The above mail was sent nearly 2.5 years ago, and there's been no
follow-up. The window for getting fixes into jessie before it becomes
LTS closes during the coming weekend.

Regards,

Adam



Bug#819977: jessie-pu: package roger-router/1.8.9-2jessie1

2018-06-13 Thread Adam D. Barratt
Hi,

The below mail was sent over two years ago now, and there's been no
follow-up from you.

The window for getting fixes into jessie before it becomes LTS closes
during the coming weekend. Are you still interested in addressing these
issues?

Regards,

Adam

On Wed, 2016-04-06 at 17:51 +0100, Adam D. Barratt wrote:
> On 2016-04-06 17:37, Rolf Leggewie wrote:
> > On 04.04.2016 16:58, Adam D. Barratt wrote:
> > > > I'd like to request to upload a bug-fix for the roger-router
> > > > package
> > > > to Jessie.  This would fix bugs #798471 and #774116.
> > > > 
> > > > Roger Router is a tool to interact with Fritzbox hardware from
> > > > AVM.
> > > > One of the things it can do is to send a fax.  This was broken
> > > > until
> > > > version 1.8.9-3 because compilation happened as --with-cups-yes
> > > > assuming this would include cups-support when in fact this
> > > > disabled
> > > > a known-good code base for cups-support and replaced it with a
> > > > known-broken, experimental one.  The patches are cherry-picked
> > > > from
> > > > 1.8.9-3 and 1.8.9-4.
> > > 
> > > Please provide a source debdiff of the proposed package as built
> > > and
> > > tested on Jessie, rather than individual patches; that's what
> > > we'll be
> > > acking (or otherwise).
> > 
> > Sure.
> > 
> > I thought the individual patches would be easier to inspect and
> > approve/reject as necessary.  Attached is a single debdiff.
> 
> For one thing, the debdiff that people provide often doesn't
> actually 
> match the result of simply applying the patches...
> 
> +roger-router (1.8.9-2jessie1) jessie; urgency=medium
> 
> That style of version numbering has been discouraged for at least
> two 
> release cycles now - 1.8.9-2+deb8u1, please.
> 
> +  * do not build the experimental (!) cups backend. Closes: #774116
> +Upstream uses a very funny (NOT!) semantics to their make-
> switches.
> +Who would expect that "--with-cups=yes" actually DISABLES a
> working
> +cups support?
> 
> I'd prefer if we could drop the commentary here, or at least make
> the 
> description more factual.
> 
>   Build-Depends: debhelper (>= 9), dh-autoreconf,
>    libappindicator3-dev,
>    libcapi20-dev (>= 1:3.24),
> - libcups2-dev,
>    libebook1.2-dev,
> - libgconf2-dev,
> 
> I'm afraid that I'm somewhat confused here. How does building the
> CUPS 
> backend that does work not require development files for CUPS? Why
> is 
> libgconf2-dev dropped?
> 
> --- a/debian/libroutermanager0.symbols
> +++ b/debian/libroutermanager0.symbols
> @@ -81,7 +81,7 @@ libroutermanager.so.0 libroutermanager0 #MINVER#
>    fax_send@Base 1.8.4
>    fax_set_log_level@Base 1.8.4
>    fax_spandsp_workaround@Base 1.8.4
> - fax_spooler_new_dir_cb@Base 1.8.4
> +#MISSING: 1.8.9-2# fax_spooler_new_dir_cb@Base 1.8.4
>    fax_transfer@Base 1.8.4
>    faxophone_close@Base 1.8.4
>    faxophone_connect@Base 1.8.4
> 
> I realise that libroutermanager0 doesn't have any in-archive users 
> outside of roger-router itself, but that's surely still an ABI
> change.
> 
> Regards,
> 
> Adam
> 
> 



Bug#821239: jessie-pu: package ledgersmb/1.3.40-1~deb8u1

2018-06-13 Thread Adam D. Barratt
On Sun, 2016-05-15 at 17:37 -0400, Robert James Clay wrote:
> Control: retitle -1 jessie-pu: package ledgersmb/1.3.40-1~deb8u1
> 
> On Sunday, May 15, 2016 09:58:06 AM Julien Cristau wrote:
> > The usual sequence is *not* unstable -> testing -> jessie-pu.  The
> > usual
> > sequence is to fix the bugs in unstable/testing, and then
> > separately
> > cherry-pick the fixes that warrant the stable update to the stable
> > version of the package,
> 
>   Thank you for clarifying that.  (My mistake; I was going too much
> by the 
> last time I did something like this, which was an upstream issue and
> not a 
> packaging issue...) 
> 
> 
> > so in this case that would mean preparing a ledgersmb 1.3.40-
> > 1+deb8u1 with
> > the fixes you want to see in stable, and not the unrelated upstream
> > bits.
> 
>   I'll take care of that and then update the bug again.

That was two years ago, and there's been no further activity.

The window for getting fixes into jessie before it becomes LTS closes
during this weekend. Is there still any interest here?

Regards,

Adam



Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2018-06-13 Thread Adam D. Barratt
Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.

Regards,

Adam


On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> Control: tag -1 moreinfo
> 
> Hi,
> 
> Comments below:
> 
> Benjamin Drung  (2017-05-22):
> > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch197
> > 0-01-01 01:00:00.0 +0100
> > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch201
> > 7-04-18 12:18:56.0 +0200
> > @@ -0,0 +1,46 @@
> > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00
> > 2001
> > +From: Tarjei Husøy 
> > +Date: Wed, 19 Aug 2015 11:41:10 -0700
> > +Subject: [PATCH] Git: Don't leak https user/pw to log
> > +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b1
> > 05804ff433d8f663b2f9b804f2b75495a
> > +
> > +---
> > + salt/modules/git.py| 17 ++---
> > + tests/unit/modules/git_test.py | 18 ++
> > + 2 files changed, 32 insertions(+), 3 deletions(-)
> > +
> > +--- a/salt/modules/git.py
> >  b/salt/modules/git.py
> > +@@ -5,6 +5,7 @@
> > + 
> > + # Import python libs
> > + import os
> > ++import re
> > + import tempfile
> > + try:
> > + import pipes
> > +@@ -75,6 +76,7 @@
> > + result = __salt__['cmd.run_all'](cmd,
> > +  cwd=cwd,
> > +  runas=runas,
> > ++ output_loglevel='quiet',
> > +  env=env,
> > +  **kwargs)
> > + 
> > +@@ -86,7 +88,15 @@
> > + if retcode == 0:
> > + return result['stdout']
> > + else:
> > +-raise exceptions.CommandExecutionError(result['stderr'])
> > ++stderr = _remove_sensitive_data(result['stderr'])
> > ++raise exceptions.CommandExecutionError(stderr)
> > ++
> > ++
> > ++def _remove_sensitive_data(sensitive_output):
> > ++'''
> > ++Remove HTTP user and password.
> > ++'''
> > ++return re.sub('(https?)://.*@', r'\1://@',
> > sensitive_output)
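Review bot: in _remove_sensitive_data the pattern '(https?)://.*@' uses a greedy '.*', so the match runs from the scheme to the last '@' on the line rather than to the end of the credentials. A stderr line with another '@' after the URL loses everything in between, and a URL that carries no credentials is rewritten as well. Restrict the match to the userinfo part of the URL (nothing past the first '/' or whitespace), and extend tests/unit/modules/git_test.py with a line that contains a second '@'.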
> 
> This is possibly going to remove too much stuff if one has something
> like ?
> 
> Anyway, it's probably an acceptable loss compared to the various
> security bug fixes, so it's probably a good idea to proceed anyway.
> 
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.
> 
> 
> KiBi.
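
The over-matching concern raised in the review above, as an added example that is not part of the thread or of salt's code: it runs the patch's pattern and a bounded alternative over constructed stderr lines. BOUNDED_PATTERN, the helper names and the sample lines are assumptions made for illustration.

```python
import re

# Pattern exactly as it appears in the quoted patch: '.*' is greedy and can
# run across the rest of the line.
PATCH_PATTERN = re.compile(r'(https?)://.*@')

# Assumed alternative (not from the patch or from salt): only look inside the
# URL authority, i.e. stop at the first '/' or whitespace after the scheme.
# The greedy class still backs up to the last '@' of the authority, so a raw
# '@' inside the password is covered as well.
BOUNDED_PATTERN = re.compile(r'(https?)://[^/\s]*@')

REPLACEMENT = r'\1://@'  # replacement string as shown in the quoted patch


def redact_patch(text):
    """Redaction as written in the quoted patch."""
    return PATCH_PATTERN.sub(REPLACEMENT, text)


def redact_bounded(text):
    """Redaction limited to the userinfo part of each URL."""
    return BOUNDED_PATTERN.sub(REPLACEMENT, text)


# Constructed stderr lines (not real git output); hosts and credentials are
# made up.
SAMPLES = {
    'creds_only':
        "fatal: unable to access "
        "'https://alice:s3cret@git.example.org/repo.git/': timeout",
    'creds_then_email':
        "fatal: https://alice:s3cret@git.example.org/repo.git failed, "
        "contact admin@example.org",
    'no_creds_then_email':
        "error: https://git.example.org/repo.git not found, "
        "mail ops@example.org",
    'two_urls':
        "push https://a:b@h1.example.org/x then https://c:d@h2.example.org/y",
    'at_in_password':
        "fatal: https://alice:p@ss@git.example.org/repo.git denied",
}


def compare(samples=SAMPLES):
    """Return {name: (patch_result, bounded_result)} for each sample line."""
    return {name: (redact_patch(line), redact_bounded(line))
            for name, line in samples.items()}


if __name__ == '__main__':
    for name, (loose, tight) in compare().items():
        print(f'{name}\n  patch:   {loose}\n  bounded: {tight}')
```

The bounded form assumes that a '/' inside the credentials is percent-encoded; a raw '/' in a password would end the match early.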



Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1

2018-06-13 Thread Adam D. Barratt
On Tue, 2016-09-13 at 12:04 +0200, Julien Cristau wrote:
> On Sun, Sep 11, 2016 at 16:58:34 -0400, Antoine Beaupré wrote:
> 
> > 1. ignore the above two extra issues and simply add the patch for
> > #215
> > to the pile of patches in jessie
> > 2. import the new gnutls.c module from an eventual new 3.5 release
> > upstream directly in jessie - this may be difficult because of
> > internal
> > API changes
> > 3. import 3.5.x directly in jessie
> > 
> > I would like to have feedback from the release team as to which
> > approach
> > to take forward.
> > 
> 
> I don't think 3 is a reasonable option.  The rest will depend on
> specifics.

There's been no further activity on this bug since the above, so I
think it's reasonable to say it's unlikely to be getting fixed in
jessie at this point?

Regards,

Adam



Processed: Re: Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Removed tag(s) moreinfo.
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Added tag(s) confirmed.

-- 
885617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885619: jessie-pu: package libextractor/1:1.3-2

2018-06-13 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Mon, 2018-06-11 at 22:07 +0200, Bertrand Marc wrote:
> Le 08/06/2018 à 22:24, Adam D. Barratt a écrit :
> > Control: tags -1 + moreinfo
> > 
> > On Thu, 2017-12-28 at 17:32 +0100, Bertrand Marc wrote:
> > > Would you allow an update of libextractor 1.3-2 in Jessie to fix
> > > several minor security issues?
> > > 7 issues skipped by the security teams:
> > > 
> > 
> > [...]
> > >    * CVE-2017-15600: In GNU Libextractor 1.4, there is a NULL Pointer
> > >      Dereference in the EXTRACTOR_nsf_extract_method function of
> > >      plugins/nsf_extractor.c.
> > > 
> > 
> > I assume the same issue that Julien raised for the stretch package
> > applies here.
> > 
> > Regards,
> > 
> > Adam
> 
> Indeed. The attached patch would fix the issue.

Thanks. Please go ahead.

Regards,

Adam



Bug#837388: jessie-pu: package scons-doc/2.3.1-1

2018-06-13 Thread Adam D. Barratt
On Sat, 2017-01-28 at 16:51 +, Adam D. Barratt wrote:
> Ping?
> 
> On Sat, 2016-09-17 at 22:27 +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Sun, 2016-09-11 at 11:13 +0200, Jörg Frings-Fürst wrote:
> > > the version 2.3.1-1 contains non free svg files[1].
> > > The attached debdiff replace them with free files from upstream.
> > 
> > So far as I can tell, the situation is that:
> > 
> > - the files are "only" non-free, not also non-distributable
> > - "replacing" the files in practice just means changing the license
> > information embedded within the files
> > - Debian has a valid license to distribute the files under, which
> > is
> > already documented in the package in unstable
> > 
> > Is all of the above correct? If so, we have generally treated such
> > situations as representing documentation updates, which means they
> > can
> > be included as part of uploads to stable alongside other fixes, but
> > not
> > usually on their own.
> > 

Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.

Regards,

Adam



Processed: Re: Bug#885619: jessie-pu: package libextractor/1:1.3-2

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #885619 [release.debian.org] jessie-pu: package libextractor/1:1.3-2
Removed tag(s) moreinfo.
Bug #885619 [release.debian.org] jessie-pu: package libextractor/1:1.3-2
Added tag(s) confirmed.

-- 
885619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885619
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-06-13 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sun, 2018-02-25 at 19:18 +0100, Bertrand Marc wrote:
> Le 10/02/2018 à 11:13, Julien Cristau a écrit :
> > Control: tag -1 moreinfo
> > 
> > On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:
> > 
> > > diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch
> > > libextractor-1.3/debian/patches/CVE-2017-15600.patch
> > > --- libextractor-1.3/debian/patches/CVE-2017-15600.patch  1
> > > 970-01-01 01:00:00.0 +0100
> > > +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch  2
> > > 017-12-28 11:39:33.0 +0100
> > > @@ -0,0 +1,29 @@
> > > +From: Bertrand Marc , Markus Koschany  > > ian.org>
> > > +Subject: CVE-2017-15600
> > > +
> > > +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor
> > > /2017-10/msg4.html
> > > +Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e89
> > > 33539ee9d044057b18a971c2eae3c21aba7
> > > +--- a/src/plugins/nsf_extractor.c
> > >  b/src/plugins/nsf_extractor.c
> > > +@@ -152,13 +152,17 @@
> > > +   char nsfversion[32];
> > > +   const struct header *head;
> > > +   void *data;
> > > ++  ssize_t ds;
> > > + 
> > > +-  if (sizeof (struct header) >
> > > +-  ec->read (ec->cls,
> > > +-,
> > > +-sizeof (struct header)))
> > > ++  ds = ec->read (ec->cls,
> > > ++ ,
> > > ++ sizeof (struct header));
> > > ++  if ( (-1 == ds) ||
> > > ++   (sizeof (struct header) > ds) )
> > > + return;
> > > +   head = data; 
> > > ++  if (NULL == head)
> > > ++return 0; 
> > > + 
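Review bot: the new test `(sizeof (struct header) > ds)` compares a size_t with the signed ds, so ds is converted to unsigned and only the explicit `-1 == ds` check keeps a negative return from being treated as a very large length. Testing `ds < 0` instead would cover every negative value, not just -1.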
> > 
> > Curious how that works.  3 lines above is plain "return", and here
> > "return 0".  What's the type of that function and how did the
> > compiler
> > not flag this?
> > 
> > Cheers,
> > Julien
> 
> Indeed, sorry. The type of the function was changed from void (in
> wheezy) to int (in jessie). I updated the patch attached accordingly.
> 

Please go ahead.

Regards,

Adam



Bug#863862: jessie-pu: package multipath-tools/0.5.0-6+deb8u2

2018-06-13 Thread Adam D. Barratt
On Wed, 2017-06-28 at 02:04 +0200, Cyril Brulebois wrote:
[...]
> The patches themselves look reasonable to me though.
> 
> 
> To sum it up: please adjust metadata for both bug reports in the BTS,
> and send a cleaner debdiff for a second look.
> 

Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.

Regards,

Adam



Processed: Re: Bug#831459: jessie-pu: package virtualbox-guest-additions-iso

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #831459 [release.debian.org] jessie-pu: package 
virtualbox-guest-additions-iso
Added tag(s) confirmed.

-- 
831459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831459
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#831459: jessie-pu: package virtualbox-guest-additions-iso

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2016-09-29 at 17:45 +0100, Adam D. Barratt wrote:
> On 2016-09-29 14:37, Gianfranco Costamagna wrote:
> > control: tags -1 -moreinfo
> > > (I'm not removing moreinfo tag)
> > 
> > removing it now.
> 
> fwiw the mail you're replying to does not appear to have made it to 
> debian-release.
> 

If you're still interested in getting this updated in jessie before it
becomes LTS, please go ahead, bearing in mind the time constraints.

Regards,

Adam



Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-06-10 at 14:59 -0400, Hugo Lefeuvre wrote:
> lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities
> in
> the code used to read the input file. These issues are not present in
> any Debian release after Jessie because the package switched to
> libsndfile to read and write audio files. The upstream code itself
> was
> recently fixed in 3.100.
> 
> Following advice from lame's upstream and from lame's maintainer I
> proposed the attached patch. In this patch we modify the Jessie
> package to use libsndfile instead of the internal code. The security
> team considers these issues not worth a DSA but recommended me to
> submit this patch as jessie-pu.
> 

+lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high

Please use "jessie" as the distribution there, and feel free to upload.

Regards,

Adam



Processed: Re: Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #901276 [release.debian.org] jessie-pu: package lame/3.99.5+repack1-7+deb8u2
Added tag(s) confirmed.

-- 
901276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901276
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2018-06-09 at 18:32 -0700, Ryan Tandy wrote:
> Please consider this openldap update for jessie. I apologize for the 
> late request and will understand if it doesn't make it.
> 
>   * Fix upgrade failure when olcSuffix contains a backslash. (Closes:
> #864719)
> 
[...]
>   * Import upstream patches to fix memory corruption caused by
> calling
> sasl_client_init() multiple times and possibly concurrently.
> (ITS#8648) (Closes: #860947)
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #901194 [release.debian.org] jessie-pu: package 
openldap/2.4.40+dfsg-1+deb8u4
Added tag(s) confirmed.

-- 
901194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901192: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u2

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2018-06-09 at 18:01 -0700, Ryan Tandy wrote:
> Please consider this openldap update for stretch. I apologize for
> the 
> late request and will understand if it doesn't make it.
> 
> Both fixes have already had some time in testing and stretch-
> backports.
> 
>   * Import upstream patch to fix an out-of-sync issue with delta-
> syncrepl
> replication in multi-master environments, resulting from changes
> losing
> tracking information and being applied multiple times.
> (ITS#8) (Closes: #877166)
> 
> This issue impacts replication when the memberof overlay is used in
> a 
> multi-master setup. Sven Mäder (in X-D-CC) has tested the proposed 
> package on a stretch system and verified the fix.
> 
>   * Really fix upgrades when the config contains backslash-escaped
> special
> characters. The previous fix was incomplete and didn't fully fix
> upgrades
> involving a database reload. (Closes: #864719)
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#901192: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u2

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #901192 [release.debian.org] stretch-pu: package 
openldap/2.4.44+dfsg-5+deb9u2
Added tag(s) confirmed.

-- 
901192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#887138: jessie-pu: package python-mimeparse/0.1.4-1+deb8u1

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #887138 [release.debian.org] jessie-pu: package 
python-mimeparse/0.1.4-1+deb8u1
Added tag(s) confirmed.

-- 
887138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887138
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#887138: jessie-pu: package python-mimeparse/0.1.4-1+deb8u1

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-01-14 at 13:31 +0100, Andreas Beckmann wrote:
> Let's fix the python3 dependencies for jessie, too: #867439.
> 
> $ debdiff python3-mimeparse_0.1.4-1_all.deb python3-mimeparse_0.1.4-
> 1+deb8u1_all.deb
> File lists identical (after any substitutions)
> 
> Control files: lines which differ (wdiff format)
> 
> {+Depends: python3:any (>= 3.3.2-2~)+}
> Installed-Size: [-48-] {+13+}
> Version: [-0.1.4-1-] {+0.1.4-1+deb8u1+}
> 

Please go ahead.

Regards,

Adam



Summary of discussion regarding improvements needed in autopkgtest and britney

2018-06-13 Thread Paul Gevers
Hi all,

The last couple of days I have been discussing with you via e-mail and
IRC (much thanks to those involved) about current issues of autopkgtest
running tests for britney. I'll summarize my view of it in this e-mail
with the pros and cons of different solutions and my proposed way
forward (for now).

 ISSUES 

There are a couple of issues that were the main topic of the discussion.
I'll summarize here so it is clear how I see the issue;

0. autopkgtest needs too much assistance (both in Debian and in Ubuntu)
for cases it should, IMHO, handle automatically. Part of this problem is
in dependency issues that albeit technically present, most of the time
aren't practical problems. Fixing those is my preferred solution. This
is even more true in Debian, as Ubuntu didn't want to bother Debian
maintainers with that and didn't want to carry those patches either.

1. britney triggers tests for packages that are at that moment
non-installable from unstable (especially, or maybe only, during
transitions).

2. autopkgtest enables testing migration candidates by using all
packages from testing except for the binary packages of the candidate
which come from unstable. It achieves that via apt pinning. However,
sometimes this candidate has dependencies that need to come from
unstable. The current solution for that situation is that autopkgtest
contains a fallback which removes all the pinning. This has the drawback
that all packages from unstable are allowed to be installed, including
potentially broken packages or broken combinations.

3. autopkgtest has a needs-recommends restriction which is documented to
"Enable installation of recommended packages in apt for the test
dependencies. This does not affect build dependencies." The way this is
currently implemented is via apt's APT::Install-Recommends option. This
implementation leads to more packages installed than I believe is
desirable for this option. On top of that, installing recommends may
hide real dependency issues.

4. apt doesn't install recommends if an external solver is used. #900989
[no-recommends]

5. autopkgtest (or apt) is silent when recommends can't be installed.
Typically, tests that need the recommends will just fail, but it will
not be obvious why this is. The failure is correct, but the error
message will waste people's time in debugging. So in my opinion it is a
must to improve the error handling of this situation. The FAIL will
remain a FAIL, but avoids wasting people's time. #896698 [no-fail]

 SOLUTIONS 

1.a. As already discussed with nthykier some months ago, britney could
do some *recursive* installability checks before requesting a test. This
will drive down the number of false negatives, especially during
transitions. What is more, it will reduce the stress on autopkgtest in
combination with apt to come up with the right solution while there is none.

pro:
- less failures that just need a redo later -> less time spent by humans
  to check
con:
- (some) duplication of logic, as the real installability check of
  britney happens in phase 2, so after the policy checks.
note:
- doesn't need to be perfect, just better than now


2.a. If autopkgtest is told which packages are needed from unstable
(even with the exact version) to have a coherent set, it doesn't need to
guess what is a reasonable solution for britney. Therefore britney could
output a set of packages from unstable per test, instead of just the
current trigger.

pro:
- autopkgtest doesn't need to guess what britney wants
- apt will double check installability of the solution as it is not free
  anymore to do something else.
- with versions autopkgtest could fail if it doesn't test the version
  that britney expected it would find,
con:
- new additional logic in britney (albeit probably similar to the
  installability logic, haven't checked)

2.b. the fallback in autopkgtest could be removed. autopkgtest should
rely on it being told what packages are allowed.

pro:
- removes a hack
- easier to understand and track for manual debuggers what is going on
- less code (it already exists, so not a big one)
- guarantees there is only one entity (britney) that decides what to
  test
con:
- maybe exposes unknown issues currently "hidden" behind this fallback

2.c. apt's internal solver only considers so called candidate versions.
External solvers like aspcud exist, that can optionally search for any
solution as long as installability is guaranteed.

pro:
- use a solver that is better suited for the non-standard use case we
  have at hand. I.e. one that can find solutions for the request:
  "install the following packages a, b, .. z from unstable and testing,
   while taking *as much as possible* from testing and while taking
   binary packages from source Q from unstable if they are to be
   installed."
- solves LP: #1760810 [worker-crash] (worker crashes due to removal of
  packages needed to function)
con:
- non-standard resolver
- apt doesn't install 

Processed: FTBFS in sid: package com.sun.tools.doclets.standard is not visible

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> block 901155 by -1
Bug #901155 [release.debian.org] transition: octave-4.4
901155 was not blocked by any bugs.
901155 was not blocking any bugs.
Added blocking bug(s) of 901155: 901455

-- 
901155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901155
901455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901352: unblock: ca-certificates/20180409

2018-06-13 Thread Michael Shuler

On 06/13/2018 02:35 AM, Cyril Brulebois wrote:

> It seems the block-udeb isn't the only blocker though:
>  Migration status: BLOCKED: Rejected/introduces a regression
>  Updating ca-certificates introduces new bugs: #895482
>
> and I see no severity downgrade in that bug report?

It was upgraded back to serious again, yesterday, after some testing
feedback.

> Also, I should have mentioned this in my dda@ mail I suppose:
>  63 days old (needed 5 days)
>
> If a given package has spent that much time out of testing, it probably
> can wait a few days while we're going through the late stages of the d-i
> release process. It should only be a matter of days or hours now. ;)
>
> I'll get back to your package later if we spot any issues that would
> need to be addressed before we release; or it's going to be unblocked
> automatically when I unfreeze udebs.


Thanks for the note, I appreciate it.

--
Michael



Bug#899014: blktrace 1.1.0-2+deb9u1 flagged for acceptance

2018-06-13 Thread Adam D. Barratt

On 2018-06-12 22:56, 'a...@coccia.debian.org wrote:

> Control: tags -1 + pending
>
> Hi,
>
> The upload referenced by this bug report has been flagged for
> acceptance into the proposed-updates queue for Debian stretch.
>
> Thanks for your contribution!
>
> Upload details
> ==
>
> Package: blktrace
> Version: 1.1.0-2+deb9u1
>
> Explanation: fix buffer overflow in btt [CVE-2018-10689]


I've had to ask ftp-master to rename and reprocess the amd64 buildd 
upload for this, because there was a conflict with the .changes 
filename.


Please do not upload _$ARCH.changes files for (old)stable unless you 
also include binary packages for $ARCH in the upload.


Regards,

Adam



Re: ignore the piuparts failures for gcc-7-cross, gcc-8-cross

2018-06-13 Thread Bastian Blank
On Wed, Jun 13, 2018 at 12:27:23PM +, Holger Levsen wrote:
> > The failures are in cruft packages. There is a manual decruft requested:
> > #899045, but the cruft packages shouldn't block migration anyway.
> > piuparts does not know about cruft, it just takes everything from the
> > Packages files.
> "#899045 [ftp.debian.org] Please decruft gcc-7-cross and gcc-8-cross"
> has been filed almost 4 weeks ago, and I think this bug should be fixed
> and neither be worked around in piuparts nor in the testing migration
> scripts.

The testing migration stuff already ignores some cruft.  Not sure about
this particular case, but it is not listed as blocking in the excuses
output.

For piuparts: it was asked to test gcc-7-cross/X, but the relevant
binary is from gcc-7-cross/X-1, so a different source package.  I have
no idea how it comes to the conclusion that these belong together.

Hint: A source in the Debian archive is always defined as
package/version, not simply package.

Bastian

-- 
Beam me up, Scotty!  It ate my phaser!



NEW changes in stable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: blktrace_1.1.0-2+deb9u1_amd64.changes
  REJECT



Re: ignore the piuparts failures for gcc-7-cross, gcc-8-cross

2018-06-13 Thread Holger Levsen
On Wed, Jun 13, 2018 at 12:02:59PM +0200, Andreas Beckmann wrote:
> please
> 
> ignore-piuparts gcc-7-cross/23
> ignore-piuparts gcc-8-cross/17

I think this is wrong.

> The failures are in cruft packages. There is a manual decruft requested:
> #899045, but the cruft packages shouldn't block migration anyway.
> piuparts does not know about cruft, it just takes everything from the
> Packages files.

"#899045 [ftp.debian.org] Please decruft gcc-7-cross and gcc-8-cross"
has been filed almost 4 weeks ago, and I think this bug should be fixed
and neither be worked around in piuparts nor in the testing migration
scripts.

cc:ing the bug so the ftpmasters can act.


-- 
cheers,
Holger




ignore the piuparts failures for gcc-7-cross, gcc-8-cross

2018-06-13 Thread Andreas Beckmann
Hi,

please

ignore-piuparts gcc-7-cross/23
ignore-piuparts gcc-8-cross/17

The failures are in cruft packages. There is a manual decruft requested:
#899045, but the cruft packages shouldn't block migration anyway.
piuparts does not know about cruft, it just takes everything from the
Packages files.

Andreas



Bug#901431: RM: ruby-compass/1.0.3~dfsg-5

2018-06-13 Thread Jonas Smedegaard
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

ruby-compass is dead upstream, and does not work with recent ruby-sass.
This is tracked in bug#876608 of severity serious.

For some reason, instead of bug#876608 kicking out (and keeping out)
ruby-compass from testing, apparently instead it has caused recent
ruby-sass to be kept out of testing instead.

Please remove ruby-compass from testing, since it has no future.


 - Jonas

-- System Information:
Debian Release: buster/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 
'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-rc3-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8), 
LANGUAGE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled




Bug#901352: unblock: ca-certificates/20180409

2018-06-13 Thread Cyril Brulebois
Hi Michael,

Michael Shuler  (2018-06-11):
> ca-certificates-udeb is blocked.
> 
> Please unblock the package ca-certificates to transition to testing.
> 
> We just downgraded the severity of a bug, since openssl was updated to
> fix an issue with the processing of CA certificates[0], in order to
> allow ca-certificates to transition to testing. The bug is intended to
> be closed after testing transition, just to be sure all is well, since
> the fix was really in openssl.
> 
> It appears that ca-certificates is now blocked due to udebs being
> frozen[1], as noted a couple days ago on d-d-announce (thank you for
> this note!).

ca-certificates-udeb is used during a debian-installer build, so it
should be fine to unblock it now that the debian-installer upload and
builds have happened, while we're building and checking installation
images.

It seems the block-udeb isn't the only blocker though:
Migration status: BLOCKED: Rejected/introduces a regression
Updating ca-certificates introduces new bugs: #895482

and I see no severity downgrade in that bug report?


Also, I should have mentioned this in my dda@ mail I suppose:
63 days old (needed 5 days)

If a given package has spent that much time out of testing, it probably
can wait a few days while we're going through the late stages of the d-i
release process. It should only be a matter of days or hours now. ;)

I'll get back to your package later if we spot any issues that would
need to be addressed before we release; or it's going to be unblocked
automatically when I unfreeze udebs.


And thanks for following the process. :)


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#896667: marked as done (transition: r-base-3.5)

2018-06-13 Thread Debian Bug Tracking System
Your message dated Wed, 13 Jun 2018 08:32:06 +0200
with message-id <4b7ad245-1fd6-66ef-06b9-e4301ff49...@debian.org>
and subject line Re: Bug#896667: transition: r-base-3.5
has caused the Debian Bug report #896667,
regarding transition: r-base-3.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: debia...@lists.debian.org

Dear Release Team,

Please schedule a transition for R 3.5, which has just been uploaded to
experimental.

Due to changes in R internals, all R extension packages must be recompiled,
that is 573 packages (of which 260 are arch:all, and will therefore need
sourceful uploads).

The transition will be managed jointly by Dirk Eddelbuettel and the Debian R
Packages Team¹ (which ideally should be kept in CC of replies).

We have not tried to recompile the 500+ packages, but we don’t expect any major
issue. And should some arise, we stand ready to fix them.

Best,


Ben file:

title = "r-base";
is_affected = .depends ~ "r-api-3.4" | .depends ~ "r-api-3.5";
is_good = .depends ~ "r-api-3.5";
is_bad = .depends ~ "r-api-3.4";


¹ https://wiki.debian.org/Teams/r-pkg-team

-- 
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  http://sebastien.villemot.name
⠈⠳⣄  http://www.debian.org


--- End Message ---
--- Begin Message ---
On 30/05/18 23:40, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 28/05/18 15:00, Emilio Pozuelo Monfort wrote:
>> On 28/05/18 14:32, Dirk Eddelbuettel wrote:
>>>
>>> On 28 May 2018 at 14:08, Emilio Pozuelo Monfort wrote:
>>> | Control: tags -1 - confirmed
>>> | 
>>> | On 28/05/18 13:08, Emilio Pozuelo Monfort wrote:
>>> | > Control: tags -1 confirmed
>>> | > 
>>> | > On 23/04/18 13:57, Sébastien Villemot wrote:
>>> | >> Package: release.debian.org
>>> | >> Severity: normal
>>> | >> User: release.debian@packages.debian.org
>>> | >> Usertags: transition
>>> | >> X-Debbugs-Cc: debia...@lists.debian.org
>>> | >>
>>> | >> Dear Release Team,
>>> | >>
>>> | >> Please schedule a transition for R 3.5, which has just been uploaded to
>>> | >> experimental.
>>> | >>
>>> | >> Due to changes in R internals, all R extension packages must be recompiled,
>>> | >> that is 573 packages (of which 260 are arch:all, and will therefore need
>>> | >> sourceful uploads).
>>> | >>
>>> | >> The transition will be managed jointly by Dirk Eddelbuettel and the Debian R
>>> | >> Packages Team¹ (which ideally should be kept in CC of replies).
>>> | >>
>>> | >> We have not tried to recompile the 500+ packages, but we don’t expect any major
>>> | >> issue. And should some arise, we stand ready to fix them.
>>> | > 
>>> | > Go ahead with the transition.
>>> | 
>>> | NACK. Let's wait for the curl transition, as this would clash with that one.
>>>
>>> What is your expectation concerning the timeline?
>>>
>>> R 3.5.0 is already over one month old. It would be good to have the
>>> transition going.
>>
>> This can go after the curl transition, which has just started. So whatever that
>> takes, which will depend on whether any packages fail to build and how long it
>> takes to solve them. curl was waiting for longer and is blocking other
>> transitions, so that's why it went first, but after that there should be no
>> blockers for R 3.5.
> 
> curl migrated to testing today. Please go ahead with R 3.5.

And it went in:

r-base | 3.5.0-5| testing| source, all
r-base | 3.5.0-5| unstable   | source, all

Thanks for your work on this.

Emilio
--- End Message ---


Bug#901425: jessie-pu: package file/1:5.22+15-2+deb8u3

2018-06-13 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

yet another security issue was found in file/libmagic: "The do_core_note
function in readelf.c in libmagic.a in file 5.33 allows remote attackers
to cause a denial of service (out-of-bounds read and application crash)
via a crafted ELF file" (CVE-2018-10360)

https://security-tracker.debian.org/tracker/CVE-2018-10360
https://bugs.debian.org/901351

After a brief discussion with the security team we agreed this should be
addressed in the upcoming point release, so here we go.

Following the new policy, I've already uploaded file_5.22+15-2+deb8u4 to
oldstable.

Kind regards,

Christoph Biedl

-- System Information:
Debian Release: 8.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-proposed-updates'), 
(500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.48 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru file-5.22+15/debian/changelog file-5.22+15/debian/changelog
--- file-5.22+15/debian/changelog   2016-12-04 10:00:07.0 +0100
+++ file-5.22+15/debian/changelog   2018-06-11 23:24:19.0 +0200
@@ -1,3 +1,10 @@
+file (1:5.22+15-2+deb8u4) oldstable; urgency=high
+
+  * Avoid reading past the end of buffer. Closes: #901351
+[CVE-2018-10360]
+
+ -- Christoph Biedl   Mon, 11 Jun 2018 
23:24:19 +0200
+
 file (1:5.22+15-2+deb8u3) stable; urgency=medium
 
   * Fix memory leak in magic loader. Closes: #840754
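Review bot: the new entry's distribution field is the suite alias `oldstable`, while the deb8u3 entry directly below it says `stable` for the same release. Suite aliases move at every release, so the changelog history stops recording which release each upload was for; the codename `jessie` in the first line of the entry keeps that unambiguous.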
diff -Nru 
file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
 
file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
--- 
file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
1970-01-01 01:00:00.0 +0100
+++ 
file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
2018-06-11 23:24:19.0 +0200
@@ -0,0 +1,19 @@
+Subject: Avoid reading past the end of buffer (Rui Reis)
+ID: CVE-2018-10360
+Origin: FILE5_33-31-ga642587a
+Upstream-Author: Christos Zoulas 
+Date: Sat Jun 9 16:00:06 2018 +
+Bug-Debian: https://bugs.debian.org/901351
+
+--- a/src/readelf.c
 b/src/readelf.c
+@@ -789,7 +789,8 @@
+ 
+   cname = (unsigned char *)
+   [doff + prpsoffsets(i)];
+-  for (cp = cname; *cp && isprint(*cp); cp++)
++  for (cp = cname; cp < nbuf + size && *cp
++  && isprint(*cp); cp++)
+   continue;
+   /*
+* Linux apparently appends a space at the end
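Review bot: the added `cp < nbuf + size` test in the `for` condition bounds only the forward scan; the start pointer built from `doff + prpsoffsets(i)` two lines above it is not checked anywhere in this hunk. Please confirm that the code before line 789 already rejects a start offset at or beyond `size`, and note that in the patch header, so that `cname` and the length derived from `cp` after the loop are known to be in range.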
diff -Nru file-5.22+15/debian/patches/series file-5.22+15/debian/patches/series
--- file-5.22+15/debian/patches/series  2016-12-04 09:50:30.0 +0100
+++ file-5.22+15/debian/patches/series  2018-06-11 23:23:32.0 +0200
@@ -15,3 +15,4 @@
 CVE-2015-8865.6713ca4.patch
 
cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
 cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
+cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch




Bug#901426: stretch-pu: package file/1:5.30-1+deb9u1

2018-06-13 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

[ same as for jessie in #-1, so just for completeness ]

yet another security issue was found in file/libmagic: "The do_core_note 
function in readelf.c in libmagic.a in file 5.33 allows remote attackers
to cause a denial of service (out-of-bounds read and application crash)
via a crafted ELF file" (CVE-2018-10360)

https://security-tracker.debian.org/tracker/CVE-2018-10360
https://bugs.debian.org/901351

After a brief discussion with the security team we agreed this should be
addressed in the upcoming point release, so here we go.

Following the new policy, I've already uploaded file_5.30-1+deb9u2 to
stable.

Kind regards,

Christoph Biedl

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.48 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru file-5.30/debian/changelog file-5.30/debian/changelog
--- file-5.30/debian/changelog  2017-09-01 21:23:02.0 +0200
+++ file-5.30/debian/changelog  2018-06-11 23:16:09.0 +0200
@@ -1,3 +1,10 @@
+file (1:5.30-1+deb9u2) stable; urgency=high
+
+  * Avoid reading past the end of buffer. Closes: #901351
+[CVE-2018-10360]
+
+ -- Christoph Biedl   Mon, 11 Jun 2018 
23:16:09 +0200
+
 file (1:5.30-1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
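Review bot: the distribution field of the new deb9u2 entry is `stable`, whereas the previous entry uses the codename-based `stretch-security`. Writing `stretch` here would be consistent with it and stays correct once the alias points at a later release.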
diff -Nru 
file-5.30/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
 
file-5.30/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
--- 
file-5.30/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
   1970-01-01 01:00:00.0 +0100
+++ 
file-5.30/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
   2018-06-11 23:16:09.0 +0200
@@ -0,0 +1,19 @@
+Subject: Avoid reading past the end of buffer (Rui Reis)
+ID: CVE-2018-10360
+Origin: FILE5_33-31-ga642587a
+Upstream-Author: Christos Zoulas 
+Date: Sat Jun 9 16:00:06 2018 +
+Bug-Debian: https://bugs.debian.org/901351
+
+--- a/src/readelf.c
 b/src/readelf.c
+@@ -824,7 +824,8 @@
+ 
+   cname = (unsigned char *)
+   [doff + prpsoffsets(i)];
+-  for (cp = cname; *cp && isprint(*cp); cp++)
++  for (cp = cname; cp < nbuf + size && *cp
++  && isprint(*cp); cp++)
+   continue;
+   /*
+* Linux apparently appends a space at the end
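Review bot: the header of the added patch file uses `ID:` and `Upstream-Author:`, which are not DEP-3 field names, and `Origin:` carries only the describe string `FILE5_33-31-ga642587a`. Consider `Author:` for the upstream author and the `Origin: upstream, <commit URL>` form, with the CVE id moved into the `Subject:` text, so that tools parsing patch headers pick up the provenance of this security fix.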
diff -Nru file-5.30/debian/patches/series file-5.30/debian/patches/series
--- file-5.30/debian/patches/series 2017-09-01 21:23:02.0 +0200
+++ file-5.30/debian/patches/series 2018-06-11 23:15:30.0 +0200
@@ -25,6 +25,7 @@
 cherry-pick.FILE5_30-49-gbf90083a.fix-memory-handling.patch
 cherry-pick.FILE5_30-52-gd8233d09.check-one-more-read-found-by-oss-fuzz.patch
 
cherry-pick.FILE5_31-36-g35c94dc6.Fix-always-true-condition-Thomas-Jarosch.patch
+cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
 
 # local modifications
 local.support-local-definitions-in-etc-magic.patch
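
The out-of-bounds read described in the two file messages above (#901425 and #901426), as an added example that is not part of the original posts and is not code from file/libmagic: the same printable-name scan in its pre-fix and post-fix loop shapes, run over a constructed buffer whose name field has no terminating NUL. The names scan_unbounded, scan_bounded, backing, NOTE_SIZE and NAME_OFF are assumptions of this example, and the start-offset guard goes beyond what the quoted patch shows.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Pre-fix loop shape: stops only at a NUL or a non-printable byte. */
static size_t scan_unbounded(const unsigned char *start)
{
    const unsigned char *cp;

    for (cp = start; *cp && isprint(*cp); cp++)
        continue;
    return (size_t)(cp - start);
}

/*
 * Post-fix loop shape: the scan also stops at nbuf + size.
 * The off >= size test is an extra guard added for this example.
 */
static size_t scan_bounded(const unsigned char *nbuf, size_t size, size_t off)
{
    const unsigned char *start, *cp;

    if (off >= size)
        return 0;
    start = nbuf + off;
    for (cp = start; cp < nbuf + size && *cp && isprint(*cp); cp++)
        continue;
    return (size_t)(cp - start);
}

/*
 * Constructed input. The first NOTE_SIZE bytes play the note buffer: an
 * 8-byte header, then an 8-byte name with no terminating NUL. The bytes
 * after it stand in for whatever lies next to the buffer in memory; they
 * live in the same array so the unbounded scan stays defined in this demo.
 */
#define NOTE_SIZE 16
#define NAME_OFF  8
static const unsigned char backing[32] =
    "\x01\0\0\0\0\0\0\0" "procname" "ADJACENTDATA";

int main(void)
{
    printf("unbounded: %zu bytes\n", scan_unbounded(backing + NAME_OFF));
    printf("bounded:   %zu bytes\n",
           scan_bounded(backing, NOTE_SIZE, NAME_OFF));
    printf("bad start: %zu bytes\n", scan_bounded(backing, NOTE_SIZE, 40));
    return 0;
}
```

The unbounded scan runs on through the neighbouring bytes until it meets a NUL, which is the read past the end that the CVE text describes; the bounded scan returns exactly the bytes that belong to the note.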




NEW changes in stable-new

2018-06-13 Thread Debian FTP Masters
Processing changes file: postgresql-9.6_9.6.9-0+deb9u1_armel.changes
  ACCEPT
Processing changes file: postgresql-9.6_9.6.9-0+deb9u1_armhf.changes
  ACCEPT
Processing changes file: postgresql-9.6_9.6.9-0+deb9u1_mipsel.changes
  ACCEPT