toulbar2: What will happen if testing migration takes longer than removal from testing
Hi, toulbar2 is Marked for autoremoval on 22 February: #916715 However, this bug was closed in toulbar2 (1.0.0+dfsg3-1.1) unstable; urgency=medium * Non-maintainer upload. * Add the missing build dependency on zlib1g-dev. (Closes: #916715) -- Adrian Bunk Fri, 11 Jan 2019 13:47:51 +0200 The problem is that the package did not migrated due to #920459 (doxygen currently breaks lots of packages and I wonder in general what will happen with those packages). I now uploaded toulbar2 (1.0.0+dfsg3-2) unstable; urgency=medium ... * Prevent generation of PDF documentation since otherwise toulbar2 does not build (see bug #920459). This means should be reverted once doxygen is fixed. ... -- Andreas Tille Mon, 18 Feb 2019 22:17:10 +0100 Which enabled the build on all release architectures. I'm simply wondering what will happen with toulbar2 (and other packages - I'm actually not that much involved in this, it is just a random Debian Science package) once it was removed from testing. As far as I understood there will be no migrations from unstable to testing any more if there is no version of that package in testing. Does that mean that the doxygen issues will kick several packages out of Buster or is there any way to prevent this? Kind regards Andreas. -- http://fam-tille.de
NEW changes in stable-new
Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_mips64el.changes ACCEPT
NEW changes in stable-new
Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_armhf.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_mipsel.changes ACCEPT
NEW changes in stable-new
Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_armel.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_mips.changes ACCEPT
NEW changes in stable-new
Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_armhf.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_mipsel.changes ACCEPT
NEW changes in stable-new
Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_armel.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_mips64el.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_arm64.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_ppc64el.changes ACCEPT
NEW changes in stable-new
Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_arm64.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_mips.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_i386.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_amd64.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_i386.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_ppc64el.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_s390x.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_all.changes ACCEPT
NEW changes in stable-new
Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_source.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_all.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_amd64.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_arm64.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_armel.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_armhf.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_i386.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_ppc64el.changes ACCEPT Processing changes file: firefox-esr_60.5.1esr-1~deb9u1_s390x.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_source.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_all.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_amd64.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_arm64.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_armel.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_armhf.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_i386.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_mips.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_mips64el.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_mipsel.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_ppc64el.changes ACCEPT Processing changes file: flatpak_0.8.9-0+deb9u2_s390x.changes ACCEPT Processing changes file: gnome-chemistry-utils_0.14.15-1+deb9u1_source.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_amd64.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_arm64.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_armel.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_armhf.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_i386.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_mips.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_mips64el.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_mipsel.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_ppc64el.changes ACCEPT Processing changes file: libu2f-host_1.1.2-2+deb9u1_s390x.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_sourceonly.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_all.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_amd64.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_arm64.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_armel.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_armhf.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_i386.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_mips.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_mips64el.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_mipsel.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_ppc64el.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u3_s390x.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_sourceonly.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_all.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_amd64.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_arm64.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_armel.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_armhf.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_i386.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_mips.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_mips64el.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_mipsel.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_ppc64el.changes ACCEPT Processing changes file: mosquitto_1.4.10-3+deb9u4_s390x.changes ACCEPT Processing changes file: postgresql-9.6_9.6.12-0+deb9u1_source.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_sourceonly.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_amd64.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_arm64.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_armel.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_armhf.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_i386.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_mips.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_mips64el.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_mipsel.changes ACCEPT Processing changes file: systemd_232-25+deb9u9_ppc64el.changes ACCEPT Processing
Processed: gnome-chemistry-utils 0.14.15-1+deb9u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #921983 [release.debian.org] stretch-pu: package gnome-chemistry-utils/0.14.15-1+deb9u1 Ignoring request to alter tags of bug #921983 to the same tags previously set -- 921983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921983 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: gnome-chemistry-utils 0.14.15-1+deb9u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #921983 [release.debian.org] stretch-pu: package gnome-chemistry-utils/0.14.15-1+deb9u1 Added tag(s) pending. -- 921983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921983 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#921983: gnome-chemistry-utils 0.14.15-1+deb9u1 flagged for acceptance
Control: tags -1 + pending Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch. Thanks for your contribution! Upload details == Package: gnome-chemistry-utils Version: 0.14.15-1+deb9u1 Explanation: drop the obsolete gcu-plugin package
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
fre 2019-02-15 klockan 13:06 + skrev Adam D. Barratt:
> Control: tags -1 + moreinfo
>
> On 2019-02-15 10:12, Mattias Ellert wrote:
> > This is a proposal to fix CVE-2019-7659 in stretch.
> >
> > The update also addresses one additional advisory published by the
> > upstream developers.
>
> +-soap_encode_url(const char *s, char *t, size_t len)
> ++soap_encode_url(const char *s, char *t, int len)
>
> If soap_encode_url is a public symbol, that's an ABI break - int and
> size_t may well not be the same size, but they're definitely different
> signedness.
>
> Regards,
>
> Adam
Hi Adam.
After you closed the corresponding request for jessie I sent the jessie
update to debian-lts as suggested.
This triggered the same discussion regarding this function being
public. This is a quite long discussion - se the archive for details:
https://lists.debian.org/debian-lts/2019/02/msg00131.html
The outcome of the discussion was that using ssize_t instead of int in
the patch was a better idea, and that version was accepted.
I propose the same change for stretch.
Updated debdiff attached.
Mattias
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200
+++ gsoap-2.8.35/debian/changelog 2019-02-14 17:12:12.0 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.35-4+deb9u2) stretch; urgency=medium
+
+ * Fix for CVE-2019-7659
+Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+denial of service (application abort) or possibly have unspecified other
+impact if a server application is built with the -DWITH_COOKIES flag. This
+affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+libraries, as these are built with that flag.
+ * Fix issue with DIME protocol receiver and malformed DIME headers
+This patch addresses a critical issue with the DIME protocol receiver that
+may cause the receiver to become unresponsive when a malformed DIME
+protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert Thu, 14 Feb 2019 17:12:12 +0100
+
gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
* Fix for CVE-2017-9765
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 17:12:12.0 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.c 2016-09-18 10:56:10.0 +0200
gsoap-2.8.35/gsoap/stdsoap2.c 2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { int c;
+- size_t n = len;
++ ssize_t n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp 2016-09-18 10:56:10.0 +0200
gsoap-2.8.35/gsoap/stdsoap2.cpp 2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { int c;
+- size_t n = len;
++ ssize_t n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.h 2016-09-18 10:56:10.0 +0200
gsoap-2.8.35/gsoap/stdsoap2.h 2019-02-13 17:19:31.08800 +0100
+@@ -3380,7 +3380,7 @@
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 ssize_t SOAP_FMAC2 soap_encode_url(const char*, char*, ssize_t);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.0 +0100
Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
[Adding 922...@bugs.debian.org to CC for completeness / BTS archive] Chris Lamb wrote: > > So using the ssize_t version that preserves the sizes of the arguments > > and return type of the function is the safer choice, regardless of > > upstream's claim that the function is private. > > Upstream have not replied so I will upload and release the ssize_t > version shortly. I've gone ahead and done this as DLA 1681-1, the only change being: - gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + gsoap (2.8.17-1+deb8u2) jessie-security; urgency=high Thanks for your help, Mattias. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: redmine testing migration
On Mon, Feb 18, 2019 at 10:56:19 -0300, Lucas Kanashiro wrote: > Hi release team, > > Marc and I have spent some time updating redmine package to the latest > upstream version (that was a huge change due to rails 5 transition) and > unfortunately we didn't make it before the soft freeze started. I've > just uploaded the version 4.0.1-1 to unstable and we hope we can still > include it in the next release. All the autopkgtests are passing so the > supported features are still working. We don't expect too much trouble > since this is a leaf package. Is there anything missing that we can do > to get redmine in the next release? > Please file a freeze exception request in the BTS (reportbug release.debian.org, "unblock" option). Cheers, Julien
redmine testing migration
Hi release team, Marc and I have spent some time updating redmine package to the latest upstream version (that was a huge change due to rails 5 transition) and unfortunately we didn't make it before the soft freeze started. I've just uploaded the version 4.0.1-1 to unstable and we hope we can still include it in the next release. All the autopkgtests are passing so the supported features are still working. We don't expect too much trouble since this is a leaf package. Is there anything missing that we can do to get redmine in the next release? Thanks in advance! -- Lucas Kanashiro signature.asc Description: OpenPGP digital signature
