Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread tony mancill
On Fri, Jun 21, 2019 at 11:18:14PM +0200, Aurelien Jarno wrote:
> On 2019-06-21 21:40, Steve McIntyre wrote:
> 
> > I know there have been disk issues reported on one of the new machines
> > (yay!), possibly that's the cause here. I don't have direct login
> > access myself to be able to check. Aurelien - could you take a look
> 
> The failure on arm-ubc-02 is just due to the VM shutting down, likely
> when there were some issues with the disk or migrating the VMs. That's
> why the package has been given-back immediately.

Hi Aurelien,

As of 2019-06-21 23:34:12 UTC, the buildd status page [1] indicates
"BD-Uninstallable":

> Dependency installability problem for openjdk-11 on arm64:
>
> Installability of build dependencies not tested yet

I'm not sure what that means.  Perhaps it needs to be poked again?

Thank you for helping us with this!
tony

[1] https://buildd.debian.org/status/package.php?p=openjdk-11=buster




Bug#930794: unblock: intel-microcode/3.20190618.1

2019-06-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jun 2019, Paul Gevers wrote:
> On 20-06-2019 20:05, Henrique de Moraes Holschuh wrote:
> > unblock intel-microcode/3.20190618.1
> 
> Unblocked, thanks.

Thanks!

> Just one question, the reason why all the binary blobs are different in
> the package is that because the builds by Intel aren't reproducible?
> I.e. they are rebuilt every time?

git tells me they're the same on the source tree, and diff -ru after a
dpkg-deb -x also told me they're the same on the binary debs...

debdiff told me they differ on the source package, but I haven't managed
to find out why.  I decided to trust dpkg-deb + diff on the generated
binaries...

For the record, this was the first time something like this happened,
but this was also the first time I tried debdiff from devscripts
2.19.5~bpo9+1.  And it also told me the data on the older packages also
differed -- but they went through older versions of debdiff just fine!
-- so I went with "this release of debdiff seems broken".

Might have something to do with the use of a symlink.

-- 
  Henrique Holschuh



Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread Aurelien Jarno
Hi,

On 2019-06-21 21:40, Steve McIntyre wrote:
> On Fri, Jun 21, 2019 at 04:29:18PM -0400, Sam Hartman wrote:
> >> "tony" == tony mancill  writes:
> >
> >tony> Hi Paul,
> >
> >tony> I emailed ar...@buildd.debian.org regarding that this morning
> >tony> (at 13:35 UTC), but haven't received a response yet.  Perhaps
> >tony> related, but the first arm64 build failed for the upload to
> >tony> unstable last week.  The build failed on arm-ubc-02 but then
> >tony> succeeded on arm-conova-02.  I don't know if someone manually
> >tony> triggered the retry, but a few hours after the arm64 failure,
> >tony> another build was underway and successful.
> >
> >Happened to be in the room with SteMcIntyre, who is not actually an
> >arm64 buildd admin, but who volunteered to prod people.
> >He also suggested that you could copy the debian-arm list as well as
> >buildd admins.

> Hey Tony,
> 
> Looking at that log now...
> 
> The build is running and failing on arm-ubc-03, which is one of the
> new buildds at UBC that have just been recently commissioned. It's odd
> that there's no explicit failure message for the build, just a build
> timeout.

The new buildds are way slower per core than the existing arm64 buildds,
however they also have many more cores. It means that some timeout might
have to be adjusted. For now I have given-back the package, let's see
what happens.

> I know there have been disk issues reported on one of the new machines
> (yay!), possibly that's the cause here. I don't have direct login
> access myself to be able to check. Aurelien - could you take a look

The failure on arm-ubc-02 is just due to the VM shutting down, likely
when there were some issues with the disk or migrating the VMs. That's
why the package has been given-back immediately.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#930757: marked as done (unblock: grub2/2.02+dfsg1-19)

2019-06-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 Jun 2019 23:10:25 +0200
with message-id 
and subject line Re: Bug#930757: unblock: grub2/2.02+dfsg1-19
has caused the Debian Bug report #930757,
regarding unblock: grub2/2.02+dfsg1-19
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930757
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock grub2.

I hope this is the final grub2 update for the buster release.  It
consists mainly of a number of patches from Steve McIntyre to clean up
problems with our UEFI Secure Boot support.

diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm2019-05-04 22:58:32.0 +0100
+++ grub2-2.02+dfsg1/debian/.git-dpm2019-06-14 19:04:01.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9569221816a2a1a832be106440375a612e0121b7
-9569221816a2a1a832be106440375a612e0121b7
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
 59aeb1cfaa3d5bfd7bb0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bb0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/build-efi-images 
grub2-2.02+dfsg1/debian/build-efi-images
--- grub2-2.02+dfsg1/debian/build-efi-images2019-05-04 22:58:32.0 
+0100
+++ grub2-2.02+dfsg1/debian/build-efi-images2019-06-14 19:04:01.0 
+0100
@@ -20,16 +20,17 @@
 
 # Make EFI boot images for signing.
 
-if [ $# -lt 5 ]; then
-   echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM 
EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 6 ]; then
+   echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH 
PLATFORM EFI-NAME [EFI-VENDOR]"
 fi
 
 grub_mkimage="$1"
 grub_core="$2"
 outdir="$3"
-platform="$4"
-efi_name="$5"
-efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+deb_arch="$4"
+platform="$5"
+efi_name="$6"
+efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
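
Review bot: DEB-ARCH is inserted as the fourth positional argument, ahead of PLATFORM and EFI-NAME, so a caller still passing the old five-argument order would have its platform read as `deb_arch` and its EFI name read as `platform` without any error. As shown, the usage branch only echoes the message before `fi`, so the script carries on with empty variables when too few arguments are given. Suggest exiting non-zero in that branch and checking `$deb_arch` and `$platform` against the expected values before they are used to build output names and prefixes.
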
@@ -115,6 +116,7 @@
memdisk
minicmd
normal
+   ntfs
part_apple
part_msdos
part_gpt
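
Review bot: `ntfs` goes into the module list with no comment on why an image built for signing needs it. Every entry in this list becomes part of the signed image, and a filesystem driver parses on-disk data that the firmware does not verify, so a short comment naming the use case or the bug reference (the changelog cites #923855) would let a later reviewer judge whether the module can be dropped again.
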
@@ -141,7 +143,9 @@
 case $platform in
 x86_64-efi|i386-efi)
CD_MODULES="$CD_MODULES
+   cpuid
linuxefi
+   play
"
;;
 esac
@@ -181,15 +185,29 @@
tftp
"
 
+# CD boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
-d "$grub_core" \
-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
-p /boot/grub \
$CD_MODULES
+
+# Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+
+# Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-   -m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
+   -m "$workdir/memdisk-netboot.fat" \
+   -p /grub $NET_MODULES
+
+# Special network boot image for d-i to use. Just the same as the
+# normal network boot image, but with a different value baked in for
+# the prefix setting
+"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
+   -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
+   -m "$workdir/memdisk-netboot.fat" \
+   -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
 
 exit 0
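
Review bot: The installer image's `-p "${efi_vendor}-installer/$deb_arch/grub"` has no leading slash, while the other three images use absolute prefixes (`/boot/grub`, `/EFI/$efi_vendor`, `/grub`). If the relative form is deliberate, the comment above the command should say so and explain how it is resolved at boot, since the value is baked into an image built for signing. An empty `$deb_arch` would also silently produce a `...-installer//grub` prefix, so check that it is non-empty before this call.
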
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog   2019-05-04 22:58:32.0 +0100
+++ grub2-2.02+dfsg1/debian/changelog   2019-06-14 19:04:01.0 +0100
@@ -1,3 +1,18 @@
+grub2 (2.02+dfsg1-19) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Fix format of debian/copyright.
+
+  [ Steve McIntyre ]
+  * Add the ntfs module to signed UEFI images. Closes: #923855
+  * Add the cpuid module to signed UEFI images. Closes: #928628
+  * Add the play module to signed UEFI images. Closes: #930290
+  * Add an extra di-specific version of the UEFI netboot image with a
+different baked-in prefix value. Helps to fix #928750.
+  * Deal with --force-extra-removable with signed shim too. Closes: #930531
+
+ -- Colin Watson   Fri, 14 Jun 2019 19:04:01 +0100
+
 grub2 (2.02+dfsg1-18) unstable; urgency=medium
 
   * Apply patches from Alexander Graf to fix 

Bug#930882: unblock: schleuder/3.4.0-2

2019-06-21 Thread Georg Faerber
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock schleuder 3.4.0-2.

I've just uploaded it to unstable, it ships a fix to allow Schleuder to
handle mails produced by Mutt 1.12.0, which was recently released, with
protected headers. Without this fix, Schleuder is unable to handle these
messages, and crashes. The problem was reported by a user some days ago
[1]; a fix was proposed [2], which is tested and already used in
production.

Please find the debdiff attached.

unblock schleuder/3.4.0-2

Thanks for your work,
cheers,
Georg


[1] https://0xacab.org/schleuder/schleuder/issues/430
[2] https://0xacab.org/schleuder/schleuder/merge_requests/290
diff -Nru schleuder-3.4.0/debian/changelog schleuder-3.4.0/debian/changelog
--- schleuder-3.4.0/debian/changelog	2019-02-14 17:10:34.0 +
+++ schleuder-3.4.0/debian/changelog	2019-06-21 19:05:42.0 +
@@ -1,3 +1,15 @@
+schleuder (3.4.0-2) unstable; urgency=medium
+
+  * debian/patches:
+- Pull in upstream patch to handle mails with protected headers as
+  introduced in Mutt 1.12.0, which was recently released. These headers
+  are just contained within the plain body of a mail produced by Mutt,
+  they are not further wrapped into a specifically marked MIME-part.
+  Schleuder fails to handle such messages, accordingly, this patch fixes
+  this behaviour. (Closes: #930870)
+
+ -- Georg Faerber   Fri, 21 Jun 2019 19:05:42 +
+
 schleuder (3.4.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch
--- schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch	1970-01-01 00:00:00.0 +
+++ schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch	2019-06-21 19:05:42.0 +
@@ -0,0 +1,107 @@
+Description: Handle protected headers produced by Mutt 1.12.0
+  Mutt 1.12.0, which was recently released, introduced protected headers. These
+  headers are just contained within the plain body of a mail produced by Mutt,
+  they are not further wrapped into a specifically marked MIME-part. Schleuder
+  fails to handle such messages, accordingly, this patch fixes this behaviour.
+Origin: upstream
+Forwarded: not-needed
+Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963
+Last-Update: 2019-06-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: schleuder/lib/schleuder/mail/message.rb
+===
+--- schleuder.orig/lib/schleuder/mail/message.rb
 schleuder/lib/schleuder/mail/message.rb
+@@ -55,7 +55,7 @@ module Mail
+ new.protected_headers_subject = self.subject.dup
+
+ # Delete the protected headers which might leak information.
+-if new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
++if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
+   new.parts.shift
+ end
+   end
+Index: schleuder/spec/fixtures/mutt_protected_headers.txt
+===
+--- /dev/null
 schleuder/spec/fixtures/mutt_protected_headers.txt
+@@ -0,0 +1,47 @@
++From schleu...@example.org Thu Jun 13 15:19:33 2019
++Received: from 127.0.0.1 (helo=localhost.localdomain)
++	by mail.example.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
++	(Exim 4.92)
++	id 1hbPdc-0007GN-6b
++	for schleu...@example.org; Thu, 13 Jun 2019 15:19:32 +0200
++Date: Thu, 13 Jun 2019 15:19:30 +0200
++From: dev 
++To: schleu...@example.org
++Subject: ...
++Message-ID: <20190613131930.ABC@xyz>
++MIME-Version: 1.0
++Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
++	boundary="z6Eq5LdranGa6ru8"
++Content-Disposition: inline
++
++
++--z6Eq5LdranGa6ru8
++Content-Type: application/pgp-encrypted
++Content-Disposition: attachment
++
++Version: 1
++
++--z6Eq5LdranGa6ru8
++Content-Type: application/octet-stream
++Content-Disposition: attachment; filename="msg.asc"
++
++-BEGIN PGP MESSAGE-
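
Review bot: In the `message.rb` hunk, the added `new.parts.first &&` guard stops the crash on a message without parts, but it also means nothing is removed in the Mutt case the description names, where the protected headers sit in the plain body rather than in a `text/rfc822-headers; protected-headers=v1` part. Given the comment "Delete the protected headers which might leak information", please confirm, and cover in the spec that uses `mutt_protected_headers.txt`, that those body-embedded headers are not forwarded unintentionally. The exact string comparison on `content_type` is also fragile against parameter reordering or extra whitespace; comparing the MIME type and the `protected-headers` parameter separately would be more robust.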

Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread Steve McIntyre
On Fri, Jun 21, 2019 at 04:29:18PM -0400, Sam Hartman wrote:
>> "tony" == tony mancill  writes:
>
>tony> Hi Paul,
>
>tony> I emailed ar...@buildd.debian.org regarding that this morning
>tony> (at 13:35 UTC), but haven't received a response yet.  Perhaps
>tony> related, but the first arm64 build failed for the upload to
>tony> unstable last week.  The build failed on arm-ubc-02 but then
>tony> succeeded on arm-conova-02.  I don't know if someone manually
>tony> triggered the retry, but a few hours after the arm64 failure,
>tony> another build was underway and successful.
>
>Happened to be in the room with SteMcIntyre, who is not actually an
>arm64 buildd admin, but who volunteered to prod people.
>He also suggested that you could copy the debian-arm list as well as
>buildd admins.

Hey Tony,

Looking at that log now...

The build is running and failing on arm-ubc-03, which is one of the
new buildds at UBC that have just been recently commissioned. It's odd
that there's no explicit failure message for the build, just a build
timeout.

I know there have been disk issues reported on one of the new machines
(yay!), possibly that's the cause here. I don't have direct login
access myself to be able to check. Aurelien - could you take a look
please?

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.



Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread Sam Hartman
> "tony" == tony mancill  writes:

tony> Hi Paul,

tony> I emailed ar...@buildd.debian.org regarding that this morning
tony> (at 13:35 UTC), but haven't received a response yet.  Perhaps
tony> related, but the first arm64 build failed for the upload to
tony> unstable last week.  The build failed on arm-ubc-02 but then
tony> succeeded on arm-conova-02.  I don't know if someone manually
tony> triggered the retry, but a few hours after the arm64 failure,
tony> another build was underway and successful.

Happened to be in the room with SteMcIntyre, who is not actually an
arm64 buildd admin, but who volunteered to prod people.
He also suggested that you could copy the debian-arm list as well as
buildd admins.



Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread tony mancill
On Fri, Jun 21, 2019 at 09:35:29PM +0200, Paul Gevers wrote:
> Hi tony,
> 
> On 20-06-2019 15:44, tony mancill wrote:
> > I interpret this exchange to mean that 11.0.3+7-5 is still the version
> > preferred by the OpenJDK Team and so have uploaded that, built against
> > buster and with distribution set to buster.
> > 
> > Let me know if I misinterpreted and should upload with a different
> > version, and thank you for the discussion and patience with this one.
> 
> The build on arm64 failed. Can you please investigate?
> 
> https://buildd.debian.org/status/fetch.php?pkg=openjdk-11=arm64=11.0.3%2B7-5=1561082322=0

Hi Paul,

I emailed ar...@buildd.debian.org regarding that this morning (at 13:35
UTC), but haven't received a response yet.  Perhaps related, but the
first arm64 build failed for the upload to unstable last week.  The
build failed on arm-ubc-02 but then succeeded on arm-conova-02.  I don't
know if someone manually triggered the retry, but a few hours after the
arm64 failure, another build was underway and successful.

I mention the machine names because arm-ubc-02 and arm-ubc-03 are
running the same version of sbuild, which is newer than the version of
sbuild running on arm-conova-02.  But perhaps there are other
differences as well.

If I don't hear something back by tonight, I'll try to reach the arm64
buildd admins via IRC.

Thanks,
tony




Processed: Re: Bug#930797: unblock: xen/4.11.1+92-g6c33308a8d-1

2019-06-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #930797 [release.debian.org] unblock: xen/4.11.1+92-g6c33308a8d-1
Added tag(s) moreinfo.

-- 
930797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930797: unblock: xen/4.11.1+92-g6c33308a8d-1

2019-06-21 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Hans,

On 20-06-2019 21:14, Hans van Kranenburg wrote:
>   * Note that the fixes for XSA-297 will only have effect when also loading
> updated cpu microcode with MD_CLEAR functionality. When using the
> intel-microcode package to include microcode in the dom0 initrd, it
> has to
> be loaded by Xen. Please refer to the hypervisor command line
> documentation about the 'ucode=scan' option.

I asked this question recently for another unblock report (not by you)
as well, but don't you think this is worth mentioning in NEWS? So that
people that use apt-listchanges are warned about this?

Paul





Processed: Re: Bug#930795: unblock: ruby-airbrussh/1.3.2-1

2019-06-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #930795 [release.debian.org] unblock: ruby-airbrussh/1.3.2-1
Added tag(s) moreinfo.

-- 
930795: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930795
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930795: unblock: ruby-airbrussh/1.3.2-1

2019-06-21 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Samuel

On 20-06-2019 20:38, Samuel Henrique wrote:
> I'm asking for the unblock of ruby-airbrussh
> because a critical bug was solved in the last upload.
> 
> The bug is related to the package throwing an exception when dealing
> with non UTF-8 characters coming from SSH.

Can you elaborate a bit why the severity? (Would have been nice to have
that description in the bug you didn't file). Looking at the upstream
bug, it may just be confusing to the user and ugly of course as rsync
was said to keep on running. Is rsync in Debian broken in the same way?

> I decided to upload the latest release instead of patching the previous
> release

Which still means review work by us. We do have quite some unblocks
coming in this last freeze moment.

Paul





Bug#930875: unblock: pdns/4.1.6-3

2019-06-21 Thread Chris Hofstaedtler
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package pdns 4.1.6-3 which contains fixes for two CVEs:

CVE-2019-10162: Denial of service via crafted zone records
CVE-2019-10163: Denial of service via NOTIFY packets

Please find the debdiff from -2 below.

Thanks,
Chris

unblock pdns/4.1.6-3


diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog
--- pdns-4.1.6/debian/changelog 2019-03-31 12:48:59.0 +
+++ pdns-4.1.6/debian/changelog 2019-06-21 19:07:07.0 +
@@ -1,3 +1,12 @@
+pdns (4.1.6-3) unstable; urgency=medium
+
+  * Fix Denial of service via crafted zone records (CVE-2019-10162)
+using patch from upstream.
+  * Fix Denial of service via NOTIFY packets (CVE-2019-10163)
+using patch from upstream.
+
+ -- Chris Hofstaedtler   Fri, 21 Jun 2019 19:07:07 +
+
 pdns (4.1.6-2) unstable; urgency=high
 
   [ Salvatore Bonaccorso ]
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch 
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch 
1970-01-01 00:00:00.0 +
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch 
2019-06-21 19:07:07.0 +
@@ -0,0 +1,29 @@
+diff --git pdns-4.1.8/pdns/mastercommunicator.cc 
pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+index 456957a..ce0355c 100644
+--- pdns-4.1.8/pdns/mastercommunicator.cc
 pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+@@ -50,6 +50,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& 
di, UeberBackend* B)
+   FindNS fns;
+ 
+ 
++  try {
+   if (d_onlyNotify.size()) {
+ B->lookup(QType(QType::NS), di.zone);
+ while(B->get(rr))
+@@ -77,6 +78,16 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& 
di, UeberBackend* B)
+   hasQueuedItem=true;
+ }
+   }
++  }
++  catch (PDNSException ) {
++L << Logger::Error << "Error looking up name servers for " << di.zone << 
", cannot notify: " << ae.reason << endl;
++return;
++  }
++  catch (std::exception ) {
++L << Logger::Error << "Error looking up name servers for " << di.zone << 
", cannot notify: " << e.what() << endl;
++return;
++  }
++
+ 
+   set alsoNotify(d_alsoNotify);
+   B->alsoNotifies(di.zone, );
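
Review bot: Both `catch` blocks `return` from `queueNotifyDomain()`, so an exception during the NS lookup also skips the `alsoNotify` handling that follows the block, and the zone gets no notifications at all. If also-notify targets should still be served when the NS lookup fails, log the error and fall through instead of returning. The body inside the new `try {` is also left at its old indentation, which hides the scope of the block; re-indent it or mark the closing brace with a comment.
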
diff -Nru 
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc 
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc 
1970-01-01 00:00:00.0 +
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc 
2019-06-21 19:07:07.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZxXgf9G4rXQ3xmE6pPTnwkN+9P
+nrqhjIrbhIS8t2KNVqLjUADhxHOli8lLj84f/fLnJgRabA5mz7iFVhpcHmocJADI
+lldJsjke6qbG+oduP90TsOD0wTWvibdxpoyrQlE0KvZua7geI5nSudEAVFW/SdhQ
+ynWGCgEodG35QkLOYlF19iSkd7x52Hx8MvMUF3YDZU/IjAVIIVmS4ZdaYz32T3ih
+OfpMFcOsu7Lsk8RkecK9Hegkv9ohqXGGcfz8rGsyF0gBGqTOhZ2rPqEj66jG4x++
+wLNPOkFpJYKLW+tkPzj0ra56/zjmOPrWbZWlEORnlmrU9ZS9nYG5gfYJuPNAveCq
+Mw==
+=SR9f
+-END PGP SIGNATURE-
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch 
pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch   
1970-01-01 00:00:00.0 +
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch   
2019-06-21 19:07:07.0 +
@@ -0,0 +1,16 @@
+diff --git pdns-4.1.8/pdns/communicator.cc 
pdns-4.1.8-busyloop/pdns/communicator.cc
+index 7db5a3e..7fd59e4 100644
+--- pdns-4.1.8/pdns/communicator.cc
 pdns-4.1.8-busyloop/pdns/communicator.cc
+@@ -136,7 +136,10 @@ void CommunicatorClass::mainloop(void)
+   if (extraSlaveRefresh)
+ slaveRefresh();
+ }
+-else { 
++else {
++  // eat up extra posts to avoid busy looping if many posts were done
++  while (d_any_sem.tryWait() == 0) {
++  }
+   break; // something happened
+ }
+ // this gets executed at least once every second
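
Review bot: The drain loop `while (d_any_sem.tryWait() == 0) { }` discards the number of posts, so it is only correct if the code after `break` handles every pending item in one pass rather than one item per post; a comment stating that assumption would help. The loop also has no upper bound if posts keep arriving as fast as they are drained, so consider capping the number of iterations.
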
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc 
pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc   
1970-01-01 00:00:00.0 +
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc   
2019-06-21 19:07:07.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZbcQf/XTC6bDxmwt4tEXXN6hXQ
++ArS6zRED2pbxCAipxvHtbj9xqhk343aNfrG4Y8kl32AmJuP76yGfNrFeiNtPWgA

Bug#930794: marked as done (unblock: intel-microcode/3.20190618.1)

2019-06-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 Jun 2019 21:46:34 +0200
with message-id <8da60c25-1121-e2cf-bf83-b7d4cb07e...@debian.org>
and subject line Re: Bug#930794: unblock: intel-microcode/3.20190618.1
has caused the Debian Bug report #930794,
regarding unblock: intel-microcode/3.20190618.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930794: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930794
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

This is an update that adds the MDS mitigations for Sandybridge server
and HEDT (Core-X).  Other than those two updated microcode files, there
are just changes to text files.

It has been the subject of a security update (DSA 4447-2, and soon DLA
1789-2), please refer to

https://security-tracker.debian.org/tracker/CVE-2019-11091

for details.

diff attached (with the microcode blob changes removed for clarity).

diffstat (git, ignores rename of symlink):
 changelog|7 +++
 debian/changelog |  106 +--
 intel-ucode/06-2d-06 |binary
 intel-ucode/06-2d-07 |binary
 releasenote  |   46 ++
 5 files changed, 74 insertions(+), 85 deletions(-)


unblock intel-microcode/3.20190618.1

Thank you

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index b6f59a6..f3579cf 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,10 @@
+2019-06-18:
+  * Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  * Updated Microcodes:
+sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432
+sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456
+
 2019-05-14:
   * Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
diff --git a/debian/changelog b/debian/changelog
index f7c67ce..ac6bfe1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,50 +1,68 @@
+intel-microcode (3.20190618.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20190618
++ SECURITY UPDATE
+  Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+  CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  for Sandybridge server and Core-X processors
++ Updated Microcodes:
+  sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432
+  sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456
+  * Add some missing (minor) changelog entries to 3.20190514.1
+  * Reformat 3.20190514.1 changelog entry to match rest of changelog
+
+ -- Henrique de Moraes Holschuh   Wed, 19 Jun 2019 09:05:54 
-0300
+
 intel-microcode (3.20190514.1) unstable; urgency=high
 
   * New upstream microcode datafile 20190514
-  * SECURITY UPDATE
-Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
-  * New Microcodes:
-sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224
-sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224
-sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224
-sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632
-sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608
-sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x521, size 47104
-  * Updated Microcodes:
-sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288
-sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336
-sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552
-sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456
-sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384
-sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408
-sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816
-sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432
-sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504
-sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600
-sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336
-sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352
-sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb36, size 30720
-sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x25e, size 32768
-
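
Review bot: The new 3.20190618.1 entry is labelled SECURITY UPDATE for the same MDS CVEs as 3.20190514.1, yet it is `urgency=medium` where the earlier entry was `urgency=high`; if the lower urgency is intended for the Sandybridge server and Core-X microcode, a word in the entry would avoid questions. The hunk also removes the body of the already-released 3.20190514.1 entry for reformatting, which buries the two updated microcode lines in a large diff; keeping the reformat and the added "missing (minor) changelog entries" in a separate change would make both easier to verify.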

Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-06-21 Thread Paul Gevers
Hi tony,

On 20-06-2019 15:44, tony mancill wrote:
> I interpret this exchange to mean that 11.0.3+7-5 is still the version
> preferred by the OpenJDK Team and so have uploaded that, built against
> buster and with distribution set to buster.
> 
> Let me know if I misinterpreted and should upload with a different
> version, and thank you for the discussion and patience with this one.

The build on arm64 failed. Can you please investigate?

https://buildd.debian.org/status/fetch.php?pkg=openjdk-11=arm64=11.0.3%2B7-5=1561082322=0

Paul





Bug#928882: unblock: [pre-approval] ghc/8.4.4+dfsg1-3

2019-06-21 Thread Paul Gevers
Control: retitle -1 unblock: ghc/8.4.4+dfsg1-3

Hi Ilias,

On 20-06-2019 04:20, Ilias Tsitsimpis wrote:
> Attached is the updated file.

Scheduling as we speak. Can you please keep an eye on it and ping this
bug if you spot something not going well or when everything is finished?
It's unclear to me how I should track that properly.

Paul





Processed: Re: Bug#928882: unblock: [pre-approval] ghc/8.4.4+dfsg1-3

2019-06-21 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 unblock: ghc/8.4.4+dfsg1-3
Bug #928882 [release.debian.org] unblock: [pre-approval] ghc/8.4.4+dfsg1-3
Changed Bug title to 'unblock: ghc/8.4.4+dfsg1-3' from 'unblock: [pre-approval] 
ghc/8.4.4+dfsg1-3'.

-- 
928882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928882
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930776: marked as done (unblock: ionit/0.3.2-1)

2019-06-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 Jun 2019 21:06:19 +0200
with message-id <0afd01d4-17bd-f43c-5877-a0919e6ed...@debian.org>
and subject line Re: Bug#930776: unblock: ionit/0.3.2-1
has caused the Debian Bug report #930776,
regarding unblock: ionit/0.3.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930776: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930776
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ionit

ionit runs too late for /etc/network/interfaces (RC bug #919690). This
is fixed in 0.3.2-1. The debdiff is attached.

ionit is a quite new and very small tool (popcon count: 4), which is
developed and used by us. It has 100% test coverage (run at build time
and as autopkgtest).

unblock ionit/0.3.2-1

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.dr...@cloud.ionos.com | Web: www.ionos.de

Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim
Weiss

Member of United Internet
diff -Nru ionit-0.2.1/debian/changelog ionit-0.3.2/debian/changelog
--- ionit-0.2.1/debian/changelog2019-01-07 14:22:30.0 +0100
+++ ionit-0.3.2/debian/changelog2019-06-20 12:21:44.0 +0200
@@ -1,3 +1,13 @@
+ionit (0.3.2-1) unstable; urgency=medium
+
+  * New upstream release.
+- Support specifying a configuration file
+- Support specifying --config multiple times
+- Run ionit.service before systemd-modules-load.service
+- Run ionit.service before systemd-udev-trigger.service (Closes: #919690)
+
+ -- Benjamin Drung   Thu, 20 Jun 2019 12:21:44 
+0200
+
 ionit (0.2.1-1) unstable; urgency=medium
 
   * New upstream release.
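Review bot: the 0.3.2-1 entry carries two feature items (configuration file support, repeated --config) next to the ordering fix that closes #919690, so the unblock request should say why the features cannot be split from the RC fix. The unit change behind the two "Run ionit.service before ..." items is not among the hunks shown here, so the ordering itself cannot be checked from this diff.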
diff -Nru ionit-0.2.1/ionit ionit-0.3.2/ionit
--- ionit-0.2.1/ionit   2019-01-07 14:01:10.0 +0100
+++ ionit-0.3.2/ionit   2019-06-20 12:17:42.0 +0200
@@ -28,6 +28,7 @@
 
 import ionit_plugin
 
+DEFAULT_CONFIG = "/etc/ionit"
 LOG_FORMAT = '%(asctime)s %(name)s %(levelname)s: %(message)s'
 SCRIPT_NAME = "ionit"
 
@@ -86,23 +87,34 @@
 return context
 
 
-def collect_context(directory):
+def get_config_files(paths):
+"""Return files for the given paths (could either be files or 
directories)."""
+logger = logging.getLogger(SCRIPT_NAME)
+files = []
+for path in paths:
+logger.debug("Searching for configuration files in '%s'...", path)
+try:
+if os.path.isfile(path):
+files.append(path)
+else:
+files += sorted([os.path.join(path, f) for f in 
os.listdir(path)])
+except OSError as error:
+logger.warning("Failed to read configuration directory: %s", error)
+logger.debug("Configuration files: %s", files)
+return files
+
+
+def collect_context(paths):
 """Collect context that will be used when rendering the templates"""
 logger = logging.getLogger(SCRIPT_NAME)
-logger.debug("Collecting context from '%s'...", directory)
-try:
-files = sorted(os.listdir(directory))
-except OSError as error:
-logger.warning("Failed to read configuration directory: %s", error)
-files = []
+logger.debug("Collecting context...")
 
 failures = 0
 context = {}
 
-for filename in files:
+for file in get_config_files(paths):
 file_context = None
-file = os.path.join(directory, filename)
-extension = os.path.splitext(filename)[1]
+extension = os.path.splitext(file)[1]
 try:
 if extension == ".json":
 logger.info("Reading configuration file '%s'...", file)
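Review bot: in get_config_files() the except OSError branch logs "Failed to read configuration directory" even when the path was meant as a file; a path given with --config that does not exist fails os.path.isfile(), falls through to os.listdir() and is reported as a directory problem. Suggest wording the warning around the path, for example "Failed to read configuration path '%s': %s" with path as the first argument. The docstring should also state the ordering: entries are sorted within each directory, but the overall order follows the order of paths, which matters if later files are meant to override earlier ones.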
@@ -184,9 +196,9 @@
 def main(argv):
 """Main function with argument parsing"""
 parser = argparse.ArgumentParser()
-parser.add_argument("-c", "--config", default="/etc/ionit",
-help="Configuration directory containing context for 
rendering (default: "
- "%(default)s)")
+parser.add_argument("-c", "--config", action="append",
+help="Configuration directory/file containing context 
for rendering "
+ "(default: %s)" % (DEFAULT_CONFIG,))
 parser.add_argument("-t", "--templates", default="/etc",
 help="Directory to search for Jinja templates 
(default: %(default)s)")
 
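Review bot: with action="append" and no default=, args.config is None when -c is not given, and the fallback to DEFAULT_CONFIG is not in the lines shown; check that main() passes something like args.config or [DEFAULT_CONFIG] to collect_context(). Keeping the fallback outside argparse is the right shape, since default=[DEFAULT_CONFIG] combined with append would add the user's paths to /etc/ionit instead of replacing it; a one-line comment saying so would save the next reader the question.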

Processed: Re: Bug#930687: unblock: rdesktop/1.8.6-2

2019-06-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 930687
Bug #930687 [release.debian.org] unblock: rdesktop/1.8.6-2
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930687
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930687: unblock: rdesktop/1.8.6-2

2019-06-21 Thread Paul Gevers
Hi László,

On 18-06-2019 18:19, László Böszörményi (GCS) wrote:
> The debdiff is a bit large, but hopefully can be accepted for Buster.

Unblocked because of the security team position. Thanks.

Paul





Bug#930687: unblock: rdesktop/1.8.6-2

2019-06-21 Thread Moritz Mühlenhoff
On Tue, Jun 18, 2019 at 06:19:33PM +0200, László Böszörményi (GCS) wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team,
> 
> There's several security issues fixed with rdesktop 1.8.6 and while it
> has some regressions, I've backported the needed fixes for the -2
> package version.
> As upstream notes: "This is a security release to address various
> buffer overflow and overrun issues in the rdesktop protocol handling.
> rdesktop will now detect any attempts to access invalid areas and
> refuse to continue. Users are advised to upgrade as soon as possible."
> 
> The debdiff is a bit large, but hopefully can be accepted for Buster.

JFTR, we'll likely also rebase stretch to that version (we did similarly
for 1.8.4 in a previous DSA).

Cheers,
Moritz



Bug#930867: unblock: libvirt/5.0.0-4

2019-06-21 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt

It fixes 4 CVEs and adds an apparmor rule to make the life of people
using spice with certificates easier.
Cheers,
 -- Guido

unblock libvirt/5.0.0-4

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#930865: unblock: bochs/2.6.9+dfsg-3

2019-06-21 Thread Stephen Kitt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package bochs

It adds a couple of missing files which are required for some features
added for Buster. (#930770.)

diff --git a/debian/bochs.install b/debian/bochs.install
index 3574eb6..ba50552 100644
--- a/debian/bochs.install
+++ b/debian/bochs.install
@@ -6,6 +6,7 @@ usr/lib/bochs/plugins/libbx_biosdev.so*
 usr/lib/bochs/plugins/libbx_busmouse.so*
 usr/lib/bochs/plugins/libbx_cmos.so*
 usr/lib/bochs/plugins/libbx_dma.so*
+usr/lib/bochs/plugins/libbx_e1000.so*
 usr/lib/bochs/plugins/libbx_es1370.so*
 usr/lib/bochs/plugins/libbx_eth_*.so*
 usr/lib/bochs/plugins/libbx_extfpuirq.so*
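Review bot: libbx_e1000.so* goes in as one more hand-maintained entry in a list that names most plugins individually, so a plugin that is built but not listed is dropped silently, which is the kind of omission #930770 reports. Consider a wider glob for the plugin directory, or failing the build on uninstalled files (dh_missing --fail-missing), so the next new plugin is caught at build time.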
@@ -33,6 +34,7 @@ usr/lib/bochs/plugins/libbx_svga_cirrus.so*
 usr/lib/bochs/plugins/libbx_unmapped.so*
 usr/lib/bochs/plugins/libbx_usb_*.so*
 usr/lib/bochs/plugins/libbx_vga.so*
+usr/lib/bochs/plugins/libbx_voodoo.so*
 usr/share/bochs/keymaps
 usr/share/man/man1/bochs.1.gz
 usr/share/man/man5/bochsrc.5.gz
diff --git a/debian/changelog b/debian/changelog
index 49ef391..03212f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+bochs (2.6.9+dfsg-3) unstable; urgency=medium
+
+  * Ship the Voodoo and e1000 plugins; thanks to Christian Ehrhardt for
+the patch. Closes: #930770. LP: #1830094.
+
+ -- Stephen Kitt   Thu, 20 Jun 2019 10:37:44 +0200
+
 bochs (2.6.9+dfsg-2) unstable; urgency=medium
 
   * Discard .note.gnu.property section explicitly when building BIOS ROM


unblock bochs/2.6.9+dfsg-3

Regards,

Stephen

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 
'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), 
(1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#930864: unblock: bind9/1:9.11.5.P4+dfsg-5.1

2019-06-21 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package bind9 (it builds udeb's so would need an ack
from kibi as well). It fixes CVE-2019-6471, #930746 ("A race condition
when discarding malformed packets can cause BIND to exit with an
assertion failure").

I realize this is very short before the last date possible for unblock
requests.

unblock bind9/1:9.11.5.P4+dfsg-5.1

Regards,
Salvatore
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog 
bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog   2019-05-03 19:44:57.0 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/changelog   2019-06-21 11:24:31.0 
+0200
@@ -1,3 +1,11 @@
+bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
+(Closes: #930746)
+
+ -- Salvatore Bonaccorso   Fri, 21 Jun 2019 11:24:31 +0200
+
 bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
 
   * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
--- 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 1970-01-01 01:00:00.0 +0100
+++ 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 2019-06-21 11:24:31.0 +0200
@@ -0,0 +1,56 @@
+From: Mark Andrews 
+Date: Tue, 19 Mar 2019 14:14:21 +1100
+Subject: move item_out test inside lock in dns_dispatch_getnext()
+Origin: 
https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6471
+Bug-Debian: https://bugs.debian.org/930746
+
+(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
+---
+ lib/dns/dispatch.c | 12 
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda3679d..3278db4a07c2 100644
+--- a/lib/dns/dispatch.c
 b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+   isc_task_t *task;
+   isc_taskaction_taction;
+   void   *arg;
+-  boolitem_out;
++  boolitem_out;
+   dispsocket_t*dispsocket;
+   ISC_LIST(dns_dispatchevent_t)   items;
+   ISC_LINK(dns_dispentry_t)   link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, 
dns_dispatchevent_t **sockevent) {
+   disp = resp->disp;
+   REQUIRE(VALID_DISPATCH(disp));
+ 
+-  REQUIRE(resp->item_out == true);
+-  resp->item_out = false;
+-
+   ev = *sockevent;
+   *sockevent = NULL;
+ 
+   LOCK(>lock);
++
++  REQUIRE(resp->item_out == true);
++  resp->item_out = false;
++
+   if (ev->buffer.base != NULL)
+   free_buffer(disp, ev->buffer.base, ev->buffer.length);
+   free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+   isc_task_send(disp->task[0], >ctlevent);
+ }
+ 
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+   dns_dispatchevent_t *ev;
+-- 
+2.20.1
+
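Review bot: in the dns_dispatch_getnext() hunk, REQUIRE(resp->item_out == true) remains a hard assertion after it moves below LOCK(), so the fix holds only if every other reader and writer of item_out also runs with the dispatch lock held; those sites are not in this patch and should be checked against the upstream tree when accepting the backport. The new "disp must be locked" comment on do_cancel() records the precondition without enforcing it, and the item_out line in the struct hunk is a whitespace-only change, which is worth knowing when comparing this file against the upstream commit.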
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series 
bind9-9.11.5.P4+dfsg/debian/patches/series
--- bind9-9.11.5.P4+dfsg/debian/patches/series  2019-05-03 19:44:57.0 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/patches/series  2019-06-21 11:24:31.0 
+0200
@@ -12,3 +12,4 @@
 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 0014-Disable-broken-Ed448-support.patch
+0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch


Re: Bug#927667: gnome: please confirm or revert choice of Wayland for default desktop

2019-06-21 Thread Laurent Bigonville

On 19/06/19 22:19, Simon McVittie wrote:

[...]
I would very much appreciate input from the rest of the team, particularly:

- Laurent: I know you've had strong opinions about using Wayland for GNOME.
   Do you feel strongly that Debian should be defaulting to Wayland? Are
   there any reasons for that default that are missing from my attempt to
   summarize earlier on the bug?
[...]


I have personally been using Wayland for more than 3 years on my work laptop
(Intel card) and my home desktop (ATI/AMD with OSS driver) and even if
there were transient issues at some point, everything is pretty stable
now with 3.30 (the version that will be released with buster). Like Iain,
the main annoyance I have in my daily use is with the desktop/window
sharing in Firefox.


Wayland was (re)made the default in Debian back in July 2017
(beginning of the dev cycle for buster), I don't remember receiving any
objections at the time. The question about using it by default was
raised by Jonathan in Apr 2019, two months into the (soft) freeze, it was
already quite late at that point IMHO to switch back. This makes me
wonder, are there even people using GNOME in sid/testing? Are there
people testing with the default settings or has everybody switched back to
X11? Because we had a full development cycle and we didn't have a
massive number of bugs being filed about this, how should we interpret
that?


It's also important to note that we are not pioneers in this, Fedora has
been defaulting to GNOME Wayland since Fedora 25 (Nov 2016). Both RHEL 8
(just released and using GNOME 3.28, so one release lower) and SUSE
Linux Enterprise Desktop 15 (released at the end of June last year using
GNOME 3.26) are also defaulting to GNOME Wayland.


We could indeed revert to X11 in a point release if things are going 
horribly wrong, some first step could be to put more information about 
this in the release notes. RHEL has 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.0_release_notes/index#desktop 
but I don't think that everything there applies to Debian