Bug#943594: buster-pu: package libapache-mod-auth-kerb/5.4-2.4~deb10u1

2019-10-26 Thread Paul Wise
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

This brings the fix for a use after free crash to buster.
Since there were no other changes between buster and bullseye,
I elected to just add a "backport to buster" changelog.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
diff -u libapache-mod-auth-kerb-5.4/debian/changelog libapache-mod-auth-kerb-5.4/debian/changelog
--- libapache-mod-auth-kerb-5.4/debian/changelog
+++ libapache-mod-auth-kerb-5.4/debian/changelog
@@ -1,3 +1,16 @@
+libapache-mod-auth-kerb (5.4-2.4~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster
+
+ -- Paul Wise   Sun, 27 Oct 2019 13:58:04 +0800
+
+libapache-mod-auth-kerb (5.4-2.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply patch from upstream issue tracker to fix crash (Closes: #934043)
+
+ -- Paul Wise   Mon, 21 Oct 2019 11:15:20 +0800
+
 libapache-mod-auth-kerb (5.4-2.3) unstable; urgency=medium
 
   * Don't apply the delegation patch, it can break gssapi auth. (Closes:
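Review bot: the 5.4-2.4 entry in this changelog hunk describes the change only as "fix crash", while the patch header added by the same upload calls it a use after free in authenticate_user_krb5pwd(). Naming the use after free and the function in the changelog line would let anyone reading the buster changelog judge the update without opening debian/patches.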
diff -u libapache-mod-auth-kerb-5.4/debian/patches/series libapache-mod-auth-kerb-5.4/debian/patches/series
--- libapache-mod-auth-kerb-5.4/debian/patches/series
+++ libapache-mod-auth-kerb-5.4/debian/patches/series
@@ -10,0 +11 @@
+mod_auth_kerb-krb5_kt_close.patch
only in patch2:
unchanged:
--- libapache-mod-auth-kerb-5.4.orig/debian/patches/mod_auth_kerb-krb5_kt_close.patch
+++ libapache-mod-auth-kerb-5.4/debian/patches/mod_auth_kerb-krb5_kt_close.patch
@@ -0,0 +1,20 @@
+Description: fix use after free in authenticate_user_krb5pwd()
+Origin: https://sourceforge.net/p/modauthkerb/bugs/61/attachment/mod_auth_kerb-krb5_kt_close.patch
+Bug: https://sourceforge.net/p/modauthkerb/bugs/61/
+Bug-Debian: https://bugs.debian.org/934043
+Author: Johan Ymerson (https://sourceforge.net/u/ymerson/)
+diff -ruN mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c	2018-12-12 16:59:43.762013269 +0100
 mod_auth_kerb-5.4/src/mod_auth_kerb.c	2018-12-12 16:59:59.151945123 +0100
+@@ -799,11 +799,9 @@
+ 	"failed to verify krb5 credentials: %s",
+ 		  krb5_get_err_text(context, ret));
+  krb5_kt_end_seq_get(context, keytab, &cursor);
+- krb5_kt_close(context, keytab);
+  goto end;
+}
+krb5_kt_end_seq_get(context, keytab, &cursor);
+-   krb5_kt_close(context, keytab);
+  }
+  else {
+if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
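Review bot: with both krb5_kt_close(context, keytab) calls removed, nothing in the visible lines releases keytab on the "goto end" path or after the second krb5_kt_end_seq_get(). The hunk should be checked against the cleanup at the end label to confirm the keytab is still closed exactly once on every exit path, otherwise the use after free is traded for a leaked keytab handle per request. The Description header would also benefit from one sentence saying which later use or close of keytab made the early calls unsafe.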




NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_s390x.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: rust-cbindgen_0.8.7-1~deb9u1_armhf.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_mipsel.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_mips64el.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_armhf.changes
  ACCEPT
Processing changes file: cargo_0.35.0-2~deb9u2_mips.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_armel.changes
  ACCEPT



Bug#942106: (some kind of) transition: add python3.8 as a supported python3 version

2019-10-26 Thread Rebecca N. Palmer

On 26/10/2019 22:50, Matthias Klose wrote:

> Ubuntu already dropped python-pandas, I wasn't involved with that.
This seems to have been done by the "let things break" approach that 
isn't allowed in Debian, e.g. they can no longer build python-matplotlib:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934870
https://launchpad.net/ubuntu/+source/matplotlib2/2.2.4-2/+build/17968574

pandas is part of the big tangle discussed in
https://lists.debian.org/debian-python/2019/10/msg00092.html

I haven't yet had time to investigate whether it can be removed from 
that tangle (by e.g. dropping Build-Depends and accepting skipped tests).


There's also the possibility that upgrading pandas to 0.25 will break 
API enough to break some reverse dependencies.


I intend to look into this tomorrow.



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_amd64.changes
  ACCEPT
Processing changes file: cargo_0.35.0-2~deb9u2_arm64.changes
  ACCEPT
Processing changes file: cargo_0.35.0-2~deb9u2_ppc64el.changes
  ACCEPT



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_all.changes
  ACCEPT
Processing changes file: cargo_0.35.0-2~deb9u2_i386.changes
  ACCEPT



Bug#942106: (some kind of) transition: add python3.8 as a supported python3 version

2019-10-26 Thread Matthias Klose

On 26.10.19 22:09, Rebecca N. Palmer wrote:
> What should be done with modules where Python 3.8 compatibility requires moving
> to a new upstream release that doesn't support Python 2, but the Python 2
> package still has dependencies (so can't be removed yet under existing rules)?
>
> - Split them into two source packages with different upstream versions, as was
> done for matplotlib and numpy?
> - Remove the Python 2 package anyway?
> - Let them be broken in Python 3.8 for now?
>
> e.g. pandas dropped python2 support in 0.25.0, and gained python3.8 support in
> 0.25.2:
>
> https://github.com/pandas-dev/pandas/issues/29043


yes, that will be an ongoing problem, I see the same for pillow (latest 2.7 
supporting release is 6.2.1) and numpy (1.16 not supporting 3.8, and 1.17 not 
supporting 2.7).


> Ubuntu got pandas 0.23 to build with python3.8, but only by ignoring 268 test
> failures (I haven't yet had time to assess their severity):
>
> https://bugs.launchpad.net/ubuntu/+source/pandas/+bug/1849374
> https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/amd64/p/pandas/20191024_181815_7c017@/log.gz


yes, https://bugs.launchpad.net/bugs/1849374 documents where I ignored test 
results for a first build, and numpy test results are ignored as well due to a 
packaging bug.


Ubuntu already dropped python-pandas, I wasn't involved with that. So this 
should be possible to do.  Please ask Steve Langasek for details. In the case 
for pandas it should be possible to remove it now with some work, avoiding a 
second Pandas source.


Having a first build in the archive allows you to get more packages built, and 
more people working on the stack. For example the whole astropy stack builds and 
passes tests (except astropy itself). So there is value. Let's enable to build 
stuff first for 3.8 as a supported non-default option.




Bug#942106: (some kind of) transition: add python3.8 as a supported python3 version

2019-10-26 Thread Scott Kitterman



On October 26, 2019 8:09:47 PM UTC, "Rebecca N. Palmer" wrote:
>What should be done with modules where Python 3.8 compatibility requires
>moving to a new upstream release that doesn't support Python 2, but the
>Python 2 package still has dependencies (so can't be removed yet under
>existing rules)?
>
>- Split them into two source packages with different upstream versions,
>as was done for matplotlib and numpy?
>- Remove the Python 2 package anyway?
>- Let them be broken in Python 3.8 for now?
>
>e.g. pandas dropped python2 support in 0.25.0, and gained python3.8
>support in 0.25.2:
>https://github.com/pandas-dev/pandas/issues/29043
>
>Ubuntu got pandas 0.23 to build with python3.8, but only by ignoring 268
>test failures (I haven't yet had time to assess their severity):
>https://bugs.launchpad.net/ubuntu/+source/pandas/+bug/1849374
>https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/amd64/p/pandas/20191024_181815_7c017@/log.gz

I certainly can't provide an authoritative answer to the question, but if it 
were me, unless there are important rdepends that might cause pandas to be kept 
if we end up not being able to completely ditch python2, I would drop the 
python-* package(s) and move on.  Transient support for things soon to be 
removed/updated isn't worth the trouble.

I haven't checked the rdepends, so I don't have any opinion about which case 
applies in this instance.

Scott K



Bug#942106: (some kind of) transition: add python3.8 as a supported python3 version

2019-10-26 Thread Rebecca N. Palmer
What should be done with modules where Python 3.8 compatibility requires 
moving to a new upstream release that doesn't support Python 2, but the 
Python 2 package still has dependencies (so can't be removed yet under 
existing rules)?


- Split them into two source packages with different upstream versions, 
as was done for matplotlib and numpy?

- Remove the Python 2 package anyway?
- Let them be broken in Python 3.8 for now?

e.g. pandas dropped python2 support in 0.25.0, and gained python3.8 
support in 0.25.2:

https://github.com/pandas-dev/pandas/issues/29043

Ubuntu got pandas 0.23 to build with python3.8, but only by ignoring 268 
test failures (I haven't yet had time to assess their severity):

https://bugs.launchpad.net/ubuntu/+source/pandas/+bug/1849374
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/amd64/p/pandas/20191024_181815_7c017@/log.gz



Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Markus Koschany

Am 26.10.19 um 18:38 schrieb Adam D. Barratt:
> On Sat, 2019-10-26 at 16:35 +0200, Markus Koschany wrote:
>>
>> Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
>> [...]
>>> What does the binary debdiff for that look like?
>>
>> The debdiff is 6 MB. It consists mostly of translation updates and
>> changes to the various ad blocker lists.
> 
> Preinst files of package webext-ublock-origin: lines which differ
> (wdiff format)
> -
> ---
> [-#!/bin/sh-]{+#! /bin/sh+}
> {+case "$1" in+}
> {+upgrade)+}
> {+  if dpkg --compare-versions "$2" lt 3.0-1; then+}
> 
> Why is the compared version there 3.0-1 when the extension is only at
> 1.22.2?

I don't know. I presume Michael wanted the preinst script to execute in
any circumstances?

Regards,

Markus





Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Adam D. Barratt
On Sat, 2019-10-26 at 16:35 +0200, Markus Koschany wrote:
> 
> Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
> [...]
> > What does the binary debdiff for that look like?
> 
> The debdiff is 6 MB. It consists mostly of translation updates and
> changes to the various ad blocker lists.

Preinst files of package webext-ublock-origin: lines which differ
(wdiff format)
-
---
[-#!/bin/sh-]{+#! /bin/sh+}
{+case "$1" in+}
{+upgrade)+}
{+  if dpkg --compare-versions "$2" lt 3.0-1; then+}

Why is the compared version there 3.0-1 when the extension is only at
1.22.2?

Regards,

Adam



NEW changes in oldstable-new

2019-10-26 Thread Debian FTP Masters
Processing changes file: cargo_0.35.0-2~deb9u2_source.changes
  ACCEPT



Processed: FTBFS with nettle 3.5.1

2019-10-26 Thread Debian Bug Tracking System
Processing control commands:

> block 941150 by -1
Bug #941150 [release.debian.org] transition: nettle
941150 was blocked by: 941101 940985 941041
941150 was not blocking any bugs.
Added blocking bug(s) of 941150: 943566

-- 
941150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941150
943566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943566
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Adam D. Barratt
Control: tags -1 -moreinfo

On Sat, 2019-10-26 at 16:46 +0200, Markus Koschany wrote:
> 
> Am 26.10.19 um 16:41 schrieb Adam D. Barratt:
> > On Sat, 2019-10-26 at 16:35 +0200, Markus Koschany wrote:
> > > Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
> > > [...]
> > > > What does the binary debdiff for that look like?
> > > 
> > > The debdiff is 6 MB. It consists mostly of translation updates
> > > and
> > > changes to the various ad blocker lists.
> > 
> > That sounds like the source debdiff. I was interested in the binary
> > debdiff of the resulting packages, to confirm whether there are any
> > changes to dependencies, other metadata, etc..
[...]
> There are no changes to dependencies or other metadata. It is just a
> Firefox/Chromium addon that embeds all necessary Javascript and fonts
> because of Firefox' sandbox mechanism that blocks symlinks to system
> libs.

Well then including it shouldn't have been an issue. In any case,
please go ahead.

Regards,

Adam



Processed: cargo 0.35.0-2~deb9u2 flagged for acceptance

2019-10-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 942841 = stretch pending
Bug #942841 [release.debian.org] stretch-pu: package cargo 0.35.0-2~deb9u1
Ignoring request to alter tags of bug #942841 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
942841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942841
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#942841: cargo 0.35.0-2~deb9u2 flagged for acceptance

2019-10-26 Thread Adam D Barratt
package release.debian.org
tags 942841 = stretch pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: cargo
Version: 0.35.0-2~deb9u2

Explanation: fix bootstrap for armhf



Processed: Re: Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #942349 [release.debian.org] buster-pu: package ublock-origin/1.18.4+dfsg-2
Removed tag(s) moreinfo.

-- 
942349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#943564: stretch-pu: package ublock-origin/1.16.14+dfsg-2~deb9u1

2019-10-26 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

similar to ublock-origin's buster-pu, there must be a pu for Stretch
as well.

See https://bugs.debian.org/942349 for further information. The
dependency on fonts-font-awesome has been removed. Due to the Firefox'
sandbox mechanism that prevents symlinks to external system
libs/fonts, we ship all necessary files with ublock-origin now.

Regards,

Markus



Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Markus Koschany


Am 26.10.19 um 16:41 schrieb Adam D. Barratt:
> On Sat, 2019-10-26 at 16:35 +0200, Markus Koschany wrote:
>>
>> Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
>> [...]
>>> What does the binary debdiff for that look like?
>>
>> The debdiff is 6 MB. It consists mostly of translation updates and
>> changes to the various ad blocker lists.
> 
> That sounds like the source debdiff. I was interested in the binary
> debdiff of the resulting packages, to confirm whether there are any
> changes to dependencies, other metadata, etc..
> 
> Regards,
> 
> Adam

There are no changes to dependencies or other metadata. It is just a
Firefox/Chromium addon that embeds all necessary Javascript and fonts
because of Firefox' sandbox mechanism that blocks symlinks to system libs.

Markus






Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Tue, 2019-10-15 at 00:05 +0200, Markus Koschany wrote:
> there will be a new Firefox ESR version in Buster and Stretch soon.
> Unfortunately the popular Firefox/Chromium addon ublock-origin in
> Buster and Stretch will not work anymore with Firefox 68. Chromium
> users are not affected. This is Debian bug
> 
> https://bugs.debian.org/925337
> 
> I propose to backport the current version in testing to Buster and
> Stretch to resolve the issue. This is really straightforward because
> ublock-origin is a leaf package that consists mostly of Javascript,
> HTML and some CSS files.

What does the binary debdiff for that look like?

> If you agree with the backport I will upload
> 
> 1.22.2+dfsg-1~deb10u1 to Buster
> 
> and
> 
> 1.22.2+dfsg-1~deb9u1 to Stretch

Note that a stretch update needs a second p-u bug. Each bug tracks a
single upload.

Regards,

Adam



Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Adam D. Barratt
On Sat, 2019-10-26 at 16:35 +0200, Markus Koschany wrote:
> 
> Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
> [...]
> > What does the binary debdiff for that look like?
> 
> The debdiff is 6 MB. It consists mostly of translation updates and
> changes to the various ad blocker lists.

That sounds like the source debdiff. I was interested in the binary
debdiff of the resulting packages, to confirm whether there are any
changes to dependencies, other metadata, etc..

Regards,

Adam



Processed: Re: Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #942349 [release.debian.org] buster-pu: package ublock-origin/1.18.4+dfsg-2
Added tag(s) moreinfo.

-- 
942349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#939364: stretch-pu: package python-acme/0.28.0-1~deb9u2

2019-10-26 Thread Adam D. Barratt
On Fri, 2019-10-25 at 19:21 +0100, Adam D. Barratt wrote:
> On Fri, 2019-10-25 at 10:58 -0700, Brad Warren wrote:
> > I’m an upstream maintainer of python-acme.
> > 
> > Both Let’s Encrypt [1] and the Certbot client which uses this
> > library encourage people to use Let’s Encrypt’s staging endpoint to
> > test that they have things working correctly before using Let’s
> > Encrypt’s production endpoint which has strict rate limits. Certbot
> > uses the staging endpoint when --dry-run is provided which we tell
> > all Debian Stretch users to use [2] and we have been doing so for
> > years.
> 
> Thanks for the extra context.

I've included a draft for an SUA below; comments welcome.

For reference, previous announcements can be found via the web archives
at https://lists.debian.org/debian-stable-announce/

Regards,

Adam

---
Debian Stable Updates Announcement SUA 173-1 https://www.debian.org
debian-release@lists.debian.org   Harlan Lieberman-Berg
October 26th, 2019
---

Package  : python-acme
Version  : 0.28.0-1~deb9u2
Importance   : high

python-acme is part of an implementation of the ACME protocol, as used
by the Let's Encrypt certification authority to issue TLS certificates.

The ACME protocol has deprecated support for the use of unauthenticated
GET requests in favour of authenticated POST requests. On November 1st,
Let's Encrypt's staging ACME v2 endpoint will stop supporting the older
protocol, with the production endpoint following at a later point. The
staging endpoint is used by applications such as certbot in order to
perform tests before issuing a certificate.

This update moves python-acme to use the newer protocol.

If you use python-acme, we strongly recommend that you install this
update.

Upgrade Instructions


You can get the updated packages by adding the stable-updates archive
for your distribution to your /etc/apt/sources.list:

 deb http://deb.debian.org/debian stretch-updates main
 deb-src http://deb.debian.org/debian stretch-updates main

You can also use any of the Debian archive mirrors.  See
https://www.debian.org/mirrors/list for the full list of mirrors.

For further information about stable-updates, please refer to
https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at debian-release@lists.debian.org



Bug#942349: buster-pu: package ublock-origin/1.18.4+dfsg-2

2019-10-26 Thread Markus Koschany


Am 26.10.19 um 16:27 schrieb Adam D. Barratt:
[...]
> What does the binary debdiff for that look like?

The debdiff is 6 MB. It consists mostly of translation updates and
changes to the various ad blocker lists.
> 
>> If you agree with the backport I will upload
>>
>> 1.22.2+dfsg-1~deb10u1 to Buster
>>
>> and
>>
>> 1.22.2+dfsg-1~deb9u1 to Stretch
> 
> Note that a stretch update needs a second p-u bug. Each bug tracks a
> single upload.

I will file another bug report for a stretch-pu shortly.

Regards.

Markus





Processed: block 941150 with 941101 940985 941041, tagging 940985

2019-10-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 941150 with 941101 940985 941041
Bug #941150 [release.debian.org] transition: nettle
941150 was not blocked by any bugs.
941150 was not blocking any bugs.
Added blocking bug(s) of 941150: 941041, 941101, and 940985
> tags 940985 + ftbfs
Bug #940985 [dnsmasq] dnsmasq WFTBFS: Accesses ECC curves directly
Added tag(s) ftbfs.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
940985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940985
941150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems