Bug#984788: (pre-approval) unblock: octave/6.2.0-1

2021-03-08 Thread Sébastien Villemot
Hi Paul !

On Monday 08 March 2021 at 22:17 +0100, Paul Gevers wrote:
> On 08-03-2021 13:19, Sébastien Villemot wrote:
> > This is a pre-approval request for unblocking package octave, version 6.2.0-1
> > 
> > Currently, bullseye contains a hand-crafted mercurial snapshot of octave.
> > Uploading a snapshot was made necessary because the previous official release
> > (6.1.0) had serious bugs, which were fixed in the mercurial repository.
> > 
> > Since then, a new official upstream bugfix release has been made (6.2.0). For
> > various reasons, it would be better to ship an official release in bullseye,
> > hence this request.
> > 
> > The debdiff is attached. I have filtered out all unrelevant stuff (copyright
> > header changes, regenerated files).
> 
> What you showed looks OK. Under the assumption that the upload happens
> in the next week or so, go ahead.

Thanks, I have made the upload.

-- 
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  https://sebastien.villemot.name
⠈⠳⣄  https://www.debian.org





NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: fwupdate-amd64-signed_12+4+deb10u2_source.changes
  ACCEPT
Processing changes file: fwupdate-arm64-signed_12+4+deb10u2_source.changes
  ACCEPT
Processing changes file: fwupdate-i386-signed_12+4+deb10u2_source.changes
  ACCEPT
Processing changes file: linux-signed-i386_4.19.177+1_source.changes
  ACCEPT



NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: libbsd_0.9.1-2+deb10u1_amd64.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_i386.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: libbsd_0.9.1-2+deb10u1_s390x.changes
  ACCEPT



Re: Bug#984546: cpl-plugin-hawki-calib: move downloader package to contrib

2021-03-08 Thread Sean Whitton
Hello,

On Mon 08 Mar 2021 at 04:55PM -07, Sean Whitton wrote:

> On Thu 04 Mar 2021 at 09:00PM +01, Andreas Beckmann wrote:
>
>> cpl-plugin-hawki-calib is a downloader package and needs to be moved to
>> contrib. All other cpl-plugin-*-calib packages are already in contrib.
>
> I just reached this package during NEW processing.  Could we get a
> release team ACK on letting this into unstable at the current stage of
> the freeze, please?

ACKed by ivodd in #debian-release.

-- 
Sean Whitton




Re: Bug#984546: cpl-plugin-hawki-calib: move downloader package to contrib

2021-03-08 Thread Sean Whitton
Hello,

On Thu 04 Mar 2021 at 09:00PM +01, Andreas Beckmann wrote:

> cpl-plugin-hawki-calib is a downloader package and needs to be moved to
> contrib. All other cpl-plugin-*-calib packages are already in contrib.

I just reached this package during NEW processing.  Could we get a
release team ACK on letting this into unstable at the current stage of
the freeze, please?

-- 
Sean Whitton




Bug#984837: unblock: gsoap/2.8.104-3

2021-03-08 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I have submitted an update for the gsoap package, back-porting several
fixes for CVEs from upstream. It fixes the RC bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596

Due to the current soft freeze, the migration delay is 10 days, which
would mean 18 March. However the hard freeze starts March 12, after
which migration requires an explicit unblock. Hence this unblock
request.

Due to the RC bug, the package is marked for auto-removal, together
with many packages that depend on it:

Marked for autoremoval on 11 April: #983596 high
Version 2.8.104-2 of gsoap is marked for autoremoval from testing on
Sun 11 Apr 2021. It is affected by #983596. The removal of gsoap will
also cause the removal of (transitive) reverse dependencies:
arc-gui-clients, cgsi-gsoap, davix, gfal2, gridsite,
lcas-lcmaps-gt4-interface, lcmaps, lcmaps-plugins-basic,
lcmaps-plugins-jobrep, lcmaps-plugins-verify-proxy, lcmaps-plugins-voms,
myproxy, nordugrid-arc, nordugrid-arc-nagios-plugins,
openstack-cluster-installer, srm-ifce, voms, voms-mysql-plugin, xrootd.
You should try to prevent the removal by fixing these RC bugs.

I hope you will consider unblocking the update.

Debdiff attached.

Mattias

diff -Nru gsoap-2.8.104/debian/changelog gsoap-2.8.104/debian/changelog
--- gsoap-2.8.104/debian/changelog	2020-07-25 08:30:12.0 +0200
+++ gsoap-2.8.104/debian/changelog	2021-03-08 14:06:23.0 +0100
@@ -1,3 +1,12 @@
+gsoap (2.8.104-3) unstable; urgency=high
+
+  * Backporting upstream fixes (Closes: #983596)
+- Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578
+- Fixes CVE: CVE-2020-13576
+  * Urgency high due to fixing RC bug
+
+ -- Mattias Ellert   Mon, 08 Mar 2021 14:06:23 +0100
+
 gsoap (2.8.104-2) unstable; urgency=medium
 
   * Re-upload source only
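
Review bot: the 2.8.104-3 entry does not say which patch file carries which fix; the CVEs are split over two "Fixes CVE" lines, with CVE-2020-13576 on its own, and no patch name appears against either. Naming the file under debian/patches next to each group would let a reviewer map a CVE to the code that closes it without opening the patches.
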
diff -Nru gsoap-2.8.104/debian/control gsoap-2.8.104/debian/control
--- gsoap-2.8.104/debian/control	2020-07-22 15:23:55.0 +0200
+++ gsoap-2.8.104/debian/control	2021-03-08 14:06:23.0 +0100
@@ -13,7 +13,7 @@
 Build-Depends-Indep:
  doxygen,
  graphviz
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Section: devel
 Vcs-Browser: https://salsa.debian.org/ellert/gsoap
 Vcs-Git: https://salsa.debian.org/ellert/gsoap.git
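
Review bot: the Standards-Version bump from 4.5.0 to 4.5.1 is unrelated to the CVE backports and is not listed in the 2.8.104-3 changelog entry. For an upload that needs an unblock, either drop it so the delta is limited to the security fixes, or add a changelog line for it.
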
diff -Nru gsoap-2.8.104/debian/copyright gsoap-2.8.104/debian/copyright
--- gsoap-2.8.104/debian/copyright	2020-07-22 15:23:55.0 +0200
+++ gsoap-2.8.104/debian/copyright	2021-03-08 14:06:23.0 +0100
@@ -171,7 +171,7 @@
 Files: debian/*
 Copyright:
  2003-2007, Thomas Wana 
- 2011-2020, Mattias Ellert 
+ 2011-2021, Mattias Ellert 
 License: GPL-2+
  On Debian systems, the complete text of the GPL version 2 license can be
  found in '/usr/share/common-licenses/GPL-2'.
diff -Nru gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch
--- gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch	2021-03-08 11:28:34.0 +0100
@@ -0,0 +1,336 @@
+diff -ur gsoap2-code-r191/gsoap/plugin/httpda.c gsoap2-code-r192/gsoap/plugin/httpda.c
+--- gsoap2-code-r191/gsoap/plugin/httpda.c	2020-06-30 21:06:47.0 +0200
 gsoap2-code-r192/gsoap/plugin/httpda.c	2020-11-19 19:29:25.0 +0100
+@@ -1460,7 +1460,7 @@
+   MUTEX_LOCK(http_da_session_lock);
+ 
+   for (session = http_da_session; session; session = session->next)
+-if (!strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque))
++if (session->realm && session->nonce && session->opaque && !strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque))
+   break;
+ 
+   if (session)
+diff -ur gsoap2-code-r191/gsoap/plugin/wsaapi.c gsoap2-code-r192/gsoap/plugin/wsaapi.c
+--- gsoap2-code-r191/gsoap/plugin/wsaapi.c	2020-06-30 21:06:47.0 +0200
 gsoap2-code-r192/gsoap/plugin/wsaapi.c	2020-11-19 19:29:25.0 +0100
+@@ -1056,7 +1056,7 @@
+   oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address;
+   }
+   /* use FaultTo */
+-  if (oldheader && oldheader->SOAP_WSA(FaultTo) && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI))
++  if (oldheader && oldheader->SOAP_WSA(FaultTo) && oldheader->SOAP_WSA(FaultTo)->Address && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI))
+ return soap_send_empty_response(soap, SOAP_OK); /* HTTP ACCEPTED */
+   soap->header = NULL;
+   /* allocate a new header */
+diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.c gsoap2-code-r192/gsoap/plugin/wsseapi.c
+--- gsoap2-code-r191/gsoap/plugin/wsseapi.c	2020-10-16 23:01:09.0 +0200
 gsoap2-code-r192/gsoap/plugin/wsseapi.c	2020-11-19 19:29:25.0 +0100
+@@ -2957,7 +2957,7 @@
+ else
+ {
+   /* check 
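
Review bot: in the httpda.c hunk the new condition guards session->realm, session->nonce and session->opaque, but the right-hand arguments realm, nonce and opaque still go to strcmp() unchecked in the lines shown; if any of them can arrive NULL from the caller the same crash remains, so either check them before the loop or confirm the caller already rejects NULL. The patch file also starts directly at "diff -ur" with no header, so a short description naming the upstream revisions (r191 to r192 per the paths) and the CVEs it addresses would help later triage.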

Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-08 Thread Sebastian Andrzej Siewior
On 2021-03-08 18:54:22 [+0100], Paul Gevers wrote:
> Hi,
Hi,

> Please upload to unstable. As said, we'll let it age a bit there.

Thanks, uploaded.

> Paul

Sebastian



Bug#983918: buster-pu: package libbsd/0.9.1-2

2021-03-08 Thread Adam D. Barratt
I somehow missed that libbsd produces a udeb when I was processing
stable-new, so CCing KiBi and -boot now.

Regards,

Adam

On Wed, 2021-03-03 at 12:05 +0100, Gianfranco Costamagna wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: buster
> Severity: normal
> 
> CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1
> and
> for bullseye, sid with version 0.10.0-1
> Buster has been left out from the patches, and since the patch is
> trivial, I propose to apply it for buster too
> 
> 
> diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
> --- libbsd-0.9.1/debian/changelog 2019-02-25 01:33:03.0
> +0100
> +++ libbsd-0.9.1/debian/changelog 2021-03-03 12:03:12.0
> +0100
> @@ -1,3 +1,12 @@
> +libbsd (0.9.1-2+deb10u1) buster; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * CVE-2019-20367
> +A non-NUL terminated symbol name in the string table might
> +result in a out-of-bounds read.
> +
> + -- Gianfranco Costamagna   Wed, 03 Mar
> 2021 12:03:12 +0100
> +
>  libbsd (0.9.1-2) unstable; urgency=medium
>  
>* Perform a proper and correct /usr-merge transition by moving the
> package
> diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch libbsd-
> 0.9.1/debian/patches/CVE-2019-20367.patch
> --- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch  1970-01-01
> 01:00:00.0 +0100
> +++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch  2021-03-03
> 12:00:40.0 +0100
> @@ -0,0 +1,42 @@
> +From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00
> 2001
> +From: Guillem Jover 
> +Date: Wed, 7 Aug 2019 22:58:30 +0200
> +Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
> +
> +When doing a string comparison for a symbol name from the string
> table,
> +we should make sure we do a bounded comparison, otherwise a non-NUL
> +terminated string might make the code read out-of-bounds.
> +
> +Warned-by: coverity
> +---
> + src/nlist.c | 6 --
> + 1 file changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/nlist.c b/src/nlist.c
> +index 8aa46a2..228c220 100644
> +--- a/src/nlist.c
>  b/src/nlist.c
> +@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
> + symsize -= cc;
> + for (s = sbuf; cc > 0 && nent > 0; ++s, cc -=
> sizeof(*s)) {
> + char *name;
> ++Elf_Word size;
> + struct nlist *p;
> + 
> + name = strtab + s->st_name;
> + if (name[0] == '\0')
> + continue;
> ++size = symstrsize - s->st_name;
> + 
> + for (p = list; !ISLAST(p); p++) {
> + if ((p->n_un.n_name[0] == '_' &&
> +-strcmp(name, p->n_un.n_name+1) ==
> 0)
> +-|| strcmp(name, p->n_un.n_name) ==
> 0) {
> ++ strncmp(name, p->n_un.n_name+1,
> size) == 0) ||
> ++strncmp(name, p->n_un.n_name, size)
> == 0) {
> + elf_sym_to_nlist(p, s, shdr,
> + ehdr.e_shnum);
> + if (--nent <= 0)
> +-- 
> +GitLab
> +
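
Review bot: size is computed as symstrsize - s->st_name only after name = strtab + s->st_name has been formed and name[0] has been read, and nothing in the visible context checks s->st_name against symstrsize. With an st_name at or beyond symstrsize, name[0] is already read out of bounds, and for larger values the result stored in the Elf_Word size wraps to a huge bound, leaving strncmp() effectively unbounded. A guard such as "if (s->st_name >= symstrsize) continue;" ahead of the name assignment would close that case; worth checking whether upstream has a follow-up for it.
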
> diff -Nru libbsd-0.9.1/debian/patches/series libbsd-
> 0.9.1/debian/patches/series
> --- libbsd-0.9.1/debian/patches/series1970-01-01
> 01:00:00.0 +0100
> +++ libbsd-0.9.1/debian/patches/series2021-03-03
> 12:01:48.0 +0100
> @@ -0,0 +1 @@
> +CVE-2019-20367.patch



Bug#984501: unblock: libqb/2.0.3-1

2021-03-08 Thread Sebastian Ramacher
Control: tags -1 confirmed

On 2021-03-04 11:59:35 +0100, Ferenc Wágner wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libqb
> 
> Dear Release Team,
> 
> Upstream made a new minor release of libqb yesterday.  Since a new
> upload wouldn't migrate before the hard freeze with the current 10 day
> delay, I'm asking for an unblock in advance.
> 
> 2.0.3 contains a single new feature extending the API and ABI in a
> backwards-compatible way with a message-id parameter, which isn't the
> main reason for this request.
> 
> Included are two doxygen2man fixes, one of them already present in the
> current 2.0.2-1 package as a Debian patch, and another fixing a groff
> error in libqb's own manual pages.
> 
> The really interesting stuff is a memory safety fix in the internal
> strlcpy() implementation and a more thorough cleanup procedure, which
> avoids filling up /dev/shm with stale files in certain error and
> recovery conditions.
> 
> Locking errors (insufficient locking) are also fixed in the timer code,
> and the unit tests are extended appropriately.
> 
> The last fix corrects another unit test but entails no change in
> behaviour.
> 
> It would be possible to cherry pick the fix commits into Debian patches
> leaving out the final one adding the new API, but I'd prefer the
> cleaner solution of uploading 2.0.3 at this stage.

The changes look ok. Under the assumption that the upload happens soon,
please go ahead.

Cheers

> 
> debdiff against the package in testing:
> 
> diff -Nru libqb-2.0.2/ChangeLog libqb-2.0.3/ChangeLog
> --- libqb-2.0.2/ChangeLog 2020-12-03 14:07:32.0 +0100
> +++ libqb-2.0.3/ChangeLog 2021-03-03 09:34:26.0 +0100
> @@ -1,3 +1,57 @@
> +2021-03-03  Christine Caulfield  
> +
> + release: bump library version for 2.0.3 release
> +
> +2021-03-01  Aleksei Burlakov  
> + root  
> +
> + syslog: Add a message-id parameter for messages (#433)
> + The message-id parameter will enable systemd catalogs.
> + To enable message-id's the libqb should be configured with the
> +  --enable-systemd-journal option.
> +
> +2021-02-08  Chrissie Caulfield  
> +
> + tests: Fix up resources.test (#435)
> + resources.test has not checked the right filenames for a while.
> + Fix this, and also make sure we don't count (but remove) the dlock
> + test files.
> +
> + timers: Add some locking (#436)
> + Fix several locking issues reported by helgrind
> +
> +2021-01-25  Chrissie Caulfield  
> +
> + ipcc: Have a few goes at tidying up after a dead server (#434)
> + This is an attempt to make sure that /dev/shm is cleaned up when a
> + server exits unexpectedly. Normally it's the server's responsibility
> + to tidy up sockets, but if it crashes or is killed with SIGKILL then
> + the client (us) makes a reasonable attempt to tidy up the server sockets
> + we have connected. The extra delay here just gives the server chance to
> + disappear fully. As a client we can get here pretty quickly but shutting
> + down a large server may take a little longer even when SIGKILLed.
> + The 1/100th of a second is an arbitrary delay (of course) but seems to
> + catch most servers in 2 tries or less.
> +
> +2021-01-13  Chrissie Caulfield  
> +
> + strlcpy: Check for maxlen underflow (#432)
> + * strlcpy: Check for maxlen underflow
> + https://github.com/ClusterLabs/libqb/issues/429
> + * Always terminate the string if maxlen is > 0
> +
> +2021-01-07  Chrissie Caulfield  
> +
> + doxygen2man: fix printing of lines starting with '.' (#431)
> + if a line starts with a '.' (eg the '...' in qbarray.h) then
> + nroff thinks it's looking for a macro called '..'.
> + The easiest solution is to add a dummy format at the start of the line
> + (just adding \ seems not to work).
> +
> +2021-01-04  wferi  
> +
> + doxygen2man: ignore all-whitespace brief descriptions (#430)
> +
>  2020-12-03  Christine Caulfield  
>  
>   lib: Update library version for 2.0.2 release
> diff -Nru libqb-2.0.2/configure libqb-2.0.3/configure
> --- libqb-2.0.2/configure 2020-12-03 14:07:14.0 +0100
> +++ libqb-2.0.3/configure 2021-03-03 09:34:07.0 +0100
> @@ -1,6 +1,6 @@
>  #! /bin/sh
>  # Guess values for system-dependent variables and create Makefiles.
> -# Generated by GNU Autoconf 2.69 for libqb 2.0.2.
> +# Generated by GNU Autoconf 2.69 for libqb 2.0.3.
>  #
>  # Report bugs to .
>  #
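
Review bot: configure is generated output (its own header in this hunk says "Generated by GNU Autoconf 2.69"), so the 2.0.2 to 2.0.3 string changes here and in the hunks that follow carry nothing to review. Filtering regenerated files out of the debdiff would keep the request focused on the strlcpy, ipcc cleanup and timer locking changes listed in the ChangeLog.
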
> @@ -590,8 +590,8 @@
>  # Identity of this package.
>  PACKAGE_NAME='libqb'
>  PACKAGE_TARNAME='libqb'
> -PACKAGE_VERSION='2.0.2'
> -PACKAGE_STRING='libqb 2.0.2'
> +PACKAGE_VERSION='2.0.3'
> +PACKAGE_STRING='libqb 2.0.3'
>  PACKAGE_BUGREPORT='develop...@clusterlabs.org'
>  PACKAGE_URL=''
>  
> @@ -1426,7 +1426,7 @@
># Omit some internal or obsolete options to make the list less imposing.
># This 

Processed: Re: Bug#984501: unblock: libqb/2.0.3-1

2021-03-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #984501 [release.debian.org] unblock: libqb/2.0.3-1
Added tag(s) confirmed.

-- 
984501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984501
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: avahi_0.7-4+deb10u1_mips64el-buildd.changes
  ACCEPT



Bug#984788: (pre-approval) unblock: octave/6.2.0-1

2021-03-08 Thread Paul Gevers
Control: tags -1 confirmed

Hi Sébastien,

On 08-03-2021 13:19, Sébastien Villemot wrote:
> This is a pre-approval request for unblocking package octave, version 6.2.0-1
> 
> Currently, bullseye contains a hand-crafted mercurial snapshot of octave.
> Uploading a snapshot was made necessary because the previous official release
> (6.1.0) had serious bugs, which were fixed in the mercurial repository.
> 
> Since then, a new official upstream bugfix release has been made (6.2.0). For
> various reasons, it would be better to ship an official release in bullseye,
> hence this request.
> 
> The debdiff is attached. I have filtered out all unrelevant stuff (copyright
> header changes, regenerated files).

What you showed looks OK. Under the assumption that the upload happens
in the next week or so, go ahead.

Paul





Processed: Re: Bug#984788: (pre-approval) unblock: octave/6.2.0-1

2021-03-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #984788 [release.debian.org] (pre-approval) unblock: octave/6.2.0-1
Added tag(s) confirmed.

-- 
984788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#984834: unblock firmware-nonfree 20210208-3 upload

2021-03-08 Thread maximilian attems
Package: release.debian.org
Thanks

please unblock firmware-nonfree 20210208-3

it is the version that has the relevant firmware packages for
the targeted version of linux in bullseye.

It will need a small amount of fixes on top that are prepared
in git and will be uploaded as soon as it has migrated.

thank you.

-- 
maks




NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: avahi_0.7-4+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: avahi_0.7-4+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: fwupdate_12-4+deb10u2_amd64-buildd.changes
  ACCEPT
Processing changes file: fwupdate_12-4+deb10u2_arm64-buildd.changes
  ACCEPT
Processing changes file: fwupdate_12-4+deb10u2_i386-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_amd64-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_arm64-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_armhf-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_i386-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_mips-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_mips64el-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_mipsel-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_ppc64el-buildd.changes
  ACCEPT
Processing changes file: linux-signed-amd64_4.19.177+1_amd64-buildd.changes
  ACCEPT
Processing changes file: linux-signed-arm64_4.19.177+1_arm64-buildd.changes
  ACCEPT



NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: avahi_0.7-4+deb10u1_s390x.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_all.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_armel-buildd.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_s390x.changes
  ACCEPT



NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: libbsd_0.9.1-2+deb10u1_source.changes
  ACCEPT
Processing changes file: ruby-mechanize_2.7.6-1+deb10u1_amd64.changes
  ACCEPT



Processed: ruby-mechanize 2.7.6-1+deb10u1 flagged for acceptance

2021-03-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 983113 = buster pending
Bug #983113 [release.debian.org] buster-pu: package 
ruby-mechanize/2.7.6-1+deb10u1
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
983113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#983918: libbsd 0.9.1-2+deb10u1 flagged for acceptance

2021-03-08 Thread Adam D Barratt
package release.debian.org
tags 983918 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: libbsd
Version: 0.9.1-2+deb10u1

Explanation: fix out-of-bounds read issue [CVE-2019-20367]



Processed: libbsd 0.9.1-2+deb10u1 flagged for acceptance

2021-03-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 983918 = buster pending
Bug #983918 [release.debian.org] buster-pu: package libbsd/0.9.1-2
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
983918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#983113: ruby-mechanize 2.7.6-1+deb10u1 flagged for acceptance

2021-03-08 Thread Adam D Barratt
package release.debian.org
tags 983113 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: ruby-mechanize
Version: 2.7.6-1+deb10u1

Explanation: fix command injection issue [CVE-2021-21289]



Processed: more info is provided

2021-03-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 984635 - moreinfo
Bug #984635 [release.debian.org] unblock: tqdm/4.57.0-2
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
984635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread Paul Gevers
Hi

On 08-03-2021 20:50, maximilian attems wrote:
> so please unblock firmware-nonfree 20210208-3

Please file a bug, as this message has a high chance to get lost (the
volume of traffic is rising) as it's not actionable right now.

Paul





Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread maximilian attems
> https://udd.debian.org/cgi-bin/key_packages.yaml.cgi disagrees. The
> release team uses this list as the canonical source for the
> implementation for the automatic blocks.

so please unblock firmware-nonfree 20210208-3

it is the version that has the relevant firmware packages for
the targeted version of linux in bullseye.

It will need a small amount of fixes on top that are prepared
in git and will be uploaded as soon as it has migrated.

thank you.

-- 
maks




Bug#984679: marked as done (pre-approval: unblock elfutils/0.183-2)

2021-03-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Mar 2021 20:47:17 +0100
with message-id 
and subject line Re: Bug#984679: unblock elfutils/0.183-2
has caused the Debian Bug report #984679,
regarding pre-approval: unblock elfutils/0.183-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

Please unblock elfutils/0.183-2.

I have just uploaded this version to address
, which is
about enabling the use of https://debuginfod.debian.net by default if
the user chooses to do so when presented with a new debconf question.

This is not an upload of a new upstream version, but it adds a new
binary package (libdebuginfod-common) which holds the debconf
template for the new question.  The package is currently in NEW.

In all fairness, I am not entirely sure whether this requires an unblock
bug, but I decided to be safe and file one.

Thanks in advance,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/


--- End Message ---
--- Begin Message ---
On 2021-03-06 19:03:17 -0500, Sergio Durigan Junior wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Hi,
> 
> Please unblock elfutils/0.183-2.
> 
> I have just uploaded this version to address
> , which is
> about enabling the use of https://debuginfod.debian.net by default if
> the user chooses to do so when presented with a new debconf question.
> 
> This is not an upload of a new upstream version, but it adds a new
> binary package (libdebuginfod-common) which holds the debconf
> template for the new question.  The package is currently in NEW.
> 
> In all fairness, I am not entirely sure whether this requires an unblock
> bug, but I decided to be safe and file one.

It does, since elfutils is a key package.

It's too late in the cycle to add new binary to a key package. From the
discussion on debian-devel I understand that users can enable the
service without the new package. So I'd recommend to document
debuginfod.d.n and how to configure it in the release notes instead.

Cheers
-- 
Sebastian Ramacher


--- End Message ---


NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: avahi_0.7-4+deb10u1_amd64.changes
  ACCEPT
Processing changes file: fwupdate_12-4+deb10u2_source.changes
  ACCEPT
Processing changes file: linux-latest_105+deb10u10_source.changes
  ACCEPT
Processing changes file: linux-signed-amd64_4.19.177+1_source.changes
  ACCEPT
Processing changes file: linux-signed-arm64_4.19.177+1_source.changes
  ACCEPT



Bug#982796: avahi 0.7-4+deb10u1 flagged for acceptance

2021-03-08 Thread Adam D Barratt
package release.debian.org
tags 982796 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: avahi
Version: 0.7-4+deb10u1

Explanation: remove avahi-daemon-check-dns mechanism, no longer needed



Processed: avahi 0.7-4+deb10u1 flagged for acceptance

2021-03-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 982796 = buster pending
Bug #982796 [release.debian.org] buster-pu: package avahi/0.7-4
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
982796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread Paul Gevers
Hi maks,

On 08-03-2021 19:46, maximilian attems wrote:
> non-free packages were never considered key by Debian afair.

https://udd.debian.org/cgi-bin/key_packages.yaml.cgi disagrees. The
release team uses this list as the canonical source for the
implementation for the automatic blocks.

Paul





Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread maximilian attems
On Mon, Mar 08, 2021 at 06:52:33PM +0100, Paul Gevers wrote:
> On 08-03-2021 10:39, maximilian attems wrote:
> > Tomorrow once firmware-nonfree has migrated 20210208-4 will be uploaded
> > with important small fixes to Raspberry Pi 4B and BananaPi M2 ultra and
> > BananaPi M3 supports. As all changes are quite small and current window
> > allows important fixes, I do not expect to need an unblock.
> 
> Ehm, firmware-nonfree is a key package. If the upload didn't happen
> somewhere before 2-3-2021 it will require an unblock.

the upload of 20210208-3 happened on 26/2/2021 [1].
[1] https://tracker.debian.org/pkg/firmware-nonfree

the next upload will happen *after* 2-3-2021, as it is planned for
tomorrow. non-free packages were never considered key by Debian afair.
of course I am happy to ask for unblock for 20210208-4 should that be.

best,

-- 
maks




Re: Issues regarding input methods for Bullseye

2021-03-08 Thread Shengjing Zhu
On Mon, Mar 8, 2021 at 6:45 AM Holger Wansing  wrote:
>
> Hi all,
>
> currently we have 4 bugreports open regarding input methods:
>
> #983704 Switch to fcitx5 for Simplified and Traditional Chinese desktop
> #941624 Recommending ibus breaks fcitx
> #983653 task-japanese-gnome-desktop: no Japanese input method available out 
> of the box
> #982175 task-japanese-desktop: should explicitly prefer mozc over anthy
>
> This correlates with Gnome's changing to Recommends: ibus.
>
> So, what's the way to solve these issues for Bullseye?
> What are the options?
>
> 1. Since Gnome only supports ibus, all relevant languages would need to get
>an ibus-* package installed, to run Gnome.
>Would that work? Is ibus working fine for all relevant languages?
>
> 2. There are of course people, who don't want to use ibus, but fcitx or uim.
>    In that case, would it be ok, to install both (ibus + fcitx|uim) ?
>It has been stated, that it's no problem, when more than one input method
>is installed, im-config is there to take care of that.
>
> 3. Getting Gnome reverting the Recommends:ibus dependency is probably no
>longer possible in this development status of Bullseye ... (?)
>
> 4. What about other desktop environments?
>Apart from the fcitx -> fcitx5 switch, are there any other changings
>needed?
>
> 5. 

Just FTR, as there's another thread in #983695.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983695#85

It may be better to recommend gnome-initial-setup for gnome tasks like
task-korean-gnome-desktop, to work around that ibus doesn't have a
default config for all languages.



Processed: Re: Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #983071 [release.debian.org] unblock: xz-utils/5.2.5-1.1
Added tag(s) confirmed.

-- 
983071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983071
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-08 Thread Paul Gevers
Control: tags -1 confirmed

Hi,

On 04-03-2021 12:32, Paul Gevers wrote:
> What I *think* we're going to do is accept the package in unstable, but
> have it age a bit in unstable before unblocking (which is going to
> happen automatically due to the hard freeze).

Please upload to unstable. As said, we'll let it age a bit there.

Paul





Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread Paul Gevers
Hi,

On 08-03-2021 10:39, maximilian attems wrote:
> Tomorrow once firmware-nonfree has migrated 20210208-4 will be uploaded
> with important small fixes to Raspberry Pi 4B and BananaPi M2 ultra and
> BananaPi M3 supports. As all changes are quite small and current window
> allows important fixes, I do not expect to need an unblock.

Ehm, firmware-nonfree is a key package. If the upload didn't happen
somewhere before 2-3-2021 it will require an unblock.

Paul





NEW changes in stable-new

2021-03-08 Thread Debian FTP Masters
Processing changes file: gnome-chemistry-utils_0.14.17-6_source.changes
  REJECT



Re: Issues regarding input methods for Bullseye

2021-03-08 Thread Shengjing Zhu
On Mon, Mar 8, 2021 at 11:52 PM Holger Wansing  wrote:
>
> On 8 March 2021 at 16:34:54 CET, Shengjing Zhu wrote:
> >I just looked at tasksel, but it seems it's not straightforward to
> >implement,
> >1. install ibus for GNOME
> >2. install other input method for DE except GNOME.
> >Since it seems hard to express all DE without GNOME, except
> >enumerating them?
>
> I guess it would go like this:
>
> 1. install the IM method preferred by language team
> for all DE
>
> 2. install (additionally) ibus-* , if DE is Gnome.
>
> That way we would have two IM systems installed
> for Gnome, but im-config would take care of that just
> fine, since ibus is the preferred choice.
>
> And for all other DEs we had that IM installed, what's
> preferred by the language team.
>
> Would that be reasonable?

Agree, it seems it's the feasible option currently.

But we need to add some new packages, task--gnome-desktop, for
languages which prefer non-ibus.

Which are:
1. task-amharic-gnome-desktop, *maybe NEW*, I didn't find amharic for ibus?
2. task-chinese-s-gnome-desktop, *NEW*, probably ibus-libpinyin
3. task-chinese-t-gnome-desktop, *NEW*, probably ibus-chewing
4. task-kannada-gnome-desktop, *NEW*, probably ibus-m17n
5. task-malayalam-gnome-desktop, *maybe NEW*, I didn't find malayalam for ibus?
6. task-telugu-gnome-desktop, already has, probably ibus-m17n
7. task-japanese-gnome-desktop, already has, patch in #983653

@Release Team, could you look at this? It's OK for these new packages.

-- 
Shengjing Zhu



Re: Issues regarding input methods for Bullseye

2021-03-08 Thread Holger Wansing
On 8 March 2021 at 16:34:54 CET, Shengjing Zhu wrote:
>I just looked at tasksel, but it seems it's not straightforward to
>implement,
>1. install ibus for GNOME
>2. install other input method for DE except GNOME.
>Since it seems hard to express all DE without GNOME, except
>enumerating them?

I guess it would go like this:

1. install the IM method preferred by language team
for all DE

2. install (additionally) ibus-* , if DE is Gnome.

That way we would have two IM systems installed
for Gnome, but im-config would take care of that just
fine, since ibus is the preferred choice.

And for all other DEs we had that IM installed, what's
preferred by the language team.

Would that be reasonable?


Holger


Hi,
-- 
Sent from /e/ Mail on Fairphone3



Your "gnome-chemistry-utils" stable upload

2021-03-08 Thread Adam D. Barratt
Hi,

I noticed that you've uploaded 0.14.17-6 to stable:

Base version: gnome-chemistry-utils_0.14.17-1.1
Target version: gnome-chemistry-utils_0.14.17-6
[...]
 18 files changed, 12939 insertions(+), 44 deletions(-)

diff -Nru gnome-chemistry-utils-0.14.17/debian/changelog 
gnome-chemistry-utils-0.14.17/debian/changelog
--- gnome-chemistry-utils-0.14.17/debian/changelog  2018-10-27 
22:35:58.0 +
+++ gnome-chemistry-utils-0.14.17/debian/changelog  2021-03-08 
14:06:12.0 +
@@ -1,3 +1,69 @@
+gnome-chemistry-utils (0.14.17-6) buster; urgency=medium
+
+  * d/patches/gchempaint-merge-molecules-fix.patch: Add patch.
+- Fix Merge molecules functionality in gchempaint (thanks to
+  Jean Bréfort).
+  * d/patches/series: Enable new patch.
+
+ -- Daniel Leidert   Mon, 08 Mar 2021 15:06:12 +0100
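Review bot: the new top entry targets `buster` with version 0.14.17-6, which carries no stable-update suffix, and the hunk header `@@ -1,3 +1,69 @@` adds 66 changelog lines, so every revision between 0.14.17-1.1 and 0.14.17-6 would land in stable at once (18 files changed, 12939 insertions). If a stable fix for the gchempaint merge-molecules bug is intended, base it on the version already in buster, carry only d/patches/gchempaint-merge-molecules-fix.patch, and use a +deb10u1 style version; otherwise the distribution field should not be `buster`.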

I assume this was either intended for unstable or a local repo?

Regards,

Adam



Re: Issues regarding input methods for Bullseye

2021-03-08 Thread Shengjing Zhu
Hi,

On Mon, Mar 8, 2021 at 6:39 PM Shengjing Zhu  wrote:
>
> On Mon, Mar 8, 2021 at 5:05 PM Holger Wansing  wrote:
> >
> > Hi,
> >
> > Shengjing Zhu  wrote (Mon, 8 Mar 2021 13:14:26 +0800):
> > > IMO, we have 3 choices here:
> > >
> > > 1. All languages in tasksel should have a separate task for GNOME, and
> > > a separate task for other DE.
> > >
> > >    The GNOME task installs ibus related language modules. And the
> > > other DE task installs the local team preferred input method and the
> > > corresponding language module.
> > >
> > >    This is my preference, since the choice of GNOME upstream and
> > > maintainer shouldn't have influence on other DE. But we also respect
> > > the GNOME upstream and maintainer's choice.
> > >
> > >    However currently only Japanese has the standalone GNOME task.
> >
> > This option requires to add new binary packages to tasksel, if I understand
> > correctly, but that is no longer possible for Bullseye, due to the freeze,
> > right?

I just looked at tasksel, but it seems it's not straightforward to implement,
1. install ibus for GNOME
2. install other input method for DE except GNOME.
Since it seems hard to express all DE without GNOME, except enumerating them?

-- 
Shengjing Zhu



Processed: submitter 981664

2021-03-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> submitter 981664 rol...@debian.org
Bug #981664 [release.debian.org] buster-pu: package privoxy/3.0.28-2
Changed Bug submitter to 'rol...@debian.org' from 'Roland Rosenfeld 
'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
981664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#984648: unblock: packages with unversioned python dependencies

2021-03-08 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #984648 {Done: Paul Gevers } [release.debian.org] 
unblock: packages with unversioned python dependencies
Bug reopened
Ignoring request to alter fixed versions of bug #984648 to the same values 
previously set

-- 
984648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#984648: unblock: packages with unversioned python dependencies

2021-03-08 Thread Matthias Klose
Control: reopen -1

there are more packages to fix/unblock:

 - b-d on python-dev,
   #942912, bagel, has a fix in the VCS

 - #942960, announced NMU, but never NMU'd
   now fixed in catch/1.12.1-1.1

 - #936950, link-checker, reopened

 - apertium-arg-cat, filed new #984785
   fixed in 0.2.0-2

 - apertium-separable, filed new #984786
   fixed in 0.3.6-2



Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-03-08 Thread Roland Rosenfeld
Hi release team!

In the meantime privoxy 3.0.32 was released, which contains five more
CVEs. I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while
CVE-2021-20274 applies to code that was introduced in 3.0.29, so it
doesn't affect buster.

An updated version of my patch is attached.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.0 +0100
@@ -1,3 +1,41 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+(CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+the buffer limit is reached or Privoxy is running out of memory
+(CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+(CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+that could result in a crash if accept-intercepted-requests was
+enabled, Privoxy failed to get the request destination from the Host
+header and a memory allocation failed (CVE-2021-20213).
+  * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+when client tags are configured and memory allocations fail
+(CVE-2021-20214).
+  * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler
+when memory allocations fail (CVE-2021-20215).
+  * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+triggered with a crafted CGI request (CVE-2021-20272).
+  * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+Prevents a crash with a crafted CGI request if Privoxy is toggled off
+(CVE-2021-20273).
+  * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+size two (CVE-2021-20275).
+  * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+(CVE-2021-20276).
+
+ -- Roland Rosenfeld   Mon, 08 Mar 2021 13:57:15 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
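Review bot: the 39_decompress_iob entry is the only one in this block without a CVE or bug reference, and "Fix detection of insufficient data" does not say why it belongs in a stable update; state its impact or name the fix it is a prerequisite for. The tense also varies between entries ("Fixes a memory leak" in 44_CVE-2021-20211 against "Fixed" elsewhere) and is worth making uniform.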
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml 
privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
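Review bot: debian/gitlab-ci.yml is deleted in full here, but the 3.0.28-2+deb10u1 changelog entry lists only the numbered patches and never mentions this removal. Either document the deletion in the changelog or drop it from the stable diff, since it is unrelated to the fixes being proposed.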
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 
privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   2021-03-08 
13:57:15.0 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil 
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: 
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+parse_cgi_parameters(): Make sure the maximum number of segments is large 
enough
+
+... for ssplit() to succeed.
+
+Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
 b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ *  The same hack is used in get_last_url() so it looks like
+ *  a real solution is needed.
+ */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-  /*
+-   * XXX: If the argstring is empty, there's really
+-   *  no point in creating a param list, but currently
+-   *  other parts of Privoxy depend on the list's existence.
+-   */
+-  max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+cgi_params = new_map();
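Review bot: the retained context comment says the same hack is used in get_last_url(), yet this patch changes only parse_cgi_parameters(); confirm whether get_last_url() sizes its segment vector with the same `strlen(...) / 2` and needs the `+ 1` as well. The new line also silently replaces the removed `max_segments == 0` special case, so a one-line comment explaining that `+ 1` covers both the empty argstring and the odd-length case would keep the reasoning that the deleted XXX note used to carry.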
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch 
privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- 

Bug#960396: web security flaws in src:adminer/4.7.1-1 in stable?

2021-03-08 Thread Alexandre Rossi
Hi,

Here is an updated debdiff per the security team advice adding also
changes from the original request.

Adding fixes for:

Fix open redirect if Adminer is accessible at //adminer.php%2F@
https://github.com/vrana/adminer/commit/6a2de873e194cf4bf3f2edb489ba98580a17a632

Fix XSS if Adminer is accessible at URL /data
https://github.com/vrana/adminer/commit/789ebc07bdac01ab8b99ad831eba872849eaa7fe

CVE-2020-35572

CVE-2021-21311

Thanks,

Alex


adminer_4.7.1-1+deb10u1.debian.tar.xz
Description: application/xz


Bug#984790: buster-pu: package libreoffice/1:6.1.5-3+deb10u7

2021-03-08 Thread Rene Engelhard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984703.

The Security Team suggests fixing this via the next point release
instead of a DSA, so here it is :-)

Diff:

diff -Nru libreoffice-6.1.5/debian/changelog libreoffice-6.1.5/debian/changelog
--- libreoffice-6.1.5/debian/changelog  2020-02-01 15:13:43.0 +0100
+++ libreoffice-6.1.5/debian/changelog  2021-03-08 13:13:24.0 +0100
@@ -1,3 +1,11 @@
+libreoffice (1:6.1.5-3+deb10u7) buster; urgency=medium
+
+  * debian/patches/fix-PYTHONPATH.diff: backport upstream fix to
+not leave a bare trailing : in PYTHONPATH as it causes unconditional
+loading of encodings.py from . (closes: #984703)
+
+ -- Rene Engelhard   Mon, 08 Mar 2021 13:13:24 +0100
+
 libreoffice (1:6.1.5-3+deb10u6) buster; urgency=medium
 
   * debian/patches/glm-0.9.9-ctor.diff: add from master, fix opengl slide
diff -Nru libreoffice-6.1.5/debian/patches/fix-PYTHONPATH.diff 
libreoffice-6.1.5/debian/patches/fix-PYTHONPATH.diff
--- libreoffice-6.1.5/debian/patches/fix-PYTHONPATH.diff1970-01-01 
01:00:00.0 +0100
+++ libreoffice-6.1.5/debian/patches/fix-PYTHONPATH.diff2021-03-08 
00:15:24.0 +0100
@@ -0,0 +1,66 @@
+From f463cbd6ea2fd8ab80b812425eb05ae83fa6a426 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= 
+Date: Fri, 19 Jun 2020 11:32:00 +0100
+Subject: tdf#121384 don't leave a bare trailing : in PYTHONPATH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and don't insert any empty path entries if that situation
+was to arise
+
+Change-Id: I8d8183485f457c3e4385181fee07390c4bfef603
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/96707
+Reviewed-by: Tomáš Chvátal 
+Reviewed-by: Adolfo Jayme Barrientos 
+Tested-by: Jenkins
+(cherry picked from commit b72705d5391b849fc70a0a4cac33523c0ea5d054)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/96803
+Tested-by: Stephan Bergmann 
+Reviewed-by: Stephan Bergmann 
+---
+ pyuno/source/loader/pyuno_loader.cxx | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pyuno/source/loader/pyuno_loader.cxx 
b/pyuno/source/loader/pyuno_loader.cxx
+index ffdb81143961..e35148f8ddbc 100644
+--- a/pyuno/source/loader/pyuno_loader.cxx
 b/pyuno/source/loader/pyuno_loader.cxx
+@@ -145,6 +145,7 @@ static void setPythonHome ( const OUString & pythonHome )
+ static void prependPythonPath( const OUString & pythonPathBootstrap )
+ {
+ OUStringBuffer bufPYTHONPATH( 256 );
++bool bAppendSep = false;
+ sal_Int32 nIndex = 0;
+ while( true )
+ {
+@@ -160,15 +161,24 @@ static void prependPythonPath( const OUString & 
pythonPathBootstrap )
+ }
+ OUString systemPath;
+ osl_getSystemPathFromFileURL( fileUrl.pData, &(systemPath.pData) );
+-bufPYTHONPATH.append( systemPath );
+-bufPYTHONPATH.append( static_cast(SAL_PATHSEPARATOR) );
++if (!systemPath.isEmpty())
++{
++if (bAppendSep)
++
bufPYTHONPATH.append(static_cast(SAL_PATHSEPARATOR));
++bufPYTHONPATH.append(systemPath);
++bAppendSep = true;
++}
+ if( nNew == -1 )
+ break;
+ nIndex = nNew + 1;
+ }
+ const char * oldEnv = getenv( "PYTHONPATH");
+ if( oldEnv )
++{
++if (bAppendSep)
++bufPYTHONPATH.append( static_cast(SAL_PATHSEPARATOR) 
);
+ bufPYTHONPATH.append( OUString(oldEnv, strlen(oldEnv), 
osl_getThreadTextEncoding()) );
++}
+ 
+ OUString envVar("PYTHONPATH");
+ OUString envValue(bufPYTHONPATH.makeStringAndClear());
+-- 
+cgit v1.2.1
+
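Review bot: in the final block, `if( oldEnv )` is also true when PYTHONPATH is set but empty, so with bAppendSep set the code still appends SAL_PATHSEPARATOR followed by nothing and leaves the bare trailing separator this patch is meant to remove. An inherited value that itself begins or ends with the separator, or contains two in a row, is likewise copied through unchanged. Suggest testing `oldEnv && *oldEnv` and deciding whether empty entries inside the inherited value should be filtered the same way as the bootstrap entries.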
diff -Nru libreoffice-6.1.5/debian/patches/series 
libreoffice-6.1.5/debian/patches/series
--- libreoffice-6.1.5/debian/patches/series 2020-02-01 14:28:40.0 
+0100
+++ libreoffice-6.1.5/debian/patches/series 2021-03-08 00:19:35.0 
+0100
@@ -65,3 +65,4 @@
 allow-link-updates-in-an-intermediate-linked-document.diff
 Postgresql-12-no-adsrc.diff
 glm-0.9.9-ctor.diff
+fix-PYTHONPATH.diff

Regards,

Rene



Re: ruby-vcr: DFSG violation (Hippocratic license)

2021-03-08 Thread Antonio Terceiro
On Mon, Mar 08, 2021 at 02:50:18PM +0530, Pirate Praveen wrote:
> 
> 
> On 2021, March 8 1:24:48 AM IST, Antonio Terceiro wrote:
[...]
> >I don't think that will be needed. I reverted to 5.0.0 locally, added a
> >few patches, and at least all of our reverse dependencies seem to pass
> >their tests with it:
> >
> >
> >=  Testing reverse (build) dependencies
> >
> >
> >rebuild  nanoc   ... PASS
> >rebuild  ruby-coveralls  ... PASS
> >autopkgtest  ruby-faraday... PASS
> >rebuild  ruby-graphlient ... PASS
> >rebuild  ruby-mixlib-install ... PASS
> >rebuild  ruby-octokit... PASS
> >
> >So in principle we could fix this issue without touching anything else.
> 
> Thanks. Are you waiting for an ack from release team to upload it?

No, I will upload it soon™.




Re: Issues regarding input methods for Bullseye

2021-03-08 Thread Shengjing Zhu
On Mon, Mar 8, 2021 at 5:05 PM Holger Wansing  wrote:
>
> Hi,
>
> Shengjing Zhu  wrote (Mon, 8 Mar 2021 13:14:26 +0800):
> > IMO, we have 3 choices here:
> >
> > 1. All languages in tasksel should have a separate task for GNOME, and
> > a separate task for other DE.
> >
> >    The GNOME task installs ibus related language modules. And the
> > other DE task installs the local team preferred input method and the
> > corresponding language module.
> >
> >    This is my preference, since the choice of GNOME upstream and
> > maintainer shouldn't have influence on other DE. But we also respect
> > the GNOME upstream and maintainer's choice.
> >
> >    However currently only Japanese has the standalone GNOME task.
>
> This option requires to add new binary packages to tasksel, if I understand
> correctly, but that is no longer possible for Bullseye, due to the freeze,
> right?

Let's loop debian-release@ as well.

Dear RT, the thread is started from
https://lists.debian.org/msgid-search/20210307232906.14715b8e982b03f94068d...@mailbox.org

I think there's always another option,

4. Document the incorrect default behavior of GNOME DE in the
release-notes. Tell the user to change the input method manually after
installing. And if something strange happens, uninstall ibus by hand.

-- 
Shengjing Zhu



Re: Update luajit to git master version

2021-03-08 Thread YunQiang Su
John Paul Adrian Glaubitz wrote on Mon, Mar 8, 2021 at 5:57 PM:
>
> Hello YunQiang!
>
> On 3/8/21 10:50 AM, YunQiang Su wrote:
> > I upload the cur exp version to unstable with 2 days delay.
>
> That's probably not such a good idea at this point of the release.
>
> You should better check back with the release team as we're in the middle
> of a freeze.

OK, dcuted. and CC release team.

>
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
>


-- 
YunQiang Su



Re: firmware-nonfree 20210208-1 upload

2021-03-08 Thread maximilian attems
Tomorrow once firmware-nonfree has migrated 20210208-4 will be uploaded
with important small fixes to Raspberry Pi 4B and BananaPi M2 ultra and
BananaPi M3 supports. As all changes are quite small and current window
allows important fixes, I do not expect to need an unblock.

best,

-- 
maks




Re: ruby-vcr: DFSG violation (Hippocratic license)

2021-03-08 Thread Pirate Praveen



On 2021, March 8 1:24:48 AM IST, Antonio Terceiro wrote:
>On Sun, Mar 07, 2021 at 11:01:16PM +0530, Pirate Praveen wrote:
>> [adding release team]
>> 
>> On Sun, Mar 7, 2021 at 10:49 pm, Utkarsh Gupta  wrote:
>> > Hi Praveen,
>> > 
>> > On Sun, Mar 7, 2021 at 10:15 PM Pirate Praveen
>> >  wrote:
>> > >  It looks like we will have to remove ruby-vcr and we will have to
>> > >  disable tests for the following packages. I don't think there is
>> > >  another way, thoughts?
>> > 
>> > Maybe worth opening an issue upstream and discuss the cons of this
>> > change or something? Or if that doesn't work out
>> > and we need this
>> 
>> I doubt discussing with upstream will yield any positive outcome as this is
>> a specific philosophical movement.
>> 
>> See https://github.com/vcr/vcr/pull/792
>> and
>> https://github.com/vcr/vcr/issues/804
>> 
>> > package or something, would forking be an option?
>> 
>> https://github.com/vcr/vcr/blob/master/CHANGELOG.md#510-feb-5-2020
>> 
>> We will have to go back to 5.0 and someone will have to maintain it
>> independently.
>> 
>> Hi Release team,
>> 
>> Do you think this needs to be fixed before bullseye? If yes, do you agree to
>> change the reverse dependencies listed in my previous message to this bug?
>
>I don't think that will be needed. I reverted to 5.0.0 locally, added a
>few patches, and at least all of our reverse dependencies seem to pass
>their tests with it:
>
>
>=  Testing reverse (build) dependencies
>
>
>rebuild  nanoc   ... PASS
>rebuild  ruby-coveralls  ... PASS
>autopkgtest  ruby-faraday... PASS
>rebuild  ruby-graphlient ... PASS
>rebuild  ruby-mixlib-install ... PASS
>rebuild  ruby-octokit... PASS
>
>So in principle we could fix this issue without touching anything else.

Thanks. Are you waiting for an ack from release team to upload it?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Bug#984740: marked as done (nmu: cnrun_2.1.0-1)

2021-03-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Mar 2021 10:45:29 +0200
with message-id 

and subject line Re: Bug#984740: nmu: cnrun_2.1.0-1
has caused the Debian Bug report #984740,
regarding nmu: cnrun_2.1.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu cnrun_2.1.0-1 . ANY . experimental . -m "Rebuild against libgsl25."

Depends on libgsl23 which is cruft.

Andreas
--- End Message ---
--- Begin Message ---
On Mon, 8 Mar 2021 at 00:03, Andreas Beckmann  wrote:
> nmu cnrun_2.1.0-1 . ANY . experimental . -m "Rebuild against libgsl25."

Scheduled, thanks.
--- End Message ---


Bug#984739: marked as done (nmu: singular_1:4.1.2-p1+ds-2)

2021-03-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Mar 2021 10:44:35 +0200
with message-id 

and subject line Re: Bug#984739: nmu: singular_1:4.1.2-p1+ds-2
has caused the Debian Bug report #984739,
regarding nmu: singular_1:4.1.2-p1+ds-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984739: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984739
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu singular_1:4.1.2-p1+ds-2 . ANY . experimental . -m "Rebuild against 
libflint-2.6.1."

libflint-2.5.2 is gone ...

Andreas
--- End Message ---
--- Begin Message ---
On Sun, 7 Mar 2021 at 23:51, Andreas Beckmann  wrote:
> nmu singular_1:4.1.2-p1+ds-2 . ANY . experimental . -m "Rebuild against 
> libflint-2.6.1."

Scheduled, thanks.
--- End Message ---


Bug#984738: marked as done (nmu: eeshow_0.git20170731-2)

2021-03-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Mar 2021 10:43:21 +0200
with message-id 

and subject line Re: Bug#984738: nmu: eeshow_0.git20170731-2
has caused the Debian Bug report #984738,
regarding nmu: eeshow_0.git20170731-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984738: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu eeshow_0.git20170731-2 . ANY . experimental . -m "Rebuild against libgit2 
1.1"

That package still depends on no longer available libgit2-27

Andreas
--- End Message ---
--- Begin Message ---
On Sun, 7 Mar 2021 at 23:33, Andreas Beckmann  wrote:
> nmu eeshow_0.git20170731-2 . ANY . experimental . -m "Rebuild against libgit2 
> 1.1"

Scheduled, thanks.
--- End Message ---


Bug#984737: marked as done (nmu: mupen64plus-video-glide64mk2_2.5.9-1)

2021-03-08 Thread Debian Bug Tracking System
Your message dated Mon, 8 Mar 2021 10:42:14 +0200
with message-id 

and subject line Re: Bug#984737: nmu: mupen64plus-video-glide64mk2_2.5.9-1
has caused the Debian Bug report #984737,
regarding nmu: mupen64plus-video-glide64mk2_2.5.9-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
984737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu mupen64plus-video-glide64mk2_2.5.9-1 . ANY . experimental . -m "Rebuild 
against Boost 1.74"

That package still depends on Boost 1.67 packages.


Andreas
--- End Message ---
--- Begin Message ---
On Sun, 7 Mar 2021 at 23:30, Andreas Beckmann  wrote:
> nmu mupen64plus-video-glide64mk2_2.5.9-1 . ANY . experimental . -m "Rebuild 
> against Boost 1.74"

Scheduled, thanks.
--- End Message ---