Bug#984899: buster-pu: package hwloc-contrib/1.11.12-3+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Hello,
I have uploaded a proposed 1.11.12-3+deb10u1 version of hwloc-contrib
for buster.
[ Reason ]
PowerPC systems provide much better bandwidth between CPUs and NVIDIA
GPUs thanks to NVLink, they are thus currently very often used for
running NVIDIA GPUs (top500.org has a lot of them for instance). But
hwloc currently does not show NVIDIA GPUs on ppc64el because the
hwloc-contrib package is not getting built there. This makes it much
harder for applications to determine the locality of GPUs in the system
and thus where to place data etc. to get efficient execution.
This is not a regression over oldstable, which did not have it built on
ppc64el either.
[ Impact ]
If this isn't included, people will have to build hwloc by hand to get
the locality information and thus efficient execution.
[ Tests ]
The hwloc-contrib package has a full testsuite which I could run on a
ppc64el system.
[ Risks ]
There is no risk for the only other arch (amd64), because the change
disables the libcuda1 build-dep only on ppc64el, and it drops libcuda
from the link of a test which is not getting shipped anyway.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
There is no libcuda1 on ppc64el, so this dependency had to be disabled.
This disables one test (cuda), but otherwise the functionalities of the
built package are the same.
The cudart test used to be linked against libcuda, but that was actually
spurious, upstream doesn't link it against libcuda any more since a long
time actually.
With regards,
Samuel
diff -Nru hwloc-contrib-1.11.12/debian/changelog
hwloc-contrib-1.11.12/debian/changelog
--- hwloc-contrib-1.11.12/debian/changelog 2019-02-09 00:46:55.0
+0100
+++ hwloc-contrib-1.11.12/debian/changelog 2021-03-10 00:22:29.0
+0100
@@ -1,3 +1,11 @@
+hwloc-contrib (1.11.12-3+deb10u1) buster; urgency=medium
+
+ * control: Enable build on ppc64el with libcuda1 build-dep disabled.
+ * patches/cuda-ppc64el: Upstream fix for cudart test that does not actually
+need libcuda1.
+
+ -- Samuel Thibault Wed, 10 Mar 2021 00:22:29 +0100
+
hwloc-contrib (1.11.12-3) unstable; urgency=medium
* control: Add libcuda1 dependency, not brought by nvidia-cuda-dev any more.
diff -Nru hwloc-contrib-1.11.12/debian/control
hwloc-contrib-1.11.12/debian/control
--- hwloc-contrib-1.11.12/debian/control2019-02-09 00:46:06.0
+0100
+++ hwloc-contrib-1.11.12/debian/control2021-03-09 23:55:17.0
+0100
@@ -3,7 +3,7 @@
Maintainer: Samuel Thibault
Build-Depends: debhelper (>= 9), libltdl-dev,
valgrind [amd64 arm64 armhf i386 mips mipsel powerpc ppc64el s390x mips64el
ppc64],
- libx11-dev, libxext-dev, nvidia-cuda-dev, libcuda1, libxnvctrl-dev,
+ libx11-dev, libxext-dev, nvidia-cuda-dev, libcuda1 [!ppc64el],
libxnvctrl-dev,
libpciaccess-dev, pkg-config,
libibverbs-dev [linux-any],
ocl-icd-opencl-dev [!hurd-i386] | opencl-dev, opencl-headers,
@@ -18,7 +18,7 @@
Vcs-Browser: https://github.com/open-mpi/hwloc-debian/tree/contrib
Package: libhwloc-contrib-plugins
-Architecture: amd64
+Architecture: amd64 ppc64el
Multi-Arch: same
Depends: ${shlibs:Depends}, ${misc:Depends}, libhwloc5 (>=
${source:Upstream-Version}~), libhwloc5 (<< ${source:Upstream-Version}A)
Description: Hierarchical view of the machine - contrib plugins
diff -Nru hwloc-contrib-1.11.12/debian/patches/cuda-ppc64el
hwloc-contrib-1.11.12/debian/patches/cuda-ppc64el
--- hwloc-contrib-1.11.12/debian/patches/cuda-ppc64el 1970-01-01
01:00:00.0 +0100
+++ hwloc-contrib-1.11.12/debian/patches/cuda-ppc64el 2021-03-10
00:21:15.0 +0100
@@ -0,0 +1,21 @@
+commit 542fb5677723e13980056ea5f1023b5120bd2e0d
+Author: Samuel Thibault
+Date: Wed Mar 10 00:20:05 2021 +0100
+
+tests/cudart: Do not link against libcuda
+
+ppc64el doesn't have libcuda and the cudart test does not need it anyway.
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index cc9ce5039..5129b8a34 100644
+--- a/tests/Makefile.am
b/tests/Makefile.am
+@@ -104,7 +104,7 @@ openfabrics_verbs_LDADD = $(LDADD) -libverbs
+ myriexpress_LDADD = $(LDADD) -lmyriexpress
+ opencl_LDADD = $(LDADD) $(HWLOC_OPENCL_LIBS) $(HWLOC_OPENCL_LDFLAGS)
+ cuda_LDADD = $(LDADD) -lcuda
+-cudart_LDADD = $(LDADD) -lcuda -lcudart
++cudart_LDADD = $(LDADD) -lcudart
+ nvml_LDADD = $(LDADD) -lnvidia-ml
+ hwloc_bind_LDADD = $(LDADD)
+ if HWLOC_HAVE_PTHREAD
diff -Nru hwloc-contrib-1.11.12/debian/patches/series
hwloc-contrib-1.11.12/debian/patches/series
--- hwloc-contrib-1.11.12/debian/patches/series 2019-02-09 00:46:08.0
+0100
+++ hwloc-contrib-1.11.12/debian/patches/series 2021-03-10 00:02:11.0
+0100
@@ -1,2 +1,3 @@
Bug#984896: buster-pu: package jquery/3.3.1~dfsg-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Dear Release Team,
[ Reason ]
I would like to fix CVE-2020-11022 and CVE-2020-11023. The same fix has
been prepared for stretch and will be uploaded concurrently with the
buster fix. The security team has marked these issues as no-dsa.
[ Impact ]
jquery would be vulnerable if not approved.
[ Tests ]
Backported patch was reviewed and approved by the Debian package
maintainers. Sadly, no reproducers were released.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them, along with the
maintainers of jquery
[x] attach debdiff against the package in (old)stable
[N/A] the issue is verified as fixed in unstable (jquery is not
present in unstable/testing)
Regards,
- -Roberto
-BEGIN PGP SIGNATURE-
iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmBH//4ACgkQldFmTdL1
kULu7w/+KzQq0SMV/rDPj/BUs+wyoeqGfvLiMhOcA019wDblB17wW2x/4kWQWCMa
75tXD7kep+6b1lLNBPj75fcC9xHNiV9XTGgAwViHOBQ85bxfbc1Zi0YEnXfrgjeG
vi1xtHeLUNgDrCG/+UQP8qJn7+asURfism9v1WhmH93jd8+J9AleHOvUR0WjUVz2
tKIHXPBNQ0yDbJO34HXzvXio7IvJxXlNZ+ivK0AlUQVwam1LThy+tCk4hob8NXQg
JGvomGG/GDbMnQ/yNMc3IRHVDas0nLbmaa026kcHE05pQjhdPYOYckL/Jl5MW84s
5L+foc1dfAi7A4a3Bo898FDkaJqD41VCAgKjUbjD0aBc38D310ksqGlep3scOqn0
uX5GUCWcvTg05OHCKGrd28YyYckUDDRaL1Ln0MtSfYGQGgG3DyXqAGpAPCxA6PeW
gGMuBDy3t68kkCQoAqYzqkpn/oTS+3T6LWm35/c2X5FJAChM9gsDAaJ3IaofX84x
pzPu6VX7O3cPLMaV7cBKj4Ix85iBdKNHKRZlbruiCxRtzWgiMyyDLhsaj4Fbp989
hWddYqdb6Wj01CCAoDkHvsfg6GuSd/WGiEt1MCP0EqDUQ6WRJjmugELCThYj7c3U
PXxNmveHtehpN7+5MG1lNlLJ8hLydLS5CfphwwCrsOF2+MfRzRk=
=WoIV
-END PGP SIGNATURE-
diff -Nru jquery-3.3.1~dfsg/debian/changelog jquery-3.3.1~dfsg/debian/changelog
--- jquery-3.3.1~dfsg/debian/changelog 2019-04-19 02:52:35.0 -0400
+++ jquery-3.3.1~dfsg/debian/changelog 2021-03-09 14:42:16.0 -0500
@@ -1,3 +1,13 @@
+jquery (3.3.1~dfsg-3+deb10u1) buster; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Prevent untrusted code execution when passing untrusted HTML to DOM
+manipulation methods. (CVE-2020-11022)
+ * Prevent untrusted code execution when passing HTML containing
+elements to DOM manipulation methods. (CVE-2020-11023)
+
+ -- Roberto C. Sánchez Tue, 09 Mar 2021 14:42:16 -0500
+
jquery (3.3.1~dfsg-3) unstable; urgency=medium
* Team upload
diff -Nru jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch
jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch
--- jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 1969-12-31
19:00:00.0 -0500
+++ jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 2021-03-09
14:42:16.0 -0500
@@ -0,0 +1,1749 @@
+From 1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
+
+Date: Mon, 16 Mar 2020 21:49:29 +0100
+Subject: [PATCH] Manipulation: Make jQuery.htmlPrefilter an identity function
+
+Closes gh-4642
+
+(cherry picked from 90fed4b453a5becdb7f173d9e3c1492390a1441f)
+---
+ src/manipulation.js | 9 +--
+ test/data/testinit.js | 2 +-
+ test/localfile.html | 2 +-
+ test/unit/ajax.js | 8 +--
+ test/unit/attributes.js | 46 ++---
+ test/unit/basic.js| 24 +++
+ test/unit/core.js | 14 ++--
+ test/unit/css.js | 112 +++
+ test/unit/data.js | 20 +++---
+ test/unit/deprecated.js | 2 +-
+ test/unit/dimensions.js | 30 -
+ test/unit/effects.js | 22 +++---
+ test/unit/event.js| 26 +++
+ test/unit/manipulation.js | 138 ++
+ test/unit/offset.js | 10 +--
+ test/unit/selector.js | 4 +-
+ test/unit/traversing.js | 22 +++---
+ test/unit/wrap.js | 12 ++--
+ 18 files changed, 246 insertions(+), 257 deletions(-)
+
+--- a/src/manipulation.js
b/src/manipulation.js
+@@ -32,13 +32,6 @@
+
+ var
+
+- /* eslint-disable max-len */
+-
+- // See https://github.com/eslint/eslint/issues/3229
+- rxhtmlTag =
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
+-
+- /* eslint-enable */
+-
+ // Support: IE <=10 - 11, Edge 12 - 13 only
+ // In IE/Edge using regex groups here causes severe slowdowns.
+ // See https://connect.microsoft.com/IE/feedback/details/1736512/
+@@ -235,7 +228,7 @@
+
+ jQuery.extend( {
+ htmlPrefilter: function( html ) {
+- return html.replace( rxhtmlTag, "<$1>" );
++ return html;
+ },
+
+ clone: function( elem, dataAndEvents, deepDataAndEvents ) {
+--- a/test/data/testinit.js
b/test/data/testinit.js
+@@ -244,7 +244,7 @@
+ }
+ wrapper.call( QUnit, title, function( assert ) {
+ var done = assert.async(),
+-
NEW changes in stable-new
Processing changes file: fwupdate_12-4+deb10u3_amd64-buildd.changes ACCEPT Processing changes file: fwupdate_12-4+deb10u3_arm64-buildd.changes ACCEPT Processing changes file: fwupdate_12-4+deb10u3_armhf-buildd.changes ACCEPT Processing changes file: fwupdate_12-4+deb10u3_i386-buildd.changes ACCEPT
Bug#984892: marked as done (unblock: libbio-db-ncbihelper-perl/1.7.6-4)
Your message dated Tue, 09 Mar 2021 21:09:46 + with message-id and subject line unblock libbio-db-ncbihelper-perl has caused the Debian Bug report #984892, regarding unblock: libbio-db-ncbihelper-perl/1.7.6-4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984892: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984892 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libbio-db-ncbihelper-perl [ Reason ] Current version of libbio-db-ncbihelper-perl in Testing, in version 1.7.6-2, is affected by release critical bugs #983239 and #984475. Due to the autopkgtest now marked "superficial", I don't expect it will reach Testing on it's own past the hard freeze date this Friday. [ Impact ] Removal of libbio-db-ncbihelper-perl from Testing would trigger the removal of bioperl, and the entire ecosystem of Med packages which are based on bioperl. That represents more than 40 source packages, some with relatively high popcon by Debian Med standards. [ Tests ] I manually ran the test needing Internet on version 1.7.6-4 in Sid and Testing, architectures amd64 and arm64 (schroot + qemu), and modulo the minor failing test which is triggered by events outside of our control and documented in #983239, they ran fine. I also ran the build and autopkgtest suite in normal conditions (superficial) without any issues on Sid and Testing, amd64 and arm64, just in case. [ Risks ] Changes affect diverse test suites to not depend on the network anymore, so should be more stable, yet superficial. Also, I don't see how the Breaks+Replace statement added to the control file could break the package (but I might be surprised of course). Overall I think the risk of upgrading the package in Testing is rather low. [ Checklist ] [*] all changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in testing [ Other info ] The similar libbio-db-embl-perl, which had the same transitive removal implications, made it's way to Testing fortunately. But I'm not too sure of the timing yet for libbio-db-biofetch-perl, nor it's impact on the bioperl ecosystem. I might open one other unblock request for libbio-db-biofetch-perl this week end if it turns out to be necessary. unblock libbio-db-ncbihelper-perl/1.7.6-4 Have a nice day, :) -- Étienne Mollier Fingerprint: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da Sent from /dev/pts/1, please excuse my verbosity. diff -Nru libbio-db-ncbihelper-perl-1.7.6/debian/changelog libbio-db-ncbihelper-perl-1.7.6/debian/changelog --- libbio-db-ncbihelper-perl-1.7.6/debian/changelog2020-01-05 07:56:13.0 +0100 +++ libbio-db-ncbihelper-perl-1.7.6/debian/changelog2021-03-04 09:01:01.0 +0100 @@ -1,3 +1,24 @@ +libbio-db-ncbihelper-perl (1.7.6-4) unstable; urgency=medium + + * Team upload. + * Breaks+Replaces: bioperl (<< 1.7.3) +Closes: #984475 + + -- Andreas Tille Thu, 04 Mar 2021 09:01:01 +0100 + +libbio-db-ncbihelper-perl (1.7.6-3) unstable; urgency=medium + + * Team upload. + * Prevent build time tests and autodep8-perl test to fetch resources on the +Internet. +Closes: #983238 + * Ensured autopkgtest remained offline, and marked the smoke test as +superficial, since all tests within are skipped without Internet access. + * Side-tracked maintainer notifications from debian-...@lists.debian.org to +debian-med-packag...@lists.alioth.debian.org like the other packages. + + -- Étienne Mollier Mon, 22 Feb 2021 22:45:11 +0100 + libbio-db-ncbihelper-perl (1.7.6-2) unstable; urgency=medium * Be more strict about the libbio-asn1-entrezgene-perl dependency diff -Nru libbio-db-ncbihelper-perl-1.7.6/debian/control libbio-db-ncbihelper-perl-1.7.6/debian/control --- libbio-db-ncbihelper-perl-1.7.6/debian/control 2020-01-05 07:55:51.0 +0100 +++ libbio-db-ncbihelper-perl-1.7.6/debian/control 2021-03-04 09:01:01.0 +0100 @@ -1,8 +1,7 @@ Source: libbio-db-ncbihelper-perl -Maintainer: Debian Med team -Uploaders: Michael R. Crusoe +Maintainer: Debian Med Packaging Team +Uploaders: Michael R. Crusoe Section: perl -Testsuite: autopkgtest-pkg-perl Priority: optional Build-Depends: debhelper-compat (= 12) Build-Depends-Indep: libbio-perl-perl, @@ -34,6 +33,8 @@ liburi-perl, libwww-perl, libxml-twig-perl +Breaks: bioperl (<< 1.7.3) +Replaces: bioperl (<< 1.7.3)
Bug#984895: unblock: geeqie/1.6-8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package geeqie
The version in unstable has a patch cherry-picked from upstream which
fixes showing images when using wayland, which has been problematic
before, and it hasn't worked with some combinations of wayland and
libclutter. This fixes two bugs (#983207, #977189) with severity
important (and I fully believe that more bugs would be reported on the
package if the fix isn't included).
The patch fixes showing only a white image on some setups (wayland),
which before the patch needs a setting change, or cli option to fix.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock geeqie/1.6-8
-- Andreas Rönnquist
gus...@debian.org
diff -Nru geeqie-1.6/debian/changelog geeqie-1.6/debian/changelog
--- geeqie-1.6/debian/changelog 2021-02-27 13:36:57.0 +0100
+++ geeqie-1.6/debian/changelog 2021-03-09 20:17:40.0 +0100
@@ -1,3 +1,11 @@
+geeqie (1:1.6-8) unstable; urgency=medium
+
+ * Add patch to make image visible on wayland too, independent on
+if we are using the clutter library or not
+(Closes: #983207, #977189)
+
+ -- Andreas Rönnquist Tue, 09 Mar 2021 20:17:40 +0100
+
geeqie (1:1.6-7) unstable; urgency=medium
* Add patch fixing regression --remote option failing
diff -Nru geeqie-1.6/debian/patches/0007-Fix-644-Images-fail-to-render-on-MacOS.patch geeqie-1.6/debian/patches/0007-Fix-644-Images-fail-to-render-on-MacOS.patch
--- geeqie-1.6/debian/patches/0007-Fix-644-Images-fail-to-render-on-MacOS.patch 1970-01-01 01:00:00.0 +0100
+++ geeqie-1.6/debian/patches/0007-Fix-644-Images-fail-to-render-on-MacOS.patch 2021-03-09 20:17:16.0 +0100
@@ -0,0 +1,317 @@
+From: Colin Clark
+Date: Sat, 6 Mar 2021 13:23:46 +
+Subject: Fix #644: Images fail to render on MacOS
+
+https://github.com/BestImageViewer/geeqie/issues/644
+
+Change the way the "draw" signal is handled.
+
+Overlay guidelines are disabled.
+
+This patch also fixes showing the image on Wayland, without it we often
+only get a white rectangle where the image was supposed to show.
+
+---
+ src/image-overlay.c | 51 +++--
+ src/renderer-tiles.c | 127 +++
+ 2 files changed, 143 insertions(+), 35 deletions(-)
+
+diff --git a/src/image-overlay.c b/src/image-overlay.c
+index 6116b5a..ff377e8 100644
+--- a/src/image-overlay.c
b/src/image-overlay.c
+@@ -202,7 +202,6 @@ gint image_osd_histogram_get_mode(ImageWindow *imd)
+ void image_osd_toggle(ImageWindow *imd)
+ {
+ OsdShowFlags show;
+-
+ if (!imd) return;
+
+ show = image_osd_get(imd);
+@@ -522,30 +521,32 @@ static GdkPixbuf *image_osd_guidelines_render(OverlayStateData *osd)
+ GdkPixbuf *rectangles;
+ ImageWindow *imd = osd->imd;
+
+- pixbuf_renderer_get_scaled_size((PixbufRenderer *)imd->pr, , );
+-
+- if (width && height)
+- {
+- rectangles = gdk_pixbuf_new(GDK_COLORSPACE_RGB, TRUE, 8, width, height);
+- if (rectangles)
+- {
+- pixbuf_set_rect_fill(rectangles, 0, 0, width, height, 255, 255, 255, 0);
+- pixbuf_set_rect(rectangles, 0, 0 + (height / 3), width, height / 3,
+-0, 0, 0, 255,
+-1, 1, 1, 1);
+- pixbuf_set_rect(rectangles, 0, 0 + (height / 3 + 1), width, height / 3 - 2,
+-255, 255, 255, 255,
+-1, 1, 1, 1);
+-
+- pixbuf_set_rect(rectangles, 0 + width / 3, 0 , width / 3, height,
+-0, 0, 0, 255,
+-1, 1, 1, 1);
+- pixbuf_set_rect(rectangles, 0 + width / 3 + 1, 0, width / 3 - 2, height,
+-255, 255, 255, 255,
+-1, 1, 1, 1);
+- return rectangles;
+- }
+- }
++/* FIXME: guidelines does not work with revised draw signal handling
++ */
++ //~ pixbuf_renderer_get_scaled_size((PixbufRenderer *)imd->pr, , );
++
++ //~ if (width && height)
++ //~ {
++ //~ rectangles = gdk_pixbuf_new(GDK_COLORSPACE_RGB, TRUE, 8, width, height);
++ //~ if (rectangles)
++ //~ {
++ //~ pixbuf_set_rect_fill(rectangles, 0, 0, width, height, 255, 255, 255, 0);
++ //~ pixbuf_set_rect(rectangles, 0, 0 + (height / 3), width, height / 3,
++//~ 0, 0, 0, 255,
++//~ 1, 1, 1, 1);
++ //~ pixbuf_set_rect(rectangles, 0, 0 + (height / 3 + 1), width, height / 3 - 2,
++//~ 255, 255, 255, 255,
++//~ 1, 1, 1, 1);
++
++ //~ pixbuf_set_rect(rectangles, 0 + width / 3, 0 , width / 3, height,
++//~ 0, 0, 0, 255,
++//~ 1, 1, 1, 1);
++ //~ pixbuf_set_rect(rectangles, 0 + width / 3 + 1, 0, width / 3 - 2, height,
++//~ 255, 255, 255, 255,
++//~ 1, 1, 1, 1);
++ //~ return rectangles;
++ //~ }
++ //~ }
+
+ return NULL;
+ }
+diff --git a/src/renderer-tiles.c b/src/renderer-tiles.c
+index 9b4f049..cc0483a 100644
+--- a/src/renderer-tiles.c
b/src/renderer-tiles.c
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2006 John Ellis
+- *
Bug#984635: marked as done (unblock: tqdm/4.57.0-2)
Your message dated Tue, 9 Mar 2021 21:19:15 +0100
with message-id <3d72f61b-7fe6-edc1-7c05-602f040c1...@debian.org>
and subject line Re: unblock: tqdm/4.57.0-2
has caused the Debian Bug report #984635,
regarding unblock: tqdm/4.57.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package tqdm
[ Reason ]
the last upload of tqdm fixes a RC bug
the effects of that bug are only visible in reverse dependencies, and they were
caused by disabling setuptools_scm during build (as that interferes with our
build process). That result in a package that would ship a egginfo with version
equals to 0.0.0.
Packages requiring a specific version would fail because that versoin would be
higher that 0.0.0.
the fix was using one of the common practices (documented via a link) of
retrieving the module version from a source file in setup.py, and update the
existing patch for disabling setuptools_scm to include this change.
[ Impact ]
(What is the impact for the user if the unblock isn't granted?)
[ Tests ]
i waited to open this request until all rdeps autopkgtests have completed
[ Risks ]
trivial fix
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock tqdm/4.57.0-2
-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ea9325b..0904f85 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tqdm (4.57.0-2) unstable; urgency=medium
+
+ * debian/patches/dont-use-setuptools-scm.patch
+- since we disabled setuptools_scm, we need to explicly retrieve and set
+ tqdm version, so that egginfo has the right version too; Closes: #983007
+
+ -- Sandro Tosi Fri, 05 Mar 2021 03:57:27 -0500
+
tqdm (4.57.0-1) unstable; urgency=medium
* New upstream release
diff --git a/debian/patches/dont-use-setuptools-scm.patch
b/debian/patches/dont-use-setuptools-scm.patch
index 88aad5f..d34c346 100644
--- a/debian/patches/dont-use-setuptools-scm.patch
+++ b/debian/patches/dont-use-setuptools-scm.patch
@@ -1,11 +1,24 @@
--- a/setup.py
+++ b/setup.py
-@@ -13,4 +13,4 @@ if sys.argv[1].lower().strip() == 'make'
+@@ -5,6 +5,12 @@ from os import path
+
+ from setuptools import setup
+
++
++# https://packaging.python.org/guides/single-sourcing-package-version/
++version = {}
++with open('tqdm/_dist_ver.py') as fp:
++exec(fp.read(), version)
++
+ src_dir = path.abspath(path.dirname(__file__))
+ if sys.argv[1].lower().strip() == 'make': # exec Makefile commands
+ import pymake
+@@ -13,4 +19,4 @@ if sys.argv[1].lower().strip() == 'make'
# Stop to avoid setup.py raising non-standard command error
sys.exit(0)
-setup(use_scm_version=True)
-+setup()
++setup(version=version['__version__'])
--- a/setup.cfg
+++ b/setup.cfg
@@ -74,7 +74,7 @@ classifiers =
--- End Message ---
--- Begin Message ---
Hi,
On Fri, 05 Mar 2021 23:42:46 -0500 Sandro Tosi wrote:
> Please unblock package tqdm
unblocked.
Paul
OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
NEW changes in stable-new
Processing changes file: fwupdate_12-4+deb10u3_source.changes ACCEPT
Bug#984892: unblock: libbio-db-ncbihelper-perl/1.7.6-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libbio-db-ncbihelper-perl [ Reason ] Current version of libbio-db-ncbihelper-perl in Testing, in version 1.7.6-2, is affected by release critical bugs #983239 and #984475. Due to the autopkgtest now marked "superficial", I don't expect it will reach Testing on it's own past the hard freeze date this Friday. [ Impact ] Removal of libbio-db-ncbihelper-perl from Testing would trigger the removal of bioperl, and the entire ecosystem of Med packages which are based on bioperl. That represents more than 40 source packages, some with relatively high popcon by Debian Med standards. [ Tests ] I manually ran the test needing Internet on version 1.7.6-4 in Sid and Testing, architectures amd64 and arm64 (schroot + qemu), and modulo the minor failing test which is triggered by events outside of our control and documented in #983239, they ran fine. I also ran the build and autopkgtest suite in normal conditions (superficial) without any issues on Sid and Testing, amd64 and arm64, just in case. [ Risks ] Changes affect diverse test suites to not depend on the network anymore, so should be more stable, yet superficial. Also, I don't see how the Breaks+Replace statement added to the control file could break the package (but I might be surprised of course). Overall I think the risk of upgrading the package in Testing is rather low. [ Checklist ] [*] all changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in testing [ Other info ] The similar libbio-db-embl-perl, which had the same transitive removal implications, made it's way to Testing fortunately. But I'm not too sure of the timing yet for libbio-db-biofetch-perl, nor it's impact on the bioperl ecosystem. I might open one other unblock request for libbio-db-biofetch-perl this week end if it turns out to be necessary. unblock libbio-db-ncbihelper-perl/1.7.6-4 Have a nice day, :) -- Étienne Mollier Fingerprint: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da Sent from /dev/pts/1, please excuse my verbosity. diff -Nru libbio-db-ncbihelper-perl-1.7.6/debian/changelog libbio-db-ncbihelper-perl-1.7.6/debian/changelog --- libbio-db-ncbihelper-perl-1.7.6/debian/changelog2020-01-05 07:56:13.0 +0100 +++ libbio-db-ncbihelper-perl-1.7.6/debian/changelog2021-03-04 09:01:01.0 +0100 @@ -1,3 +1,24 @@ +libbio-db-ncbihelper-perl (1.7.6-4) unstable; urgency=medium + + * Team upload. + * Breaks+Replaces: bioperl (<< 1.7.3) +Closes: #984475 + + -- Andreas Tille Thu, 04 Mar 2021 09:01:01 +0100 + +libbio-db-ncbihelper-perl (1.7.6-3) unstable; urgency=medium + + * Team upload. + * Prevent build time tests and autodep8-perl test to fetch resources on the +Internet. +Closes: #983238 + * Ensured autopkgtest remained offline, and marked the smoke test as +superficial, since all tests within are skipped without Internet access. + * Side-tracked maintainer notifications from debian-...@lists.debian.org to +debian-med-packag...@lists.alioth.debian.org like the other packages. + + -- Étienne Mollier Mon, 22 Feb 2021 22:45:11 +0100 + libbio-db-ncbihelper-perl (1.7.6-2) unstable; urgency=medium * Be more strict about the libbio-asn1-entrezgene-perl dependency diff -Nru libbio-db-ncbihelper-perl-1.7.6/debian/control libbio-db-ncbihelper-perl-1.7.6/debian/control --- libbio-db-ncbihelper-perl-1.7.6/debian/control 2020-01-05 07:55:51.0 +0100 +++ libbio-db-ncbihelper-perl-1.7.6/debian/control 2021-03-04 09:01:01.0 +0100 @@ -1,8 +1,7 @@ Source: libbio-db-ncbihelper-perl -Maintainer: Debian Med team -Uploaders: Michael R. Crusoe +Maintainer: Debian Med Packaging Team +Uploaders: Michael R. Crusoe Section: perl -Testsuite: autopkgtest-pkg-perl Priority: optional Build-Depends: debhelper-compat (= 12) Build-Depends-Indep: libbio-perl-perl, @@ -34,6 +33,8 @@ liburi-perl, libwww-perl, libxml-twig-perl +Breaks: bioperl (<< 1.7.3) +Replaces: bioperl (<< 1.7.3) Description: collection of routines useful for queries to NCBI databases Provides a single place to setup some common methods for querying NCBI web databases. Bio::DB::NCBIHelper just centralizes the methods for constructing diff -Nru libbio-db-ncbihelper-perl-1.7.6/debian/rules libbio-db-ncbihelper-perl-1.7.6/debian/rules --- libbio-db-ncbihelper-perl-1.7.6/debian/rules2020-01-04 12:44:53.0 +0100 +++ libbio-db-ncbihelper-perl-1.7.6/debian/rules2021-03-04 09:01:01.0 +0100 @@ -1,10 +1,7 @@ #!/usr/bin/make -f -ifneq (,$(DEB_MAINTAINER_MODE)) -NETWORK = --network -else() -export NO_NETWORK_TESTING -endif +# prevent the test suite to fetch resources on the Internet at build time. +export NO_NETWORK_TESTING=1 %: dh $@ diff -Nru
Re: Update luajit to git master version
Hi, On 3/8/21 11:05 AM, YunQiang Su wrote: John Paul Adrian Glaubitz 于2021年3月8日周一 下午5:57写道: Hello YunQiang! On 3/8/21 10:50 AM, YunQiang Su wrote: I upload the cur exp version to unstable with 2 days delay. That's probably not such a good idea at this point of the release. You should better check back with the release team as we're in the middle of a freeze. OK, dcuted. and CC release team. You Cc-ed the release list without a specific question, so that's not very clear. If you want to ask for an unblock, please file an unblock request as described in https://release.debian.org/bullseye/FAQ.html However, if you are asking if it's a good idea to do an upload of luajit to unstable based on the current version in experimental, the answer is no. Also, please note that your upload is still in the deferred queue, so if you tried to remove it, that must have failed somehow. Cheers, Ivo
Bug#984697: marked as done (unblock: setuptools/52.0.0-3)
Your message dated Tue, 9 Mar 2021 20:01:10 +0100 with message-id <93670f8a-1407-2a18-347e-ec506cc56...@debian.org> and subject line Re: Bug#984697: unblock: setuptools/52.0.0-3 has caused the Debian Bug report #984697, regarding unblock: setuptools/52.0.0-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984697 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org X-Debbugs-CC: Stefano Rivera please unblock: setuptools/52.0.0-3, fixing the same issue #982921 as fixed in python-packaging in https://tracker.debian.org/news/1232090/accepted-python-packaging-209-2-source-into-unstable/ and already migrated to testing. Discussed with Stefano Rivero, that we don't want to unvendor packaging at this point. --- End Message --- --- Begin Message --- Hi, On 07-03-2021 12:45, Matthias Klose wrote: > please unblock: setuptools/52.0.0-3, fixing the same issue #982921 as fixed in unblocked. Next time, can you please make sure the meta data is correct? user/usertags. There's a high risk it slips otherwise. Paul OpenPGP_signature Description: OpenPGP digital signature --- End Message ---
Bug#984861: marked as done (unblock: gnome-remote-desktop/0.1.9-5)
Your message dated Tue, 9 Mar 2021 19:54:37 +0100
with message-id <83a46acd-3669-fdf7-7bd5-a87fab9a6...@debian.org>
and subject line Re: Bug#984861: unblock: gnome-remote-desktop/0.1.9-5
has caused the Debian Bug report #984861,
regarding unblock: gnome-remote-desktop/0.1.9-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: David Mohammed
Please unblock package gnome-remote-desktop.
[ Reason ]
Change gnome-shell dependency to gnome-shell|budgie-desktop,
plus appropriate version constraints. What gnome-remote-desktop actually
needs is any compositor based on a version of mutter that was compiled with
pipewire 0.3, and those two are the mutter-based compositors in Debian.
[ Impact ]
Previously, budgie-desktop users could not use gnome-remote-desktop
to provide screen-sharing in Budgie unless they also unnecessarily
installed gnome-shell.
[ Tests ]
Manually smoke-tested: I installed the proposed package on a bullseye GNOME
system, enabled screen sharing in gnome-control-center and connected to
it with remmima.
Budgie maintainer David Mohammed has confirmed that the alternative
dependency has the desired effect.
[ Risks ]
Low-risk dependency change.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock gnome-remote-desktop/0.1.9-5
diffstat for gnome-remote-desktop-0.1.9 gnome-remote-desktop-0.1.9
changelog | 10 ++
control|2 +-
control.in |2 +-
3 files changed, 12 insertions(+), 2 deletions(-)
diff -Nru gnome-remote-desktop-0.1.9/debian/changelog gnome-remote-desktop-0.1.9/debian/changelog
--- gnome-remote-desktop-0.1.9/debian/changelog 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/changelog 2021-03-09 10:31:04.0 +
@@ -1,3 +1,13 @@
+gnome-remote-desktop (0.1.9-5) unstable; urgency=medium
+
+ * Team upload
+
+ [ David Mohammed ]
+ * debian/control: add budgie-desktop as an alternate for gnome-shell
+(Closes: #982937)
+
+ -- Simon McVittie Tue, 09 Mar 2021 10:31:04 +
+
gnome-remote-desktop (0.1.9-4) unstable; urgency=medium
* debian/patches: Fix use-after-free crash on repeated VNC connections
diff -Nru gnome-remote-desktop-0.1.9/debian/control gnome-remote-desktop-0.1.9/debian/control
--- gnome-remote-desktop-0.1.9/debian/control 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/control 2021-03-09 10:31:04.0 +
@@ -28,7 +28,7 @@
Architecture: linux-any
Depends: ${misc:Depends},
${shlibs:Depends},
- gnome-shell (>= 3.37.92-2~),
+ gnome-shell (>= 3.37.92-2~) | budgie-desktop (>= 10.5.2),
libmutter-7-0 (>= 3.37.92-1~),
pipewire (>= 0.3.0)
Description: Remote desktop daemon for GNOME using PipeWire
diff -Nru gnome-remote-desktop-0.1.9/debian/control.in gnome-remote-desktop-0.1.9/debian/control.in
--- gnome-remote-desktop-0.1.9/debian/control.in 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/control.in 2021-03-09 10:31:04.0 +
@@ -24,7 +24,7 @@
Architecture: linux-any
Depends: ${misc:Depends},
${shlibs:Depends},
- gnome-shell (>= 3.37.92-2~),
+ gnome-shell (>= 3.37.92-2~) | budgie-desktop (>= 10.5.2),
libmutter-7-0 (>= 3.37.92-1~),
pipewire (>= 0.3.0)
Description: Remote desktop daemon for GNOME using PipeWire
--- End Message ---
--- Begin Message ---
Hi Simon,
On 09-03-2021 11:58, Simon McVittie wrote:
> Please unblock package gnome-remote-desktop.
unblocked.
Paul
OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
Bug#984885: marked as done (unblock: vlc/3.0.12-3)
Your message dated Tue, 09 Mar 2021 18:52:46 +
with message-id
and subject line unblock vlc
has caused the Debian Bug report #984885,
regarding unblock: vlc/3.0.12-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984885
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sramac...@debian.org
Please unblock package vlc/3.0.12-3.
[ Reason ]
vlc 3.0.x suffers from a long standing issue that causes vlc to freeze
on exit when running with a mesa GPU driver. A proper fix would also
require changes to mesa (cf
https://gitlab.freedesktop.org/mesa/mesa/-/issues/116 for the mesa bug),
but attempts to fix mesa caused other regressions, so this fix was
reverted. vlc upstream now added a workaround to no longer trigger the
condition that leads to the freeze.
[ Impact ]
Users with affected drivers can reenable hardware accelerated video
decoding.
[ Tests ]
No automated test coverage, but manually tested.
[ Risks ]
Even if the fix was incomplete, users can continue to disable hardware
acceleration or kill the stuck vlc process.
vlc is a key package, so requires an unblock.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock vlc/3.0.12-3
--
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index b96fc96a8..1b3237d27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+vlc (3.0.12-3) unstable; urgency=medium
+
+ * debian/patches: Apply upstream patches to prevent process freeze on exit
+(Closes: #916595) (LP: #1819543)
+
+ -- Sebastian Ramacher Tue, 09 Mar 2021 17:42:00 +0100
+
vlc (3.0.12-2) unstable; urgency=medium
* debian/: Disable live555 plugin due to #981439
diff --git
a/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
b/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
new file mode 100644
index 0..7788dd33b
--- /dev/null
+++ b/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
@@ -0,0 +1,88 @@
+From: =?utf-8?q?R=C3=A9mi_Denis-Courmont?=
+Date: Sat, 6 Feb 2021 15:00:02 +0200
+Subject: qt: add a private structure for window provider
+
+---
+ modules/gui/qt/qt.cpp | 33 ++---
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/modules/gui/qt/qt.cpp b/modules/gui/qt/qt.cpp
+index ab912fd..d5a22d9 100644
+--- a/modules/gui/qt/qt.cpp
b/modules/gui/qt/qt.cpp
+@@ -708,6 +708,10 @@ static void ShowDialog( intf_thread_t *p_intf, int
i_dialog_event, int i_arg,
+ */
+ static int WindowControl( vout_window_t *, int i_query, va_list );
+
++typedef struct {
++MainInterface *mi;
++} vout_window_qt_t;
++
+ static int WindowOpen( vout_window_t *p_wnd, const vout_window_cfg_t *cfg )
+ {
+ if( cfg->is_standalone )
+@@ -737,21 +741,26 @@ static int WindowOpen( vout_window_t *p_wnd, const
vout_window_cfg_t *cfg )
+ if (unlikely(!active))
+ return VLC_EGENERIC;
+
+-MainInterface *p_mi = p_intf->p_sys->p_mi;
++vout_window_qt_t *sys = new vout_window_qt_t;
++
++sys->mi = p_intf->p_sys->p_mi;
+ msg_Dbg( p_wnd, "requesting video window..." );
+
+-if( !p_mi->getVideo( p_wnd, cfg->width, cfg->height, cfg->is_fullscreen )
)
++if (!sys->mi->getVideo(p_wnd, cfg->width, cfg->height,
cfg->is_fullscreen))
++{
++delete sys;
+ return VLC_EGENERIC;
++}
+
+ p_wnd->info.has_double_click = true;
+ p_wnd->control = WindowControl;
+-p_wnd->sys = (vout_window_sys_t*)p_mi;
++p_wnd->sys = (vout_window_sys_t *)sys;
+ return VLC_SUCCESS;
+ }
+
+ static int WindowControl( vout_window_t *p_wnd, int i_query, va_list args )
+ {
+-MainInterface *p_mi = (MainInterface *)p_wnd->sys;
++vout_window_qt_t *sys = (vout_window_qt_t *)p_wnd->sys;
+ QMutexLocker locker ();
+
+ if (unlikely(!active))
+@@ -759,12 +768,12 @@ static int WindowControl( vout_window_t *p_wnd, int
i_query, va_list args )
+ msg_Warn (p_wnd, "video already released before control");
+ return VLC_EGENERIC;
+ }
+-return p_mi->controlVideo( i_query, args );
++return sys->mi->controlVideo(i_query, args);
+ }
+
+ static void WindowClose( vout_window_t *p_wnd )
+ {
+-MainInterface *p_mi = (MainInterface *)p_wnd->sys;
++vout_window_qt_t *sys =
Bug#983071: marked as done (unblock: xz-utils/5.2.5-1.1)
Your message dated Tue, 9 Mar 2021 19:40:49 +0100 with message-id <97b3dd45-509d-b22d-4ed1-f68c953b3...@debian.org> and subject line Re: Bug#983071: unblock: xz-utils/5.2.5-1.1 has caused the Debian Bug report #983071, regarding unblock: xz-utils/5.2.5-1.1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 983071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983071 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Please unblock package xz-utils. I NMUed xz-utils to 5.2.5-1.0 fixing a few bugs including #844770 and #975981. Both bugs were fixed by upstream differently / more complete. I prepared an NMU 5.2.5-1.1, #983067 by replacing my patches with upstream patches: - #844770 "xzcmp: SIGPIPE is raised because CMP does exit while the XZ commands are still writing to the pipe" https://git.tukaani.org/?p=xz.git;a=commitdiff;h=194029ffaf74282a81f0c299c07f73caca3232ca - #975981 "xz-utils: "unxz -k" should not refuse to decompress a file because it has more than one hard link" https://git.tukaani.org/?p=xz.git;a=commitdiff;h=074259f4f3966aeac6edb205fecbc1a8d2b58bb2 I would like to avoid having different changes to the package (and possibly creating new bugs) and therefore keep what upstream applied here. The patches were reviewed at least by the maintainer of the upstream package. During that review a similar SIGPIPE problem was found and fixed in xzgrep: Scripts: Fix exit status of xzgrep. https://git.tukaani.org/?p=xz.git;a=commitdiff;h=73c555b3077c19dda29b6f4592ced2af876f8333 This bug was never reported and fixed within the Debian package. If it is okay with the release then I would backport the patch and NMU it as part of the 5.2.5-1.1 upload. Otherwise I would stick with the replacement of the two patches as can been seen in the attached debdiff. The package was not yet uploaded, I plan to upload it to delayed/5 once the release team agrees. unblock xz-utils/5.2.5-1.1 Sebastian diff -Nru xz-utils-5.2.5/debian/changelog xz-utils-5.2.5/debian/changelog --- xz-utils-5.2.5/debian/changelog 2020-12-28 11:25:06.0 +0100 +++ xz-utils-5.2.5/debian/changelog 2021-02-18 23:12:30.0 +0100 @@ -1,3 +1,10 @@ +xz-utils (5.2.5-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Update the patches for #844770 and #975981 to what upstream applied. + + -- Sebastian Andrzej Siewior Thu, 18 Feb 2021 23:12:30 +0100 + xz-utils (5.2.5-1.0) unstable; urgency=medium * Non-maintainer upload. diff -Nru xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch --- xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch 1970-01-01 01:00:00.0 +0100 +++ xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch 2021-02-17 23:52:05.0 +0100 @@ -0,0 +1,118 @@ +From: Lasse Collin +Date: Mon, 11 Jan 2021 22:01:51 +0200 +Subject: Scripts: Fix exit status of xzdiff/xzcmp. +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +This is a minor fix since this affects only the situation when +the files differ and the exit status is something else than 0. +In such case there could be SIGPIPE from a decompression tool +and that would result in exit status of 2 from xzdiff/xzcmp +while the correct behavior would be to return 1 or whatever +else diff or cmp may have returned. + +This commit omits the -q option from xz/gzip/bzip2/lzop arguments. +I'm not sure why the -q was used in the first place, perhaps it +hides warnings in some situation that I cannot see at the moment. +Hopefully the removal won't introduce a new bug. + +With gzip the -q option was harmful because it made gzip return 2 +instead of >= 128 with SIGPIPE. Ignoring exit status 2 (warning +from gzip) isn't practical because bzip2 uses exit status 2 to +indicate corrupt input file. It's better if SIGPIPE results in +exit status >= 128. + +With bzip2 the removal of -q seems to be good because with -q +it prints nothing if input is corrupt. The other tools aren't +silent in this situation even with -q. On the other hand, if +zstd support is added, it will need -q since otherwise it's +noisy in normal situations. + +Thanks to Étienne Mollier and Sebastian Andrzej Siewior. +--- + src/scripts/xzdiff.in | 35 +-- + 1 file changed, 21 insertions(+),
Bug#984886: buster-pu: package xcftools/1.0.7-6
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Dear release team,
[ Reason ]
I would like to fix CVE-2019-5086 and CVE-2019-5087. The same fix has
been applied in unstable and stretch already. The security team marked
these issues as no-dsa.
[ Impact ]
xcftools would still be vulnerable if not approved.
[ Tests ]
Tested with a manipulated xcf file.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Markus
diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog
--- xcftools-1.0.7/debian/changelog 2016-05-18 12:34:05.0 +0200
+++ xcftools-1.0.7/debian/changelog 2021-02-09 23:17:14.0 +0100
@@ -1,3 +1,16 @@
+xcftools (1.0.7-6+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2019-5086 and CVE-2019-5087:
+An exploitable integer overflow vulnerability exists in the
+flattenIncrementally function in the xcf2png and xcf2pnm binaries of
+xcftools. An integer overflow can occur while walking through tiles that
+could be exploited to corrupt memory and execute arbitrary code. In order
+to trigger this vulnerability, a victim would need to open a specially
+crafted XCF file.
+
+ -- Markus Koschany Tue, 09 Feb 2021 23:17:14 +0100
+
xcftools (1.0.7-6) unstable; urgency=medium
* Team upload (collab-maint)
diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
--- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
1970-01-01 01:00:00.0 +0100
+++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
2021-02-09 23:17:14.0 +0100
@@ -0,0 +1,53 @@
+From: Markus Koschany
+Date: Mon, 8 Feb 2021 17:57:56 +0100
+Subject: CVE-2019-5086 and CVE-2019-5087
+
+Patch by Anton Gladky and Markus Koschany.
+
+Bug-Debian: https://bugs.debian.org/945317
+Origin: https://github.com/j-jorge/xcftools/pull/15
+---
+ xcf-general.c | 23 +++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/xcf-general.c b/xcf-general.c
+index 9d0b4dc..7cb1613 100644
+--- a/xcf-general.c
b/xcf-general.c
+@@ -19,6 +19,8 @@
+ #include "xcftools.h"
+ #include
+ #include
++#include
++#include
+ #ifdef HAVE_ICONV
+ # include
+ #elif !defined(ICONV_CONST)
+@@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after)
+ void
+ computeDimensions(struct tileDimensions *d)
+ {
++ // [ CVE-2019-5086 and CVE-2019-5087 ]
++ // This part of the code is the check to prevent integer overflow, see
CVE-2019-5086 and CVE-2019-5087
++
++ if (d->c.l < INT_MIN/4) {
++fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"),
(d->c.l));
++exit(0);
++ }
++ if (d->c.t < INT_MIN/4) {
++fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"),
(d->c.t));
++exit(0);
++ }
++ if (d->width > (INT_MAX - d->c.l)/4) {
++fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"),
(d->c.l + d->width));
++exit(0);
++ }
++ if (d->height > (INT_MAX - d->c.t)/4) {
++fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"),
(d->c.t + d->height));
++exit(0);
++ }
++ // [ CVE-2019-5086 and CVE-2019-5087 ]
++
+ d->c.r = d->c.l + d->width ;
+ d->c.b = d->c.t + d->height ;
+ d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
diff -Nru xcftools-1.0.7/debian/patches/series
xcftools-1.0.7/debian/patches/series
--- xcftools-1.0.7/debian/patches/series2016-05-18 12:27:32.0
+0200
+++ xcftools-1.0.7/debian/patches/series2021-02-09 23:17:14.0
+0100
@@ -4,3 +4,4 @@
fix-as-needed-linking
libpng16.patch
fix-test-UTF8.patch
+CVE-2019-5086-and-CVE-2019-5087.patch
Bug#984648: unblock: packages with unversioned python dependencies
linkchecker is fixed in 10.0.1-2
Bug#984885: unblock: vlc/3.0.12-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sramac...@debian.org
Please unblock package vlc/3.0.12-3.
[ Reason ]
vlc 3.0.x suffers from a long standing issue that causes vlc to freeze
on exit when running with a mesa GPU driver. A proper fix would also
require changes to mesa (cf
https://gitlab.freedesktop.org/mesa/mesa/-/issues/116 for the mesa bug),
but attempts to fix mesa caused other regressions, so this fix was
reverted. vlc upstream now added a workaround to no longer trigger the
condition that leads to the freeze.
[ Impact ]
Users with affected drivers can reenable hardware accelerated video
decoding.
[ Tests ]
No automated test coverage, but manually tested.
[ Risks ]
Even if the fix was incomplete, users can continue to disable hardware
acceleration or kill the stuck vlc process.
vlc is a key package, so requires an unblock.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock vlc/3.0.12-3
--
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index b96fc96a8..1b3237d27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+vlc (3.0.12-3) unstable; urgency=medium
+
+ * debian/patches: Apply upstream patches to prevent process freeze on exit
+(Closes: #916595) (LP: #1819543)
+
+ -- Sebastian Ramacher Tue, 09 Mar 2021 17:42:00 +0100
+
vlc (3.0.12-2) unstable; urgency=medium
* debian/: Disable live555 plugin due to #981439
diff --git
a/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
b/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
new file mode 100644
index 0..7788dd33b
--- /dev/null
+++ b/debian/patches/0004-qt-add-a-private-structure-for-window-provider.patch
@@ -0,0 +1,88 @@
+From: =?utf-8?q?R=C3=A9mi_Denis-Courmont?=
+Date: Sat, 6 Feb 2021 15:00:02 +0200
+Subject: qt: add a private structure for window provider
+
+---
+ modules/gui/qt/qt.cpp | 33 ++---
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/modules/gui/qt/qt.cpp b/modules/gui/qt/qt.cpp
+index ab912fd..d5a22d9 100644
+--- a/modules/gui/qt/qt.cpp
b/modules/gui/qt/qt.cpp
+@@ -708,6 +708,10 @@ static void ShowDialog( intf_thread_t *p_intf, int
i_dialog_event, int i_arg,
+ */
+ static int WindowControl( vout_window_t *, int i_query, va_list );
+
++typedef struct {
++MainInterface *mi;
++} vout_window_qt_t;
++
+ static int WindowOpen( vout_window_t *p_wnd, const vout_window_cfg_t *cfg )
+ {
+ if( cfg->is_standalone )
+@@ -737,21 +741,26 @@ static int WindowOpen( vout_window_t *p_wnd, const
vout_window_cfg_t *cfg )
+ if (unlikely(!active))
+ return VLC_EGENERIC;
+
+-MainInterface *p_mi = p_intf->p_sys->p_mi;
++vout_window_qt_t *sys = new vout_window_qt_t;
++
++sys->mi = p_intf->p_sys->p_mi;
+ msg_Dbg( p_wnd, "requesting video window..." );
+
+-if( !p_mi->getVideo( p_wnd, cfg->width, cfg->height, cfg->is_fullscreen )
)
++if (!sys->mi->getVideo(p_wnd, cfg->width, cfg->height,
cfg->is_fullscreen))
++{
++delete sys;
+ return VLC_EGENERIC;
++}
+
+ p_wnd->info.has_double_click = true;
+ p_wnd->control = WindowControl;
+-p_wnd->sys = (vout_window_sys_t*)p_mi;
++p_wnd->sys = (vout_window_sys_t *)sys;
+ return VLC_SUCCESS;
+ }
+
+ static int WindowControl( vout_window_t *p_wnd, int i_query, va_list args )
+ {
+-MainInterface *p_mi = (MainInterface *)p_wnd->sys;
++vout_window_qt_t *sys = (vout_window_qt_t *)p_wnd->sys;
+ QMutexLocker locker ();
+
+ if (unlikely(!active))
+@@ -759,12 +768,12 @@ static int WindowControl( vout_window_t *p_wnd, int
i_query, va_list args )
+ msg_Warn (p_wnd, "video already released before control");
+ return VLC_EGENERIC;
+ }
+-return p_mi->controlVideo( i_query, args );
++return sys->mi->controlVideo(i_query, args);
+ }
+
+ static void WindowClose( vout_window_t *p_wnd )
+ {
+-MainInterface *p_mi = (MainInterface *)p_wnd->sys;
++vout_window_qt_t *sys = (vout_window_qt_t *)p_wnd->sys;
+ QMutexLocker locker ();
+
+ /* Normally, the interface terminates after the video. In the contrary,
the
+@@ -776,11 +785,13 @@ static void WindowClose( vout_window_t *p_wnd )
+ * That assumes the video output will behave sanely if it window is
+ * destroyed asynchronously.
+ * XCB and Xlib-XCB are fine with that. Plain Xlib wouldn't, */
+-if (unlikely(!active))
++if (likely(active))
+ {
+-msg_Warn (p_wnd, "video already released");
+-return;
++msg_Dbg(p_wnd, "releasing video...");
++sys->mi->releaseVideo();
+ }
+-msg_Dbg (p_wnd, "releasing video...");
+-p_mi->releaseVideo();
++else
++msg_Warn (p_wnd, "video already released");
++
++
Bug#983407: marked as done (Pam: Multiple issues Affecting Upgrades)
Your message dated Tue, 09 Mar 2021 12:36:03 -0500 with message-id and subject line PAm Upgrades Migrated to Testing has caused the Debian Bug report #983407, regarding Pam: Multiple issues Affecting Upgrades to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 983407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983407 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal X-Debbugs-Cc: vor...@debian.org Hi. I'm writing with my pam uploader hat on to give you a heads up about two issues that are kind of nasty and affect upgrades. This is just a FYI, opened as a bug because you've expressed a preference for that communication style. Feel free to close now; if this is still open when I have an unblock ready, I'll close and file the unblock. I hope to have something in experimental or unstable by end of this week. Depending on my confidence in the fixes, I may be ready for an unblock at that point, or I may want to ask for additional review before I'm ready to recommend inclusion in testing. * 982530: removal of pam_tally Up through buster, there were pam_tally and pam_tally2 modules available to provide lockout. These modules were not in the default configuration, but apparently various hardening guides turned them on. They were deprecated upstream, and we've chosen to remove them from bullseye. Unfortunately, if your pam config includes these modules, then probably you can't login until you boot with rescue media and fix the pam config. Moreover, while you probably get reasonable errors in the journal, you probably can't see that because you can't log in. Plan is to detect the situation and scream in the preinst. Down side is that means new strings that need translation (debconf templates) * 982295: pam won't deal with upgrades without an init script Pam restarts various services on upgrade (including buster to bullseye). The consequence of not restarting can be segfaults or failed pam authentications going forward. (libpam-modules gets out of sync with libpam0g and ether fails to dlopen or segfaults depending). The logic in libpam0g.postinst is init-script specific. Our current policy allows init scripts to be removed, and apparently various users and downstreams are removing init scripts even when the package still contains them. I'm testing a patch to use systemd facilities for doing restarts if booted with systemd as init. -- System Information: Debian Release: bullseye/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing'), (500, 'stable'), (200, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled --- End Message --- --- Begin Message --- Fixes to the two upgrade issues we discussed migrated to bullseye. However, there are some bugs discovered in code review I requested of the fixes as well as a whole slew of translation updates. I will be submitting an unblock in the next few days, but this tracking bug has been dealt with.--- End Message ---
Bug#984882: unblock: debian-science/1.14.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: debian-science-maintain...@lists.alioth.debian.org Please unblock package debian-science (Please provide enough (but not too much) information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [ Reason ] The debian-science metapackages should have been uploaded right before the freeze. Due to an unfortunate sequence of blockers (specifically an additional binary (meta)package) it was to late to meet the deadline. [ Impact ] I consider it important to have this version in testing right now to have a potentially minimum diff (or may be no need for another upload) in case some of the dependencies will be removed in the deep freeze period. [ Tests ] The metapackages do not contain any real code, just dependencies. So there are no real tests. [ Risks ] The code is trivial - I do not see any risk. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [ ] attach debdiff against the package in testing (I do not see any reason for a debdiff of the autogenerated package) unblock debian-science/1.14.1
Bug#984642: unblock refpolicy / policycoreutils
Hi Russell Neither refpolicy nor policycoreutils are in the list of key packages. In the upcoming hard freeze, for non-key packages with (non-trivial) autopkgtests, the rules of the soft freeze still apply [1]. So you could avoid the need for unblocks for these packages by adding an autopkgtest that tests the as-installed packages in a new upload. Regards Graham [1] https://release.debian.org/bullseye/freeze_policy.html#hard
Re: Bug#984852: firmware-amd-graphics: Please add cezanne ("green sardine")
On dinsdag 9 maart 2021 10:31:33 CET maximilian attems wrote: > > I've received my new laptop with a Ryzen R7 5800U ... > > The relevant files are amdgpu/green_sardine_* > > right, they only got pushed upstream in linux-firmware git on 11/2/2021 > after the latest 20210208 release, hence unfortunately they miss out the > next debian release > https://release.debian.org/bullseye/freeze_policy.html I realize that kernel and firmware are not the (exact) same thing, but the impression I got wrt freeze is: - new features: NO - new hardware support: YES It looks to me that this falls in the latter category. The update should only contain the amdgpu/green_sardine_* firmware files and nothing else. A manual unblock is needed ofc, but that can be requested. Maybe the Release Team could clarify this? signature.asc Description: This is a digitally signed message part.
Bug#984861: unblock: gnome-remote-desktop/0.1.9-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: David Mohammed
Please unblock package gnome-remote-desktop.
[ Reason ]
Change gnome-shell dependency to gnome-shell|budgie-desktop,
plus appropriate version constraints. What gnome-remote-desktop actually
needs is any compositor based on a version of mutter that was compiled with
pipewire 0.3, and those two are the mutter-based compositors in Debian.
[ Impact ]
Previously, budgie-desktop users could not use gnome-remote-desktop
to provide screen-sharing in Budgie unless they also unnecessarily
installed gnome-shell.
[ Tests ]
Manually smoke-tested: I installed the proposed package on a bullseye GNOME
system, enabled screen sharing in gnome-control-center and connected to
it with remmima.
Budgie maintainer David Mohammed has confirmed that the alternative
dependency has the desired effect.
[ Risks ]
Low-risk dependency change.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock gnome-remote-desktop/0.1.9-5
diffstat for gnome-remote-desktop-0.1.9 gnome-remote-desktop-0.1.9
changelog | 10 ++
control|2 +-
control.in |2 +-
3 files changed, 12 insertions(+), 2 deletions(-)
diff -Nru gnome-remote-desktop-0.1.9/debian/changelog gnome-remote-desktop-0.1.9/debian/changelog
--- gnome-remote-desktop-0.1.9/debian/changelog 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/changelog 2021-03-09 10:31:04.0 +
@@ -1,3 +1,13 @@
+gnome-remote-desktop (0.1.9-5) unstable; urgency=medium
+
+ * Team upload
+
+ [ David Mohammed ]
+ * debian/control: add budgie-desktop as an alternate for gnome-shell
+(Closes: #982937)
+
+ -- Simon McVittie Tue, 09 Mar 2021 10:31:04 +
+
gnome-remote-desktop (0.1.9-4) unstable; urgency=medium
* debian/patches: Fix use-after-free crash on repeated VNC connections
diff -Nru gnome-remote-desktop-0.1.9/debian/control gnome-remote-desktop-0.1.9/debian/control
--- gnome-remote-desktop-0.1.9/debian/control 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/control 2021-03-09 10:31:04.0 +
@@ -28,7 +28,7 @@
Architecture: linux-any
Depends: ${misc:Depends},
${shlibs:Depends},
- gnome-shell (>= 3.37.92-2~),
+ gnome-shell (>= 3.37.92-2~) | budgie-desktop (>= 10.5.2),
libmutter-7-0 (>= 3.37.92-1~),
pipewire (>= 0.3.0)
Description: Remote desktop daemon for GNOME using PipeWire
diff -Nru gnome-remote-desktop-0.1.9/debian/control.in gnome-remote-desktop-0.1.9/debian/control.in
--- gnome-remote-desktop-0.1.9/debian/control.in 2021-02-11 16:14:14.0 +
+++ gnome-remote-desktop-0.1.9/debian/control.in 2021-03-09 10:31:04.0 +
@@ -24,7 +24,7 @@
Architecture: linux-any
Depends: ${misc:Depends},
${shlibs:Depends},
- gnome-shell (>= 3.37.92-2~),
+ gnome-shell (>= 3.37.92-2~) | budgie-desktop (>= 10.5.2),
libmutter-7-0 (>= 3.37.92-1~),
pipewire (>= 0.3.0)
Description: Remote desktop daemon for GNOME using PipeWire
Bug#984837: marked as done (unblock: gsoap/2.8.104-3)
Your message dated Tue, 09 Mar 2021 10:43:24 + with message-id and subject line unblock gsoap has caused the Debian Bug report #984837, regarding unblock: gsoap/2.8.104-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984837 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock I have submitted an update for the gsoap package, back-porting several fixes for CVEs from upstream. It fixes the RC bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596 Due to the current soft freeze, the migration delay is 10 days, which would mean 18 March. However the hard freeze starts March 12, after which migration requires an explicit unblock. Hence this unblock request. Due to the RC bug, the package is marked for auto-removal, together with many packages that depend on it: Marked for autoremoval on 11 April: #983596 high Version 2.8.104-2 of gsoap is marked for autoremoval from testing on Sun 11 Apr 2021. It is affected by #983596. The removal of gsoap will also cause the removal of (transitive) reverse dependencies: arc-gui- clients, cgsi-gsoap, davix, gfal2, gridsite, lcas-lcmaps-gt4-interface, lcmaps, lcmaps-plugins-basic, lcmaps-plugins-jobrep, lcmaps-plugins- verify-proxy, lcmaps-plugins-voms, myproxy, nordugrid-arc, nordugrid- arc-nagios-plugins, openstack-cluster-installer, srm-ifce, voms, voms- mysql-plugin, xrootd. You should try to prevent the removal by fixing these RC bugs. I hope you will consider unblocking the update. Debdiff attached. Mattias diff -Nru gsoap-2.8.104/debian/changelog gsoap-2.8.104/debian/changelog --- gsoap-2.8.104/debian/changelog 2020-07-25 08:30:12.0 +0200 +++ gsoap-2.8.104/debian/changelog 2021-03-08 14:06:23.0 +0100 @@ -1,3 +1,12 @@ +gsoap (2.8.104-3) unstable; urgency=high + + * Backporting upstream fixes (Closes: #983596) +- Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 +- Fixes CVE: CVE-2020-13576 + * Urgency high due to fixing RC bug + + -- Mattias Ellert Mon, 08 Mar 2021 14:06:23 +0100 + gsoap (2.8.104-2) unstable; urgency=medium * Re-upload source only diff -Nru gsoap-2.8.104/debian/control gsoap-2.8.104/debian/control --- gsoap-2.8.104/debian/control 2020-07-22 15:23:55.0 +0200 +++ gsoap-2.8.104/debian/control 2021-03-08 14:06:23.0 +0100 @@ -13,7 +13,7 @@ Build-Depends-Indep: doxygen, graphviz -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Section: devel Vcs-Browser: https://salsa.debian.org/ellert/gsoap Vcs-Git: https://salsa.debian.org/ellert/gsoap.git diff -Nru gsoap-2.8.104/debian/copyright gsoap-2.8.104/debian/copyright --- gsoap-2.8.104/debian/copyright 2020-07-22 15:23:55.0 +0200 +++ gsoap-2.8.104/debian/copyright 2021-03-08 14:06:23.0 +0100 @@ -171,7 +171,7 @@ Files: debian/* Copyright: 2003-2007, Thomas Wana - 2011-2020, Mattias Ellert + 2011-2021, Mattias Ellert License: GPL-2+ On Debian systems, the complete text of the GPL version 2 license can be found in '/usr/share/common-licenses/GPL-2'. diff -Nru gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch --- gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 2021-03-08 11:28:34.0 +0100 @@ -0,0 +1,336 @@ +diff -ur gsoap2-code-r191/gsoap/plugin/httpda.c gsoap2-code-r192/gsoap/plugin/httpda.c +--- gsoap2-code-r191/gsoap/plugin/httpda.c 2020-06-30 21:06:47.0 +0200 gsoap2-code-r192/gsoap/plugin/httpda.c 2020-11-19 19:29:25.0 +0100 +@@ -1460,7 +1460,7 @@ + MUTEX_LOCK(http_da_session_lock); + + for (session = http_da_session; session; session = session->next) +-if (!strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) ++if (session->realm && session->nonce && session->opaque && !strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) + break; + + if (session) +diff -ur gsoap2-code-r191/gsoap/plugin/wsaapi.c gsoap2-code-r192/gsoap/plugin/wsaapi.c +--- gsoap2-code-r191/gsoap/plugin/wsaapi.c 2020-06-30 21:06:47.0 +0200 gsoap2-code-r192/gsoap/plugin/wsaapi.c 2020-11-19 19:29:25.0 +0100 +@@ -1056,7 +1056,7 @@ + oldheader->SOAP_WSA(FaultTo)->Address =
NEW changes in stable-new
Processing changes file: fwupdate-amd64-signed_12+4+deb10u2_amd64-buildd.changes ACCEPT Processing changes file: fwupdate-arm64-signed_12+4+deb10u2_arm64-buildd.changes ACCEPT Processing changes file: linux-signed-i386_4.19.177+1_i386.changes ACCEPT
NEW changes in stable-new
Processing changes file: fwupdate-i386-signed_12+4+deb10u2_i386.changes ACCEPT
Bug#984501: marked as done (unblock: libqb/2.0.3-1)
Your message dated Tue, 09 Mar 2021 08:30:20 + with message-id and subject line unblock libqb has caused the Debian Bug report #984501, regarding unblock: libqb/2.0.3-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984501 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libqb Dear Release Team, Upstream made a new minor release of libqb yesterday. Since a new upload wouldn't migrate before the hard freeze with the current 10 day delay, I'm asking for an unblock in advance. 2.0.3 contains a single new feature extending the API and ABI in a backwards-compatible way with a message-id parameter, which isn't the main reason for this request. Included are two doxygen2man fixes, one of them already present in the current 2.0.2-1 package as a Debian patch, and another fixing a groff error in libqb's own manual pages. The really interesting stuff is a memory safety fix in the internal strlcpy() implementation and a more thorough cleanup procedure, which avoids filling up /dev/shm with stale files in certain error and recovery conditions. Locking errors (insufficient locking) are also fixed in the timer code, and the unit tests are extended appropriately. The last fix corrects another unit test but entails no change in behaviour. It would be possible to cherry pick the fix commits into Debian patches leaving out the final one adding the new API, but I'd prefer the cleaner solution of uploading 2.0.3 at this stage. debdiff against the package in testing: diff -Nru libqb-2.0.2/ChangeLog libqb-2.0.3/ChangeLog --- libqb-2.0.2/ChangeLog 2020-12-03 14:07:32.0 +0100 +++ libqb-2.0.3/ChangeLog 2021-03-03 09:34:26.0 +0100 @@ -1,3 +1,57 @@ +2021-03-03 Christine Caulfield + + release: bump library version for 2.0.3 release + +2021-03-01 Aleksei Burlakov + root + + syslog: Add a message-id parameter for messages (#433) + The message-id parameter will enable systemd catalogs. + To enable message-id's the libqb should be configured with the +--enable-systemd-journal option. + +2021-02-08 Chrissie Caulfield + + tests: Fix up resources.test (#435) + resources.test has not checked the right filenames for a while. + Fix this, and also make sure we don't count (but remove) the dlock + test files. + + timers: Add some locking (#436) + Fix several locking issues reported by helgrind + +2021-01-25 Chrissie Caulfield + + ipcc: Have a few goes at tidying up after a dead server (#434) + This is an attempt to make sure that /dev/shm is cleaned up when a + server exits unexpectedly. Normally it's the server's responsibility + to tidy up sockets, but if it crashes or is killed with SIGKILL then + the client (us) makes a reasonable attempt to tidy up the server sockets + we have connected. The extra delay here just gives the server chance to + disappear fully. As a client we can get here pretty quickly but shutting + down a large server may take a little longer even when SIGKILLed. + The 1/100th of a second is an arbitrary delay (of course) but seems to + catch most servers in 2 tries or less. + +2021-01-13 Chrissie Caulfield + + strlcpy: Check for maxlen underflow (#432) + * strlcpy: Check for maxlen underflow + https://github.com/ClusterLabs/libqb/issues/429 + * Always terminate the string if maxlen is > 0 + +2021-01-07 Chrissie Caulfield + + doxygen2man: fix printing of lines starting with '.' (#431) + if a line starts with a '.' (eg the '...' in qbarray.h) then + nroff thinks it's looking for a macro called '..'. + The easiest solution is to add a dummy format at the start of the line + (just adding \ seems not to work). + +2021-01-04 wferi + + doxygen2man: ignore all-whitespace brief descriptions (#430) + 2020-12-03 Christine Caulfield lib: Update library version for 2.0.2 release diff -Nru libqb-2.0.2/configure libqb-2.0.3/configure --- libqb-2.0.2/configure 2020-12-03 14:07:14.0 +0100 +++ libqb-2.0.3/configure 2021-03-03 09:34:07.0 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libqb 2.0.2. +# Generated by GNU Autoconf 2.69 for libqb
Bug#984501: unblock: libqb/2.0.3-1
Sebastian Ramacher writes: > The changes look ok. Under the assumption that the upload happens soon, > please go ahead. Thank you, uploaded. -- Regards, Feri
Bug#984834: marked as done (unblock firmware-nonfree 20210208-3 upload)
Your message dated Tue, 9 Mar 2021 09:08:08 +0100 with message-id and subject line Re: Bug#984834: Acknowledgement (unblock firmware-nonfree 20210208-3 upload) has caused the Debian Bug report #984834, regarding unblock firmware-nonfree 20210208-3 upload to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984834 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Thanks please unblock firmware-nonfree 20210208-3 it is the version that has the relevant firmware packages for the targeted version of linux in bullseye. It will need a small amount of fixes on top that are preprared in git and will be uploaded as soon it has migrated. thank you. -- maks signature.asc Description: PGP signature --- End Message --- --- Begin Message --- closing as "firmware-nonfree 20210208-3 MIGRATED to testing".--- End Message ---
