Bug#985958: [pre-approval] unblock: spip/3.2.11-2

2021-03-26 Thread David Prévot
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package spip

[ Reason ]
Upstream just released a new minor version to improve PHP 7.4 compat
(the latest version already improved PHP 7.3 compat). Since Bullseye ships
with PHP 7.4, including those fixes should avoid future issues (I already had
to backport a PHP 7.3 compatibility fix in a buster-security upload
to fix a serious issue with plugin handling).

[ Impact ]
On top of fixing possible problems, this update avoids filling the
web server error.log due to multiple warnings and deprecation notices.

[ Tests ]
I only tested the package manually, but I’m keeping an eye on upstream
issues that may arise about this new release.

[ Risks ]
It’s a leaf, non-key package. Even if there are various changes, they
are mostly trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I’ve filtered the debdiff with the following command (excluding getid3
changes because the package depends on an already up to date php-getid3
rather than the version vendored in, and some documentation), but the
result is still big, sorry:

 61 files changed, 647 insertions(+), 334 deletions(-)

  git diff debian/3.2.9-1 --ignore-all-space --ignore-blank-lines | \
  filterdiff --exclude=*/plugins-dist/medias/lib/getid3/* \
  --exclude=*NEWS --exclude=*README.md > /tmp/spip_ign_filtered.diff

unblock spip/3.2.11-2
diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
index d9db953dec..f69be25c84 100644
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@@ -1,3 +1,99 @@
+SPIP-Core v3.2.10 -> v3.2.11 (26 March 2021)
+
+
+b52a4a5b3 | cedric   | 2021-03-12 | twitterbot est aussi notre ami pour le laisser scraper l'url qu'on veut touitter (fil)
+58d5d6190 | cedric   | 2021-02-15 | Report de https://git.spip.net/spip-contrib-outils/securite/commit/e7b571681a92eb40edda24b45dc472e113c1 qui fix #4..
+6611fd50b | cedric   | 2021-02-15 | Report de https://git.spip.net/spip-contrib-outils/securite/commit/3eccaf41426d4f3c8f28b50d81e12fbe5f8af4c2
+62d33c975 | marcimat | 2021-03-26 | Notice-- : Attribut sans ses quotes... (realet)
+
+
+
+SPIP-Core v3.2.9 -> v3.2.10 (26 mars 2021)
+---
+
+0b1bd0542 | marcimat  | 2018-09-05 | Compat PHP 7.x : Scorie résiduelle du passage à mysqli. Mais ces fonctions ne semblent plus utilisées.
+7621a660a | marcimat  | 2021-03-19 | Retour partiel sur 31df72005 pour compat PHP 5.4 ...
+4de4b3c34 | marcimat  | 2021-03-19 | Correction deprecated php 7.4 : ordre de join inversé.
+0ea620c9a | marcimat  | 2018-09-05 | Tickets #4059 et #4138 : meilleure compat PHP 7.2
+f69b39c9e | marcimat  | 2021-03-18 | Suppression du fichier .gitattributes inutile.
+a54ab9a89 | rastapopoulos | 2021-03-14 | Backport de 2e55e3a60e à la main car plus dans le même fichier en 3.3.
+bdc53dcc9 | marcimat  | 2021-03-11 | Lorsqu'on déclare un traitement à un champ de rubrique, tel que `$table_des_traitements['DEMO']['rubriques'] = ...`, c..
+510983b09 | cedric| 2021-03-09 | Fix https://core.spip.net/issues/4442 : le vieux parseur xml a la main (qu'il faudrait virer) ne tolerait pas l'utilis..
+31df72005 | marcimat  | 2021-03-05 | Suite de e11b28be4 : plus éviter une fatale en PHP 8 si unicode2charset cherche à utiliser un charset inexistant
+00c2038da | marcimat  | 2021-03-05 | Correction d'une Fatale Suite à 27e4f1bcc. C'est sport mais le commit ajoute des accents dans le squelettes prive/sque..
+e380b0afd | cy.altern | 2021-03-04 | report a4cdf3b633
+916b67198 | marcimat  | 2021-03-04 | Ticket #4348 : Compat PHP 7.4 (deprecated curly braces array)
+910c245ea | marcimat  | 2020-03-26 | Compat PHP 7.4 : éviter une notice lorsque la pagination ne trouve aucune entrée.
+1b5549e51 | marcimat  | 2019-08-26 | Ticket #4348 : Compat PHP 7.4 (notice).
+c5492ea3e | marcimat  | 2019-08-26 | Ticket #4348 : Compat PHP 7.4 (deprecated curly braces array)
+da6dfc068 | marcimat  | 2019-08-26 | Ticket #4348 : Compat PHP 7.4, Trying to access array offset on value of type null.
+db1814dc5 | marcimat  | 2019-08-25 | Compat PHP 7.4, Deprecated:  Array and string offset access syntax with curly braces (Francky)
+330eb930f | marcimat  | 2019-06-17 | Ticket #4348 : Correction pour PHP 7.4 (Left-associative ternary operator deprecation)
+130ada180 | marcimat  | 2018-02-09 | Compatibilité PHP 7.2 : create_function => function xxx each => key, current, next
+8075d79f2 | marcimat  | 2017-12-11 |  Ticket #4059 : Compat PHP 7.2, remplacer un create_function.
+061107f80 | marcimat  | 2017-12-11 | Ticket #4059 : Compat PHP 7.2, remplacer des create_function.
+af94fa5d9 | marcimat  | 2017-12-11 | Ticket #4059 : Compat PHP 7.2, remplacer des 
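Review bot: two of the new v3.2.11 entries (58d5d6190 and 6611fd50b) are security backports identified only by a commit URL under spip-contrib-outils/securite, one of them with a truncated "qui fix #4.." reference, and the [Reason] section of the request does not mention them; please state what those two fixes address so the release team can weigh them. As a style point, the v3.2.11 section header lacks the `---` underline that the v3.2.10 header below it has.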

Bug#985759: marked as done (unblock: mosquitto/2.0.9-1)

2021-03-26 Thread Debian Bug Tracking System
Your message dated Fri, 26 Mar 2021 19:28:38 +
with message-id 
and subject line unblock mosquitto
has caused the Debian Bug report #985759,
regarding unblock: mosquitto/2.0.9-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985759
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mosquitto

[ Reason ]
Mosquitto 2.0.8 is currently in testing, Mosquitto 2.0.9 was released on
2021-03-11 and has sufficiently important fixes in it that I believe
should be in a Debian release.

The full debdiff is 1110 lines. If I reduce that to code-only changes it
drops to 387 (the remainder are documentation and extra tests), with
about 150 lines of actual affected code. It is a small bugfix release
with low risk but some reasonably important fixes.

[ Impact ]
I have listed the fixes below that I think are worth mentioning. The
other changes are of minor impact or are fixing strict compiler
warnings.

Client and library: There is a fairly minor security issue that affects
outgoing client connections only - if an empty or corrupt CA certificate
is provided to a client, then the initial connection would fail but
subsequent connections would succeed without verifying the remote server
certificate. There is a new test for this behaviour, but it is not in
the 2.0.9 release.

Build: The CMake build script was not enabling epoll(), so poll() was
being used instead which has a very detrimental impact on performance.

Server: Messages published with QoS 0 were not being delivered when
`max_queued_bytes` was configured. This has a big impact on users
wanting to use QoS 0, which is the most common QoS, but also set some
client limits. There is a new test to check this behaviour.

Server: If the `max_keepalive` option was set, this did not apply to
clients connecting with keepalive set to 0 (which means "infinite keepalive").
This gives a very straightforward means to circumvent the wishes of the
server operator, although in itself it isn't very important.

Server: The behaviour when setting acceptable TLS versions did not match
the documentation.

Server: Messages to '$' prefixed MQTT topics were being rejected. This
is not security critical but very annoying for a user wanting to use
that feature.

[ Tests ]
The release introduces a new test that covers one issue. A test
exists for the CA issue but is not part of this release.

[ Risks ]
I believe this to be low risk. Most of the code changes are reasonably
simple.

shairport-sync, kamailio-mqtt-module, and baresip-core depend on
libmosquitto1. The changes to the library code are trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
mosquitto_2.0.8-mosquitto-2.0.9.debdiff is the full debdiff.
mosquitto_2.0.8-mosquitto-2.0.9-code.debdiff is the code only debdiff.

unblock mosquitto/2.0.9-1

-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal-proposed'), (500, 'focal'), (100, 'focal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-48-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mosquitto-2.0.8/ChangeLog.txt mosquitto-2.0.9/ChangeLog.txt
--- mosquitto-2.0.8/ChangeLog.txt   2021-02-25 17:28:19.0 +
+++ mosquitto-2.0.9/ChangeLog.txt   2021-03-11 22:37:20.0 +
@@ -1,3 +1,39 @@
+2.0.9 - 2021-03-11
+==
+
+Security:
+- If an empty or invalid CA file was provided to the client library for
+  verifying the remote broker, then the initial connection would fail but
+  subsequent connections would succeed without verifying the remote broker
+  certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+  remote broker for an outgoing bridge connection then the initial connection
+  would fail but subsequent connections would succeed without verifying the
+  remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+  is empty or invalid. Closes #2130.
+- Fix 
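Review bot: the two Security entries describe a fail-open on an empty or invalid CA file (the first connection fails, later ones succeed without verifying the broker certificate), for both the client library and outgoing bridge connections, yet the request's [Tests] section says the regression test for this is not part of the release; please note in the request how the library and bridge paths of that fix were verified locally, since a fail-open TLS regression is the change most worth checking in this debdiff.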

Bug#985490: marked as done (unblock: flamerobin/0.9.3.6-2)

2021-03-26 Thread Debian Bug Tracking System
Your message dated Fri, 26 Mar 2021 19:29:25 +
with message-id 
and subject line unblock flamerobin
has caused the Debian Bug report #985490,
regarding unblock: flamerobin/0.9.3.6-2
to be marked as done.



-- 
985490: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985490
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package flamerobin

Version 0.9.3.6-2 fixes a serious bug in handling dir->symlink and symlink->dir 
migration when the package is upgraded from stable 
(https://bugs.debian.org/985289). Full source debdiff attached.

First I confirmed that the problem is present: removed the package, installed 
stable version (0.9.3~+20160512.c75f8618-2), upgraded to testing version 
(0.9.3.6-1), noted /usr/share/doc/flamerobin/html is still a symlink to 
/usr/share/flamerobin/docs instead of the reverse.

Then I tested whether the new package fixes the problem: removed the package 
again, installed the stable version and upgraded to the proposed version 
(0.9.3.6-2). /usr/share/doc/flamerobin/html now is a directory, and 
/usr/share/flamerobin/docs is a symlink to it. This is the wanted state, and 
this is what happens if the proposed version is installed anew.

I also checked that the small in-built documentation browser still finds its 
docs.


unblock flamerobin/0.9.3.6-2


Thanks,
dam
diff -Nru flamerobin-0.9.3.6/debian/changelog 
flamerobin-0.9.3.6/debian/changelog
--- flamerobin-0.9.3.6/debian/changelog 2021-01-11 10:07:02.0 +0200
+++ flamerobin-0.9.3.6/debian/changelog 2021-03-19 07:54:27.0 +0200
@@ -1,3 +1,25 @@
+flamerobin (0.9.3.6-2) unstable; urgency=medium
+
+  * ensure proper migration from docs symlink to directory and vice versa
+.
+In 0.9.3.5-1 /usr/share/flamerobin/docs was moved to
+/usr/share/doc/flamerobin/html with a symlink at the old location
+.
+Old state
+  /usr/share/doc/flamerobin/html -> ../../flamerobin/docs
+  /usr/share/flamerobin/docs -- a directory with HTML files
+New state
+  /usr/share/doc/flamerobin/html -- a directory with HTML files
+  /usr/share/flamerobin/docs -> ../doc/flamerobin/html
+.
+Since dpkg won't do dir<->symlink conversions, add maintscript for the
+two transitions. Also add Pre-Depends on dpkg 1.17.14 for maintscript
+support.
+.
+Thanks to Andreas Beckmann for reporting (Closes: #985289)
+
+ -- Damyan Ivanov   Fri, 19 Mar 2021 05:54:27 +
+
 flamerobin (0.9.3.6-1) unstable; urgency=medium
 
   * New upstream snapshot release
diff -Nru flamerobin-0.9.3.6/debian/control flamerobin-0.9.3.6/debian/control
--- flamerobin-0.9.3.6/debian/control   2021-01-11 10:02:34.0 +0200
+++ flamerobin-0.9.3.6/debian/control   2021-03-19 07:49:24.0 +0200
@@ -17,6 +17,7 @@
 
 Package: flamerobin
 Architecture: any
+Pre-Depends: dpkg (>= 1.17.14)
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Suggests: firebird3.0-server
 Description: graphical database administration tool for Firebird DBMS
diff -Nru flamerobin-0.9.3.6/debian/flamerobin.maintscript 
flamerobin-0.9.3.6/debian/flamerobin.maintscript
--- flamerobin-0.9.3.6/debian/flamerobin.maintscript1970-01-01 
02:00:00.0 +0200
+++ flamerobin-0.9.3.6/debian/flamerobin.maintscript2021-03-19 
07:49:24.0 +0200
@@ -0,0 +1,3 @@
+symlink_to_dir /usr/share/doc/flamerobin/html ../../flamerobin/docs 0.9.3.4-1
+
+dir_to_symlink /usr/share/flamerobin/docs ../doc/flamerobin/html 0.9.3.4-1
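Review bot: the prior-version argument of both maintscript entries is 0.9.3.4-1, while the changelog earlier in this debdiff says the docs directory was moved in 0.9.3.5-1. dpkg-maintscript-helper only performs the conversion when the previously installed version is lower than prior-version, so an upgrade from 0.9.3.4-1 itself (if that version shipped the old layout) would skip it; please confirm that 0.9.3.4-1 is the intended value rather than 0.9.3.5-1~ or the last version that shipped the old layout.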
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#985922: marked as done (unblock: u-boot/2021.01+dfsg-4)

2021-03-26 Thread Debian Bug Tracking System
Your message dated Fri, 26 Mar 2021 19:27:21 +
with message-id 
and subject line unblock u-boot
has caused the Debian Bug report #985922,
regarding unblock: u-boot/2021.01+dfsg-4
to be marked as done.



-- 
985922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985922
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
Severity: normal

Please unblock package u-boot

[ Reason ]

This version adds support for the pinetab platform and fixes a bug that
fails to detect some pinephone platforms. This also re-adds debugging
symbols that were lost late in the bullseye release cycle due to
upstream buildsystem changes.

[ Impact ]

Hardware support for another platform (pinetab) and working
installation process for another platform (pinephone). Ability to
debug u-boot using debugging symbols.

[ Tests ]

None.

[ Risks ]

Very low risk to existing platforms as this involves no code changes to
u-boot itself. Increases the installed size (~2MB) and .deb size
nominally for the u-boot-sunxi:arm64 package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

This is depended on by debian-installer for the arm64/armhf images, so
leaving this in a blocked state could impact debian-installer update
process.


unblock u-boot/2021.01+dfsg-4


Thanks for your work managing the release!


live well,
  vagrant

diff -Nru u-boot-2021.01+dfsg/debian/bin/u-boot-install-sunxi 
u-boot-2021.01+dfsg/debian/bin/u-boot-install-sunxi
--- u-boot-2021.01+dfsg/debian/bin/u-boot-install-sunxi 2021-02-28 
18:14:48.0 -0800
+++ u-boot-2021.01+dfsg/debian/bin/u-boot-install-sunxi 2021-03-12 
11:10:45.0 -0800
@@ -38,7 +38,9 @@
"OrangePi Zero Plus2") 
TARGET="/usr/lib/u-boot/orangepi_zero_plus2/" ;;
"OrangePi One Plus") 
TARGET="/usr/lib/u-boot/orangepi_one_plus/" ;;
"Pinebook") TARGET="/usr/lib/u-boot/pinebook" ;;
-   "Pine64 PinePhone (1."[12]")") 
TARGET='/usr/lib/u-boot/pinephone' ;;
+   "Pine64 PinePhone Braveheart (1.1)") 
TARGET='/usr/lib/u-boot/pinephone' ;;
+   "Pine64 PinePhone (1.2)") TARGET='/usr/lib/u-boot/pinephone' ;;
+   "PineTab") TARGET="/usr/lib/u-boot/pinetab" ;;
"Pine64+") TARGET="/usr/lib/u-boot/pine64_plus" ;;
"Pine64 LTS") TARGET="/usr/lib/u-boot/pine64-lts" ;;
"PineRiver Mini X-Plus") TARGET="/usr/lib/u-boot/Mini-X" ;;
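Review bot: the removed glob `"Pine64 PinePhone (1."[12]")"` matched any model string of the form "Pine64 PinePhone (1.1)" or "(1.2)", whereas the new 1.1 entry matches only "Pine64 PinePhone Braveheart (1.1)"; the changelog says this is the corrected device-tree model, so please confirm no shipped DTB still reports the old "(1.1)" string, otherwise that device silently falls through the case with no TARGET. Minor style point: the two PinePhone lines keep single quotes around the TARGET value while the new PineTab line and the rest of the case use double quotes.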
diff -Nru u-boot-2021.01+dfsg/debian/changelog 
u-boot-2021.01+dfsg/debian/changelog
--- u-boot-2021.01+dfsg/debian/changelog2021-03-01 00:00:18.0 
-0800
+++ u-boot-2021.01+dfsg/debian/changelog2021-03-12 15:00:43.0 
-0800
@@ -1,3 +1,18 @@
+u-boot (2021.01+dfsg-4) unstable; urgency=medium
+
+  [ Arnaud Ferraris ]
+  * Add support for the pinetab platform (Closes: #982982)
+  * u-boot-install-sunxi: fix device tree model for PinePhone 1.1
+(Closes: #984704)
+
+  [ Vagrant Cascadian ]
+  * debian/patches: Update PineTab patch use default bootdelay.
+  * debian/patches: Add Forwarded link to PineTab patch.
+  * debian/rules: Ensure debugging symbols are enabled.
+  * debian/rules: Pass argument to remove build path from debug symbols.
+
+ -- Vagrant Cascadian   Fri, 12 Mar 2021 15:00:43 -0800
+
 u-boot (2021.01+dfsg-3) unstable; urgency=medium
 
   [ Domenico Andreoli ]
diff -Nru 
u-boot-2021.01+dfsg/debian/patches/pinetab/0001-configs-add-PineTab-defconfig.patch
 
u-boot-2021.01+dfsg/debian/patches/pinetab/0001-configs-add-PineTab-defconfig.patch
--- 
u-boot-2021.01+dfsg/debian/patches/pinetab/0001-configs-add-PineTab-defconfig.patch
 1969-12-31 16:00:00.0 -0800
+++ 
u-boot-2021.01+dfsg/debian/patches/pinetab/0001-configs-add-PineTab-defconfig.patch
 2021-03-12 11:15:15.0 -0800
@@ -0,0 +1,45 @@
+From 2c346cacb4b0841051bceb27a57058020860ab8b Mon Sep 17 00:00:00 2001
+From: Arnaud Ferraris 
+Date: Wed, 2 Sep 2020 09:53:50 +0200
+Subject: [PATCH] configs: add PineTab defconfig
+Forwarded: https://patchwork.ozlabs.org/project/uboot/list/?series=232582
+
+The PineTab device-tree is already in u-boot, this commit adds the 
corresponding
+defconfig, based on pinephone_defconfig.
+
+Signed-off-by: Arnaud Ferraris 
+
+---
+ configs/pinetab_defconfig | 22 ++
+ 1 file 

Bug#985206: marked as done (unblock: puppet-module-puppetlabs-rabbitmq/8.5.0-6)

2021-03-26 Thread Debian Bug Tracking System
Your message dated Fri, 26 Mar 2021 19:26:02 +
with message-id 
and subject line unblock puppet-module-puppetlabs-rabbitmq
has caused the Debian Bug report #985206,
regarding unblock: puppet-module-puppetlabs-rabbitmq/8.5.0-6
to be marked as done.



-- 
985206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985206
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package puppet-module-puppetlabs-rabbitmq

While version 8.5.0-5 works for Bullseye, it introduced a regression
where it wouldn't work for Buster. Due to the nature of the package, it is
desirable to have it work for both Buster and Bullseye, especially to make
RabbitMQ cluster upgrades from Buster to Bullseye easier.

What happened is that the Rabbitmq-server version detection was broken
because of a change in the output of "rabbitmqctl -q status". So my first
approach was to add code like this:

 version = output.match(%r{\{rabbit,"RabbitMQ","([\d\.]+)"\}})
 @rabbitmq_version = version[1] if version
+if @rabbitmq_version == nil
+  version = output.match /RabbitMQ version: ([\d\.]+)/
+  @rabbitmq_version = version[1] if version
+end

This worked in Bullseye, but broke version detection in Buster. Then I
decided to simply change the original regular expression instead:

-version = output.match(%r{\{rabbit,"RabbitMQ","([\d\.]+)"\}})
+version = output.match(%r{(?:\{rabbit,"RabbitMQ","|RabbitMQ version: 
)([\d\.]+)})
 @rabbitmq_version = version[1] if version

This is what works, and what I would like to see in the Bullseye package,
that I uploaded in version 8.5.0-6.

Note that the debdiff (which I am not attaching because everything is well
explained above) also contains a patch refresh (un-fuzz line numbers), due to
the change of the original patch, but no other change. Let me know if you
still require a debdiff despite the (IMO) complete explanation above.

So, please unblock puppet-module-puppetlabs-rabbitmq/8.5.0-6 to get the
correct version detection in.

Cheers,

Thomas Goirand (zigo)
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#985943: buster-pu: package node-hosted-git-info/2.7.1-1+deb10u1

2021-03-26 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

[ Reason ]
node-hosted-git-info is vulnerable to RegExp Denial of Service

[ Impact ]
Medium security risk

[ Tests ]
Upstream tests still pass with this patch

[ Risks ]
Trivial change

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The shortcutMatch regex is cut into two pieces:
 - a simpler regexp
 - a distinct change to remove the .git suffix

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index b4038a0..f8baeef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hosted-git-info (2.7.1-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix ReDoS risk (Closes: CVE-2021-23362)
+
+ -- Yadd   Fri, 26 Mar 2021 15:17:21 +0100
+
 node-hosted-git-info (2.7.1-1) unstable; urgency=medium
 
   * New upstream version 2.7.1
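Review bot: `Fix ReDoS risk (Closes: CVE-2021-23362)` puts a CVE identifier in a Closes: field, which the BTS only parses for bug numbers; write it as `Fix ReDoS (CVE-2021-23362)` and, if a BTS bug exists for this issue, put that number in the Closes: field instead.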
diff --git a/debian/patches/CVE-2021-23362.patch 
b/debian/patches/CVE-2021-23362.patch
new file mode 100644
index 000..cadac62
--- /dev/null
+++ b/debian/patches/CVE-2021-23362.patch
@@ -0,0 +1,28 @@
+Description: avoid ReDoS
+Author: nlf 
+Origin: upstream, https://github.com/npm/hosted-git-info/commit/bede0dc3
+Bug: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2021-03-26
+
+--- a/index.js
 b/index.js
+@@ -42,7 +42,7 @@
+ isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+   )
+   var parsed = parseGitUrl(url)
+-  var shortcutMatch = url.match(new 
RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
++  var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/)
+   var matches = Object.keys(gitHosts).map(function (gitHostName) {
+ try {
+   var gitHostInfo = gitHosts[gitHostName]
+@@ -56,7 +56,7 @@
+   var defaultRepresentation = null
+   if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+ user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
+-project = decodeURIComponent(shortcutMatch[3])
++project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, ''))
+ defaultRepresentation = 'shortcut'
+   } else {
+ if (parsed.host && parsed.host !== gitHostInfo.domain && 
parsed.host.replace(/^www[.]/, '') !== gitHostInfo.domain) return
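Review bot: the `+++ b/index.js` header of the embedded patch appears as a bare ` b/index.js` line (the one following `+--- a/index.js`), so as shown here the patch would not apply; verify that the file in the upload is intact. On the regex itself, the replacement makes the `/` between user and project optional (`(?:([^/]*)\/)?`) where the old pattern required `[/]`, so an input such as `host:project` now matches as a shortcut with `shortcutMatch[2]` undefined; the existing `shortcutMatch[2] &&` guard copes with that, but it is a behaviour change that deserves a test case next to the new `.git` strip.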
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..cc0f664
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23362.patch


Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2021-03-26 Thread Salvatore Bonaccorso
On Fri, Mar 26, 2021 at 09:12:08AM +0100, Salvatore Bonaccorso wrote:
> Hi Arnaud,
> 
> On Fri, Jul 31, 2020 at 10:20:12AM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Mon, Mar 30, 2020 at 10:08:50PM +0100, Adam D. Barratt wrote:
> > > Hi,
> > > 
> > > On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> > > > Control: tag -1 - moreinfo
> > > > Control: tag -1 + confirmed
> > > > 
> > > > On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > > > > The debdiff attached brings in an upstream patch to fix
> > > > > CVE-2019-1020014, hence closes #933801.
> > > > > 
> > > > > This is my first contribution to Debian Stable, please check for
> > > > > beginner's mistakes ;)
> > > > > 
> > > > Please go ahead with the upload.
> > > 
> > > Ping on that.
> > 
> > Friendly ping on that.
> 
> As there was a go-ahead from the SRMs, could you do the update, or
> were some problems encountered with the update?

It looks like the collabora address is not valid anymore and the mail
bounced. Let me try arna...@debian.org directly.

Regards,
Salvatore



Bug#983110: buster-pu: package ipmitool/1.8.18-6 (CVE-2020-5208)

2021-03-26 Thread Salvatore Bonaccorso
Hi Thomas,

On Wed, Mar 17, 2021 at 07:01:35PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2021-02-20 at 22:43 +0100, Thomas Goirand wrote:
> > On 2/19/21 8:38 PM, Salvatore Bonaccorso wrote:
> > > Thanks for preparing this update! For the buster update, please
> > > adjust
> > > the target distribution to 'buster'.
> > > 
> > > Regards,
> > > Salvatore
> > 
> > Sure. I just attached the debdiff that I prepared for buster-
> > security,
> > without rebuilding. I'll rebuild accordingly when I get the go-head
> > from
> > Adam or Julien.
> 
> Please go ahead (with the distribution changed as noted).

Did you see the acknowledgement from Adam? If so, can you do the
upload? It will be missed for 10.9 now, but we can still have the
fix in the 10.10 point release.

Regards,
Salvatore



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2021-03-26 Thread Salvatore Bonaccorso
Hi Moritz,

On Fri, Jul 31, 2020 at 10:25:13AM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
> 
> On Tue, Jan 28, 2020 at 10:43:25PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > > Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> > > with backslashes) by improving validation of the post-logout URL
> > > parameter (backported from upstream, see 
> > > https://salsa.debian.org/debian/libapache2-mod-
> > > auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> > > 
> > 
> > Please go ahead; sorry for the delay.
> 
> Friendly ping on the acknowledgement from Adam. Moritz, did you
> receive it? Can you upload for the 10.6 point release?

Friendly ping for the inclusion in the 10.10 point release. Did you
get the above conversation?

Regards,
Salvatore



Bug#941901: buster-pu: package octavia/3.0.0-3

2021-03-26 Thread Salvatore Bonaccorso
Hi,

On Sun, Nov 10, 2019 at 05:08:54PM +0100, Thomas Goirand wrote:
> On 11/9/19 2:31 PM, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
> >> Since Buster was frozen, I worked quite a long time on Octavia, and
> >> was
> >> able to make the octavia-agent work properly, as well as building an
> >> Octavia base image using Debian only stuff [1]. It works super well
> >> using the next version of OpenStack, ie: Stein, while Buster has
> >> Rocky.
> >>
> >> Though I'd like to be able to provide a working Amphorae image using
> >> only stuff from Buster, if possible. This is what this update is
> >> about.
> >>
> > 
> > Please go ahead.
> > 
> > Regards,
> > 
> > Adam
> 
> Hi Adam,
> 
> On top of what you already approved, I'd like to also add what's in this
> commit:
> 
> https://salsa.debian.org/openstack-team/services/octavia/commit/25eb5debecfc53e3394ca9d5dcf2bc01c563915f
> 
> The reason is, instead of adding so many things when building the
> Octavia virtual machine image, it makes a lot of sense to instead push
> all of this in the Debian package. At the time of writing the package
> for Buster, I had no experience with this, though that's how I am
> building the image using Sid these days.
> 
> When we have these in the Octavia package, then building the official
> Buster image for Octavia will be super simple, and will integrate easily
> in the cloud team's scripts. Hopefully, we can publish such an Octavia
> image right after the next Buster point release.
> 
> I've uploaded the above. If you think that's not reasonable changes,
> please reject the package and let me know, then we can decide what you
> think can go in the Buster package and what shouldn't (though I really
> think all of the above is better suited in the package than in the image
> build script).

What is the status here? Should the package be rejected and only the
original changes included, or should the additional changes be accepted
as well?

Regards,
Salvatore



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2021-03-26 Thread Salvatore Bonaccorso
Hi Arnaud,

On Fri, Jul 31, 2020 at 10:20:12AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Mar 30, 2020 at 10:08:50PM +0100, Adam D. Barratt wrote:
> > Hi,
> > 
> > On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> > > Control: tag -1 - moreinfo
> > > Control: tag -1 + confirmed
> > > 
> > > On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > > > The debdiff attached brings in an upstream patch to fix
> > > > CVE-2019-1020014, hence closes #933801.
> > > > 
> > > > This is my first contribution to Debian Stable, please check for
> > > > beginner's mistakes ;)
> > > > 
> > > Please go ahead with the upload.
> > 
> > Ping on that.
> 
> Friendly ping on that.

As there was a go-ahead from the SRMs, could you do the update, or
were some problems encountered with the update?

Regards,
Salvatore



Bug#985782: unblock: cif2cell/2.0.0a1+dfsg-4

2021-03-26 Thread Andrius Merkys
On 2021-03-25 22:05, Ivo De Decker wrote:
> On Tue, Mar 23, 2021 at 02:48:01PM +0200, Andrius Merkys wrote:
>> I am seeking unblocking of cif2cell/2.0.0a1+dfsg-4.
> The deadline for packages that are not in testing has passed. Sorry.

I see. Thank you for the information, and sorry for the noise.

Best,
Andrius



Bug#933637: Bug#933636: CVE-2019-14934

2021-03-26 Thread Salvatore Bonaccorso
Hi Francois,

On Fri, Jul 31, 2020 at 10:18:23AM +0200, Salvatore Bonaccorso wrote:
> Hi Francois,
> 
> On Mon, Feb 10, 2020 at 03:59:22PM -0800, Francois Marier wrote:
> > On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > > 
> > > Friendly ping, any news? (It's too late now for the upcoming point
> > > release though).
> > 
> > It's still on my list, but not a very high priority. Definitely won't happen
> > until at least after the Ubuntu 20.04 Debian merge deadline.
> 
> It would now be too late for the 10.5 buster point release, but did you
> find time to finalize the debdiff for review for SRM? Then we might
> target 10.6.

There is meanwhile one more CVE which might be included. They are
at this time CVE-2019-14267, CVE-2020-9549, CVE-2019-14934 and
CVE-2020-20740, which are all marked no-dsa or unimportant (with
negligible security impact), but if you still would like to fix
those for buster, maybe we can close this report and then open a new one
with a revisited debdiff?

What do you think?

Regards,
Salvatore