Bug#992827: marked as done (nmu: step_4:21.08.0-1)
Your message dated Wed, 25 Aug 2021 08:39:00 +0900 with message-id and subject line Re: Bug#992827: nmu: step_4:21.08.0-1 has caused the Debian Bug report #992827, regarding nmu: step_4:21.08.0-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
992827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: debian-qt-...@lists.debian.org

step depends on the KDE PIM libraries that have recently been uploaded in version 21.08. To ensure co-installability, a rebuild is necessary.

nmu step_4:21.08.0-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08 libraries."
--- End Message ---

--- Begin Message ---
On Tue, 24 Aug 2021, Sebastian Ramacher wrote:
> > step depends on the KDE PIM libraries that have recently been uploaded
> > in version 21.08. To ensure co-installability, a rebuild is necessary.
>
> I'm not sure I can follow. What issues are you trying to solve with this
> binNMU?

Sorry, that was incorrect and is a different issue with respect to qalculate and newer versions I am packaging.

Sorry for the noise, closing this.

Best

Norbert

--
PREINING Norbert https://www.preining.info
Fujitsu Research + IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
--- End Message ---
Bug#992826: marked as done (nmu: kgpg_4:21.08.0-1)
Your message dated Tue, 24 Aug 2021 23:44:21 +0200 with message-id and subject line Re: Bug#992826: nmu: kgpg_4:21.08.0-1 has caused the Debian Bug report #992826, regarding nmu: kgpg_4:21.08.0-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
992826: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992826
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: debian-qt-...@lists.debian.org

kgpg depends on the KDE PIM libraries which have been recently uploaded. To ensure co-installability, it needs a rebuild.

nmu kgpg_4:21.08.0-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08 libraries."
--- End Message ---

--- Begin Message ---
On 2021-08-24 08:10:32 +0900, Norbert Preining wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: debian-qt-...@lists.debian.org
>
> kgpg depends on the KDE PIM libraries which have been recently uploaded.
> To ensure co-installability, it needs a rebuild.

Scheduled

Cheers

>
> nmu kgpg_4:21.08.0-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08
> libraries."
>

--
Sebastian Ramacher

signature.asc
Description: PGP signature
--- End Message ---
Bug#992825: marked as done (nmu: kmymoney_5.1.2-1)
Your message dated Tue, 24 Aug 2021 23:44:08 +0200 with message-id and subject line Re: Bug#992825: nmu: kmymoney_5.1.2-1 has caused the Debian Bug report #992825, regarding nmu: kmymoney_5.1.2-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
992825: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992825
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: debian-qt-...@lists.debian.org

kmymoney depends on the KDE PIM libraries which have recently been uploaded, and thus needs a rebuild to be co-installable.

nmu kmymoney_5.1.2-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08 libraries."
--- End Message ---

--- Begin Message ---
On 2021-08-24 08:07:39 +0900, Norbert Preining wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: debian-qt-...@lists.debian.org
>
> kmymoney depends on the KDE PIM libraries which have recently been
> uploaded, and thus needs a rebuild to be co-installable.
>
> nmu kmymoney_5.1.2-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08
> libraries."

Scheduled

Cheers

>

--
Sebastian Ramacher

signature.asc
Description: PGP signature
--- End Message ---
Bug#992827: nmu: step_4:21.08.0-1
Control: tags -1 moreinfo

On 2021-08-24 08:13:56 +0900, Norbert Preining wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: debian-qt-...@lists.debian.org
>
> step depends on the KDE PIM libraries that have recently been uploaded
> in version 21.08. To ensure co-installability, a rebuild is necessary.

I'm not sure I can follow. What issues are you trying to solve with this binNMU?

Cheers

>
> nmu step_4:21.08.0-1 . ANY . unstable . -m "Rebuild against KDE Gears 21.08
> libraries."
>

--
Sebastian Ramacher

signature.asc
Description: PGP signature
Processed: Re: Bug#992827: nmu: step_4:21.08.0-1
Processing control commands:

> tags -1 moreinfo
Bug #992827 [release.debian.org] nmu: step_4:21.08.0-1
Added tag(s) moreinfo.

-- 
992827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#992371: marked as done (transition: opensubdiv)
Your message dated Tue, 24 Aug 2021 23:39:09 +0200 with message-id and subject line Re: Bug#992371: transition: opensubdiv has caused the Debian Bug report #992371, regarding transition: opensubdiv to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
992371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992371
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi Release Team!

Following advice/request from fellow DD elbrus, I'm filing this transition bug report to track down the one-package transition of the opensubdiv library.

The only reverse dependency for osd is blender, as in [1]; I've already test-built it to check for any FTBFS and it builds fine.

Thanks for your time and patience.

mfv

[1] https://release.debian.org/transitions/html/auto-opensubdiv.html

Ben file:

title = "opensubdiv";
is_affected = .depends ~ "libosdcpu3.4.3" | .depends ~ "libosdgpu3.4.3" | .depends ~ "libosdcpu3.4.4" | .depends ~ "libosdgpu3.4.4";
is_good = .depends ~ "libosdcpu3.4.4" | .depends ~ "libosdgpu3.4.4";
is_bad = .depends ~ "libosdcpu3.4.3" | .depends ~ "libosdgpu3.4.3";

--
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A

signature.asc
Description: PGP signature
--- End Message ---

--- Begin Message ---
On 2021-08-18 23:12:29 +0200, Matteo F. Vescovi wrote:
> Control: tags -1 -moreinfo
>
> Hi again!
>
> On 2021-08-18 at 21:46 (+02), Paul Gevers wrote:
> > [...]
> >
> > Please go ahead.
> >
> > [...]
>
> I've just uploaded the library to unstable/sid; thus removing
> the 'moreinfo' tag accordingly.

The old binary packages got removed. Closing.

Cheers

>
> Thanks.
>
>
> --
> Matteo F. Vescovi || Debian Developer
> GnuPG KeyID: 4096R/0x8062398983B2CF7A

--
Sebastian Ramacher

signature.asc
Description: PGP signature
--- End Message ---
Bug#992870: transition: GNOME 40 (libmutter-8-0 and friends)
On Tue, 24 Aug 2021 at 15:23:24 +0100, Simon McVittie wrote:
> Core packages:
>
> - gsettings-desktop-schemas (must go first)
> - gnome-settings-daemon
> - gnome-control-center
> - mutter
> - gnome-shell
> - gnome-desktop3
>   - this one is not strictly versioned, but it'll be less confusing
>     for everyone if we upload it as part of the same transaction
> - budgie-desktop (non-GNOME package, fixed version in Ubuntu but not
>   experimental)

It looks as though we should be able to limit the libmutter-8-0 transition to just this cluster of packages. A suitable budgie-desktop version is available in experimental now (kudos to its maintainer for doing that so quickly).

> Entanglement that I know about so far:
>
> - libgweather has some sort of incompatible behaviour changes without
>   a SONAME bump. I need to look into this.

What has happened here is that the network services libgweather relies on are now requiring more info, which the old libgweather literally did not have available to it. No symbols have been removed from its ABI, so no SONAME bump; but to actually get weather information, callers now need to provide an application ID and developer contact info, by setting properties that previously didn't exist. Additionally, there is an API (but not ABI) change as a result of one of the network services being renamed.

It looks as though we should be able to cut the knot by applying some small patches to gnome-shell (making it provide the new properties if and only if it sees a new version) and to gnome-settings-daemon (it doesn't use this part of the API, and its dependency was bumped because it stopped using now-deprecated functions; we can add a version-check guard).

The new libgweather is still entangled with the new evolution-data-server, but that can be for someone else to sort out. It's compile-time-compatible with either version, but is currently forced to use the new version because we only have one experimental.

    smcv
Processed: fwupd: binNMUs produce broken Built-Using for fwupd-*-signed
Processing control commands:

> block 981078 by -1
Bug #981078 [release.debian.org] transition: libxmlb
981078 was not blocked by any bugs.
981078 was not blocking any bugs.
Added blocking bug(s) of 981078: 992910

-- 
981078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981078
992910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Hi Salvatore!!

On Tue, Aug 24, 2021 at 03:17:36PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
>
> On Tue, Aug 24, 2021 at 01:57:26PM +0200, Alberto Gonzalez Iniesta wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > Hi,
> >
> > This [1] security bug was found in modsecurity-crs.
> > As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> > does not seem necessary (security team on Cc:) so I'm targeting buster
> > proposed updates instead.
> >
> > Here's the debdiff. Hope it's all OK.
> >
> > I'll wait for your instructions before uploading.
>
> Correct, we marked the CVE as no-dsa for both buster and bullseye. I
> would suggest to first fix this in unstable, which is sort of
> a prerequisite to get the fix in stable and oldstable via the point
> releases.

Yes, updated package got in unstable today.

> Do you have an update as well pending for bullseye?

Yes, I'll open a new PU request for it too.

Thanks,

Alberto

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, This [1] security bug was found in modsecurity-crs. As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA does not seem necessary (security team on Cc:) so I'm targeting buster proposed updates instead. Here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading. Cheers, Alberto [1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog --- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.0 +0100 +++ modsecurity-crs-3.1.0/debian/changelog 2021-08-24 12:37:59.0 +0200 @@ -1,3 +1,10 @@ +modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium + + * Add upstream patch to fix request body bypass +CVE-2021-35368 (Closes: #992000) + + -- Alberto Gonzalez Iniesta Tue, 24 Aug 2021 12:37:59 +0200 + modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium * Add upstream patch to fix php script upload rules. diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch --- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 2021-08-24 12:32:08.0 +0200 
@@ -0,0 +1,130 @@ +From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001 +From: Walter Hop +Date: Wed, 30 Jun 2021 12:56:51 +0200 +Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +--- +diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +index 1f511c38..c9bb8693 100644 +--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +@@ -64,6 +64,14 @@ + + SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ ++phase:1,\ ++pass,\ ++t:none,\ ++nolog,\ ++skipAfter:END-DRUPAL-RULE-EXCLUSIONS" ++ ++SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ ++"id:9001001,\ + phase:2,\ + pass,\ + t:none,\ +@@ -254,52 +262,58 @@ + # + # Extensive checks make sure these uploads are really legitimate. + # +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001180,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001182,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ +-"chain" +-SecRule ARGS:destination "@streq admin/content/assets" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001184,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Type "@streq 
multipart/form-data" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++#"id:9001180,\ ++#phase:1,\ ++#pass,\ ++#t:none,\ ++#nolog,\ ++#noauditlog,\ ++#chain" ++#SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ ++#"chain" ++#SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++#"ctl:requestBodyAccess=Off" ++ ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++#"id:9001182,\ ++#phase:1,\ ++#pass,\ ++#t:none,\ ++#nolog,\ ++#noauditlog,\ ++#chain" ++#SecRule
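Review bot: the comment header above the second disabled block in the REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf hunk reads "Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368." but the rule it precedes is 9001182; the header should name 9001182 so that anyone auditing the exclusion file later can match each comment to the rule id it describes. The rest of the hunk is consistent with the fix the patch subject announces: the three phase:1 rule chains that matched REQUEST_FILENAME with an end-anchored regex and then issued ctl:requestBodyAccess=Off are disabled rather than tightened, and the phase:2 skipAfter rule is split so that rule 9001000 now skips the file in phase:1 and the renumbered 9001001 keeps doing so in phase:2 when the Drupal exclusions are switched off.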
Processed: block 992870 with 992872
Processing commands for cont...@bugs.debian.org:

> block 992870 with 992872
Bug #992870 [release.debian.org] transition: GNOME 40 (libmutter-8-0 and friends)
992870 was not blocked by any bugs.
992870 was not blocking any bugs.
Added blocking bug(s) of 992870: 992872
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
992870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#992870: transition: GNOME 40 (libmutter-8-0 and friends)
Package: release.debian.org
Severity: normal
Tags: moreinfo
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

We're heading towards the point where GNOME 40 is ready for unstable. This involves the usual libmutter transition. In addition, there have been various functionality moves and other reshuffles among core GNOME packages. I think it will be best if we deliberately *avoid* uploading some of the core GNOME packages to unstable until we are fully ready for the transition.

We are *not* ready for a transition slot yet (hence moreinfo tag), but I'm opening this bug early so we can mark it with its blockers.

Core packages:

- gsettings-desktop-schemas (must go first)
- gnome-settings-daemon
- gnome-control-center
- mutter
- gnome-shell
- gnome-desktop3
  - this one is not strictly versioned, but it'll be less confusing for everyone if we upload it as part of the same transaction
- budgie-desktop (non-GNOME package, fixed version in Ubuntu but not experimental)

Additionally, libgweather entangles the transition with:

- libgweather (has Breaks on lots of things)
- evolution-data-server :-(
- gnome-applets
- gnome-calendar
- gnome-panel
- gnome-weather
- wmforecast (non-GNOME package, fixed version in experimental)

Entanglement that I know about so far:

- libgweather has some sort of incompatible behaviour changes without a SONAME bump. I need to look into this. I hope this part can be broken out into a separate transition or something, perhaps by backporting support for the new libgweather into old callers or by temporarily adding compatibility with the old libgweather to new callers, because it links the mutter and evolution-data-server transitions and that doesn't seem ideal.

- Many new packages need the new gsettings-desktop-schemas.

- As usual, the new gnome-shell requires the new mutter, while the old gnome-shell requires the old mutter. We have to do this part in lockstep.

- GNOME Shell has changed its workspace layout from vertical to horizontal, and the default keybindings in gsettings-desktop-schemas have changed Super+PgUp, Super+PgDn to match. The new default keybindings will make no sense for the old Shell. I don't think this is necessarily important enough to need a Depends/Breaks, but we should minimize the time that this situation exists for.

- Mouse settings have moved from gnome-settings-daemon to gsettings-desktop-schemas. If we have the new g-s-d and the old g-d-s, things will still technically work, but gnome-tweaks will seem broken (because it's using the new settings that the old g-s-d ignores).

- Responsibility for audible feedback when taking a screenshot moved from gnome-settings-daemon to gnome-shell. Again, this isn't important enough to need Depends/Breaks, but we should minimize the skew.

- gnome-control-center configures all the other core packages so its version should not diverge.

Ben file for the mutter transition, which is the key thing here:

title = "mutter";
is_affected = .depends ~ "libmutter-7-0" | .depends ~ "libmutter-8-0";
is_good = .depends ~ "libmutter-8-0";
is_bad = .depends ~ "libmutter-7-0";
Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Hi

On Tue, Aug 24, 2021 at 03:17:40PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
>
> On Tue, Aug 24, 2021 at 01:57:26PM +0200, Alberto Gonzalez Iniesta wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > Hi,
> >
> > This [1] security bug was found in modsecurity-crs.
> > As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> > does not seem necessary (security team on Cc:) so I'm targeting buster
> > proposed updates instead.
> >
> > Here's the debdiff. Hope it's all OK.
> >
> > I'll wait for your instructions before uploading.
>
> Correct, we marked the CVE as no-dsa for both buster and bullseye. I
> would suggest to first fix this in unstable, which is sort of
> a prerequisite to get the fix in stable and oldstable via the point
> releases.
>
> Do you have an update as well pending for bullseye?

This should have gone as well to the actual bug, #992863. Apologies for the doubled message now.

Regards,
Salvatore
Bug#992868: transition: schroedinger-coordgenlibs
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

I would like to request a transition slot for schroedinger-coordgenlibs (experimental -> unstable) due to a soname bump. The current ben tracker [1] is fine, and ratt successfully rebuilds all reverse build dependencies.

Thanks,
Andrius

[1] https://release.debian.org/transitions/html/auto-schroedinger-coordgenlibs.html
Processed: Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was elb...@debian.org).
> usertag 991811 = pu
Usertags were: unblock.
Usertags are now: pu.
> tags 991811 = buster
Bug #991811 {Done: Paul Gevers } [release.debian.org] unblock: libapache2-mod-auth-openidc/2.4.9-1
Added tag(s) buster.
> reopen 991811
Bug #991811 {Done: Paul Gevers } [release.debian.org] unblock: libapache2-mod-auth-openidc/2.4.9-1
Bug reopened
Ignoring request to alter fixed versions of bug #991811 to the same values previously set
> retitle 991811 buster-pu:package libapache2-mod-auth-openidc/2.4.9-1~deb10u1
> (pre-approval)
Bug #991811 [release.debian.org] unblock: libapache2-mod-auth-openidc/2.4.9-1
Changed Bug title to 'buster-pu:package libapache2-mod-auth-openidc/2.4.9-1~deb10u1 (pre-approval)' from 'unblock: libapache2-mod-auth-openidc/2.4.9-1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
991811: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991811
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
user release.debian@packages.debian.org
usertag 991811 = pu
tags 991811 = buster
reopen 991811
retitle 991811 buster-pu:package libapache2-mod-auth-openidc/2.4.9-1~deb10u1 (pre-approval)
thanks

Hi Christoph,

On 24-08-2021 13:10, Christoph Martin wrote:
> @Release Team: What do you recommend?

This bug was closed, so most communication wasn't really visible in the SRM workflow. I hope I got the meta info right now.

Paul

OpenPGP_signature
Description: OpenPGP digital signature
Re: Bug#991811: unblock: libapache2-mod-auth-openidc/2.4.9-1
Hi Salvatore, dear Release Team,

On 23.08.21 at 14:46, Salvatore Bonaccorso wrote:
> Hi Christoph,
>
> On Mon, Aug 23, 2021 at 01:17:18PM +0200, Christoph Martin wrote:
>> Hi Salvatore,
>>
>> On 19.08.21 at 21:32, Salvatore Bonaccorso wrote:
>>> Hi Christoph,
>>>
>>> On Tue, Aug 10, 2021 at 01:42:32PM +0200, Christoph Martin wrote:
>>>> Dear Security Team,
>>>>
>>>> the fixed version is now in bullseye. Thanks for that.
>>>>
>>>> What is the plan for buster and stretch? Do you prepare fixes?
>>>
>>> thanks for following up on that. For buster, can you fix those issues,
>>> and ideally as well CVE-2019-14857 (#942165) and CVE-2019-20479 via an
>>> upcoming buster point release?
>>
>> Ok. I prepare that update. That would be a version 2.4.9-1~deb11u1 ?
>
> Depends (but then ~deb10u1).

You are right. My fault.

> Why I say depends: buster has currently
> 2.3.10.2-1, and I'm not sure if we can be confident to bump the
> version from 2.3.10.2 upstream to 2.4.9? This has to be acked by the
> release team if suitable.
>
> If SRM agree on importing the 2.4.9 version: if it is merely a rebuild
> of the bullseye package back for buster, then 2.4.9-1~deb10u1 would be
> good, if it's an import of new upstream on top of the current
> packaging instead I would choose 2.4.9-0+deb10u1.

It would be a rebuild of the bullseye package for buster.

As I commented in the fix for bullseye in Bug 991811:

> The fix to CVE-2021-32791 looks quite big, so that I think it is not
> safe to backport it to 2.4.4.1 like the others could be.

So a backport seems not to be a good solution.

I tested the bullseye package on buster and even that works without a problem in buster.

> But the most important question here is if SRM agree on bumping the
> version to 2.4.9.
>
> If feasible to cherry-pick the needed patches then this would be
> 2.3.10.2-1+deb10u1.
>

@Release Team: What do you recommend?

Christoph

OpenPGP_signature
Description: OpenPGP digital signature
Bug#992646: transition: ace
On Mon, Aug 23, 2021 at 7:42 PM Sebastian Ramacher wrote:
> > Small transition with only two affected packages: diagnostics, ivtools.
> > Both of them build fine with the ace 7.0.3+dfsg-1 version in experimental.
> >
> > The autogenerated ben tracker looks good. Please consider 'ace' for
> > transition.
> > Thanks in advance.
>
> Please go ahead

Thanks. Uploaded to unstable.

--
Regards
Sudip
Bug#992843: bullseye-pu: package apr/1.7.0-6+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. [ Impact ] Medium vulnerability [ Tests ] No change in test (test launched only during build, no autopkgtest here) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] This patch just adds some little checks (a month should not be outside of [1-12] Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 2331e3e..355b51a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +apr (1.7.0-6+deb11u1) bullseye; urgency=medium + + * Team upload + + [ Salvatore Bonaccorso ] + * Out-of-bounds array dereference in apr_time_exp*() functions +(CVE-2021-35940) (Closes: #992789) + + -- Yadd Tue, 24 Aug 2021 09:18:26 +0200 + apr (1.7.0-6) unstable; urgency=medium [ John Paul Adrian Glaubitz ] diff --git a/debian/patches/CVE-2021-35940.patch b/debian/patches/CVE-2021-35940.patch new file mode 100644 index 000..6f215fc --- /dev/null +++ b/debian/patches/CVE-2021-35940.patch 
@@ -0,0 +1,47 @@ +Description: SECURITY: CVE-2021-35940 (cve.mitre.org) + Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though + was addressed in 1.6.x in 1.6.3 and later via r1807976. + . + The fix was merged back to 1.7.x in r1891198. + . + Since this was a regression in 1.7.0, a new CVE name has been assigned + to track this, CVE-2021-35940. +Origin: upstream, https://svn.apache.org/viewvc?view=revision=1891198 +Bug-Debian: https://bugs.debian.org/992789 +Forwarded: not-needed +Last-Update: 2021-08-20 + +--- a/time/unix/time.c b/time/unix/time.c +@@ -142,6 +142,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) +--- a/time/win32/time.c b/time/win32/time.c +@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t + static const int dayoffset[12] = + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + ++if (tm->wMonth < 1 || tm->wMonth > 12) ++return APR_EBADDATE; ++ + /* Note; the caller is responsible for filling in detailed tm_usec, + * tm_gmtoff and tm_isdst data when applicable. + */ +@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) diff --git a/debian/patches/series b/debian/patches/series index 6d8be19..4003573 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ use_fcntl_locking.patch cross.patch python3-hashbang.patch generic-64bit-atomics.patch +CVE-2021-35940.patch
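Review bot: `return APR_EBADDATE;` is added in the time/win32/time.c hunk inside a function the hunk header shows as `static void SystemTimeToAprExpTime(apr_t...`; a return statement with a value in a void function is a constraint violation that every C compiler diagnoses, so this hunk cannot be right as written. It does not affect this upload, because the win32 directory is not compiled on Debian's Linux builds, but since the patch is marked Origin: upstream it is worth raising with upstream before the same text gets reused. The two time/unix/time.c hunks are consistent with the field they check and with the table they protect: tm_mon is zero-based, so `< 0 || >= 12` is exactly the bound of the 12-entry dayoffset[] array, while wMonth is one-based and gets `< 1 || > 12`; the "[1-12]" in the [ Changes ] text describes only the Windows form.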
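The [ Reason ] paragraph and the unix hunks above describe the defect: apr_time_exp_get() and its siblings index a 12-entry dayoffset[] table with a caller-supplied tm_mon, so a month outside 0..11 reads past the array. The following is an added example, not APR's code: a simplified re-implementation of the day-count step in apr_time_exp_get(), using the dayoffset[] values from the patch context and the same March-shifted leap-year arithmetic, with the bounds check the patch adds in front of the table lookup. DEMO_EBADDATE stands in for APR_EBADDATE, the year is a full calendar year rather than APR's years-since-1900, and the 719468 epoch constant follows from that choice; all three are assumptions of this example.

```c
/* Added example (not APR's code): simplified day-count step of
 * apr_time_exp_get() with the CVE-2021-35940 month check in place. */
#include <stdio.h>

/* Stand-ins for APR_EBADDATE / APR_SUCCESS; values constructed for this example. */
#define DEMO_EBADDATE (-1)
#define DEMO_OK 0

/* Days from 1 March to the first day of each month, as in the patch context.
 * Index 0 is January, matching the zero-based tm_mon of apr_time_exp_t. */
static const int dayoffset[12] =
    {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};

/* Days between 1970-01-01 and the given civil date (full year, zero-based
 * month, one-based day of month). Returns DEMO_OK and stores the count in
 * *out, or DEMO_EBADDATE when tm_mon would index outside dayoffset[].
 * Like the patch, it validates only the month; tm_mday is taken as given. */
int days_since_epoch(int year, int tm_mon, int tm_mday, long *out)
{
    long y, days;

    /* The fix: without this test, tm_mon = 12 or tm_mon = -1 reads one
     * element past either end of the 12-entry table (the out-of-bounds
     * read behind CVE-2021-35940 / CVE-2017-12613). */
    if (tm_mon < 0 || tm_mon >= 12)
        return DEMO_EBADDATE;

    /* Start the year on 1 March so the leap day is the last day of the
     * shifted year; January and February belong to the previous year. */
    y = year;
    if (tm_mon < 2)
        y--;

    /* Whole shifted years: 365 days each plus one per Gregorian leap year. */
    days = y * 365 + y / 4 - y / 100 + y / 400;
    days += dayoffset[tm_mon] + tm_mday - 1;
    days -= 719468;  /* the same sum evaluated for 1970-01-01, so epoch = day 0 */

    *out = days;
    return DEMO_OK;
}

int main(void)
{
    long d;
    int rc;

    rc = days_since_epoch(2021, 7, 24, &d);   /* 24 Aug 2021 (this thread's date) */
    printf("rc=%d days=%ld\n", rc, d);

    rc = days_since_epoch(2021, 12, 24, &d);  /* month out of range: rejected */
    printf("rc=%d (rejected)\n", rc);
    return 0;
}
```

Running it prints day 18863 for 24 August 2021 and a rejection for month 12; the table lookup is never reached with a bad index. Validating the month before the lookup rather than clamping it is the right choice here because a silently wrong date is harder to notice than an error return.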