Bug#1007905: transition: icu

2022-03-20 Thread GCS
On Sat, Mar 19, 2022 at 8:28 AM Adrian Bunk  wrote:
> On Fri, Mar 18, 2022 at 06:05:38PM +, Simon McVittie wrote:
> > Obviously all these copies of essentially the same codebase are quite
> > unfortunate, but mozjs and ICU seem to be sufficiently tightly-coupled
> > that perhaps using its vendored version of ICU, at least temporarily,
> > would be wiser than using the system copy?
>
> IMHO unblocking GNOME by temporarily making mozjs91 use its vendored
> version until the ICU transition would be a reasonable approach.
 OK.

> > On Fri, 18 Mar 2022 at 18:26:41 +0100, László Böszörményi (GCS) wrote:
> > > Speak of the devil. ICU 71.1 RC [1] just released. Final is expected
> > > in April (two-three weeks). Would you two mind if I package it and ask
> > > for testing of your packages (mozjs91 and nodejs) against it?
> >
> > Speaking only for myself, I'm flexible about timings for this; but Ubuntu
> > has already done the ICU 70.1 transition and is currently using it for
> > their next LTS release, and 2-3 weeks is probably too late for them to
> > do another transition before their freeze deadline.
 Can you elucidate why Ubuntu would be forced to do the ICU 71.1
transition for their current to be released LTS version?

> Does Ubuntu even care either way?
 I think no.

> AFAIK both now and in 2-3 weeks is inside their freeze.
 Exactly. As Matthias noted, we were in contact and helped them a bit
for doing the transition in Ubuntu. Blame me that I didn't start ICU
transition at the same time for Debian.
Now a status update in short. ICU 71.1 RC looks identical in API sense
to ICU 70.1 meaning all packages fail or build the same way with both
versions.
I've packaged ICU 71.1 RC at least and restarted the rebuilds on i386
_and_ amd64 parallel. This slowed me down, but I can report the
following. Package haskell-text-icu FTBFS, but the patch I've provided
[1] still fixes the issue. As noted, mozjs78 and 0ad FTBFS in my
pbuilder setups.
Other packages are built with ICU 70.1 and I'm at level3 with ICU 71.1
RC. Already built ceph, chromium and postgresql-14 with it on that
level. Any objection not to upload ICU 71.1 RC to experimental right
now?

Regards,
Laszlo/GCS
[1] https://bugs.debian.org/1004093



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-20 Thread Kurt Roeckx
On Mon, Mar 21, 2022 at 12:12:11AM +0100, Sebastian Andrzej Siewior wrote:
> 
> The change in openssl is commit
>    cc7c6eb8135b ("Check that the default signature type is allowed")

So that's:
commit cc7c6eb8135be665d0acc176a5963e1eaf52e4e2
Author: Kurt Roeckx 
Date:   Thu Jan 2 22:53:32 2020 +0100

Check that the default signature type is allowed

TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the
others. TLS 1.2 sends a list of supported ciphers, but allows not sending
it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory.

When we didn't receive a list from the client, we always used the
defaults without checking that they are allowed by the configuration.

Reviewed-by: Paul Dale 
GH: #10784
(cherry picked from commit b0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5)


Kurt



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-20 Thread Sebastian Andrzej Siewior
On 2022-03-20 23:15:57 [+0100], Kurt Roeckx wrote:
> > https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> > 
> > Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > FAIL [11]../../tests/suite/testcompat-main-openssl
> > 
> > Which, according to me, is this check:
> > https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307
> 
> That test still seems to exist, but is just moved to a different file:
> https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255
> 
> My understanding is that gnutls now passes the correct list of signature
> algorithms to use to OpenSSL's s_client to be able to do that test, and
> that this is probably fixed by:
> https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
> (and 
> https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)
> 
> I'm trying to remember what was changed and why, but I can't
> find/remember it.

The change in openssl is commit
   cc7c6eb8135b ("Check that the default signature type is allowed")

The server is
openssl s_server -quiet -www -accept 57687 -keyform pem -certform pem -tls1 \
 -key tests/certs/ecc384.pem -cert tests/certs/cert-ecc384.pem -Verify 1 \
 -named_curve secp384r1 -CAfile tests/certs/ca-cert-ecc.pem

The client is
/usr/bin/gnutls-cli -p 57687 127.0.0.1 \
  --priority NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL \
  --insecure --x509certfile tests/certs/cert-ecc384.pem --x509keyfile tests/certs/ecc384.pem
Before the commit in question it connects as:
  - Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)

after that, the server throws:
  140490373015360:error:14201044:SSL routines:tls_choose_sigalg:internal error:../ssl/t1_lib.c:2880:

and it appears that the security level in openssl forbids SHA1 here.
The argument on the s_server side
 -sigalgs RSA+SHA1:RSA+SHA256:DSA+SHA1:DSA+SHA256

doesn't help here but
 -cipher "ALL:@SECLEVEL=1"

does. 

> Kurt

Sebastian
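
An added illustration, not part of the original message and not OpenSSL source code: a simplified C model of the behaviour discussed above, where a server that receives no signature-algorithm list falls back to SHA1 for ECDSA and, after the commit, checks that default against the security level. Assumptions of this model: a hash is rated at half its digest length in bits, levels 1 and 2 require at least 80 and 112 bits, and the names `choose_ecdsa_sigalg`, `check_default` and `SAMPLE_TLS12_LIST` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; this is not OpenSSL source code. */
struct sigalg {
    const char *name;
    int digest_bytes;              /* output size of the signature hash */
};

static const struct sigalg ECDSA_SHA1   = { "ecdsa_sha1", 20 };
static const struct sigalg ECDSA_SHA384 = { "ecdsa_secp384r1_sha384", 48 };

/* Constructed sample: a list a TLS 1.2 client might send, in its preference order. */
static const struct sigalg *const SAMPLE_TLS12_LIST[] = { &ECDSA_SHA1, &ECDSA_SHA384 };
#define SAMPLE_TLS12_LEN (sizeof(SAMPLE_TLS12_LIST) / sizeof(SAMPLE_TLS12_LIST[0]))

/* Assumption: a signature hash is rated at half its digest length in bits. */
static int security_bits(const struct sigalg *sa)
{
    return sa->digest_bytes * 4;
}

/* Assumption: minimum rating required at security levels 0..5. */
static int level_min_bits(int level)
{
    static const int min_bits[] = { 0, 80, 112, 128, 192, 256 };
    if (level < 0) level = 0;
    if (level > 5) level = 5;
    return min_bits[level];
}

static int allowed(const struct sigalg *sa, int level)
{
    return security_bits(sa) >= level_min_bits(level);
}

/*
 * Choose the signature algorithm for an ECDSA server key.
 *   peer, n        list received from the client; NULL/0 when none was sent,
 *                  which is always the case for TLS < 1.2
 *   level          configured security level
 *   check_default  0 models the behaviour before the commit (default used
 *                  unchecked), 1 the behaviour after it
 * Returns the chosen algorithm, or NULL when the handshake has to fail.
 */
static const struct sigalg *choose_ecdsa_sigalg(const struct sigalg *const *peer,
                                                size_t n, int level,
                                                int check_default)
{
    if (peer != NULL && n > 0) {
        /* A list was sent: take the first entry the level permits. */
        for (size_t i = 0; i < n; i++)
            if (allowed(peer[i], level))
                return peer[i];
        return NULL;
    }
    /* No list: the fixed default for non-RSA keys is SHA1. */
    if (check_default && !allowed(&ECDSA_SHA1, level))
        return NULL;
    return &ECDSA_SHA1;
}

static const char *describe(const struct sigalg *sa)
{
    return sa != NULL ? sa->name : "handshake failure";
}

int main(void)
{
    for (int level = 1; level <= 2; level++) {
        printf("security level %d\n", level);
        printf("  no list, default unchecked: %s\n",
               describe(choose_ecdsa_sigalg(NULL, 0, level, 0)));
        printf("  no list, default checked:   %s\n",
               describe(choose_ecdsa_sigalg(NULL, 0, level, 1)));
        printf("  TLS 1.2 list received:      %s\n",
               describe(choose_ecdsa_sigalg(SAMPLE_TLS12_LIST, SAMPLE_TLS12_LEN,
                                            level, 1)));
    }
    return 0;
}
```

In this model the TLS 1.0 case only succeeds at level 1 once the default is checked, which matches the report that `-cipher "ALL:@SECLEVEL=1"` makes the test pass.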



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_mipsel-buildd.changes
  ACCEPT



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_armel-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_mips64el-buildd.changes
  ACCEPT



Bug#1007792: nmu: fdroidcl_0.5.0-3+b3

2022-03-20 Thread Jochen Sprickerhof

Hi Sebastian,

* Sebastian Ramacher  [2022-03-19 18:08]:
> Control: tags -1 moreinfo
>
> On 2022-03-16 20:38:48 +0100, Jochen Sprickerhof wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: binnmu
> > X-Debbugs-Cc: jspri...@debian.org
> >
> > nmu fdroidcl_0.5.0-3+b3 . ANY . unstable . -m "rebuild with new golang version"
>
> There is currently no golang transition ongoing. Why is this necessary?


fdroidcl was removed from testing due to being built with golang-1.15.
I've tested it locally with the current golang version and it builds
fine, so a binnmu would be enough.


Actually I just saw that there are some minor changes in git so I could 
also upload a new version. Given that this is not the first testing 
removal, is there anything I should change in the package to fix this?


Cheers Jochen




Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-20 Thread Kurt Roeckx
On Sun, Mar 20, 2022 at 10:00:15PM +0100, Paul Gevers wrote:
> Dear Sebastian, Kurt,
> 
> On 19-03-2022 12:33, Adam D Barratt wrote:
> > Upload details
> > ==
> > 
> > Package: openssl
> > Version: 1.1.1n-0+deb10u1
> > 
> > Explanation: new upstream release
> 
> We're seeing a regression in buster in the autopkgtest of gnutls28 with the
> new version of openssl on all tested architectures. Can you please have a
> look and advise? (bullseye doesn't seem to have the test anymore, hence it
> doesn't fail).
> 
> https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> 
> Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> FAIL [11]../../tests/suite/testcompat-main-openssl
> 
> Which, according to me, is this check:
> https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307

That test still seems to exist, but is just moved to a different file:
https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255

My understanding is that gnutls now passes the correct list of signature
algorithms to use to OpenSSL's s_client to be able to do that test, and
that this is probably fixed by:
https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
(and 
https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)

I'm trying to remember what was changed and why, but I can't
find/remember it.


Kurt



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_mips-buildd.changes
  ACCEPT



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_armhf-buildd.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_11.1+deb11u3_mips64el-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_mipsel-buildd.changes
  ACCEPT



Bug#1008031: bullseye-pu: package intel-microcode/3.20210608.2

2022-03-20 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in bullseye.

The new Intel microcode release includes fixes for several critical
functional defects (errata) as well as security fixes and mitigations.
It fixes hangs and incorrect behavior on *many* processors, as well as
several CVEs.

The package changelog has a reasonable list of the issues addressed by
the update.

There are no known regressions introduced by this microcode update.

The same package is already in bullseye-backports, testing and unstable,
with no bug reports.

I have attached a git diff against the version currently in bullseye.

Here's the diffstat:
 b/.gitignore|1 
 b/changelog |   79 +++
 b/debian/.gitignore |5 +
 b/debian/changelog  |  103 
 b/debian/ucode-blacklist.txt|2 
 b/intel-ucode-with-caveats/06-4f-01 |binary
 b/intel-ucode/06-3f-02  |binary
 b/intel-ucode/06-3f-04  |binary
 b/intel-ucode/06-4e-03  |binary
 b/intel-ucode/06-55-03  |binary
 b/intel-ucode/06-55-04  |binary
 b/intel-ucode/06-55-06  |binary
 b/intel-ucode/06-55-07  |binary
 b/intel-ucode/06-55-0b  |binary
 b/intel-ucode/06-56-03  |binary
 b/intel-ucode/06-56-04  |binary
 b/intel-ucode/06-56-05  |binary
 b/intel-ucode/06-5c-09  |binary
 b/intel-ucode/06-5c-0a  |binary
 b/intel-ucode/06-5e-03  |binary
 b/intel-ucode/06-5f-01  |binary
 b/intel-ucode/06-6a-06  |binary
 b/intel-ucode/06-7a-01  |binary
 b/intel-ucode/06-7a-08  |binary
 b/intel-ucode/06-7e-05  |binary
 b/intel-ucode/06-8a-01  |binary
 b/intel-ucode/06-8c-01  |binary
 b/intel-ucode/06-8c-02  |binary
 b/intel-ucode/06-8d-01  |binary
 b/intel-ucode/06-8e-09  |binary
 b/intel-ucode/06-8e-0a  |binary
 b/intel-ucode/06-8e-0b  |binary
 b/intel-ucode/06-8e-0c  |binary
 b/intel-ucode/06-96-01  |binary
 b/intel-ucode/06-9c-00  |binary
 b/intel-ucode/06-9e-09  |binary
 b/intel-ucode/06-9e-0a  |binary
 b/intel-ucode/06-9e-0b  |binary
 b/intel-ucode/06-9e-0c  |binary
 b/intel-ucode/06-9e-0d  |binary
 b/intel-ucode/06-a5-02  |binary
 b/intel-ucode/06-a5-03  |binary
 b/intel-ucode/06-a5-05  |binary
 b/intel-ucode/06-a6-00  |binary
 b/intel-ucode/06-a6-01  |binary
 b/intel-ucode/06-a7-01  |binary
 b/releasenote.md|   80 +++
 48 files changed, 270 insertions(+)


PS: I apologise for sending this so close to the deadline for the next
point release.

-- 
  Henrique Holschuh
diff --git a/.gitignore b/.gitignore
index 5ead64a..0af49a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 intel-microcode.bin
 intel-microcode-64.bin
 *.pbin
+*.dbin
diff --git a/changelog b/changelog
index 25b8ada..7dfb0b0 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,81 @@
+2022-02-07:
+  * Relevant information:
+https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
+  * Mitigates (*only* when loaded from firmware through the FIT)
+CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
+debug port, on Pentium, Celeron and Atom processors with signatures
+0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
+https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+  * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
+may cause a system hang, on many processors.
+  * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
+to improper sanitization of shared resources (fast-store forward
+predictor), on many processors.
+  * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
+Atom Processors may allow information disclosure or denial of service
+via network access.
+  * Fixes critical errata (functional issues) on many processors
+  * Adds a MSR switch to enable RAPL filtering (default off, once enabled
+it can only be disabled by poweroff or reboot).  Useful to protect
+SGX and other threads from side-channel info leak.  Improves the
+mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
+processors.
+  * Disables TSX in more processor models.
+  * Fixes issue with WBINDV on multi-socket (server) systems which could
+cause resets and unpredictable system behavior
+  * Adds a MSR switch 
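Review bot: the CVE-2021-0146 entry says the mitigation applies *only* when the microcode is loaded from firmware through the FIT, so installing this package does not by itself mitigate it on signatures 0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8. The update request describes the upload as carrying security fixes, so it is worth making sure the Debian changelog repeats that caveat and tells users of those processors that a firmware update is still needed.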

Bug#1008030: buster-pu: package intel-microcode/3.20210608.2~deb10u1

2022-03-20 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in buster.

The new Intel microcode release includes fixes for several critical
functional defects (errata) as well as security fixes and mitigations.
It fixes hangs and incorrect behavior on *many* processors, as well as
several CVEs.

The package changelog has a reasonable list of the issues addressed by
the update.

There are no known regressions introduced by this microcode update.

The same package is already in bullseye-backports, testing and unstable,
with no bug reports.

I have attached a git diff against the version currently in buster.
 b/.gitignore|1 
 b/changelog |   79 +++
 b/debian/.gitignore |5 +
 b/debian/changelog  |  103 
 b/debian/ucode-blacklist.txt|2 
 b/intel-ucode-with-caveats/06-4f-01 |binary
 b/intel-ucode/06-3f-02  |binary
 b/intel-ucode/06-3f-04  |binary
 b/intel-ucode/06-4e-03  |binary
 b/intel-ucode/06-55-03  |binary
 b/intel-ucode/06-55-04  |binary
 b/intel-ucode/06-55-06  |binary
 b/intel-ucode/06-55-07  |binary
 b/intel-ucode/06-55-0b  |binary
 b/intel-ucode/06-56-03  |binary
 b/intel-ucode/06-56-04  |binary
 b/intel-ucode/06-56-05  |binary
 b/intel-ucode/06-5c-09  |binary
 b/intel-ucode/06-5c-0a  |binary
 b/intel-ucode/06-5e-03  |binary
 b/intel-ucode/06-5f-01  |binary
 b/intel-ucode/06-6a-06  |binary
 b/intel-ucode/06-7a-01  |binary
 b/intel-ucode/06-7a-08  |binary
 b/intel-ucode/06-7e-05  |binary
 b/intel-ucode/06-8a-01  |binary
 b/intel-ucode/06-8c-01  |binary
 b/intel-ucode/06-8c-02  |binary
 b/intel-ucode/06-8d-01  |binary
 b/intel-ucode/06-8e-09  |binary
 b/intel-ucode/06-8e-0a  |binary
 b/intel-ucode/06-8e-0b  |binary
 b/intel-ucode/06-8e-0c  |binary
 b/intel-ucode/06-96-01  |binary
 b/intel-ucode/06-9c-00  |binary
 b/intel-ucode/06-9e-09  |binary
 b/intel-ucode/06-9e-0a  |binary
 b/intel-ucode/06-9e-0b  |binary
 b/intel-ucode/06-9e-0c  |binary
 b/intel-ucode/06-9e-0d  |binary
 b/intel-ucode/06-a5-02  |binary
 b/intel-ucode/06-a5-03  |binary
 b/intel-ucode/06-a5-05  |binary
 b/intel-ucode/06-a6-00  |binary
 b/intel-ucode/06-a6-01  |binary
 b/intel-ucode/06-a7-01  |binary
 b/releasenote.md|   80 +++
 48 files changed, 270 insertions(+)

PS: I apologise for sending this so close to the deadline for the next
point release.

-- 
  Henrique Holschuh
diff --git a/.gitignore b/.gitignore
index 5ead64a..0af49a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 intel-microcode.bin
 intel-microcode-64.bin
 *.pbin
+*.dbin
diff --git a/changelog b/changelog
index 25b8ada..7dfb0b0 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,81 @@
+2022-02-07:
+  * Relevant information:
+https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
+  * Mitigates (*only* when loaded from firmware through the FIT)
+CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
+debug port, on Pentium, Celeron and Atom processors with signatures
+0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
+https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+  * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
+may cause a system hang, on many processors.
+  * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
+to improper sanitization of shared resources (fast-store forward
+predictor), on many processors.
+  * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
+Atom Processors may allow information disclosure or denial of service
+via network access.
+  * Fixes critical errata (functional issues) on many processors
+  * Adds a MSR switch to enable RAPL filtering (default off, once enabled
+it can only be disabled by poweroff or reboot).  Useful to protect
+SGX and other threads from side-channel info leak.  Improves the
+mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
+processors.
+  * Disables TSX in more processor models.
+  * Fixes issue with WBINDV on multi-socket (server) systems which could
+cause resets and unpredictable system behavior
+  * Adds a MSR switch to 10th and 11th-gen (Ice 
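Review bot: "WBINDV" in the multi-socket entry looks like a misspelling of the WBINVD instruction; if the text is copied verbatim from upstream, a short correction in the Debian changelog would help anyone searching for the erratum. The RAPL filtering entry also says the switch is default off and can only be cleared by poweroff or reboot, but does not name the MSR or say how to enable it, so a pointer to the INTEL-SA-00389 guidance would make the entry actionable.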

NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u12_mipsel-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_amd64-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_arm64-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_i386-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_s390x-buildd.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_11.1+deb11u3_ppc64el-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_s390x-buildd.changes
  ACCEPT
Processing changes file: 
nvidia-graphics-drivers-tesla-450_450.172.01-2~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: 
nvidia-graphics-drivers-tesla-450_450.172.01-2~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: 
nvidia-graphics-drivers-tesla-450_450.172.01-2~deb11u1_ppc64el-buildd.changes
  ACCEPT



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u12_amd64-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_arm64-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_armel-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_armhf-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_i386-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_mips-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_mips64el-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_ppc64el-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u12_s390x-buildd.changes
  ACCEPT
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_all-buildd.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_11.1+deb11u3_amd64-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_arm64-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_armel-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_armhf-buildd.changes
  ACCEPT
Processing changes file: base-files_11.1+deb11u3_i386-buildd.changes
  ACCEPT
Processing changes file: 
nvidia-graphics-drivers-tesla-450_450.172.01-2~deb11u1_i386-buildd.changes
  ACCEPT



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-20 Thread Paul Gevers

Dear Sebastian, Kurt,

On 19-03-2022 12:33, Adam D Barratt wrote:
> Upload details
> ==
>
> Package: openssl
> Version: 1.1.1n-0+deb10u1
>
> Explanation: new upstream release


We're seeing a regression in buster in the autopkgtest of gnutls28 with 
the new version of openssl on all tested architectures. Can you please 
have a look and advise? (bullseye doesn't seem to have the test anymore, 
hence it doesn't fail).


https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz

Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
%COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
*** Fatal error: A TLS fatal alert has been received.
Failure: Failed
*** Fatal error: A TLS fatal alert has been received.
%NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
Failure: Failed
*** Fatal error: A TLS fatal alert has been received.
Failure: Failed
FAIL [11]../../tests/suite/testcompat-main-openssl

Which, according to me, is this check:
https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307

Paul




Bug#1003948: bullseye-pu: package systemd/247.3-7

2022-03-20 Thread Michael Biebl

On 19.03.22 at 18:04, Julien Cristau wrote:
> Control: tag -1 confirmed
>
> On Tue, Jan 18, 2022 at 02:46:06PM +0100, Michael Biebl wrote:
> >   * Demote systemd-timesyncd from Depends to Recommends.
> >     This avoids a dependency cycle between systemd and systemd-timesyncd and
> >     thus makes dist upgrades more predictable and robust.
> >     It also allows minimal, systemd based containers where no NTP client is
> >     strictly necessary.
> >     To ensure that systemd-timesyncd is installed in a default installation
> >     created by d-i, bump its priority to standard.
> >     (Closes: #986651, #993947)
> >
> > This one is probably the trickiest (and possibly also the simplest)
> > change. It simply breaks a dependency loop between systemd and
> > systemd-timesyncd resulting in a more predictable upgrade sequence which
> > in turn ensures that modifications of systemd-timesyncd's conffiles are
> > preserved on upgrades.
>
> Difficult to predict the side effects this might have, but on the whole
> it's probably better to do this than not.
>
> Go ahead.


Uploaded. Thanks, Julien.


I've CCed the FTP team for #1003949.

Now that this change has been acked by the RT, please adjust the 
priority accordingly.


Regards,
Michael





NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u12_source.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: base-files_11.1+deb11u3_source.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
nvidia-graphics-drivers-tesla-450_450.172.01-2~deb11u1_source.changes
  ACCEPT



Bug#1005158: nvidia-graphics-drivers-tesla-450 450.172.01-2~deb11u1 flagged for acceptance

2022-03-20 Thread Adam D Barratt
package release.debian.org
tags 1005158 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: nvidia-graphics-drivers-tesla-450
Version: 450.172.01-2~deb11u1

Explanation: new upstream release; fix denial of service issues [CVE-2022-21813 
CVE-2022-21814]; nvidia-kernel-support: Provide 
/etc/modprobe.d/nvidia-options.conf as a template



Processed: nvidia-graphics-drivers-tesla-450 450.172.01-2~deb11u1 flagged for acceptance

2022-03-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1005158 = bullseye pending
Bug #1005158 [release.debian.org] bullseye-pu: package 
nvidia-graphics-drivers-tesla-450/450.172.01-1~deb11u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1005158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1005158: bullseye-pu: package nvidia-graphics-drivers-tesla-450/450.172.01-1~deb11u1

2022-03-20 Thread Adam D. Barratt
On Sun, 2022-03-20 at 17:32 +0100, Andreas Beckmann wrote:
> On 19/03/2022 17.48, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Tue, 2022-02-08 at 09:06 +0100, Andreas Beckmann wrote:
> > > I'd like to update src:nvidia-graphics-drivers-tesla-450/non-free to a
> > > new upstream version to fix CVE‑2022‑21813, CVE‑2022‑21814.
> > > 
> > > This is a simple rebuild of the package from sid.
> > > 
> > 
> > Please go ahead.
> 
> I've uploaded a rebuild of the latest version from sid (-2 instead of
> -1), which contains a few additional changes, please see the attached
> incremental debdiff from 450.172.01-1 to 450.172.01-2~deb11u1
> 

Just to confirm, this and nvidia-modprobe - as the only packages from
the set so far uploaded AFAICS - are OK to be included in 11.3 without
needing the remainder of the updates?

Regards,

Adam



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: 
graphicsmagick_1.4+really1.3.35-1~deb10u2_source.changes
  ACCEPT



Bug#1003548: marked as done (transition: libwebp)

2022-03-20 Thread Debian Bug Tracking System
Your message dated Sun, 20 Mar 2022 18:50:39 +0100
with message-id 
and subject line Re: Bug#1003548: transition: libwebp
has caused the Debian Bug report #1003548,
regarding transition: libwebp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello Release Team,

We would like to transition libwebp to a new upstream version 1.2.1-1
that is already uploaded and built in experimental. No build problems
are expected in the reverse dependencies either. This was tested by
rebuilding a subset of packages listed on the transition web page:

https://release.debian.org/transitions/html/auto-libwebp.html

Please let us know if we can proceed with the upload to unstable. Also
a binNMU rebuild of reverse dependencies would be required afterwards.

Ben file:

title = "libwebp";
is_affected = .depends ~ "libwebp6" | .depends ~ "libwebp8";
is_good = .depends ~ "libwebp8";
is_bad = .depends ~ "libwebp6";
--- End Message ---
--- Begin Message ---
On 2022-02-19 19:30:40, Sebastian Ramacher wrote:
> On 2022-02-18 10:26:26 +0100, Sebastian Ramacher wrote:
> > On 2022-02-16 20:49:44, Jeff Breidenbach wrote:
> > > libwebp 1.2.1-7 has been successfully uploaded to unstable.
> > > 
> > > Anthony and Iustin, help is very strongly appreciated for the NMUs.
> > 
> > Almost all reverse dependencies have successfully been rebuilt against
> > libwebp7. Packages failing to build are weston (#998603) and openimageio
> > (#1003470).
> 
> The builds of graphicsmagick (#1006110) and qtimageformats-opensource
> (#1006009) failed due to tests related to libwebp. Could this be a bug
> in libwebp?

The old binaries got removed from testing. So that's done.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Processed: graphicsmagick 1.4+really1.3.35-1~deb10u2 flagged for acceptance

2022-03-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1002912 = buster pending
Bug #1002912 [release.debian.org] buster-pu: package 
graphicsmagick/1.4+really1.3.35-1~deb10u2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1002912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002912
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1002912: graphicsmagick 1.4+really1.3.35-1~deb10u2 flagged for acceptance

2022-03-20 Thread Adam D Barratt
package release.debian.org
tags 1002912 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: graphicsmagick
Version: 1.4+really1.3.35-1~deb10u2

Explanation: fix buffer overflow issue [CVE-2020-12672]



Bug#1005158: bullseye-pu: package nvidia-graphics-drivers-tesla-450/450.172.01-1~deb11u1

2022-03-20 Thread Andreas Beckmann

On 19/03/2022 17.48, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2022-02-08 at 09:06 +0100, Andreas Beckmann wrote:
> > I'd like to update src:nvidia-graphics-drivers-tesla-450/non-free to a
> > new upstream version to fix CVE‑2022‑21813, CVE‑2022‑21814.
> >
> > This is a simple rebuild of the package from sid.
>
> Please go ahead.


I've uploaded a rebuild of the latest version from sid (-2 instead of 
-1), which contains a few additional changes, please see the attached 
incremental debdiff from 450.172.01-1 to 450.172.01-2~deb11u1


The new autopkgtest (for testing buildability of the kernel module) 
currently is a (passing) no-op, it requires additional changes to dkms 
and autodep8 s.t. kernel headers get installed and the kernel module 
gets compiled.



Andreas
diff --git a/debian/README.source b/debian/README.source
index 03853038..d48a6fcf 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -13,6 +13,28 @@ Building "bleeding edge" from GIT for users
 uploaded in the archive.
 
 
+Upstream support timeframes
+
+https://nvidia.custhelp.com/app/answers/detail/a_id/3142
+https://docs.nvidia.com/datacenter/tesla/drivers/
+https://web.archive.org/web/20210522000916/https://docs.nvidia.com/datacenter/tesla/drivers/
+
+Driver Series   Supported until
+71  EoL
+96  EoL
+173 EoL
+304 12/2017 EoL
+340 12/2019 EoL
+390 12/2022
+Tesla 410   EoL
+Tesla 418 (LTSB)03/2022
+Tesla 440   11/2020 EoL
+Tesla 450 (LTSB)07/2023
+Tesla 460 (PB)  01/2022 EoL
+Tesla 470 (LTSB)07/2024
+Tesla 510 (PB)  01/2023
+
+
 The branch structure in the GIT repository
 
 The following branches exist in the git repository:
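Review bot: in the new "Upstream support timeframes" table the abbreviations LTSB and PB are never expanded, and the "Tesla 418 (LTSB) 03/2022" row will be out of date within days of the 20 Mar 2022 rebuild recorded in this same debdiff. Suggest spelling out LTSB/PB once and adding a "last verified" date next to the three URLs, since one of them is a 2021-05-22 archive snapshot.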
@@ -39,9 +61,16 @@ The branch structure in the GIT repository
 450   (bullseye)  460, 450-tesla
 450-tesla (bullseye)  460-tesla, tesla-450/master
 tesla-450/master  bullseye,sidtesla-460/master
-460   (bullseye)  master, 460-tesla
-460-tesla (bullseye)  tesla-460/master
-tesla-460/master  bullseye,sid
+460 EoL   (bullseye)  470, 460-tesla
+460-tesla   EoL   (bullseye)  470-tesla, tesla-460/master
+tesla-460/masterEoL   (bullseye),(sid)tesla-470/master, tesla-460/transition-470
+tesla-460/transition-470  bullseye,sid
+470   (bullseye)  510, 470-tesla
+470-tesla (bullseye)  510-tesla, tesla-470/master
+tesla-470/master  bullseye,sidtesla-510/master
+510   (bookworm)  master, 510-tesla
+510-tesla (bookworm)  tesla-510/master
+tesla-510/master  bookworm,sid
 mastersid YYY
 YYY   experimentalZZZ, (master)
 ZZZ   experimental(master)
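
Review bot: The 460, 460-tesla and tesla-460/master rows gain an EoL marker but still list merge targets (470, 470-tesla, tesla-470/master), and tesla-460/master now shows its suites as "(bullseye),(sid)" while the new tesla-460/transition-470 row takes over "bullseye,sid" with an empty merge column. The visible lines do not say what the EoL marker or the parentheses mean for where fixes are committed. A sentence above the table stating which branch bullseye uploads for the 460 series now come from, and whether EoL branches still receive merges, would make the table usable without knowing the history.
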
diff --git a/debian/changelog b/debian/changelog
index 10c0a787..7a864cf1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+nvidia-graphics-drivers-tesla-450 (450.172.01-2~deb11u1) bullseye; urgency=medium
+
+  * Rebuild for bullseye.
+
+ -- Andreas Beckmann   Sun, 20 Mar 2022 16:53:36 +0100
+
+nvidia-graphics-drivers-tesla-450 (450.172.01-2) unstable; urgency=medium
+
+  * Add xorg-video-abi-25 (Xorg Xserver 21) as alternative dependency.
+(Closes: #1005932)
+  * Backport pde_data changes from 470.103.01 to fix kernel module build for
+Linux 5.17.
+  * dkms.conf: Use a BUILD_EXCLUSIVE equivalent hack to skip building for -rt
+kernels, not supported upstream (510.54-1).
+  * Declare Testsuite: autopkgtest-pkg-dkms (510.54-1).
+
+ -- Andreas Beckmann   Mon, 28 Feb 2022 21:03:12 +0100
+
 nvidia-graphics-drivers-tesla-450 (450.172.01-1) unstable; urgency=medium
 
   * New upstream Tesla release 450.172.01 (2022-01-31).
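
Review bot: The top entry says only "Rebuild for bullseye.", yet it carries the four changes listed under 450.172.01-2 into a stable suite, and one of them changes behaviour: "dkms.conf: Use a BUILD_EXCLUSIVE equivalent hack to skip building for -rt kernels" means no module is built on those kernels after the update. The entry does not say how an -rt kernel is recognised; naming the match criterion here or in a dkms.conf comment would let a reviewer check that it cannot skip a non-rt kernel. The cover message also states that the declared autopkgtest-pkg-dkms test is currently a passing no-op, so a pass should not be read as evidence that the module builds.
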
@@ -919,6 +937,19 @@ nvidia-graphics-drivers (430.14-1) experimental; urgency=medium
 
  -- Andreas Beckmann   Sat, 25 May 2019 13:49:09 +0200
 
+nvidia-graphics-drivers-tesla-418 (418.226.00-2) unstable; urgency=medium
+
+  * Backport stdarg.h and stddef.h changes from 495.44 to fix kernel module
+build for Linux 5.16.
+  * Backport pde_data changes from 470.103.01 to fix kernel module build for
+Linux 5.17.  (Closes: #1005405)
+  * nvidia-tesla-418-kernel-support: Provide
+/etc/modprobe.d/nvidia-options.conf as a template taking into account the
+module renaming. This is a slave alternative of the nvidia alternative
+(470.86-1).  (Closes: #999670)
+
+ -- Andreas Beckmann   Fri, 25 Feb 2022 13:48:18 +0100
+
 nvidia-graphics-drivers-tesla-418 (418.226.00-1) unstable; urgency=medium
 
   * New upstream Tesla 
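
Review bot: This hunk places a nvidia-graphics-drivers-tesla-418 (418.226.00-2) entry dated 25 Feb 2022 beneath the 430.14-1 entry dated 25 May 2019, inside the changelog of nvidia-graphics-drivers-tesla-450, so the file is no longer in date order at this point and the entry names a different source package. If this comes from merging the 418 branch, it is worth confirming that the "Closes: #1005405" and "Closes: #999670" tags in it are not picked up by this upload, and saying in the cover message that the 418 entry is merged history only.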

NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: linux-signed-i386_4.19.235+1_i386-buildd.changes
  ACCEPT
Processing changes file: phpliteadmin_1.9.7.1-2+deb10u1_all-buildd.changes
  ACCEPT



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: phpliteadmin_1.9.8.2-1+deb11u1_all-buildd.changes
  ACCEPT



my email

2022-03-20 Thread Dong Guo




Did you receive our earlier message to you regarding our introduction for 
private global investment partnership? Please get back as soon as possible.


Dong Guo
dongguo...@gmail.com
Independent Advisor
Private Global investment Partnership 


Best regards,
3/20/2022
9:19:44 PM



NEW changes in stable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: nvidia-modprobe_470.103.01-1~deb11u1_source.changes
  ACCEPT
Processing changes file: phpliteadmin_1.9.8.2-1+deb11u1_source.changes
  ACCEPT



Processed: phpliteadmin 1.9.8.2-1+deb11u1 flagged for acceptance

2022-03-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1007947 = bullseye pending
Bug #1007947 [release.debian.org] bullseye-pu: package 
phpliteadmin/1.9.8.2-1+deb11u1
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1007947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: nvidia-modprobe 470.103.01-1~deb11u1 flagged for acceptance

2022-03-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1005148 = bullseye pending
Bug #1005148 [release.debian.org] bullseye-pu: package 
nvidia-modprobe/470.103.01-1~deb11u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1005148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1007947: phpliteadmin 1.9.8.2-1+deb11u1 flagged for acceptance

2022-03-20 Thread Adam D Barratt
package release.debian.org
tags 1007947 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: phpliteadmin
Version: 1.9.8.2-1+deb11u1

Explanation: fix cross-site scripting issue [CVE-2021-46709]



Bug#1005148: nvidia-modprobe 470.103.01-1~deb11u1 flagged for acceptance

2022-03-20 Thread Adam D Barratt
package release.debian.org
tags 1005148 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-modprobe
Version: 470.103.01-1~deb11u1

Explanation: new upstream release



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: phpliteadmin_1.9.7.1-2+deb10u1_source.changes
  ACCEPT



Bug#1007948: phpliteadmin 1.9.7.1-2+deb10u1 flagged for acceptance

2022-03-20 Thread Adam D Barratt
package release.debian.org
tags 1007948 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: phpliteadmin
Version: 1.9.7.1-2+deb10u1

Explanation: fix cross-site scripting issue [CVE-2021-46709]



Processed: phpliteadmin 1.9.7.1-2+deb10u1 flagged for acceptance

2022-03-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1007948 = buster pending
Bug #1007948 [release.debian.org] buster-pu: package 
phpliteadmin/1.9.7.1-2+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1007948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007948
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in oldstable-new

2022-03-20 Thread Debian FTP Masters
Processing changes file: linux-signed-i386_4.19.235+1_source.changes
  ACCEPT