Bug#1036656: marked as done (unblock: grub2/2.06-13)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Wed, 24 May 2023 07:44:39 +0200
with message-id <0bacafcb-68eb-d004-354b-e1428ecca...@debian.org>
and subject line Re: Bug#1036656: unblock: grub2/2.06-13
has caused the Debian Bug report #1036656,
regarding unblock: grub2/2.06-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package grub2 and its derived signed packages.

As promised in the -12 unblock request, we now have a lot more
translations updated for the changed template questions for os-prober.

Also, I've included 1 RC bug fix which fixes up an RC bug which stops
machines booting:

* When *also* installing to the removable media path, include the
  relevant mokmanager binary. Closes: #1034409

And a small fix for generating boot menu options on systems
dual-booting with Arch and derivatives:

* Allow initrd to contain spaces. Closes: #838177, #820838.

unblock grub2/2.06-13
unblock grub-efi-amd64-signed/1+2.06+13
unblock grub-efi-arm64-signed/1+2.06+13
unblock grub-efi-ia32-signed/1+2.06+13

debdiff attached, filtering out noise from *.po updates.
diff -Nru grub2-2.06/debian/changelog grub2-2.06/debian/changelog
--- grub2-2.06/debian/changelog 2023-04-21 13:30:26.0 +0100
+++ grub2-2.06/debian/changelog 2023-04-23 20:55:54.0 +0100
@@ -1,3 +1,35 @@
+grub2 (2.06-13) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * When *also* installing to the removable media path, include the
+relevant mokmanager binary. Closes: #1034409
+
+  [ General Chaos ]
+  * Allow initrd to contain spaces. Closes: #838177, #820838.
+
+  [ Translators ]
+  * Update lots of translations of debconf templates, thanks to the
+following:
++ Welsh (Dafydd Tomos)
++ German (Helge Kreutzmann). Closes: #1034850
++ Croatian (Tomislav Krznar)
++ Greek (Emmanuel Galatoulas)
++ Esperanto (Felipe Castro)
++ French (Baptiste Jammet). Closes: #1035761
++ Italian (Luca Monducci). Closes: #1034825
++ Kazakh (Baurzhan Muftakhidinov)
++ Korean (Changwoo Ryu). Closes: #1034868
++ Latvian (Rudolfs Mazurs)
++ Dutch (Frans Spiesschaert). Closes: #1035399
++ Norwegian Bokmål (Petter Reinholdtsen, Sverre Vaabenoe)
++ Brazilian Portuguese (Adriano Rafael Gomes). Closes: #1035905
++ Romanian (Remus-Gabriel Chelu)
++ Russian (Yuri Kozlov). Closes: #1035294
++ Turkish (Atila KOÇ). Closes: #1035846
++ Swedish (Luna Jernberg)
+
+ -- Steve McIntyre <93...@debian.org>  Sun, 23 Apr 2023 20:55:54 +0100
+
 grub2 (2.06-12) unstable; urgency=medium
 
   * Fix up arm64 SB patch to fix build failure on 32-bit arm systems
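Review bot: The [ Steve McIntyre ] and [ General Chaos ] entries in the new 2.06-13 stanza do not name the patch files they change (debian/patches/grub-install-removable-shim.patch and the new os-prober-Allow-initrd-to-contain-spaces.patch), so the changelog alone does not tell a reader which patch carries the mokmanager fix. Suggest adding the patch name to each entry. The trailer date of Sun, 23 Apr 2023 is also a month earlier than this request and is worth checking against the actual upload.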
diff -Nru grub2-2.06/debian/patches/grub-install-removable-shim.patch 
grub2-2.06/debian/patches/grub-install-removable-shim.patch
--- grub2-2.06/debian/patches/grub-install-removable-shim.patch 2023-02-09 
01:32:18.0 +
+++ grub2-2.06/debian/patches/grub-install-removable-shim.patch 2023-04-23 
20:55:54.0 +0100
@@ -107,7 +107,7 @@
  
fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
fb_signed);
-@@ -2154,30 +2152,81 @@ main (int argc, char *argv[])
+@@ -2154,30 +2152,82 @@ main (int argc, char *argv[])
if (!removable)
  grub_install_copy_file (fb_src,
  fb_dst, 0);
@@ -129,6 +129,7 @@
 +  also_install_removable (shim_signed, base_efidir, 
removable_file, 1);
 +
 +  also_install_removable (efi_signed, base_efidir, 
chained_base, 1);
++  also_install_removable (mok_src, base_efidir, mok_file, 0);
 +
 +  /* If we're updating the NVRAM, add fallback too - it
 +  will re-update the NVRAM later if things break */
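Review bot: The added call "also_install_removable (mok_src, base_efidir, mok_file, 0);" passes 0 as its last argument where the shim_signed and efi_signed calls directly above pass 1, and the visible context neither explains that flag nor shows where mok_src and mok_file are assigned. Since this is the fix for a bug that stops machines booting, suggest a one-line comment above the call stating why the flag differs, and a check that mok_src is always set before this point is reached.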
diff -Nru 
grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch 
grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
--- grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
1970-01-01 01:00:00.0 +0100
+++ grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
2023-04-23 20:55:54.0 +0100
@@ -0,0 +1,50 @@
+From 1f982e2a7c35e14d5a92c76db998afafd1bd9e87 Mon Sep 17 00:00:00 2001
+From: General Chaos 
+Date: Tue, 12 Apr 2016 22:28:52 +
+Subject: [PATCH] os-prober: Allow initrd to 

Bug#1036656: unblock: grub2/2.06-13

2023-05-23 Thread Cyril Brulebois
Hi,

Paul Gevers  (2023-05-24):
> The following needs your approval too.
> 
> On 23-05-2023 23:39, Steve McIntyre wrote:
> > unblock grub2/2.06-13
> > unblock grub-efi-amd64-signed/1+2.06+13
> > unblock grub-efi-arm64-signed/1+2.06+13
> > unblock grub-efi-ia32-signed/1+2.06+13

Yes please!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Processed: Re: Bug#1036656: unblock: grub2/2.06-13

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed d-i
Bug #1036656 [release.debian.org] unblock: grub2/2.06-13
Added tag(s) d-i and confirmed.

-- 
1036656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036656: unblock: grub2/2.06-13

2023-05-23 Thread Paul Gevers

Control: tags -1 confirmed d-i

Hi Cyril,

The following needs your approval too.

On 23-05-2023 23:39, Steve McIntyre wrote:

Please unblock package grub2 and its derived signed packages.

As promised in the -12 unblock request, we now have a lot more
translations updated for the changed template questions for os-prober.

Also, I've included 1 RC bug fix which fixes up an RC bug which stops
machines booting:

* When *also* installing to the removable media path, include the
   relevant mokmanager binary. Closes: #1034409

And a small fix for generating boot menu options on systems
dual-booting with Arch and derivatives:

* Allow initrd to contain spaces. Closes: #838177, #820838.

unblock grub2/2.06-13
unblock grub-efi-amd64-signed/1+2.06+13
unblock grub-efi-arm64-signed/1+2.06+13
unblock grub-efi-ia32-signed/1+2.06+13

debdiff attached, filtering out noise from *.po updates.


Paul




Bug#1036660: unblock: node-socket.io-parser/4.2.1+~3.1.0-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-socket.io-par...@packages.debian.org
Control: affects -1 + src:node-socket.io-parser

Please unblock package node-socket.io-parser

[ Reason ]
node-socket.io-parser is vulnerable to CVE-2023-32695: a malformed
packet can trigger an uncaught exception on the Socket.IO server,
thus killing the Node.js process.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk:
 * patch is trivial
 * the patch is a revert, version 4.0.2 (Bullseye) isn't vulnerable even
   if included in the report
   (see https://github.com/socketio/socket.io/discussions/4721)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-socket.io-parser/4.2.1+~3.1.0-2



Processed: unblock: node-socket.io-parser/4.2.1+~3.1.0-2

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-socket.io-parser
Bug #1036660 [release.debian.org] unblock: node-socket.io-parser/4.2.1+~3.1.0-2
Added indication that 1036660 affects src:node-socket.io-parser

-- 
1036660: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036660
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035710: unblock: doc-debian/11.3

2023-05-23 Thread Joost van Baal-Ilić
Hi Luca,

On Wed, May 24, 2023 at 12:04:57AM +0100, Luca Boccassi wrote:
> Control: retitle -1 unblock: doc-debian/11.3+nmu1
> Control: tags -1 -moreinfo
> 
> On Tue, 23 May 2023 23:37:23 +0100 Luca Boccassi wrote:
> > On Tue, 23 May 2023 06:46:19 +0200 Joost van Baal-Ilić wrote:
> > > On Sat, May 20, 2023 at 04:21:47PM +0200, Sebastian Ramacher wrote:
> > >  
> > > > On 2023-05-14 06:47:18 +0200, Joost van Baal-Ilić wrote:
> > > > > reopen 1035710
> > > > > retitle 1035710 unblock: doc-debian/11.3
> > > > > thanks
> > > > > 
> > > > > Please unblock package doc-debian
> > > > > 
> > > > 
> > > > Please go ahead with the upload to unstable. Remove the moreinfo
> > > > tag once the package is available.
> > > 
> > > Thank you.  Unfortunately I don't think I'll make it before the deadline
> > > / in the next couple of hours, real life currently doesn't allow me that.
> > > 
> > > If anybody else has time to take a shot at it: here's the current
> > > issues: I made a mistake in the upload to experimental: it says
> > > 'experimental' in the top of debian/changelog; should probably be
> > > 'unstable'.  And the last commit on salsa is misguided.
> > > 
> > > If nobody steps up I can probably prepare an upload for the first
> > > bookworm point release.
> > 
> > I can take care of this, I'll do a changelog-only upload of the current
> > version that's in experimental to unstable.
> 
> Done, you can find the changelog-only commit to pull from at:
> 
> https://salsa.debian.org/bluca/doc-debian/-/commits/master?ref_type=heads

Excellent, thanks a lot, you made my day \o/

Bye,

Joost



Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Jamie Strandboge
On Tue, 23 May 2023, Paul Gevers wrote:

> > Bug fixes and translations will not be available in bookworm (I am upstream ufw
> > and I cut 0.36.2 specifically for bookworm users).
> 
> Please elaborate. It's Full Freeze time. A new upstream needs a lot of
> defending to be considered a targeted fix at this stage of the release.

Sorry I didn't elaborate more initially. I too misread the timing and
thought that due to autopkgtests that the timing was still ok.

As mentioned, I am the upstream author for ufw as well as the Debian
maintainer for ufw and I had a choice to either cherrypick the changes
and apply as patches in a 0.36.1-5 release or to gather them all into a
0.36.2-1 release. I chose the latter since I didn't expect there to be a
problem. Practically speaking though, it would've been essentially the
same.

Importantly, ufw had very good coverage via unit tests and functional
tests which are both part of the package build. There are additional
runtime functional tests that are part of autopkgtests that run on a
live system. It migrated to Ubuntu 23.10 and passed its build and
autopkgtests too.

ufw is also a leaf package and not installed by default or as part of
any tasks. Upgrades were manually tested from 0.36.1-4.1 to 0.36.2-1 on
bookworm.

I'll outline the changes below.

## Upstream ChangeLog:

* src/ufw-init-functions: set default policy after loading rules. Thanks to
  Mauricio Faria de Oliveira. (LP: #1946804)

This was already in 0.36.1-2 and I simply pulled it upstream. It was
debian/patches/0004-set-default-policy-after-load.patch


* doc/ufw.8:
  - document 'insert' and 'prepend' can't be used to update comments
(LP: #1927737)

This is new to 0.36.2, but only a documentation change to make existing
functionality clearer. I feel this is a useful usability improvement for
bookworm users.


* src/backend_iptables.py: remove unreachable code (LP: #1927734)

This is new to 0.36.2 but a very minor change:
https://git.launchpad.net/ufw/commit/?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10

This is safe to remove due to this line a few lines before it:
https://git.launchpad.net/ufw/tree/src/backend_iptables.py?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10#n997

(ie, line 997 is already doing a 'position > len(rules)' check so it is
safe to remove the unreachable code in the aforementioned commit). This
change could've been omitted for bookworm, but is also harmless.


* src/util.py:
  - properly parse /proc/pid/stat for WSL (LP: #2015645)

This is one of the main reasons why I wanted an update for bookworm
since I wanted bookworm users on WSL to have a functional ufw. The
change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=55669b732255c224343605272b793ae3fd534557

Unit tests existed for prior behavior and new tests were added for the
bug fix. I feel this is an important bug fix for bookworm users
since without it, ufw fails to run on WSL.


* src/util.py:
  - mitigate odd length string with unhexlify (Closes: 1034568)

This mitigates a traceback in the case where a rules file is somehow
corrupted. The change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=751e3aa510a992140f748987221600ee4722ea75

Unit tests existed for prior behavior and new tests were added for the
bug fix. I feel this is a useful usability improvement for bookworm
users.


* src/util.py:
  - support vrrp protocol (LP: #1996636)

This is technically a new feature, but all it did was add a new
protocol to an existing list and so the change is considered safe. Most
of the changes are for the man page and unit tests. The change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=49b50d9ebd4a381af9886fc1bff17191358188fc

Unit tests existed for prior behavior and new tests were added for the
bug fix. I debated this change as it could've been omitted for bookworm,
but the change was obvious and small and added functionality that might
be useful to keepalived users on bookworm.


* add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119)

This adds the .ro translation that was submitted via the BTS. I verified
the translations via Google Translate and also ran 0.36.2-1 through
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-ufw.py#n474
which specifically tests that ufw runs under all the different locales.
This test script is part of Ubuntu (of which I am also an Ubuntu
developer) and doesn't work without modification on bookworm, but I did
so and the locale works fine. I felt it important to shepherd the
contribution to Debian into bookworm.


* add '-h' and show help with no args (LP: #1965462)

This change simply adds '-h' to the already existing '--help' and 'help'
commands and adjusts the parsing to raise a ValueError which
triggers showing the help message instead of just showing a
less-than-helpful "not enough args" message like 0.36.1 did. This change
is here:

Bug#1035710: unblock: doc-debian/11.3

2023-05-23 Thread Luca Boccassi
Control: retitle -1 unblock: doc-debian/11.3+nmu1
Control: tags -1 -moreinfo

On Tue, 23 May 2023 23:37:23 +0100 Luca Boccassi wrote:
> On Tue, 23 May 2023 06:46:19 +0200 Joost van Baal-Ilić wrote:
> > On Sat, May 20, 2023 at 04:21:47PM +0200, Sebastian Ramacher wrote:
> >  
> > > On 2023-05-14 06:47:18 +0200, Joost van Baal-Ilić wrote:
> > > > reopen 1035710
> > > > retitle 1035710 unblock: doc-debian/11.3
> > > > thanks
> > > > 
> > > > Please unblock package doc-debian
> > > > 
> > > > [ Reason ]
> > > > The doc-debian package claims to ship the Constitution for the Debian Project,
> > > > the Debian Social Contract and other Debian documents.  The versions of those
> > > > documents are obsolete [obsolete], which makes the package as now in testing
> > > > very buggy.
> > 
> > > > 
> > > > unblock doc-debian/11.3
> > > 
> > > Please go ahead with the upload to unstable. Remove the moreinfo tag
> > > once the package is available.
> > 
> > Thank you.  Unfortunately I don't think I'll make it before the deadline / in
> > the next couple of hours, real life currently doesn't allow me that.
> > 
> > If anybody else has time to take a shot at it: here's the current issues: I
> > made a mistake in the upload to experimental: it says 'experimental' in the top
> > of debian/changelog; should probably be 'unstable'.  And the last commit on
> > salsa is misguided.
> > 
> > If nobody steps up I can probably prepare an upload for the first bookworm
> > point release.
> 
> I can take care of this, I'll do a changelog-only upload of the current
> version that's in experimental to unstable.

Done, you can find the changelog-only commit to pull from at:

https://salsa.debian.org/bluca/doc-debian/-/commits/master?ref_type=heads

-- 
Kind regards,
Luca Boccassi




Processed: Re: Bug#1035710: unblock: doc-debian/11.3

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 unblock: doc-debian/11.3+nmu1
Bug #1035710 [release.debian.org] unblock: doc-debian/11.3
Changed Bug title to 'unblock: doc-debian/11.3+nmu1' from 'unblock: 
doc-debian/11.3'.
> tags -1 -moreinfo
Bug #1035710 [release.debian.org] unblock: doc-debian/11.3+nmu1
Removed tag(s) moreinfo.

-- 
1035710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035710: unblock: doc-debian/11.3

2023-05-23 Thread Luca Boccassi
On Tue, 23 May 2023 06:46:19 +0200 Joost van Baal-Ilić wrote:
> On Sat, May 20, 2023 at 04:21:47PM +0200, Sebastian Ramacher wrote:
>  
> > On 2023-05-14 06:47:18 +0200, Joost van Baal-Ilić wrote:
> > > reopen 1035710
> > > retitle 1035710 unblock: doc-debian/11.3
> > > thanks
> > > 
> > > Please unblock package doc-debian
> > > 
> > > [ Reason ]
> > > The doc-debian package claims to ship the Constitution for the Debian Project,
> > > the Debian Social Contract and other Debian documents.  The versions of those
> > > documents are obsolete [obsolete], which makes the package as now in testing
> > > very buggy.
> 
> > > 
> > > unblock doc-debian/11.3
> > 
> > Please go ahead with the upload to unstable. Remove the moreinfo tag
> > once the package is available.
> 
> Thank you.  Unfortunately I don't think I'll make it before the deadline / in
> the next couple of hours, real life currently doesn't allow me that.
> 
> If anybody else has time to take a shot at it: here's the current issues: I
> made a mistake in the upload to experimental: it says 'experimental' in the top
> of debian/changelog; should probably be 'unstable'.  And the last commit on
> salsa is misguided.
> 
> If nobody steps up I can probably prepare an upload for the first bookworm
> point release.

I can take care of this, I'll do a changelog-only upload of the current
version that's in experimental to unstable.

-- 
Kind regards,
Luca Boccassi




Bug#1036656: unblock: grub2/2.06-13

2023-05-23 Thread Steve McIntyre
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package grub2 and its derived signed packages.

As promised in the -12 unblock request, we now have a lot more
translations updated for the changed template questions for os-prober.

Also, I've included 1 RC bug fix which fixes up an RC bug which stops
machines booting:

* When *also* installing to the removable media path, include the
  relevant mokmanager binary. Closes: #1034409

And a small fix for generating boot menu options on systems
dual-booting with Arch and derivatives:

* Allow initrd to contain spaces. Closes: #838177, #820838.

unblock grub2/2.06-13
unblock grub-efi-amd64-signed/1+2.06+13
unblock grub-efi-arm64-signed/1+2.06+13
unblock grub-efi-ia32-signed/1+2.06+13

debdiff attached, filtering out noise from *.po updates.
diff -Nru grub2-2.06/debian/changelog grub2-2.06/debian/changelog
--- grub2-2.06/debian/changelog 2023-04-21 13:30:26.0 +0100
+++ grub2-2.06/debian/changelog 2023-04-23 20:55:54.0 +0100
@@ -1,3 +1,35 @@
+grub2 (2.06-13) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * When *also* installing to the removable media path, include the
+relevant mokmanager binary. Closes: #1034409
+
+  [ General Chaos ]
+  * Allow initrd to contain spaces. Closes: #838177, #820838.
+
+  [ Translators ]
+  * Update lots of translations of debconf templates, thanks to the
+following:
++ Welsh (Dafydd Tomos)
++ German (Helge Kreutzmann). Closes: #1034850
++ Croatian (Tomislav Krznar)
++ Greek (Emmanuel Galatoulas)
++ Esperanto (Felipe Castro)
++ French (Baptiste Jammet). Closes: #1035761
++ Italian (Luca Monducci). Closes: #1034825
++ Kazakh (Baurzhan Muftakhidinov)
++ Korean (Changwoo Ryu). Closes: #1034868
++ Latvian (Rudolfs Mazurs)
++ Dutch (Frans Spiesschaert). Closes: #1035399
++ Norwegian Bokmål (Petter Reinholdtsen, Sverre Vaabenoe)
++ Brazilian Portuguese (Adriano Rafael Gomes). Closes: #1035905
++ Romanian (Remus-Gabriel Chelu)
++ Russian (Yuri Kozlov). Closes: #1035294
++ Turkish (Atila KOÇ). Closes: #1035846
++ Swedish (Luna Jernberg)
+
+ -- Steve McIntyre <93...@debian.org>  Sun, 23 Apr 2023 20:55:54 +0100
+
 grub2 (2.06-12) unstable; urgency=medium
 
   * Fix up arm64 SB patch to fix build failure on 32-bit arm systems
diff -Nru grub2-2.06/debian/patches/grub-install-removable-shim.patch 
grub2-2.06/debian/patches/grub-install-removable-shim.patch
--- grub2-2.06/debian/patches/grub-install-removable-shim.patch 2023-02-09 
01:32:18.0 +
+++ grub2-2.06/debian/patches/grub-install-removable-shim.patch 2023-04-23 
20:55:54.0 +0100
@@ -107,7 +107,7 @@
  
fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
fb_signed);
-@@ -2154,30 +2152,81 @@ main (int argc, char *argv[])
+@@ -2154,30 +2152,82 @@ main (int argc, char *argv[])
if (!removable)
  grub_install_copy_file (fb_src,
  fb_dst, 0);
@@ -129,6 +129,7 @@
 +  also_install_removable (shim_signed, base_efidir, 
removable_file, 1);
 +
 +  also_install_removable (efi_signed, base_efidir, 
chained_base, 1);
++  also_install_removable (mok_src, base_efidir, mok_file, 0);
 +
 +  /* If we're updating the NVRAM, add fallback too - it
 +  will re-update the NVRAM later if things break */
diff -Nru 
grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch 
grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
--- grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
1970-01-01 01:00:00.0 +0100
+++ grub2-2.06/debian/patches/os-prober-Allow-initrd-to-contain-spaces.patch
2023-04-23 20:55:54.0 +0100
@@ -0,0 +1,50 @@
+From 1f982e2a7c35e14d5a92c76db998afafd1bd9e87 Mon Sep 17 00:00:00 2001
+From: General Chaos 
+Date: Tue, 12 Apr 2016 22:28:52 +
+Subject: [PATCH] os-prober: Allow initrd to contain spaces
+
+linux-boot-prober produces structured output with newline-terminated rows
+representing kernels, each with colon-delimited columns. We translate
+this into a sequence of space-separated words representing kernels,
+each containing colon-delimited fields where spaces are represented by
+carets.
+
+When we parse each of those words into colon-delimited fields, if the
+field could conceivably contain spaces then we need to translate
+carets back into spaces. We did this for label and parameters, but not
+for the initrd.
+
+In particular, when CPU microcode is installed on Arch Linux or its
+derivatives, they write CPU microcode into one initrd archive and the
+rest of early user-space into another, instead of concatenating the
+archives into a single file like Debian derivatives do. To boot Arch
+successfully from the 
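Review bot: The patch description says spaces are carried as carets and decoded back to spaces for label, parameters and now initrd, and that on Arch the initrd field holds more than one archive. After decoding, a space in that field is therefore ambiguous between a separator of two archives and a space inside a single file name, and an initrd path that really contains '^' would come back altered. Suggest stating in the description which interpretation the generated menu entry relies on, and how the decoded value is quoted when it is written out.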

Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Gunnar Hjalmarsson

On 2023-05-23 22:01, Paul Gevers wrote:

On 23-05-2023 18:56, Gunnar Hjalmarsson wrote:

ufw has autopkgtest, so strictly it's not blocked because of the
freeze, but because of a piuparts failure.


That's not true. We're in Hard Freeze, so ufw qualifies to migrate
with passing autopkgtest when its age is 20 days. However, once
those 20 days are over, we're in Full Freeze so it won't migrate. So
yes, strictly speaking it's *also* blocked by the freeze.


I stand corrected. (And with that I understand wrt ufw why Jamie needs 
to justify the freeze related unblock request.)



As you can see my primary concern is another package, i.e.
ibus-pinyin. That package has already been unblocked from freeze:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225


And missed the ignore-piuparts hint. Thanks for bringing that to our
attention, I added that hint.


Thanks! (And I understand from your reply that otherwise I should have
simply submitted a separate unblock request. Or maybe re-opened the 
already submitted bug...)



From tomorrow on, all packages that haven't migrated need an unblock
request or they will not be part of bookworm. Normally we'd spot the
piuparts problem and add the ignore hint if it's caused by the
adduser issue.


Sounds like the release team has it under control, then, so I will stop 
worrying. :)


--
Thanks again!

Gunnar



Bug#1036531: marked as done (unblock: firefox-esr/102.11.0esr-1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 22:45:00 +0200
with message-id <4ecf1f5f-a279-c858-91f7-031dd6c93...@debian.org>
and subject line Re: Bug#1036531: unblock: firefox-esr/102.11.0esr-1
has caused the Debian Bug report #1036531,
regarding unblock: firefox-esr/102.11.0esr-1
to be marked as done.


-- 
1036531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package firefox-esr

[ Reason ]
Security update for Firefox. The same package has already reached
bullseye.

[ Impact ]
See above

[ Tests ]
Usual smoke tests

[ Risks ]
See above.

[ Other info ]
There are no changes to the package debian/ directory other than
debian/changelog. Everything else is upstream changes for the security
update.

unblock firefox-esr/102.11.0esr-1
--- End Message ---
--- Begin Message ---

Hi,

On 23-05-2023 21:57, Salvatore Bonaccorso wrote:

unblock firefox-esr/102.11.0esr-1


unblocked and aged.

Paul


--- End Message ---


Re: Bug#1036634: RM: monado/stable -- NVIU; 2 years old codebase for very active project targeting recent hardware and software stack (new version didn't make it into stable).

2023-05-23 Thread Paul Gevers

Hi David,

On 23-05-2023 16:59, David Heidelberg wrote:

Monado package is in very active development, offering support for
recent XR headsets.

The risk is getting users discouraged by very old and already unsupported
package, rather than just using the Monado package from unstable or git.


I'm slightly wondering, you want to remove the package from stable, but 
the version in bookworm (the next stable) is hardly newer. Should we 
also remove the package from testing?


Paul




Bug#1036475: marked as done (unblock: xen/4.17.1+2-gb773c48e36-1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 22:28:17 +0200
with message-id 
and subject line Re: Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1
has caused the Debian Bug report #1036475,
regarding unblock: xen/4.17.1+2-gb773c48e36-1
to be marked as done.


-- 
1036475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock 
X-Debbugs-Cc: x...@packages.debian.org, t...@security.debian.org, 
m...@daemonizer.de
Control: affects -1 + src:xen

Please unblock package xen.

[ Reason ]
Xen in bookworm is currently affected by CVE-2022-42335 and
CVE-2022-42336 (see #1034842 and #1036298).

[ Impact ]
The above mentioned CVEs are not fixed in bookworm.

[ Tests ]
The Debian package is based only on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.

[ Risks ]
There could be upstream changes unrelated to the above mentioned
security fixes that cause regressions. However upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all test pass.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
This security fix is based on the latest upstream stable-4.17 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security and other bug fixes.
This does not strictly follow the "only targeted fixes" release policy,
but, as explained below, we believe it is still appropriate for an
unblock request.
The package we have uploaded to unstable is exactly what we would have
done as a security update in a stable release, what we have historically
done together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches
chances for unnoticed regressions are low. We believe this way the risk
for bugs is lower than trying to manually pick and adjust patches
without all the deep knowledge that upstream has. This approach is
similar to what the linux package is doing.

Please note that piuparts currently fails for xen in unstable. We
believe this is due to adduser now being marked as Protected:yes (see
discussion in #1035654) and not related to the xen packaging. Please let
us know if there is anything we have to do on the xen packaging side.

unblock xen/4.17.1+2-gb773c48e36-1
diff -Nru xen-4.17.0+74-g3eac216e6e/automation/build/centos/7.2.dockerfile xen-4.17.1+2-gb773c48e36/automation/build/centos/7.2.dockerfile
--- xen-4.17.0+74-g3eac216e6e/automation/build/centos/7.2.dockerfile	2023-03-21 13:47:52.0 +0100
+++ xen-4.17.1+2-gb773c48e36/automation/build/centos/7.2.dockerfile	1970-01-01 01:00:00.0 +0100
@@ -1,52 +0,0 @@
-FROM centos:7.2.1511
-LABEL maintainer.name="The Xen Project" \
-  maintainer.email="xen-de...@lists.xenproject.org"
-
-# ensure we only get bits from the vault for
-# the version we want
-COPY CentOS-7.2.repo /etc/yum.repos.d/CentOS-Base.repo
-
-# install EPEL for dev86, xz-devel and possibly other packages
-RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
-yum clean all
-
-RUN mkdir /build
-WORKDIR /build
-
-# work around https://github.com/moby/moby/issues/10180
-# and install Xen depends
-RUN rpm --rebuilddb && \
-yum -y install \
-yum-plugin-ovl \
-gcc \
-gcc-c++ \
-ncurses-devel \
-zlib-devel \
-openssl-devel \
-python-devel \
-libuuid-devel \
-pkgconfig \
-# gettext for Xen < 4.13
-gettext \
-flex \
-bison \
-libaio-devel \
-glib2-devel \
-yajl-devel \
-pixman-devel \
-glibc-devel \
-# glibc-devel.i686 for Xen < 4.15
-glibc-devel.i686 \
-make \
-binutils \
-git \
-wget \
-acpica-tools \
-python-markdown \
-patch \
-checkpolicy \
-dev86 \
-xz-devel \
-bzip2 \
-nasm \
-&& yum clean all
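
Review bot: the automation/ changes, starting with this whole-file removal of automation/build/centos/7.2.dockerfile, are upstream CI container definitions (here a CentOS 7.2 build image) and would be better filtered out of the attached debdiff, for example with filterdiff -x '*/automation/*'. The request is justified by two CVE fixes, and dropping the CI-only paths would leave reviewers with the hypervisor and tools changes that need to be read.
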
diff -Nru xen-4.17.0+74-g3eac216e6e/automation/build/centos/CentOS-7.2.repo xen-4.17.1+2-gb773c48e36/automation/build/centos/CentOS-7.2.repo
--- 

Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Paul Gevers

Hi Gunnar,

On 23-05-2023 18:56, Gunnar Hjalmarsson wrote:
> On 2023-05-23 17:31, Paul Gevers wrote:
>> On 19-05-2023 05:33, Jamie Strandboge wrote:
>> Sure. The migration is currently blocked because the upload happened
>> very recently
>
> That description is not quite accurate. ufw has autopkgtest, so strictly
> it's not blocked because of the freeze, but because of a piuparts failure.

That's not true. We're in Hard Freeze, so ufw qualifies to migrate with
passing autopkgtest when its age is 20 days. However, once those 20
days are over, we're in Full Freeze so it won't migrate. So yes,
strictly speaking it's *also* blocked by the freeze.

> Maybe you didn't see my reply to Jamie's initial bug, but it was archived:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10

Yes I saw that. People around me (I'm at DebianReunionHamburg) are
working to figure out how to fix the piuparts situation, but filing
unblock requests *now* is appropriate *if* the upload is a targeted fix
(as it should be). The adduser problem is relatively new, so all
packages that are 20 days now or tomorrow were piuparts tested before
the problem. So all the packages that are blocked by piuparts need our
attention via an unblock request anyways, if they need to migrate to
bookworm.

> As you can see my primary concern is another package, i.e. ibus-pinyin.
> That package has already been unblocked from freeze:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225

And missed the ignore-piuparts hint. Thanks for bringing that to our
attention, I added that hint.

> But since it hit the very same adduser/piuparts issue as ufw (and
> probably a bunch of other packages) did, it's still blocked from migration.

Not if we add the right hint, which we have in place already for several
unblocks.

> Maybe it was wrong of me to comment on this ufw bug, but the
> adduser/piuparts situation is special, and I felt it made sense to
> handle all affected packages together.

Sorry, that doesn't scale. We'll handle it per unblock request.

> Please advise on how uploaders affected by the adduser/piuparts
> situation should act.

From tomorrow on, all packages that haven't migrated need an unblock
request or they will not be part of bookworm. Normally we'd spot the
piuparts problem and add the ignore hint if it's caused by the adduser
issue.


Paul




Bug#1036531: unblock: firefox-esr/102.11.0esr-1

2023-05-23 Thread Salvatore Bonaccorso
Hi Release team,

On Mon, May 22, 2023 at 09:57:13AM +0900, Mike Hommey wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package firefox-esr
> 
> [ Reason ]
> Security update for Firefox. The same package has already reached
> bullseye.
> 
> [ Impact ]
> See above
> 
> [ Tests ]
> Usual smoke tests
> 
> [ Risks ]
> See above.
> 
> [ Other info ]
> There are no changes to the package debian/ directory other than
> debian/changelog. Everything else is upstream changes for the security
> update.
> 
> unblock firefox-esr/102.11.0esr-1

To confirm: As we have 102.11.0esr-1~deb11u1 in bullseye, and this is
exactly what we will do as well for bookworm for DSAs please do
accept this unblock request. According to the grep-excuses there
should not be anything blocking it.

Thanks for your hard work for the release.

Regards,
Salvatore



Bug#1036123: marked as done ([pre-approval] unblock: libcap2/1:2.66-4)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 21:47:47 +0200
with message-id <983f050d-f27d-29cb-4355-37336f6bc...@debian.org>
and subject line Re: Bug#1036123: [pre-approval] unblock: libcap2/1:2.66-4
has caused the Debian Bug report #1036123,
regarding [pre-approval] unblock: libcap2/1:2.66-4
to be marked as done.



-- 
1036123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libc...@packages.debian.org
Control: affects -1 + src:libcap2

Please unblock package libcap2

This fixes two minor CVEs for which the fix was published today. The fix
consists of cherry-picking two small patches from upstream.

I'm erring on the side of caution here and asking for pre-approval, as
the issues this fixes were considered to be minor and I'm not sure
whether "CVE" by itself automatically satisfies the threshold for direct
upload.

[ Reason ]
Fix for two security issues.

[ Impact ]
Without this release, users will be left vulnerable to two minor issues.

[ Tests ]
All upstream tests passed, including those requiring root (tested within
a VM).

[ Risks ]
Little to none. The two patches are trivial.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock libcap2/1:2.66-4
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog   2022-12-21 21:19:49.0 +0100
+++ libcap2-2.66/debian/changelog   2023-05-15 20:34:57.0 +0200
@@ -1,3 +1,9 @@
+libcap2 (1:2.66-4) unstable; urgency=medium
+
+  * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
+
+ -- Christian Kastner   Mon, 15 May 2023 20:34:57 +0200
+
 libcap2 (1:2.66-3) unstable; urgency=medium
 
   * Add gcc to autopkgtest for upstream tests.
diff -Nru 
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
 
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
--- 
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
1970-01-01 01:00:00.0 +0100
+++ 
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
2023-05-15 20:34:57.0 +0200
@@ -0,0 +1,39 @@
+From: "Andrew G. Morgan" 
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+  https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan 
+
+Origin: upstream, 
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
 b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const 
pthread_attr_t *attr,
+ pthread_sigmask(SIG_BLOCK, , NULL);
+ 
+ int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+-if (ret == -1) {
++if (ret > 0) {
+   psx_new_state(_PSX_CREATE, _PSX_IDLE);
+   memset(starter, 0, sizeof(*starter));
+   free(starter);
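
Review bot: in the psx.c change, `if (ret > 0)` fixes the dead `ret == -1` branch, but `if (ret != 0)` would be the stricter test: pthread_create() returns 0 on success and an error number otherwise, so comparing against zero frees starter on every failure without relying on error numbers being positive. It would also help to say in debian/changelog that this patch is the CVE-2023-2602 fix, as the audit reference in the patch header states, since the changelog entry lists both CVEs without saying which patch addresses which.
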
diff -Nru 
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
 
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
--- 
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
   1970-01-01 01:00:00.0 +0100
+++ 
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
   2023-05-15 20:34:57.0 +0200
@@ -0,0 +1,53 @@
+From: "Andrew G. Morgan" 
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in 

Bug#1036548: marked as done (unblock: cups-filters/1.28.17-3)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 21:44:16 +0200
with message-id 
and subject line Re: Bug#1036548: unblock: cups-filters/1.28.17-3
has caused the Debian Bug report #1036548,
regarding unblock: cups-filters/1.28.17-3
to be marked as done.



-- 
1036548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock and age package cups-filters

[ Reason ]
CVE-2023-24805 (RCE due to missing input sanitising)

[ Impact ]
The user would be vulnerable to remote code execution.

[ Tests ]
There is no special test for this patch, only a POC that no
longer worked after applying the patch.

[ Risks ]
The patch was provided by upstream and approved by the security team
(upload to Bullseye already done).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock cups-filters/1.28.17-3
diff -Nru cups-filters-1.28.17/debian/changelog 
cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog   2023-03-10 19:25:20.0 
+0100
+++ cups-filters-1.28.17/debian/changelog   2023-05-19 18:25:20.0 
+0200
@@ -1,3 +1,14 @@
+cups-filters (1.28.17-3) unstable; urgency=medium
+
+  * CVE-2023-24805 
+prevent arbitrary command execution by escaping the quoting
+of the arguments in a job with a forged job title
+more information are available in the commit message at:
+https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35
+(Closes: #1036224)
+
+ -- Thorsten Alteholz   Fri, 19 May 2023 18:25:20 +0200
+
 cups-filters (1.28.17-2) unstable; urgency=medium
 
   * qpdf needs at least c++17
diff -Nru cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch 
cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch
--- cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch   
1970-01-01 01:00:00.0 +0100
+++ cups-filters-1.28.17/debian/patches/0003-fix-CVE-2023-24805.patch   
2023-05-19 10:50:03.0 +0200
@@ -0,0 +1,176 @@
+From: Thorsten Alteholz 
+Date: Fri, 19 May 2023 10:49:35 +0200
+Subject: fix CVE-2023-24805
+
+---
+ backend/beh.c | 107 +-
+ 1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..8d51235 100644
+--- a/backend/beh.c
 b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include 
+ #include 
++#include 
+ 
+ /*
+  * Local globals...
+  */
+ 
+-static intjob_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int   job_canceled = 0; /* Set to 1 on SIGTERM */
+ 
+ /*
+  * Local functions...
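
Review bot: for job_canceled, `volatile int` is an improvement, but a flag that its own comment says is set on SIGTERM should be declared `volatile sig_atomic_t`, the type C guarantees can be written from a signal handler and read from the main flow as a single access. The added #include line has lost its header name in this copy of the diff, so check it against the upstream commit referenced in the changelog.
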
+@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of 
final destination */
+char **argv,   /* I - Command-line arguments */
+char *filename) {  /* I - File name of input data */
+   const char  *cups_serverbin;/* Location of programs */
++  char  *backend_argv[8]; /* Arguments for backend */
+   charscheme[1024],   /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+-  cmdline[65536]; /* Backend command line */
+-  int   retval;
++  backend_path[2048]; /* Backend path */
++  int   pid = 0,  /* Process ID of backend */
++wait_pid, /* Process ID from wait() */
++wait_status,  /* Status from child */
++retval = 0;
++  int   bytes;
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-scheme[1023] = '\0';
++  scheme[0] = '\0';
++  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
+-
++  else {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme 
part.\n");
++exit (CUPS_BACKEND_FAILED);
++  }
++  if (strchr(scheme, '/')) {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++exit (CUPS_BACKEND_FAILED);
++  }
++  if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++fprintf(stderr,
++  "ERROR: beh: Invalid URI, scheme (\"%s\") is 
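
Review bot: the new declarations in call_backend() use `int` for pid and wait_pid, which their comments describe as process IDs; pid_t is the type for those values. backend_argv is a fixed `char *[8]`, and the code that fills it is cut off in this excerpt, so confirm it stores at most seven arguments plus the terminating NULL. The scheme checks visible here (a colon must be present, no '/', not "." or "..") all exit with CUPS_BACKEND_FAILED, which fails closed, but an empty scheme is not rejected by any of the three; an explicit length check would make the validation complete unless the cut-off code already covers it.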

Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1

2023-05-23 Thread Salvatore Bonaccorso
Dear release team,

On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock 
> X-Debbugs-Cc: x...@packages.debian.org, t...@security.debian.org, 
> m...@daemonizer.de
> Control: affects -1 + src:xen
> 
> Please unblock package xen.
> 
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
> 
> [ Impact ]
> The above mentioned CVEs are not fixed in bookworm.
> 
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
> 
> [ Risks ]
> There could be upstream changes unrelated to the above mentioned
> security fixes that cause regressions. However upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all test pass.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, what we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.

I can confirm that this is indeed the strategy for src:xen we would
follow, like for bullseye already, as well in bookworm.

Regards,
Salvatore



Bug#1035522: debian-security-support 11+2023.05.04 flagged for acceptance

2023-05-23 Thread Holger Levsen
On Tue, May 23, 2023 at 05:44:30PM +0100, Adam D. Barratt wrote:
> In the interests of not blocking on things other than SRM's free time,
> how does this sound as some blurb for an announcement mail?
> 
> 
> The debian-security-support package tracks the level of security support
> available for packages within Debian releases, allowing administrators to
> be alerted to installed packages for which support has had to be limited
> or prematurely ended.
> 
> The version of the package in bullseye can lead to the production of a
> large number of warning messages during an upgrade to the upcoming
> bookworm release. This update resolves that issue.
> 

sounds pretty good to me, thank you.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

No more poor people in a rich country!




Bug#1036227: marked as done (bookworm-pu: package r-cran-shiny/1.7.4+dfsg-3~deb12u1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 21:20:51 +0200
with message-id 
and subject line Re: Bug#1036227: bookworm-pu: package 
r-cran-shiny/1.7.4+dfsg-3~deb12u1
has caused the Debian Bug report #1036227,
regarding bookworm-pu: package r-cran-shiny/1.7.4+dfsg-3~deb12u1
to be marked as done.



-- 
1036227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: r-cran-sh...@packages.debian.org, 1035...@bugs.debian.org, 
debia...@lists.debian.org
Control: affects -1 + src:r-cran-shiny

I'd like to announce an upload to testing-proposed-updates

[ Reason ]
As discussed on the mailing list debian-release@l.d.o[1] the
accidental upload of r-base prevents r-cran-shiny from migrating
to testing since it has some failing tests due to the r-base
version conflict.  Thus an upload to testing-proposed-updates
seems an appropriate solution for this and this bug report is
about asking you for confirmation about this solution.

[ Impact ]
R-cran-shiny has an RC bug and is in danger to be not released
with bookworm.  It has quite some dependencies that would be
affected.

[ Tests ]
There is just a fixed symlink in the upload to fix the RC bug.
All tests are passing as usual.

[ Risks ]
The change to the package is minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  --> will be attached once uploaded
  [x] the issue is verified as fixed in unstable

[ Changes ]

I propose to upload the following change to t-p-u:

$ git diff HEAD^
diff --git a/debian/changelog b/debian/changelog
index 21d12c3..a2b6c26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+r-cran-shiny (1.7.4+dfsg-3~deb12u1) bookworm; urgency=medium
+
+  * Upload to testing-proposed-updates "bookworm" due to the fact that
+there was an accidental upload of a new version of r-base to unstable
+
+ -- Andreas Tille   Wed, 17 May 2023 07:56:25 +0200
+
 r-cran-shiny (1.7.4+dfsg-3) unstable; urgency=medium
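
Review bot: the new changelog entry gives only the reason for targeting testing-proposed-updates; it does not mention the symlink fix that the [ Tests ] section describes as the actual change, and it carries no Closes: for the RC bug. Add a line for the link fix with its bug number so that the checklist item "*all* changes are documented in the d/changelog" holds for the version that gets uploaded.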


Nilesh Patra suggested to use version 1.7.4+dfsg-2+deb12u1 but I
personally regard my version suggestion more logical (long explanation
given in [2]).


[ Other info ]

Please confirm that I should upload to t-p-u (and raise your opinion
about the most sensible version in your eyes).

Kind regards and thanks for working as release team
   Andreas.


[1] https://lists.debian.org/debian-release/2023/05/msg00623.html
--- End Message ---
--- Begin Message ---

Hi,

unblocked.

Paul


--- End Message ---


Bug#1036227: bookworm-pu: package r-cran-shiny/1.7.4+dfsg-3~deb12u1

2023-05-23 Thread Andreas Tille
Hi Paul,

On Tue, May 23, 2023 at 01:52:38PM +0200, Paul Gevers wrote:
> Control: tags -1 confirmed

Thanks.

> On 17-05-2023 19:48, Andreas Tille wrote:
> > I'd like to announce an upload to testing-proposed-updates
> 
> You confused me here. I don't see traces of the upload yet, so I assume this
> is a pre-approval.

Yes, I was asking for pre-approval (sorry for the confusing wording).
 
> > Thus an upload to testing-proposed-updates
> > seems an appropriate solution for this and this bug report is
> > about asking you for confirmation about this solution.
> 
> Ack. For the future ideally this would be fixed by dh-r being less strict in
> what it injects.

I think the injection is sensible in principle to prevent any r-cran
package that is built against r-base with a higher version than in
testing to migrate to testing too early.  It's just the accidental upload
of a higher version which creates the problem.
 
> > I propose to upload the following change to t-p-u:
> 
> Please, always generate your debdiff comparing to what is currently in
> testing.

I'll do - just wanted to wait for confirmation of the versioning
scheme to create the final diff.  It is attached now.
 

> However, I personally prefer the automatic
> syncing of testing to unstable that we get if you use 1.7.4+dfsg-3+deb12u1
> (mind the version being *higher* than testing) or even 1.7.4+dfsg-4. But ACK
> with whatever reasonable version number you choose.

Hope this fits the easy route now.

Kind regards and thanks for working in the release team
Andreas.


[1] https://lists.debian.org/debian-release/2023/05/msg00623.html

-- 
http://fam-tille.de
diff -Nru r-cran-shiny-1.7.4+dfsg/debian/changelog 
r-cran-shiny-1.7.4+dfsg/debian/changelog
--- r-cran-shiny-1.7.4+dfsg/debian/changelog2023-02-21 20:34:31.0 
+0100
+++ r-cran-shiny-1.7.4+dfsg/debian/changelog2023-05-17 07:56:25.0 
+0200
@@ -1,3 +1,12 @@
+r-cran-shiny (1.7.4+dfsg-2+deb12u1) bookworm; urgency=medium
+
+  * Upload to testing-proposed-updates "bookworm" due to the fact that
+there was an accidental upload of a new version of r-base to unstable
+  * Fix link for normalize.css
+Closes: #1035428
+
+ -- Andreas Tille   Wed, 17 May 2023 07:56:25 +0200
+
 r-cran-shiny (1.7.4+dfsg-2) unstable; urgency=medium
 
   * closure-compiler fails - simply symlinking uncompressed JS
diff -Nru r-cran-shiny-1.7.4+dfsg/debian/links 
r-cran-shiny-1.7.4+dfsg/debian/links
--- r-cran-shiny-1.7.4+dfsg/debian/links2023-02-21 20:34:31.0 
+0100
+++ r-cran-shiny-1.7.4+dfsg/debian/links2023-05-17 07:56:25.0 
+0200
@@ -37,5 +37,5 @@
 usr/share/javascript/bootstrap/files/js/locales
usr/lib/R/site-library/shiny/www/shared/datepicker/js/locales
 usr/share/javascript/bootstrap/files/less/datepicker.less  
usr/lib/R/site-library/shiny/www/shared/datepicker/less/datepicker.less
 # usr/share/javascript/selectize.js/selectize.min.js   
usr/lib/R/site-library/shiny/www/shared/selectize/js/selectize.min.js
-usr/lib/nodejs/normalize.css/normalize.css 
usr/lib/R/site-library/shiny/www/shared/ionrangeslider/css/normalize.css
+usr/share/javascript/normalize.css/normalize.css   
usr/lib/R/site-library/shiny/www/shared/ionrangeslider/css/normalize.css
 usr/share/nodejs/html5shiv/dist/html5shiv.min.js   
usr/lib/R/site-library/shiny/www/shared/bootstrap/shim/html5shiv.min.js
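
Review bot: the corrected link source usr/share/javascript/normalize.css/normalize.css only resolves if the package shipping that file is in r-cran-shiny's Depends, and debian/control is not part of this debdiff; confirm the dependency matches the new path, otherwise the symlink dangles again as in #1035428. The following context line still points into usr/share/nodejs/ for html5shiv, so that path is worth checking against the package in bookworm as well.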


Bug#1036554: unblock: iproute2/6.1.0-3

2023-05-23 Thread Luca Boccassi
On Mon, 22 May 2023 14:30:50 +0100 Luca Boccassi 
wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Dear Release Team,
> 
> A small regression w.r.t. Bookworm has just been reported on iproute2.
> It is a trivial fix so I'd like to have it in the release if possible.
> debdiff attached.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036534

The regression this fixes is w.r.t. Bullseye, I meant.

-- 
Kind regards,
Luca Boccassi




Bug#1036123: [pre-approval] unblock: libcap2/1:2.66-4

2023-05-23 Thread Cyril Brulebois
Hi,

Paul Gevers  (2023-05-23):
> On 18-05-2023 22:06, Salvatore Bonaccorso wrote:
> > I just realized, that apart getting the unblock by the release team as
> > it affects d-i as well (shipping libcap2-udeb), CC'ing Cyril here as
> > well.
> 
> CVE fixes in libcap2. Can you ACK (or udeb-unblock)?

Apologies for losing track of this request. No objections.

FTR reverse dependencies are just brltty-udeb and udev-udeb. Hopefully
neither of those depend on *not* applying those two CVE fixes.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Re: Is an MBF and unblock for packages introducing new files in /bin or /sbin or /lib in Bookworm acceptable at this stage?

2023-05-23 Thread Luca Boccassi
On Tue, 23 May 2023 at 17:48, Paul Gevers  wrote:
>
> Hi,
>
> On 21-05-2023 21:22, Luca Boccassi wrote:
> > If we were to do a MBF against packages that in _Bookworm_ have
> > introduced new files in /bin, /sbin or /lib*, would you accept the
> > consequent mass unblock request?
>
> Short answer is no, it's too late.

Understandable, thanks for checking.

Kind regards,
Luca Boccassi



Bug#1036456: marked as done (unblock: libfastjson/1.2304.0-1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 18:56:27 +0200
with message-id <13f152e9-11bb-0b7d-d8bc-ce8746106...@debian.org>
and subject line Re: Bug#1036456: unblock: libfastjson/1.2304.0-1
has caused the Debian Bug report #1036456,
regarding unblock: libfastjson/1.2304.0-1
to be marked as done.



-- 
1036456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libfastj...@packages.debian.org, bi...@debian.org
Control: affects -1 + libfastjson

Please unblock package libfastjson

A new upstream version of libfastjson fixes a security bug
(CVE-2020-12762, #1035302). They also changed the release numbering,
hence the seemingly huge jump, but the actual diff is quite small.

[ Reason ]
"Prevent signed integer overflows with large buffers", as upstream
states inline, cf.
.
.

[ Impact ]
Without this change the above vulnerability remains. However, according
to upstream rsyslog - the main and almost sole user of this library -
was not affected anyways due to size limits.

[ Tests ]
There is some coverage via upstream's tests/test_printbuf.c that is run
during build time. The code in question is also tested in json-c, cf.
.

[ Risks ]
Via rsyslog this library is a key package. However, the new code merely
adds some straightforward checks against signed integer overflows, which
are already part of json-c in buster, bullseye, bookworm, and sid, cf.
.
The new libfastjson release has entered unstable 18 days ago, and so far
no bugs seem to have surfaced due to this change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them (disclaimer below)
  [x] attach debdiff against the package in testing

I am not the package maintainer but merely the bug submitter. However,
Michael expressed he wouldn't object if I want to pursue this, cf.
.

unblock libfastjson/1.2304.0-1
diff -Nru libfastjson-0.99.9/ChangeLog libfastjson-1.2304.0/ChangeLog
--- libfastjson-0.99.9/ChangeLog2021-01-25 13:52:55.0 +0100
+++ libfastjson-1.2304.0/ChangeLog  2023-04-17 15:51:20.0 +0200
@@ -1,3 +1,8 @@
+1.2304.0, 2023-04-18
+- change of release number scheme, now like rsyslog
+- fix Fix CVE-2020-12762
+  Note: the CVE did not affect rsyslog use due to size limits
+  Thanks to Wang Haitao for the patch.
 0.99.9 2021-01-26
 - add API fjson_object_get_uint()
   Thanks to Janmejay Singh for contributing the patch.
diff -Nru libfastjson-0.99.9/configure libfastjson-1.2304.0/configure
--- libfastjson-0.99.9/configure2021-01-25 13:53:09.0 +0100
+++ libfastjson-1.2304.0/configure  2023-04-17 15:54:00.0 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libfastjson 0.99.9.
+# Generated by GNU Autoconf 2.69 for libfastjson 1.2304.0.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='libfastjson'
 PACKAGE_TARNAME='libfastjson'
-PACKAGE_VERSION='0.99.9'
-PACKAGE_STRING='libfastjson 0.99.9'
+PACKAGE_VERSION='1.2304.0'
+PACKAGE_STRING='libfastjson 1.2304.0'
 PACKAGE_BUGREPORT='rsys...@lists.adiscon.com'
 PACKAGE_URL=''
 
@@ -1336,7 +1336,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libfastjson 0.99.9 to adapt to many kinds of systems.
+\`configure' configures libfastjson 1.2304.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1407,7 +1407,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of libfastjson 0.99.9:";;
+ short | recursive ) echo "Configuration of libfastjson 1.2304.0:";;
esac
   cat <<\_ACEOF
 
@@ -1525,7 +1525,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libfastjson configure 0.99.9
+libfastjson configure 1.2304.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1948,7 +1948,7 

Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Gunnar Hjalmarsson

Hi Paul,

On 2023-05-23 17:31, Paul Gevers wrote:

On 19-05-2023 05:33, Jamie Strandboge wrote:
It seems that adduser 3.133 has caused problems for a lot of packages 
in sid, including ufw. See:


https://piuparts.debian.org/sid/fail/adduser_3.133.log
https://piuparts.debian.org/sid/fail/
https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
https://piuparts.debian.org/sid/fail/...


Yes, known, let's not worry about that.


Well, I do worry a bit.

ufw did not cause adduser to be unremovable, and adduser being 
unremovable

should not affect ufw's migration.


Sure. The migration is currently blocked because the upload happened 
very recently


That description is not quite accurate. ufw has autopkgtest, so strictly 
it's not blocked because of the freeze, but because of a piuparts failure.


and tomorrow we'll enter Full Freeze. So the upload 
happened too late for it to migrate without us unblocking.


Maybe you didn't see my reply to Jamie's initial bug, but it was archived:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10

As you can see my primary concern is another package, i.e. ibus-pinyin. 
That package has already been unblocked from freeze:


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225

But since it hit the very same adduser/piuparts issue as ufw (and 
probably a bunch of other packages) did, it's still blocked from migration.



Maybe it was wrong of me to comment on this ufw bug, but the 
adduser/piuparts situation is special, and I felt it made sense to 
handle all affected packages together.


Please advise on how uploaders affected by the adduser/piuparts 
situation should act.


--
Rgds,
Gunnar Hjalmarsson



Processed: Re: Bug#1036453: unblock: libvirt/9.0.0-4

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #1036453 [release.debian.org] unblock: libvirt/9.0.0-4
Added tag(s) moreinfo and confirmed.

-- 
1036453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036453: unblock: libvirt/9.0.0-4

2023-05-23 Thread Paul Gevers

Control: tags -1 confirmed moreinfo

Hi,

On 21-05-2023 12:37, Andrea Bolognani wrote:
> Fix CVE-2023-2700.


Please go ahead. And please remove the moreinfo tag once the upload 
happened.


Paul




Bug#1035522: debian-security-support 11+2023.05.04 flagged for acceptance

2023-05-23 Thread Adam D. Barratt
On Fri, 2023-05-19 at 14:38 +0100, Adam D. Barratt wrote:
> On Fri, 2023-05-19 at 13:11 +, Holger Levsen wrote:
> > On Thu, May 18, 2023 at 07:51:36PM +, Adam D Barratt wrote:
> > > The upload referenced by this bug report has been flagged for
> > > acceptance into the proposed-updates queue for Debian bullseye.
> >  
> > thanks! how/when will it moved/be moved to bullseye-updates?
> 
[...]
> I'm hoping to find time to look at it over the weekend, but that
> depends a little on what life thinks of the idea.
> 

Life has very much had other ideas.

In the interests of not blocking on things other than SRM's free time,
how does this sound as some blurb for an announcement mail?


The debian-security-support package tracks the level of security support
available for packages within Debian releases, allowing administrators to
be alerted to installed packages for which support has had to be limited
or prematurely ended.

The version of the package in bullseye can lead to the production of a
large number of warning messages during an upgrade to the upcoming
bookworm release. This update resolves that issue.


Regards,

Adam



Re: Is an MBF and unblock for packages introducing new files in /bin or /sbin or /lib in Bookworm acceptable at this stage?

2023-05-23 Thread Paul Gevers

Hi,

On 21-05-2023 21:22, Luca Boccassi wrote:
> If we were to do a MBF against packages that in _Bookworm_ have
> introduced new files in /bin, /sbin or /lib*, would you accept the
> consequent mass unblock request?


Short answer is no, it's too late.

Paul




Bug#1035522: bullseye-pu: package debian-security-support/1:11+2023.05.04

2023-05-23 Thread Adam D. Barratt
On Fri, 2023-05-19 at 13:57 +, Holger Levsen wrote:
> On Thu, May 18, 2023 at 02:44:01PM +0100, Adam D. Barratt wrote:
> > > ic. so I should have uploaded to bullseye-proposed-updates
> > > instead?
> > Any upload goes to p-u first, yeah. So the target should always be
> > simply "bullseye", by preference. dak will accept a bunch of other
> > things, including "stable", "bullseye-proposed-updates", "proposed-
> > updates" and, as you've demonstrated, "bullseye-updates" and DTRT,
> > but
> > it's cleaner and less potentially confusing if everything uses the
> > same.
> 
> ok, thanks. that does make sense.
>  
> > The relevant section of dev-ref implies this, fwiw. I think some
> > combination of you and I wrote it. :-)
> 
> oh dear. however upon re-reading 5.5.1 and 5.5.2 I've noticed that
> 5.5.2
> says nothing about the suite in d/changelog and I think I'm going to
> fix
> that now :)

fwiw that's semi-intentional, because the point is that there is no
difference from an uploader's perspective.

"Uploads to stable-updates" don't exist as a thing; rather, some
uploads to p-u are cherrypicked by SRM and copied to -updates. So
uploaders shouldn't be trying to do anything different from a technical
perspective, just remembering to request the -updates copy while
discussing the request via the BTS.

Regards,

Adam



Bug#1036449: marked as done (unblock: vice/3.7.1+dfsg1-2)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 18:23:19 +0200
with message-id <17c5e74c-62e5-8128-0c8e-41706a9ed...@debian.org>
and subject line Re: Bug#1036449: unblock: vice/3.7.1+dfsg1-2
has caused the Debian Bug report #1036449,
regarding unblock: vice/3.7.1+dfsg1-2
to be marked as done.


-- 
1036449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036449
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 + src:vice

Hi RMs,

[ Reason ]
My bad was still using non-official categories in desktop files. Now
this is corrected.

[ Impact ]
Find shortcuts to emulation binaries in the right place finally for Bookworm.

[ Tests ]
Local check was made and already in Sid for a week.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock vice/3.7.1+dfsg1-2

Thanks for considering,
Laszlo/GCS
diff -Nru vice-3.7.1+dfsg1/debian/changelog vice-3.7.1+dfsg1/debian/changelog
--- vice-3.7.1+dfsg1/debian/changelog	2023-04-29 10:58:51.0 +0200
+++ vice-3.7.1+dfsg1/debian/changelog	2023-05-14 07:41:04.0 +0200
@@ -1,3 +1,10 @@
+vice (3.7.1+dfsg1-2) unstable; urgency=medium
+
+  * Use valid Freedesktop.org categories for desktop files
+(closes: #626518, #958959).
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 14 May 2023 07:41:04 +0200
+
 vice (3.7.1+dfsg1-1) unstable; urgency=medium
 
   * Remove mps803.bin printer ROM from source (closes: #1035079).
diff -Nru vice-3.7.1+dfsg1/debian/desktop/x128.desktop vice-3.7.1+dfsg1/debian/desktop/x128.desktop
--- vice-3.7.1+dfsg1/debian/desktop/x128.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/x128.desktop	2023-05-13 23:20:01.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/c128icon-32x28.xpm
 Exec=/usr/bin/x128
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
diff -Nru vice-3.7.1+dfsg1/debian/desktop/x64.desktop vice-3.7.1+dfsg1/debian/desktop/x64.desktop
--- vice-3.7.1+dfsg1/debian/desktop/x64.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/x64.desktop	2023-05-13 23:20:07.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/c64icon-32x28.xpm
 Exec=/usr/bin/x64sc
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
diff -Nru vice-3.7.1+dfsg1/debian/desktop/xcbm2.desktop vice-3.7.1+dfsg1/debian/desktop/xcbm2.desktop
--- vice-3.7.1+dfsg1/debian/desktop/xcbm2.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/xcbm2.desktop	2023-05-13 23:20:12.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/cbm2icon-32x28.xpm
 Exec=/usr/bin/xcbm2
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
diff -Nru vice-3.7.1+dfsg1/debian/desktop/xpet.desktop vice-3.7.1+dfsg1/debian/desktop/xpet.desktop
--- vice-3.7.1+dfsg1/debian/desktop/xpet.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/xpet.desktop	2023-05-13 23:20:16.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/peticon-32x28.xpm
 Exec=/usr/bin/xpet
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
diff -Nru vice-3.7.1+dfsg1/debian/desktop/xplus4.desktop vice-3.7.1+dfsg1/debian/desktop/xplus4.desktop
--- vice-3.7.1+dfsg1/debian/desktop/xplus4.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/xplus4.desktop	2023-05-13 23:20:32.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/plus4icon-32x28.xpm
 Exec=/usr/bin/xplus4
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
diff -Nru vice-3.7.1+dfsg1/debian/desktop/xvic.desktop vice-3.7.1+dfsg1/debian/desktop/xvic.desktop
--- vice-3.7.1+dfsg1/debian/desktop/xvic.desktop	2022-02-02 17:44:26.0 +0100
+++ vice-3.7.1+dfsg1/debian/desktop/xvic.desktop	2023-05-13 23:20:35.0 +0200
@@ -63,4 +63,4 @@
 Icon=/usr/share/pixmaps/vic20icon-32x28.xpm
 Exec=/usr/bin/xvic
 Terminal=false
-Categories=Application;X-Debian-Applications-Emulators;
+Categories=Game;Emulator;
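Review bot: Only six desktop files get the new Categories line (x128, x64, xcbm2, xpet, xplus4, xvic), so the changelog's claim of valid Freedesktop.org categories holds only if these are all the entries the package installs. Please confirm that no other file under debian/desktop still carries "Application;X-Debian-Applications-Emulators;", and consider running desktop-file-validate on the installed entries at build time so a leftover or future invalid category is caught.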
--- End Message ---
--- Begin Message ---

Hi,

On 21-05-2023 09:26, László Böszörményi (GCS) wrote:
> My bad was still using non-official categories in desktop files. Now
> this is corrected.


Not entirely 

Bug#1036423: marked as done (unblock: uwsgi/2.0.21-5.1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 18:04:57 +0200
with message-id <19412684-430b-98b7-3d79-bddd08ea0...@debian.org>
and subject line Re: unblock: uwsgi/2.0.21-5.1
has caused the Debian Bug report #1036423,
regarding unblock: uwsgi/2.0.21-5.1
to be marked as done.


-- 
1036423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: uw...@packages.debian.org
Control: affects -1 + src:uwsgi

Please unblock package uwsgi/2.0.21-5.1.

This is an update to fix RC bug #1035005. I did an NMU as suggested by
the package maintainer.

[ Reason ]

Upgrades from Bullseye to Bookworm failed when
uwsgi-plugin-jvm-openjdk-11 is installed. This is solved by adding
versioned Breaks and Replaces to uwsgi-plugin-jvm-openjdk-17 binary
package.

[ Impact ]

uwsgi removed from the release, affecting many packages that depend on
it.

[ Tests ]

I tested by unpacking the package into a Debian bullseye VM where
uwsgi-plugin-jvm-openjdk-11 was already installed.

[ Risks ]

It is a small change and low risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

There is a piuparts regression, but it is due to a recent change in
adduser package, and not related at all to the change in uwsgi package.

unblock uwsgi/2.0.21-5.1
diff -Nru uwsgi-2.0.21/debian/changelog uwsgi-2.0.21/debian/changelog
--- uwsgi-2.0.21/debian/changelog   2023-02-24 06:50:43.0 -0500
+++ uwsgi-2.0.21/debian/changelog   2023-05-19 09:59:29.0 -0400
@@ -1,3 +1,10 @@
+uwsgi (2.0.21-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add Replaces on uwsgi-plugin-jvm-openjdk-11 (Closes: #1035005)
+
+ -- James Valleroy   Fri, 19 May 2023 09:59:29 -0400
+
 uwsgi (2.0.21-5) unstable; urgency=medium
 
   * skip shellcheck test when DEB_BUILD_OPTIONS=nocheck;
diff -Nru uwsgi-2.0.21/debian/control uwsgi-2.0.21/debian/control
--- uwsgi-2.0.21/debian/control 2023-02-24 06:49:44.0 -0500
+++ uwsgi-2.0.21/debian/control 2023-05-19 09:59:29.0 -0400
@@ -616,6 +616,8 @@
  uwsgi-core (= ${binary:Version}),
  ${misc:Depends},
  ${shlibs:Depends},
+Replaces: uwsgi-plugin-jvm-openjdk-11 (<< 2.0.21-1)
+Breaks: uwsgi-plugin-jvm-openjdk-11 (<< 2.0.21-1)
 Description: Java plugin for uWSGI (OpenJDK 17)
  uWSGI presents a complete stack for networked/clustered web applications,
  implementing message/object passing, caching, RPC and process management.
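Review bot: The changelog entry in the previous hunk says only "Add Replaces", while the two added lines here introduce both Replaces and Breaks on uwsgi-plugin-jvm-openjdk-11 (<< 2.0.21-1); the entry should name both fields, since they do different jobs during the upgrade. It would also help to say in the changelog why 2.0.21-1 is the right bound, because nothing in the visible lines shows which version took over the files.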


--- End Message ---
--- Begin Message ---

Hi,

On 20-05-2023 19:00, James Valleroy wrote:
> unblock uwsgi/2.0.21-5.1


unblocked, aged and piuparts-ignored.

Paul


--- End Message ---


Bug#1036401: marked as done (unblock: tools-dep-clojure/0.16.1264-3)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 17:42:31 +0200
with message-id 
and subject line Re: Bug#1036401: tools-dep-clojure/0.16.1264-3
has caused the Debian Bug report #1036401,
regarding unblock: tools-dep-clojure/0.16.1264-3
to be marked as done.


-- 
1036401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036401
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: team+cloj...@tracker.debian.org
Control: affects -1 + src:tools-dep-clojure

I would like to request an unblock to upload 
tools-dep-clojure/0.16.1264-3 which fixes a FTBFS bug.


- #1036386 - tools-deps-clojure: FTBFS without network access

[ Reason ]
The package currently FTBFS because the testsuite which runs during 
build requires network access.


[ Impact ]
Accepting this release should not have any impact beyond 
tools-dep-clojure itself. libtools-dep-clojure has no rdeps in bookworm.


[ Tests ]
Test-related FTBFS issue was reproduced and fixed locally. Autopkgtest 
are passing.


[ Risks ]
None that I can imagine considering the very small delta.

[ Checklist ]
   [x] all changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in testing


Thanks!

-- Jérômediff -Nru tools-deps-clojure-0.16.1264/debian/changelog 
tools-deps-clojure-0.16.1264/debian/changelog
--- tools-deps-clojure-0.16.1264/debian/changelog   2023-01-22 
22:02:21.0 -0500
+++ tools-deps-clojure-0.16.1264/debian/changelog   2023-05-20 
08:54:30.0 -0400
@@ -1,3 +1,9 @@
+tools-deps-clojure (0.16.1264-3) unstable; urgency=medium
+
+  * d/run-build-tests: skip test that requires internet (Closes: #1036386)
+
+ -- Jérôme Charaoui   Sat, 20 May 2023 08:54:30 -0400
+
 tools-deps-clojure (0.16.1264-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru tools-deps-clojure-0.16.1264/debian/run-build-tests 
tools-deps-clojure-0.16.1264/debian/run-build-tests
--- tools-deps-clojure-0.16.1264/debian/run-build-tests 2023-01-22 
22:02:21.0 -0500
+++ tools-deps-clojure-0.16.1264/debian/run-build-tests 2023-05-20 
08:54:30.0 -0400
@@ -12,6 +12,5 @@
 -e "(require '[clojure.tools.deps.util.dir-test])" \
 -e "(System/exit (if (clojure.test/successful? (clojure.test/run-tests
 'clojure.tools.deps.extensions.faken
-'clojure.tools.deps.extensions.test-git
 'clojure.tools.deps.gen.test-pom
 'clojure.tools.deps.util.dir-test)) 0 1))"
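Review bot: Removing 'clojure.tools.deps.extensions.test-git from the run-tests list skips that whole namespace, and nothing in the script records why; a short comment next to the list pointing at #1036386 (the tests need network access) would keep it from being re-added by accident. If the script still carries a matching require for that namespace earlier on (not visible in this hunk), that line can be dropped as well.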
--- End Message ---
--- Begin Message ---

Hi,

On 20-05-2023 15:11, Jérôme Charaoui wrote:
> tools-dep-clojure/0.16.1264-3 which fixes a FTBFS bug.


unblocked and aged, but I had to fix your typo in the package name first :)

Paul


--- End Message ---


Bug#1036360: marked as done (unblock: squidguard/1.6.0-4)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 17:35:36 +0200
with message-id 
and subject line Re: unblock: squidguard/1.6.0-4
has caused the Debian Bug report #1036360,
regarding unblock: squidguard/1.6.0-4
to be marked as done.


-- 
1036360: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036360
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: squidgu...@packages.debian.org
Control: affects -1 + src:squidguard

Please unblock package squidguard

This fixes RC bug #1036028 which could affect users upgrading squidguard
from bullseye to bookworm.

unblock squidguard/1.6.0-4


diff -Nru squidguard-1.6.0/debian/changelog
squidguard-1.6.0/debian/changelog ---
squidguard-1.6.0/debian/changelog   2022-03-18 08:38:18.0
+0100 +++ squidguard-1.6.0/debian/changelog 2023-05-16
16:22:49.0 +0200 @@ -1,3 +1,9 @@ +squidguard (1.6.0-4) unstable;
urgency=medium +
+  * Fix dependency to squid-openssl | squid. Closes: #1036028
+
+ -- Joachim Wiedorn   Tue, 16 May 2023 16:22:49 +0200
+
 squidguard (1.6.0-3) unstable; urgency=medium
 
   * Recompiling with newer libc.
diff -Nru squidguard-1.6.0/debian/control squidguard-1.6.0/debian/control
--- squidguard-1.6.0/debian/control 2022-03-18 08:38:18.0
+0100 +++ squidguard-1.6.0/debian/control   2023-05-16
16:21:06.0 +0200 @@ -13,7 +13,7 @@
 Package: squidguard
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Recommends: squid (>= 3.4.0), liburi-perl, libwww-perl
+Recommends: squid-openssl | squid, liburi-perl, libwww-perl
 Suggests: ldap-utils, squidguard-doc
 Description: filter and redirector plugin for Squid
  squidGuard is a free, flexible and ultra fast filter, redirector
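Review bot: The changelog calls this a dependency fix, but the field changed is Recommends, and the new alternative "squid-openssl | squid" drops the (>= 3.4.0) version constraint that the old line carried. If the minimum version still matters, keep it on both alternatives; if it is obsolete, say so in the changelog entry so the removal is visibly intentional.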
diff -Nru squidguard-1.6.0/debian/copyright
squidguard-1.6.0/debian/copyright ---
squidguard-1.6.0/debian/copyright   2022-03-18 08:38:18.0
+0100 +++ squidguard-1.6.0/debian/copyright 2023-05-16
16:19:47.0 +0200 @@ -19,7 +19,7 @@ License: W3C-Software
 
 Files: debian/*
-Copyright: 2010-2022, Joachim Wiedorn 
+Copyright: 2010-2023, Joachim Wiedorn 
 License: GPL-2
 
 



--- End Message ---
--- Begin Message ---

Hi,

On Fri, 19 May 2023 19:48:25 +0200 Joachim Wiedorn wrote:
> unblock squidguard/1.6.0-4


This seems a ghost double of bug #1036331 which was already unblocked.

Paul


--- End Message ---


Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Paul Gevers

Control: tags -1 moreinfo

Hi,

On 19-05-2023 05:33, Jamie Strandboge wrote:
> It seems that adduser 3.133 has caused problems for a lot of packages in sid,
> including ufw. See:
>
> https://piuparts.debian.org/sid/fail/adduser_3.133.log
> https://piuparts.debian.org/sid/fail/
> https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
> https://piuparts.debian.org/sid/fail/...

Yes, known, let's not worry about that.

> ufw did not cause adduser to be unremovable, and adduser being unremovable
> should not affect ufw's migration.

Sure. The migration is currently blocked because the upload happened 
very recently and tomorrow we'll enter Full Freeze. So the upload 
happened too late for it to migrate without us unblocking.

> Bug fixes and translations will not be available in bookworm (I am upstream ufw
> and I cut 0.36.2 specifically for bookworm users).


Please elaborate. It's Full Freeze time. A new upstream needs a lot of 
defending to be considered a targeted fix at this stage of the release. 
Please read the policy [1] and the FAQ [2].


Paul

[1] https://release.debian.org/testing/freeze_policy.html
[2] https://release.debian.org/testing/FAQ.html




Processed: Re: Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #1036306 [release.debian.org] unblock: ufw/0.36.2-1
Added tag(s) moreinfo.

-- 
1036306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036246: marked as done (unblock: iptables-netflow/2.6-4)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 17:23:23 +0200
with message-id 
and subject line Re: Bug#1036246: unblock: iptables-netflow/2.6-4
has caused the Debian Bug report #1036246,
regarding unblock: iptables-netflow/2.6-4
to be marked as done.


-- 
1036246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036246
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: iptables-netf...@packages.debian.org, a...@debian.org, 
a...@debian.org
Control: affects -1 + src:iptables-netflow

Please unblock iptables-netflow/2.6-4.

This is an update to fix the RC bug report at
https://bugs.debian.org/1035511 and fixes an upgrade issue from
Bullseye to Bookworm if iptables-netflow-dkms is upgraded while the
Bullseye kernel (and headers) are still installed — which is the case
in nearly every upgrade workflow.

[ Reason ]

Upgrades from Bullseye to Bookworm failed, at least until the Bullseye
kernel has been uninstalled.

[ Impact ]

Impact without this package update, admins will

* have to wait for iptables-netflow-dkms's postinst to succeed until
  they have rebooted into the Bookworm kernel and uninstalled the
  Bullseye kernel.

* have no chance of running the newer iptables-netflow-dkms version
  from Bookworm with the Bullseye kernel.

Impact of the change:

* Low. Cherry-picked an upstream commit explicitly fixing compilation
  with older kernels. Regression introduced upstream with 2.6 when
  fixing compilation with kernel 5.15. It adds some compat definitions
  into the #ifdef areas for older kernels. Does not affect compiling
  against Bookworm's 6.1 kernel.

[ Tests ]

* Installation on Sid. Still compiles fine.

  (Exception: Fails if the kernel 6.3 in Experimental is installed on
  Sid. But I consider a fix for that to be unsuitable at this stage of
  the freeze.)

* Installation on two Bullseye systems of which one is a production
  server heavily relying on exactly this package. Still works fine
  with the Sid package installed on Bullseye with stock Bullseye
  kernel, even during package upgrade and after a reboot (into the
  Bullseye kernel).

  Netflows generated with iptables-netflow-dkms continued to show up
  in nfdump's local cache after upgrading the package to the version
  currently in Sid as well as after rebooting (which guarantees that
  the newly built kernel module was really used, not just compiled).

  This test proves that a server will continue to provide the
  package's functionality even during a dist-upgrade even while still
  running under the Bullseye kernel. (Which was found in #1035511 to
  be not the case due to the failing compilation with the Bullseye
  kernel.)

* Upgrade of a server from Bullseye to Bookworm which is using this
  package in production. Upgrade failed as reported in #1035511. The
  failure was fixed by installing the package from Unstable using
  "dpkg -i" as expected.

  Netflows generated with iptables-netflow-dkms continued to show up
  in nfdump's local cache afterwards as well after the final reboot
  into Bookworm's kernel.

  This test proves that a server will continue to provide the
  package's functionality even during a dist-upgrade and that it still
  works fine under Bookworm's kernel, i.e. that it does NOT introduce
  a regression on Bookworm.

* Autopkgtest in Sid via autopkgtest-pkg-dkms:
  https://qa.debian.org/excuses.php?package=iptables-netflow says "No
  test results" for all tests. I'm not sure what this actually
  means. If I click on such a link I see:

  I: Summary:
  I: PASS 6.1.0-8-amd64
  I: PASS 6.1.0-8-cloud-amd64
  I: PASS 6.1.0-8-rt-amd64

  Maybe these passes were considered superficial as in the end it
  just says twice:

  dkms-autopkgtest PASS (superficial)

[ Risks ]

* Future updates of the Bullseye kernel with backported kernel fixes
  might break some assumptions of the kernel version #ifdefs in this
  kernel module like the ones updated in this patch and hence might
  cause upgrade issues due to compilation issues again if someone
  upgrades from Bullseye to Bookworm only late in the Bullseye release
  cycle.

  But this is given with and without that upgrade, and it has happened
  in past stable releases as well. (Has IIRC last happened with
  backported kernel fixes in Buster.)

* It's a leaf package only in use on servers which generate netflows
  out of network traffic, e.g. for traffic statistics or security
  monitoring purposes.

[ Checklist ]

  [x] 

Bug#1036634: RM: monado/stable -- NVIU; 2 years old codebase for very active project targeting recent hardware and software stack (new version didn't make it into stable).

2023-05-23 Thread David Heidelberg
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: debian-release@lists.debian.org


Monado package is in very active development, offering support for
recent XR headsets.

The risk is getting users discouraged by very old and already unsupported
package, rather than just using the Monado package from unstable or git.



Processed: d-i

2023-05-23 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1036123 d-i
Bug #1036123 [release.debian.org] [pre-approval] unblock: libcap2/1:2.66-4
Added tag(s) d-i.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1036123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036123: [pre-approval] unblock: libcap2/1:2.66-4

2023-05-23 Thread Paul Gevers

Hi Cyril,

On 18-05-2023 22:06, Salvatore Bonaccorso wrote:
> I just realized, that apart getting the unblock by the release team as
> it affects d-i as well (shipping libcap2-udeb), CC'ing Cyril here as
> well.


CVE fixes in libcap2. Can you ACK (or udeb-unblock)?

Paul




Bug#1036084: [pre-approval] unblock: android-platform-tools-base/2.2.2-5

2023-05-23 Thread Paul Gevers

Control: tags -1 moreinfo

Hi,

On 15-05-2023 09:21, Emmanuel Bourg wrote:
> I'd like to suggest downgrading the dependency on adb to recommended
> if #1034982 isn't fixed in time for the Bookworm release.


That seems to be on its way all right. Please close this bug if it 
migrates or remove the moreinfo tag if it gets stuck and we need to 
revisit this.


Paul




Processed: Re: Bug#1036084: [pre-approval] unblock: android-platform-tools-base/2.2.2-5

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #1036084 [release.debian.org] [pre-approval] unblock: 
android-platform-tools-base/2.2.2-5
Added tag(s) moreinfo.

-- 
1036084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036453: unblock: libvirt/9.0.0-4

2023-05-23 Thread Salvatore Bonaccorso
Hi Andrea,

On Sun, May 21, 2023 at 12:37:17PM +0200, Andrea Bolognani wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libv...@packages.debian.org
> Control: affects -1 + src:libvirt
> 
> Please unblock package libvirt
> 
> 
> [ Reason ]
> 
> Fix CVE-2023-2700.
> 
> 
> [ Impact ]
> 
> Fix CVE-2023-2700.
> 
> 
> [ Tests ]
> 
> I haven't found tests covering this specific functionality. However,
> the change is part of libvirt 9.3.0, which is already in Debian
> experimental as well as other distributions such as Fedora, and to
> the best of my knowledge no issues with it have been reported.
> 
> 
> [ Risks ]
> 
> The change has already been reviewed and accepted upstream. The
> function being patched hasn't changed between 9.0.0 and 9.3.0, so the
> backport was a clean one. I have reviewed the changes again in the
> context of the Debian package.
> 
> 
> [ Checklist ]
> 
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> 
> [ Other info ]
> 
> N/A
> 
> 
> unblock libvirt/9.0.0-4

I think in this case you can take advantage of

https://release.debian.org/testing/freeze_policy.html#full

in "Applying for an unblock", item 5, as the diff is very small and
targeted to add the missing g_free you could upload already to
unstable to avoid the additional roundtrip (in particular as the hard
deadlines are approaching).

Hope this helps,

Regards,
Salvatore



Bug#1036548: unblock: cups-filters/1.28.17-3

2023-05-23 Thread Salvatore Bonaccorso
Hi,

On Tue, May 23, 2023 at 03:55:26PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock and age package cups-filters
> > 
> > [ Reason ]
> > CVE-2023-24805 (RCE due to missing input sanitising)
> > 
> > [ Impact ]
> > The user would be vulnerable to remote code execution.
> > 
> > [ Tests ]
> > There is no special test for this patch, only a POC that no
> > longer worked after applying the patch.
> > 
> > [ Risks ]
> > The patch was provided by upstream and approved by the security team
> > (upload to Bullseye already done).
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > unblock cups-filters/1.28.17-3
> 
> FWIW, it was as well for bullseye released via a DSA. Thorsten, there
> seems to be as well a piuparts regression blocking it, can you have a
> look?

Looking at the log from
https://piuparts.debian.org/sid/fail/cups-browsed_1.28.17-3.log it
looks this can be ignored, as it is due to the adduser and piuparts
situation.

Regards,
Salvatore



Bug#1036548: unblock: cups-filters/1.28.17-3

2023-05-23 Thread Salvatore Bonaccorso
Hi,

On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock and age package cups-filters
> 
> [ Reason ]
> CVE-2023-24805 (RCE due to missing input sanitising)
> 
> [ Impact ]
> The user would be vulnerable to remote code execution.
> 
> [ Tests ]
> There is no special test for this patch, only a POC that no
> longer worked after applying the patch.
> 
> [ Risks ]
> The patch was provided by upstream and approved by the security team
> (upload to Bullseye already done).
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock cups-filters/1.28.17-3

FWIW, it was as well for bullseye released via a DSA. Thorsten, there
seems to be as well a piuparts regression blocking it, can you have a
look?

Regards,
Salvatore



Bug#1036047: marked as done (unblock: nlopt/2.7.1-5)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 15:47:07 +0200
with message-id <7502d771-b071-5fe4-f74b-de7c08916...@debian.org>
and subject line Re: Bug#1036047: unblock: nlopt/2.7.1-5
has caused the Debian Bug report #1036047,
regarding unblock: nlopt/2.7.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: nl...@packages.debian.org
Control: affects -1 + src:nlopt

Please unblock package nlopt

[ Reason ]
This upload was done to address a piuparts error while
upgrading nlopt from bullseye -> bookworm, see #1035629.

[ Impact ]
Loss of files in usr/share/doc/libnlopt0 may be observed, and
over-writing files too, which is not desired.

[ Tests ]
Manual tests done locally by upgrading from version in bullseye to
bookworm, and then removing packages individually, and inspected the
contents of the doc directories -- did not see any surprises.

[ Risks ]
As the upload touches only the doc section, the package is
un-affected in terms of its core (library) functionality. No big risks.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock nlopt/2.7.1-5
diff -Nru nlopt-2.7.1/debian/changelog nlopt-2.7.1/debian/changelog
--- nlopt-2.7.1/debian/changelog2022-04-14 15:10:53.0 +
+++ nlopt-2.7.1/debian/changelog2023-05-14 09:35:20.0 +
@@ -1,3 +1,13 @@
+nlopt (2.7.1-5) unstable; urgency=medium
+
+  * Team Upload.
+  * Add maintscript to convert libnlopt-dev doc
+symlink to directory (Closes: #1035629)
+  * Add a preinst to remove examples directory in libnlopt0
+which should be present in -dev only
+
+ -- Nilesh Patra   Sun, 14 May 2023 09:35:20 +
+
 nlopt (2.7.1-4) unstable; urgency=medium
 
   * Team upload
diff -Nru nlopt-2.7.1/debian/libnlopt0.preinst 
nlopt-2.7.1/debian/libnlopt0.preinst
--- nlopt-2.7.1/debian/libnlopt0.preinst1970-01-01 00:00:00.0 
+
+++ nlopt-2.7.1/debian/libnlopt0.preinst2023-05-14 09:35:20.0 
+
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+# directory moved to -dev package, the symlink from past upgrade should be 
removed
+if [ -d /usr/share/doc/libnlopt0/examples ]; then
+   rm -rf /usr/share/doc/libnlopt0/examples
+fi
+#DEBHELPER#
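Review bot: the `rm -rf /usr/share/doc/libnlopt0/examples` in this preinst runs on every invocation (fresh install, every later upgrade, abort-upgrade), because nothing checks `$1` or the old version in `$2`. Consider gating it, for example `if [ "$1" = upgrade ] && dpkg --compare-versions "$2" lt 2.7.1-5~; then`, so the cleanup only fires on the upgrade path it was written for. Two smaller points: the comment speaks of a symlink while the test is `-d`, which is also true for a real directory, so say which case is meant; and the `-e` on the `#!/bin/sh -e` line is lost if the script is ever run as `sh preinst`, so a `set -e` line in the body is more robust.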
diff -Nru nlopt-2.7.1/debian/libnlopt-dev.maintscript 
nlopt-2.7.1/debian/libnlopt-dev.maintscript
--- nlopt-2.7.1/debian/libnlopt-dev.maintscript 1970-01-01 00:00:00.0 
+
+++ nlopt-2.7.1/debian/libnlopt-dev.maintscript 2023-05-14 09:35:20.0 
+
@@ -0,0 +1 @@
+symlink_to_dir /usr/share/doc/libnlopt-dev libnlopt0 2.7.1-5~
--- End Message ---
--- Begin Message ---

Hi,

On 14-05-2023 12:59, Nilesh Patra wrote:
> unblock nlopt/2.7.1-5

done and aged.

Paul


--- End Message ---


Bug#1036007: marked as done (unblock: opencv/4.6.0+dfsg-12)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 15:41:47 +0200
with message-id 
and subject line Re: Bug#1036007: unblock: opencv/4.6.0+dfsg-12
has caused the Debian Bug report #1036007,
regarding unblock: opencv/4.6.0+dfsg-12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036007
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ope...@packages.debian.org
Control: affects -1 + src:opencv

Please unblock package opencv

[ Reason ]
This upload fixes two bugs:

1. #1035886 that adds a single Breaks: against an old library version to
   ease the upgrade.

2. #1035954 that adds upstream patches for two CVEs.

[ Impact ]
For 1. users could have problems upgrading.
For 2. I'm not sure about the impact of the CVEs but I guess it is
better to get them fixed before the release.

[ Tests ]
The CVEs carry a test, I did not verify the Breaks: but I assume Andreas
tested it :).

[ Risks ]
The Breaks: means users can't keep the old version, I think that is
acceptable if apt finds an upgrade solution.
For the CVEs the patch looks reasonable but I'm not sure if there is any
risk to it. Given that it applied cleanly to the version in unstable and
that upstream accepted it, I think it is fine.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The patch carries a change to debian/gbp.conf which is not imported for
the package in the archive.

unblock opencv/4.6.0+dfsg-12
diff --git a/debian/changelog b/debian/changelog
index 35b4b87d7..6ddf7e440 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+opencv (4.6.0+dfsg-12) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Andreas Beckmann ]
+  * libopencv-core406: Add Breaks: libopencv-core4.5 for smoother upgrades 
from bullseye
+(Closes: #1035886)
+
+  [ Jochen Sprickerhof ]
+  * Add upstream patches for CVE-2023-2617 and CVE-2023-2618 (Closes: #1035954)
+
+ -- Jochen Sprickerhof   Fri, 12 May 2023 11:40:38 +0200
+
 opencv (4.6.0+dfsg-11) unstable; urgency=medium
 
   * Update d/rules.
diff --git a/debian/control b/debian/control
index 4b6a4c095..421f0eb14 100644
--- a/debian/control
+++ b/debian/control
@@ -168,6 +168,7 @@ Section: libs
 Depends: ${misc:Depends},
  ${shlibs:Depends}
 Pre-Depends: ${misc:Pre-Depends}
+Breaks: libopencv-core4.5 (<< 4.6),
 Description: computer vision core library
  This package contains the OpenCV (Open Computer Vision) core runtime 
libraries.
  .
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b5d1dad92..f2905a065 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,5 @@
+[DEFAULT]
+component = contrib
+
 [import-orig]
 pristine-tar = True
-component = contrib
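Review bot: moving `component = contrib` from `[import-orig]` to `[DEFAULT]` is unrelated to either fix and has no entry in the debian/changelog hunk above, although the checklist states that all changes are documented there. The request's own "Other info" says this file is not imported for the archive package, so the simplest fix is to leave it out of the debdiff sent for review; otherwise add a changelog line for it.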
diff --git 
a/debian/patches/0009-fix-wechat_qrcode-Init-nBytes-after-the-count-value-.patch
 
b/debian/patches/0009-fix-wechat_qrcode-Init-nBytes-after-the-count-value-.patch
new file mode 100644
index 0..879403e4b
--- /dev/null
+++ 
b/debian/patches/0009-fix-wechat_qrcode-Init-nBytes-after-the-count-value-.patch
@@ -0,0 +1,84 @@
+From: Nano 
+Date: Wed, 26 Apr 2023 15:09:52 +0800
+Subject: fix(wechat_qrcode): Init nBytes after the count value is determined
+ (#3480)
+
+* fix(wechat_qrcode): Initialize nBytes after the count value is determined
+
+* fix(wechat_qrcode): Incorrect count data repair
+
+* chore: format expr
+
+* fix(wechat_qrcode): Avoid null pointer exception
+
+* fix(wechat_qrcode): return when bytes_ is empty
+
+* test(wechat_qrcode): add test case
+
+-
+
+Co-authored-by: GZTime 
+---
+ .../src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp  | 13 +
+ contrib/modules/wechat_qrcode/test/test_qrcode.cpp  | 11 +++
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git 
a/contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
 
b/contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+index 05de793..b3a0a69 100644
+--- 
a/contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
 
b/contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, 
string const& in,
+ 
+ void DecodedBitStreamParser::append(std::string& result, const char* bufIn, 
size_t nIn,
+  
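Review bot: the patch header (From, Date, Subject) carries no Origin or CVE reference, and the changelog names two CVEs (CVE-2023-2617 and CVE-2023-2618) while this file covers one upstream commit (#3480), so it is not clear from the header which CVE it addresses. Adding DEP-3 `Origin:` and `Bug-Debian:` fields plus the CVE id would let the security team map the patch to the advisory.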

Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-23 Thread Salvatore Bonaccorso
Hi Gregor,

On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: c-a...@packages.debian.org
> Control: affects -1 + src:c-ares
> 
> Hello,
> 
> [ Reason ]
> 
> yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> The Debian Security team considers two of them relevant for Debian and
> I'd like to cherry-pick them into the unstable package so that the fixes
> can migrate to Bookworm.
> 
> Attached you'll find the debdiff. The changes are also visible in Salsa:
> https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> 
> [ Impact ]
> 
> CVE-2023-31130 has a CVSS score of 4.1
> CVE-2023-32067 has a CVSS score of 7.5
> 
> [ Tests ]
> 
> On the experimental branch I enabled the unit and integration tests:
> would you consider that commit as acceptable, too?
> https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> 
> [ Risks ]
> 
> The fix for the 0-byte DoS issue seems to be straight-forward.
> The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> is covered by the unit tests.
> 
> Both changes are port of the 1.19.1 release which built and passed
> tests on experimental (except Hurd):
> https://buildd.debian.org/status/package.php?p=c-ares=experimental
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock c-ares/1.18.1-3

Glad to see you worked on it already. I was on it today to propose a
NMU, due to the deadline for bookworm approaching quickly, until
Moritz pointed out to me that you had already filed an unblock
request pre-approval.

Attached for reference what I did, and so they match. Release team,
can you accept it as we would like to see as well a bullseye-security
upload for the same two CVEs and avoid a regression
bullseye->bookworm?

Leaving open the question on enabling the testsuite.

Regards,
Salvatore
diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog
--- c-ares-1.18.1/debian/changelog  2023-02-17 23:34:35.0 +0100
+++ c-ares-1.18.1/debian/changelog  2023-05-23 14:34:52.0 +0200
@@ -1,3 +1,11 @@
+c-ares (1.18.1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
+  * 0-byte UDP payload Denial of Service (CVE-2023-32067)
+
+ -- Salvatore Bonaccorso   Tue, 23 May 2023 14:34:52 +0200
+
 c-ares (1.18.1-2) unstable; urgency=medium
 
   * Add str len check in config_sortlist to avoid stack overflow
diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff 
c-ares-1.18.1/debian/patches/CVE-2023-31130.diff
--- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 
14:34:52.0 +0200
@@ -0,0 +1,325 @@
+From: Brad House 
+Date: Mon, 22 May 2023 06:51:34 -0400
+Subject: Merge pull request from GHSA-x6mf-cxr9-8q6v
+Origin: 
https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-31130
+
+* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
+* Always use our own IP conversion functions now, do not delegate to OS
+  so we can have consistency in testing and fuzzing.
+* Removed bogus test cases that never should have passed.
+* Add new test case for crash bug found.
+
+Fix By: Brad House (@bradh352)
+---
+ src/lib/inet_net_pton.c| 155 -
+ test/ares-test-internal.cc |   7 +-
+ 2 files changed, 86 insertions(+), 76 deletions(-)
+
+diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c
+index 840de5065290..fc50425b8ea2 100644
+--- a/src/lib/inet_net_pton.c
 b/src/lib/inet_net_pton.c
+@@ -1,19 +1,20 @@
+ 
+ /*
+- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2012 by Gilles Chehade 
+  * Copyright (c) 1996,1999 by Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ * THE SOFTWARE IS PROVIDED "AS 
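Review bot: the header hunk for src/lib/inet_net_pton.c replaces the 2004 ISC copyright line with `Copyright (c) 2012 by Gilles Chehade`, and the visible part of this debdiff contains no matching debian/copyright update; check whether one is needed. The commit message also lists changes beyond the underwrite fix, "Always use our own IP conversion functions now, do not delegate to OS" and "Removed bogus test cases that never should have passed", so inputs that parsed before may now be rejected. With 86 insertions and 76 deletions this is a resync rather than a minimal fix, and the [ Risks ] section of the request is the place to say so.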

Bug#1036625: unblock: sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5

2023-05-23 Thread Evangelos Ribeiro Tzaras
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sofia-...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:sofia-sip

Please unblock package sofia-sip

The latest version fixes bug#1031729 sofia-sip
informing of a denial of service CVE.

The fix for this CVE has been backported from the upstream sources.

You can find the debdiff between
1.12.11+20110422.1+1e14eea~dfsg-4 (currently in testing) and
1.12.11+20110422.1+1e14eea~dfsg-5
attached to this unblock request.

I have taken the liberty of uploading the package already
in anticipation that this request be granted on account that it fixes
a denial of service vulnerability.

unblock sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5

Cheers,
Evangelos

diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog  2023-02-08 
09:46:57.0 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog  2023-05-23 
05:53:48.0 +0200
@@ -1,3 +1,13 @@
+sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-5) unstable; urgency=medium
+
+  * Add patch to fix reported CVE; add copyright of patch.
+For further information see:
+- CVE-2022-47516[0]
+[0] https://security-tracker.debian.org/tracker/CVE-2022-47516
+https://www.cve.org/CVERecord?id=CVE-2022-47516 (closes: bug#1031792)
+
+ -- Evangelos Ribeiro Tzaras   Tue, 23 May 
2023 05:53:48 +0200
+
 sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-4) unstable; urgency=high (fixes a 
CVE)
 
   * Rename patches to indicate they have been picked from upstream
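Review bot: the changelog entry closes bug#1031792, but the unblock request above says the upload fixes bug#1031729; one of the two numbers has transposed digits, and a wrong number in `closes:` will close an unrelated report on upload, so please confirm which is correct. The entry also uses urgency=medium for a CVE fix, whereas the previous entry was urgency=high for a CVE; say whether that is intended.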
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright  2023-02-08 
09:46:57.0 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright  2023-05-23 
05:53:48.0 +0200
@@ -250,6 +250,7 @@
 Copyright:
   2022  Andrey Volk 
   2022  Qiuhao Li 
+  2022  Dave Horton 
 License-Grant:
  This library is free software;
  you can redistribute it and/or modify it
diff -Nru 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch
 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch
--- 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch
1970-01-01 01:00:00.0 +0100
+++ 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch
2023-05-23 05:53:48.0 +0200
@@ -0,0 +1,22 @@
+From: Dave Horton 
+Date: Mon, 28 Nov 2022 14:44:30 -0500
+Subject: remove assert that can reasonably be expected to happen
+
+(cherry picked from commit cadf505d88e2971d24b6a4379ddbb1398d8ec443)
+---
+ libsofia-sip-ua/tport/tport.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/libsofia-sip-ua/tport/tport.c b/libsofia-sip-ua/tport/tport.c
+index c3bc2b6..18dfd47 100644
+--- a/libsofia-sip-ua/tport/tport.c
 b/libsofia-sip-ua/tport/tport.c
+@@ -3309,8 +3309,6 @@ tport_t *tport_tsend(tport_t *self,
+   tp_name_t tpn[1];
+   struct sigcomp_compartment *cc;
+ 
+-  assert(self);
+-
+   if (!self || !msg || !_tpn) {
+ msg_set_errno(msg, EINVAL);
+ return NULL;
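Review bot: with `assert(self);` gone, the remaining guard `if (!self || !msg || !_tpn)` still calls `msg_set_errno(msg, EINVAL)` in the branch where `msg` itself is NULL; whether that is safe depends on msg_set_errno(), which is not shown here, so it is worth checking before relying on this path for the DoS fix. The patch header would also benefit from the CVE id (CVE-2022-47516, per the changelog) and an Origin URL next to the cherry-picked commit hash.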
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series 
sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series 
2023-02-08 09:46:57.0 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series 
2023-05-23 05:53:48.0 +0200
@@ -4,3 +4,4 @@
 0002-cve-fix-oob-read-url_canonize.patch
 0003-cve-fix-heap-overflow-by-two.patch
 0004-cve-check-stun-message-and-attr-len.patch
+0005-cve-dos-wrong-assert.patch


Processed: unblock: sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:sofia-sip
Bug #1036625 [release.debian.org] unblock: 
sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5
Added indication that 1036625 affects src:sofia-sip

-- 
1036625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1036227: bookworm-pu: package r-cran-shiny/1.7.4+dfsg-3~deb12u1

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1036227 [release.debian.org] bookworm-pu: package 
r-cran-shiny/1.7.4+dfsg-3~deb12u1
Added tag(s) confirmed.

-- 
1036227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036227: bookworm-pu: package r-cran-shiny/1.7.4+dfsg-3~deb12u1

2023-05-23 Thread Paul Gevers

Control: tags -1 confirmed

Hi Andreas,

On 17-05-2023 19:48, Andreas Tille wrote:
> I'd like to announce an upload to testing-proposed-updates

You confused me here. I don't see traces of the upload yet, so I assume
this is a pre-approval.

> Thus an upload to testing-proposed-updates
> seems an appropriate solution for this and this bug report is
> about asking you for confirmation about this solution.

Ack. For the future ideally this would be fixed by dh-r being less
strict in what it injects.

> I propose to upload the following change to t-p-u:

Please, always generate your debdiff comparing to what is currently in
testing.

> Nilesh Patra suggested to use version 1.7.4+dfsg-2+deb12u1 but I
> personally regard my version suggestion more logical (long explanation
> given in [2]).

You missed the link to [2]. However, I personally prefer the automatic
syncing of testing to unstable that we get if you use
1.7.4+dfsg-3+deb12u1 (mind the version being *higher* than testing) or
even 1.7.4+dfsg-4. But ACK with whatever reasonable version number you
choose.


Paul




Bug#1036466: marked as done (RM: cpl-plugin-xshoo/3.5.3+dfsg-2 -- ROM; outdated; required upstream file no longer available)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 13:38:33 +0200
with message-id 
and subject line Re: Bug#1036466: RM: cpl-plugin-xshoo/3.5.3+dfsg-2 -- ROM; 
outdated; required upstream file no longer available
has caused the Debian Bug report #1036466,
regarding RM: cpl-plugin-xshoo/3.5.3+dfsg-2 -- ROM; outdated; required upstream 
file no longer available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036466
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

The package is outdated, and upstream doesn't provide the calibration 
files any longer, which leads to an RC bug. The actual version cannot be 
packaged due to unresolved licensing issues. Therefore, the package is 
unsuitable for bookworm; please remove it (it is marked for autoremoval; 
however there is no need to wait so long).


Situation is similar to #1036157; I still want to keep the package in 
unstable.


Cheers

Ole
-------- Forwarded Message --------
Subject: cpl-plugin-xshoo is marked for autoremoval from testing
Date: Thu, 18 May 2023 04:39:03 +
From: Debian testing autoremoval watch 
To: cpl-plugin-xs...@packages.debian.org

cpl-plugin-xshoo 3.5.3+dfsg-1 is marked for autoremoval from testing on 
2023-06-07


It is affected by these RC bugs:
1035786: cpl-plugin-xshoo-calib: xshoo-kit-3.5.3*.tar.gz is no longer 
downloadable

 https://bugs.debian.org/1035786



This mail is generated by:
https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl

Autoremoval data is generated by:
https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl
--- End Message ---
--- Begin Message ---

Hi,

On 21-05-2023 20:02, Ole Streicher wrote:
> Therefore, the package is
> unsuitable for bookworm; please remove it (it is marked for autoremoval;
> however there is no need to wait so long).

done.

Paul


--- End Message ---


Bug#1036564: marked as done (unblock: qt6-base/6.4.2+dfsg-9)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:38:54 +
with message-id 
and subject line unblock qt6-base
has caused the Debian Bug report #1036564,
regarding unblock: qt6-base/6.4.2+dfsg-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qt6-b...@packages.debian.org, delta...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qt6-base

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
(not related to the one in qtsvg-opensource-src) and the other one
related to a security header parsing in the network module.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-9
diff --git a/debian/changelog b/debian/changelog
index b117abd..85ce31b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix CVE-2023-32762.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 11:40:45 -0300
+
+qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for solving CVE-2023-32763.
+  * Refresh patches.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 10:42:21 -0300
+
 qt6-base (6.4.2+dfsg-7) unstable; urgency=medium
 
   [ Patrick Franz ]
diff --git a/debian/patches/armel-noyield.patch 
b/debian/patches/armel-noyield.patch
index 37061fb..74b1ae2 100644
--- a/debian/patches/armel-noyield.patch
+++ b/debian/patches/armel-noyield.patch
@@ -1,8 +1,12 @@
 Description: Don't use yield on CPUs that might not support it
 
+---
+ src/corelib/global/qsimd_p.h |2 ++
+ 1 file changed, 2 insertions(+)
+
 --- a/src/corelib/global/qsimd_p.h
 +++ b/src/corelib/global/qsimd_p.h
-@@ -428,7 +428,9 @@ static inline void qYieldCpu()
+@@ -401,7 +401,9 @@ static inline void qYieldCpu()
   https://stackoverflow.com/a/70076751/134841
   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105416
  */
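Review bot: this hunk changes only quilt metadata (an added diffstat and the `@@` offset going from 428 to 401), with no change to the patch content. The "Refresh patches" item in 6.4.2+dfsg-8 produces the same churn in the hunks that follow, which buries the two CVE patches in an unblock debdiff; consider dropping the refresh from this upload or filtering refresh-only hunks out of the attached diff.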
diff --git 
a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch 
b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
index 2ab0f5e..bf93bca 100644
--- a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
+++ b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
@@ -9,22 +9,18 @@ and causes reproducibility issues when built in different 
paths.
 
 https://reproducible-builds.org/docs/build-path/
 ---
- cmake/QtBuildInternalsExtra.cmake.in | 3 ---
+ cmake/QtBuildInternalsExtra.cmake.in |3 ---
  1 file changed, 3 deletions(-)
 
-diff --git a/cmake/QtBuildInternalsExtra.cmake.in 
b/cmake/QtBuildInternalsExtra.cmake.in
-index cbd70b1..23b2391 100644
 --- a/cmake/QtBuildInternalsExtra.cmake.in
 +++ b/cmake/QtBuildInternalsExtra.cmake.in
-@@ -53,9 +53,6 @@ endif()
+@@ -75,9 +75,6 @@ endif()
  set(QT_WILL_INSTALL @QT_WILL_INSTALL@ CACHE BOOL
  "Boolean indicating if doing a Qt prefix build (vs non-prefix build)." 
FORCE)
-
+ 
 -set(QT_SOURCE_TREE "@QT_SOURCE_TREE@" CACHE PATH
 -"A path to the source tree of the previously configured QtBase project." 
FORCE)
 -
  # Propagate decision of building tests and examples to other repositories.
  set(QT_BUILD_TESTS @QT_BUILD_TESTS@ CACHE BOOL "Build the testing tree.")
  set(QT_BUILD_EXAMPLES @QT_BUILD_EXAMPLES@ CACHE BOOL "Build Qt examples")
---
-2.35.1
diff --git a/debian/patches/cross.patch b/debian/patches/cross.patch
index 1a7ebd3..239c803 100644
--- a/debian/patches/cross.patch
+++ b/debian/patches/cross.patch
@@ -1,6 +1,11 @@
+---
+ cmake/QtBuildInternals/QtBuildInternalsConfig.cmake |2 --
+ src/tools/configure.cmake   |2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
 --- a/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
 +++ b/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
-@@ -146,8 +146,6 @@
+@@ -151,8 +151,6 @@ function(qt_build_internals_disable_pkg_
  set(FEATURE_pkg_config "${pkg_config_enabled}" CACHE STRING "Using 
pkg-config")
  if(NOT pkg_config_enabled)
  

Bug#1036472: marked as done (unblock: ros-actionlib/1.14.0-6)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:41:58 +
with message-id 
and subject line unblock ros-actionlib
has caused the Debian Bug report #1036472,
regarding unblock: ros-actionlib/1.14.0-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ros-action...@packages.debian.org
Control: affects -1 + src:ros-actionlib

Please unblock package ros-actionlib

[ Reason ]
libactionlib-dev was missing a dependency.

[ Impact ]
Users would need to manually install libroscpp-dev in addition.

[ Tests ]
I verified the missing dependency manually.

[ Risks ]
None.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock ros-actionlib/1.14.0-6
diff --git a/debian/changelog b/debian/changelog
index d3143ab..307e040 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ros-actionlib (1.14.0-6) unstable; urgency=medium
+
+  * Add missing dependency
+
+ -- Jochen Sprickerhof   Sun, 21 May 2023 21:10:12 +0200
+
 ros-actionlib (1.14.0-5) unstable; urgency=medium
 
   * Increase timeout for test on armel
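Review bot: the entry `* Add missing dependency` does not say which dependency or which binary package; the debian/control hunk shows it is libroscpp-dev, and the request names libactionlib-dev. Naming both in the changelog line would let the entry stand on its own.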
diff --git a/debian/control b/debian/control
index a9d09e5..7cebce3 100644
--- a/debian/control
+++ b/debian/control
@@ -54,7 +54,7 @@ Section: libdevel
 Architecture: any
 Multi-Arch: same
 Depends: ${misc:Depends}, libactionlib1d ( = ${binary:Version}),
-   ${python3:Depends}, python3, libboost-thread-dev, 
libactionlib-msgs-dev, ros-message-generation, python3-rosunit, libstd-msgs-dev
+   ${python3:Depends}, python3, libboost-thread-dev, 
libactionlib-msgs-dev, ros-message-generation, python3-rosunit, 
libstd-msgs-dev, libroscpp-dev,
 Description: ${source:Synopsis} - development files
  ${source:Extended-Description}
  .
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036595: marked as done (unblock: lprint/1.1.0-3)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:39:59 +
with message-id 
and subject line unblock lprint
has caused the Debian Bug report #1036595,
regarding unblock: lprint/1.1.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lprint

[ Reason ]
The service file was installed to the wrong directory.

[ Impact ]
The service now is at a location that it can not be used by systemd.

[ Tests ]
There was no code change, so no test was done.

[ Risks ]
The package is a leaf package and the risk should be low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock lprint/1.1.0-3
diff -Nru lprint-1.1.0/debian/changelog lprint-1.1.0/debian/changelog
--- lprint-1.1.0/debian/changelog   2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/changelog   2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,10 @@
+lprint (1.1.0-3) unstable; urgency=medium
+
+  * move service file to correct dir
+(Closes: #1036022, #1036178, #1035601)
+
+ -- Thorsten Alteholz   Mon, 22 Mar 2023 19:17:35 +0200
+
 lprint (1.1.0-2) unstable; urgency=medium
 
   * add patch to use /usr/bin instead of /usr/local/bin in service file
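Review bot: the trailer date of the new 1.1.0-3 entry, "Mon, 22 Mar 2023 19:17:35 +0200", does not line up with the rest of the upload. The patch this version introduces is dated "Mon, 22 May 2023" in its own header, and 22 March 2023 was a Wednesday. The trailer should carry the real upload date, since the changelog date is what build tooling derives SOURCE_DATE_EPOCH from. The entry text "move service file to correct dir" would also be more useful if it named the directory (/lib/systemd/system, per the patch).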
diff -Nru 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
--- 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
1970-01-01 01:00:00.0 +0100
+++ 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
2023-03-22 18:17:35.0 +0100
@@ -0,0 +1,25 @@
+From: Thorsten Alteholz 
+Date: Mon, 22 May 2023 23:59:38 +0200
+Subject: move service file to better directory
+
+---
+ Makefile.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index f5108e0..965253a 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -130,9 +130,9 @@ install:   all
+   $(INSTALL) -d -m 755 $(BUILDROOT)/Library/LaunchDaemons; \
+   $(INSTALL) -c -m 644 org.msweet.lprint.plist 
$(BUILDROOT)/Library/LaunchDaemons; \
+   else \
+-  echo "Installing systemd service to 
$(BUILDROOT)$(sysconfdir)/systemd/system..."; \
+-  $(INSTALL) -d -m 755 $(BUILDROOT)$(sysconfdir)/systemd/system; \
+-  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)$(libdir)/systemd/system; \
++  echo "Installing systemd service to 
$(BUILDROOT)/lib/systemd/system..."; \
++  $(INSTALL) -d -m 755 $(BUILDROOT)/lib/systemd/system; \
++  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)/lib/systemd/system; \
+   fi
+ 
+ 
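Review bot: the three added lines in the install target hardcode /lib/systemd/system instead of taking the path from one variable. The removed lines show how the earlier state went wrong: the directory was created under $(sysconfdir)/systemd/system while the file was installed under $(libdir)/systemd/system. Keeping the unit directory in a single make variable, for example one filled from pkg-config's systemdsystemunitdir, would stop the echo, the install -d and the install -c lines from drifting apart again. The patch header also has an empty description; one sentence on why the previous location could not be used by systemd, as the unblock request puts it, would help the next reader.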
diff -Nru lprint-1.1.0/debian/patches/series lprint-1.1.0/debian/patches/series
--- lprint-1.1.0/debian/patches/series  2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/patches/series  2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,4 @@
 0001-Let-compilation-be-verbose-not-silent.patch
 0002-let-service-file-point-to-usr-bin-instead-of-usr-loc.patch
 0003-put-service-file-into-libdir.patch
+0004-move-service-file-to-better-directory.patch
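Review bot: 0004 is stacked on top of 0003-put-service-file-into-libdir.patch and, judging by the $(libdir) path in the lines it removes, rewrites the install lines that 0003 touched. Once the freeze allows it, folding the corrected path into 0003 would leave a single patch that states the final install location, rather than two whose names contradict each other.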
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036563: marked as done (unblock: qt6-svg/6.4.2-2)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:37:59 +
with message-id 
and subject line unblock qt6-svg
has caused the Debian Bug report #1036563,
regarding unblock: qt6-svg/6.4.2-2
to be marked as done.


-- 
1036563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036563
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qt6-...@packages.debian.org, delta...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qt6-svg

Please unblock package qt6-svg

[ Reason ]
Fixes CVE-2023-32573.

[ Impact ]
This patch avoids a crash when parsing malformed/crafted SVG files.

[ Tests ]
Done by upstream, it basically makes sure a variable has a default
value.

[ Risks ]
None that I can think of.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qt6-svg/6.4.2-2
diff --git a/debian/changelog b/debian/changelog
index 41242b5..78f7594 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qt6-svg (6.4.2-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to solve CVE-2023-32573.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 10:48:50 -0300
+
 qt6-svg (6.4.2-1) unstable; urgency=medium
 
   [ Patrick Franz ]
diff --git a/debian/patches/cve-2023-32573.diff 
b/debian/patches/cve-2023-32573.diff
new file mode 100644
index 000..750f29e
--- /dev/null
+++ b/debian/patches/cve-2023-32573.diff
@@ -0,0 +1,37 @@
+---
+ src/svg/qsvgfont_p.h|5 ++---
+ src/svg/qsvghandler.cpp |2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/src/svg/qsvgfont_p.h
 b/src/svg/qsvgfont_p.h
+@@ -38,6 +38,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+ 
+ void setFamilyName(const QString );
+@@ -50,9 +51,7 @@ public:
+ void draw(QPainter *p, const QPointF , const QString , qreal 
pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+-qreal m_unitsPerEm;
+-qreal m_ascent;
+-qreal m_descent;
++qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_horizAdvX;
+ QHash m_glyphs;
+ };
+--- a/src/svg/qsvghandler.cpp
 b/src/svg/qsvghandler.cpp
+@@ -2622,7 +2622,7 @@ static bool parseFontFaceNode(QSvgStyleP
+ 
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+-unitsPerEm = 1000;
++unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+ if (!name.isEmpty())
+ font->setFamilyName(name);
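Review bot: in the qsvgfont_p.h hunk the change does more than give m_unitsPerEm a default, it also deletes the m_ascent and m_descent members (three lines removed, one added), which the request's "makes sure a variable has a default value" does not mention. Dropping public members from a Q_SVG_PRIVATE_EXPORT class is fine only if nothing else reads them, so the changelog or the patch header should say that they were unused. The patch file also starts straight at the diffstat with no Description or Origin field; the "# Fixed in 6.5." comment in the series file is the only provenance given.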
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..71efccf
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+# Fixed in 6.5.
+cve-2023-32573.diff
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036562: marked as done (unblock: qtbase-opensource-src/5.15.8+dfsg-10)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:38:07 +
with message-id 
and subject line unblock qtbase-opensource-src
has caused the Debian Bug report #1036562,
regarding unblock: qtbase-opensource-src/5.15.8+dfsg-10
to be marked as done.


-- 
1036562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036562
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src

[ Reason ]

This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
  (not related to the one in qtsvg-opensource-src) and the other one
  related to a security header parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
  that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
  - https://bugreports.qt.io/browse/QTBUG-98048
  - https://lists.debian.org/debian-kde/2022/11/msg00019.html

[ Impact ]

- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.

[ Tests ]

All the patches have been tested by upstream.

The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.

[ Risks ]

Sincerely I don't think there are risks here.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+  * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+  * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+- https://bugreports.qt.io/browse/QTBUG-98048
+- https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev   Sun, 21 May 2023 12:19:31 +0300
+
 qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
 
   * Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
diff --git a/debian/patches/CVE-2023-32762.patch 
b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index ..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp |4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
 b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair= "\" CHAR
+ bool QHstsHeaderParser::parse(const QList> 
)
+ {
+ for (const auto  : headers) {
+-// We use '==' since header name was already 'trimmed' for us:
+-if (h.first == "Strict-Transport-Security") {
++// We compare directly because header name was already 'trimmed' for 
us:
++if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) 
== 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
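Review bot: the patch file starts straight at the diffstat, with no Description, Origin or upstream commit reference, so a reader cannot tell from the package which upstream change this backports; please add a header naming the source. On the code itself, the switch from h.first == "Strict-Transport-Security" to a Qt::CaseInsensitive compare is the whole fix, so a regression test that feeds a lower-case "strict-transport-security" header name through QHstsHeaderParser::parse would pin the behaviour. The [ Tests ] section only says that upstream tested it.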
diff --git a/debian/patches/cve-2023-32763.diff 
b/debian/patches/cve-2023-32763.diff
new file mode 100644
index ..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h  |9 +
+ src/gui/text/qtextlayout.cpp |9 ++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
 b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include 
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include 
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed , int i) { return 
f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed ) { return i * 
64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++int val;
++bool result = add_overflow(v1.value(), v2.value(), );
++r->setValue(val);
++
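Review bot: in the new qAddOverflow(QFixed, QFixed, QFixed *) helper, int val is declared without an initializer and, in the lines shown, r->setValue(val) runs unconditionally right after add_overflow. Whether val holds a defined value when add_overflow reports overflow depends on its implementation, which is not visible here, so either initialize val or write *r only on success, and make sure the callers in qtextlayout.cpp ignore *r when the function returns true. The file name is also lower-case cve-2023-32763.diff next to CVE-2023-32762.patch; one naming scheme in debian/patches would be tidier.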

Bug#1036560: marked as done (unblock: libraw/0.20.2-2.1)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:40:25 +
with message-id 
and subject line unblock libraw
has caused the Debian Bug report #1036560,
regarding unblock: libraw/0.20.2-2.1
to be marked as done.


-- 
1036560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lib...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libraw

Hi release team,

Please unblock package libraw

[ Reason ]
Fixing two CVEs CVE-2021-32142 (would be no-dsa considered), and
CVE-2023-1729. As we do plan to release a DSA for bullseye-security it
is wise to have the fixes as well in the upper suite.

[ Impact ]
libraw in bookworm affected by CVE-2021-32142 and CVE-2023-1729 until
the bookworm point releases or security update.

[ Tests ]
None specifically, autopkgtest with smoketest passes.

[ Risks ]
Two isolated fixes with low risk I believe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None

unblock libraw/0.20.2-2.1

Regards,
Salvatore
diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog  2021-09-11 16:56:07.0 +0200
+++ libraw-0.20.2/debian/changelog  2023-05-20 21:44:42.0 +0200
@@ -1,3 +1,13 @@
+libraw (0.20.2-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * check for input buffer size on datastream::gets (CVE-2021-32142)
+(Closes: #1031790)
+  * do not set shrink flag for 3/4 component images (CVE-2023-1729)
+(Closes: #1036281)
+
+ -- Salvatore Bonaccorso   Sat, 20 May 2023 21:44:42 +0200
+
 libraw (0.20.2-2) unstable; urgency=medium
 
   * debian/watch: bump version 3 -> 4
diff -Nru 
libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
 
libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
--- 
libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
   1970-01-01 01:00:00.0 +0100
+++ 
libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
   2023-05-20 21:44:42.0 +0200
@@ -0,0 +1,43 @@
+From: Alex Tutubalin 
+Date: Mon, 12 Apr 2021 13:21:52 +0300
+Subject: check for input buffer size on datastream::gets
+Origin: 
https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
+Bug: https://github.com/LibRaw/LibRaw/issues/400
+Bug-Debian: https://bugs.debian.org/1031790
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32142
+
+---
+ src/libraw_datastream.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
+index a5c1a84a3a8c..a31ae9dd84db 100644
+--- a/src/libraw_datastream.cpp
 b/src/libraw_datastream.cpp
+@@ -287,6 +287,7 @@ INT64 LibRaw_file_datastream::tell()
+ 
+ char *LibRaw_file_datastream::gets(char *str, int sz)
+ {
++  if(sz<1) return NULL;
+   LR_STREAM_CHK();
+   std::istream is(f.get());
+   is.getline(str, sz);
+@@ -421,6 +422,7 @@ INT64 LibRaw_buffer_datastream::tell()
+ 
+ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ {
++  if(sz<1) return NULL;
+   unsigned char *psrc, *pdest, *str;
+   str = (unsigned char *)s;
+   psrc = buf + streampos;
+@@ -618,6 +620,7 @@ INT64 LibRaw_bigfile_datastream::tell()
+ 
+ char *LibRaw_bigfile_datastream::gets(char *str, int sz)
+ {
++  if(sz<1) return NULL;
+   LR_BF_CHK();
+   return fgets(str, sz, f);
+ }
+-- 
+2.40.1
+
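Review bot: the new if(sz<1) return NULL; guard is placed before LR_STREAM_CHK() and LR_BF_CHK() in the file and bigfile streams, so a call with a non-positive size on an invalid stream now returns NULL quietly instead of reaching the stream check first. That ordering is probably harmless, but it means callers of gets() must treat NULL as "nothing read" on every path, and it is worth confirming that the call sites check the return value rather than going on to read str. The same one-line guard is repeated in three classes, so any other datastream subclass that overrides gets() outside this hunk needs it too.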
diff -Nru 
libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
 
libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
--- 
libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
  1970-01-01 01:00:00.0 +0100
+++ 
libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
  2023-05-20 21:44:42.0 +0200
@@ -0,0 +1,28 @@
+From: Alex Tutubalin 
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: do not set shrink flag for 3/4 component images
+Origin: 
https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828
+Bug: https://github.com/LibRaw/LibRaw/issues/557
+Bug-Debian: https://bugs.debian.org/1036281
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1729
+
+---
+ 

Bug#1036354: marked as done (unblock: iptables-persistent/1.0.20)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:35:56 +
with message-id 
and subject line unblock iptables-persistent
has caused the Debian Bug report #1036354,
regarding unblock: iptables-persistent/1.0.20
to be marked as done.


-- 
1036354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036354
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: bl...@debian.org

Please unblock package iptables-persistent

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Reason ]
The package is using alternatives to manage (systemd) aliases,
this is not recommended by the systemd maintainers.

See bug report #1036147


I've added alternatives to this package back in 2019 to solve #926927
as a point of coordination with other firewall managers in Debian
(see https://lists.debian.org/debian-firewall/2019/08/msg0.html) but
the initiative never took off


[ Impact ]
This is (was) the only package in Debian which uses alternatives to
manage aliases, which makes it different from what admins expect

[ Tests ]
This version of the package is clean in lintian and piuparts,
I've upgraded my systems and found no problems


[ Risks ]
I see no risks, if an admin has locally changed the override files,
we'll keep them as dpkg-bak


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock iptables-persistent/1.0.20
diff -Nru iptables-persistent-1.0.19/debian/changelog 
iptables-persistent-1.0.20/debian/changelog
--- iptables-persistent-1.0.19/debian/changelog 2023-02-28 08:02:38.0 
+0100
+++ iptables-persistent-1.0.20/debian/changelog 2023-05-19 13:27:33.0 
+0200
@@ -1,3 +1,16 @@
+iptables-persistent (1.0.20) unstable; urgency=medium
+
+  [ Luca Boccassi ]
+  * [3d8a9b] Use aliases instead of overrides for alternative names
+(Closes: #1036147)
+  * [418c74] Install drop-ins in /lib/ instead of /etc/ (Closes: #1036147)
+
+  [ gustavo panizzo ]
+  * [06509f] Handle obsolete conffile removal
+  * [633371] Remove obsolete dependency (lsb-base)
+
+ -- gustavo panizzo   Fri, 19 May 2023 13:27:33 +0200
+
 iptables-persistent (1.0.19) unstable; urgency=medium
 
   * [49d9ca] Debconf templates translation to Romanian.
diff -Nru iptables-persistent-1.0.19/debian/control 
iptables-persistent-1.0.20/debian/control
--- iptables-persistent-1.0.19/debian/control   2023-02-28 08:02:01.0 
+0100
+++ iptables-persistent-1.0.20/debian/control   2023-05-19 13:26:46.0 
+0200
@@ -7,10 +7,11 @@
 Vcs-Browser: https://salsa.debian.org/debian/iptables-persistent
 Vcs-Git: https://salsa.debian.org/debian/iptables-persistent.git
 Rules-Requires-Root: no
+Pre-Depends: dpkg (>= 1.15.7.2)
 
 Package: netfilter-persistent
 Architecture: all
-Depends: lsb-base, ${misc:Depends}
+Depends: ${misc:Depends}
 Suggests: iptables-persistent
 Pre-Depends: ${misc:Pre-Depends}
 Description: boot-time loader for netfilter configuration
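Review bot: the added Pre-Depends: dpkg (>= 1.15.7.2) sits in the source stanza, directly after Rules-Requires-Root, where it is not a recognised field and has no effect on any binary package. If a versioned dpkg is needed for the rm_conffile call in ipset-persistent.maintscript, the field belongs in that binary package's stanza, or can be left to the ${misc:Pre-Depends} substitution that the netfilter-persistent stanza below already uses.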
diff -Nru iptables-persistent-1.0.19/debian/ipset.override 
iptables-persistent-1.0.20/debian/ipset.override
--- iptables-persistent-1.0.19/debian/ipset.override2021-11-17 
08:58:54.0 +0100
+++ iptables-persistent-1.0.20/debian/ipset.override2023-05-19 
12:12:44.0 +0200
@@ -1,2 +1,2 @@
-[Unit]
-Conflicts=ipset.service
+[Install]
+Alias=ipset.service
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.install 
iptables-persistent-1.0.20/debian/ipset-persistent.install
--- iptables-persistent-1.0.19/debian/ipset-persistent.install  2021-11-17 
08:58:54.0 +0100
+++ iptables-persistent-1.0.20/debian/ipset-persistent.install  2023-05-19 
12:12:44.0 +0200
@@ -1,4 +1,4 @@
 #! /usr/bin/dh-exec
 plugins/10-ipset usr/share/netfilter-persistent/plugins.d/
 plugins/40-ipset usr/share/netfilter-persistent/plugins.d/
-debian/ipset.override => 
etc/systemd/system/netfilter-persistent.service.d/ipset.conf
+debian/ipset.override => 
lib/systemd/system/netfilter-persistent.service.d/ipset.conf
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.maintscript 
iptables-persistent-1.0.20/debian/ipset-persistent.maintscript
--- iptables-persistent-1.0.19/debian/ipset-persistent.maintscript  
1970-01-01 01:00:00.0 +0100
+++ 

Bug#1036553: marked as done (unblock: qtsvg-opensource-src/5.15.8-3)

2023-05-23 Thread Debian Bug Tracking System
Your message dated Tue, 23 May 2023 10:37:10 +
with message-id 
and subject line unblock qtsvg-opensource-src
has caused the Debian Bug report #1036553,
regarding unblock: qtsvg-opensource-src/5.15.8-3
to be marked as done.


-- 
1036553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036553
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtsvg-opensource-...@packages.debian.org
Control: affects -1 + src:qtsvg-opensource-src

Please unblock package qtsvg-opensource-src.

[ Reason ]
This fixes a security bug. See:

- https://security-tracker.debian.org/tracker/CVE-2023-32573
- https://www.qt.io/blog/security-advisory-qt-svg

[ Impact ]
Use of uninitialized variable which is undefined behavior, e.g. may lead to
division by zero.

[ Tests ]
The upstream test suite is run during build.

[ Risks ]
The change is quite trivial, it just initializes the variable and uses a 
constant
to keep the value in one place.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qtsvg-opensource-src/5.15.8-3

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtsvg-opensource-src (5.15.8-3) unstable; urgency=medium
+
+  * Backport upstream commit to initialize QSvgFont::m_unitsPerEm
+(CVE-2023-32573).
+
+ -- Dmitry Shachnev   Sun, 21 May 2023 19:06:01 +0300
+
 qtsvg-opensource-src (5.15.8-2) unstable; urgency=medium
 
   * Upload to unstable.
--- /dev/null
+++ b/debian/patches/CVE-2023-32573.diff
@@ -0,0 +1,34 @@
+Description: QSvgFont: initialize m_unitsPerEm to fix undefined behavior
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff
+Last-Update: 2023-05-21
+
+--- a/src/svg/qsvgfont_p.h
 b/src/svg/qsvgfont_p.h
+@@ -74,6 +74,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+ 
+ void setFamilyName(const QString );
+@@ -86,7 +87,7 @@ public:
+ void draw(QPainter *p, const QPointF , const QString , qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+-qreal m_unitsPerEm;
++qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_ascent;
+ qreal m_descent;
+ qreal m_horizAdvX;
+--- a/src/svg/qsvghandler.cpp
 b/src/svg/qsvghandler.cpp
+@@ -2666,7 +2666,7 @@ static bool parseFontFaceNode(QSvgStyleP
+ 
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+-unitsPerEm = 1000;
++unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+ if (!name.isEmpty())
+ font->setFamilyName(name);
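Review bot: only m_unitsPerEm gets a default member initializer in the qsvgfont_p.h hunk; m_ascent, m_descent and m_horizAdvX right below it are still declared without one. m_horizAdvX is presumably set by the QSvgFont(qreal horizAdvX) constructor, but since the stated impact is use of an uninitialized variable, it is worth checking that m_ascent and m_descent are never read before being assigned, or giving them defaults in the same patch. The qt6-svg version of this fix earlier on the page removes those two members instead, which suggests they may simply be unused.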
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 reject_oversize_svgs.diff
+CVE-2023-32573.diff


--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036354: unblock: iptables-persistent/1.0.20

2023-05-23 Thread Luca Boccassi
Control: tags -1 -moreinfo

On Sun, 21 May 2023 21:48:19 +0200 Sebastian Ramacher
 wrote:
> Control: tags -1 moreinfo confirmed
> 
> On 2023-05-20 13:23:09 +, gustavo panizzo wrote:
> > >> >> unblock iptables-persistent/1.0.20
> > >> >>
> > >> >
> > >> >Thanks for taking care of this - I just checked and cannot see the upload
> > >> >to unstable though?
> > >>
> > >> I'd prefer to wait for an ack from the release team
> > >
> > >Ok, in that case I think it should be explicitly mentioned that this
> > >is a 'preapproval' request.
> > 
> > 
> > How to do that? I hope is done now 
> 
> Please go ahead and remove the moreinfo tag once the package is
> available in unstable.

It is now in unstable, debdiff attached.

-- 
Kind regards,
Luca Boccassi
diff -Nru iptables-persistent-1.0.19/debian/changelog iptables-persistent-1.0.20/debian/changelog
--- iptables-persistent-1.0.19/debian/changelog	2023-02-28 07:02:38.0 +
+++ iptables-persistent-1.0.20/debian/changelog	2023-05-19 12:27:33.0 +0100
@@ -1,3 +1,16 @@
+iptables-persistent (1.0.20) unstable; urgency=medium
+
+  [ Luca Boccassi ]
+  * [3d8a9b] Use aliases instead of overrides for alternative names
+(Closes: #1036147)
+  * [418c74] Install drop-ins in /lib/ instead of /etc/ (Closes: #1036147)
+
+  [ gustavo panizzo ]
+  * [06509f] Handle obsolete conffile removal
+  * [633371] Remove obsolete dependency (lsb-base)
+
+ -- gustavo panizzo   Fri, 19 May 2023 13:27:33 +0200
+
 iptables-persistent (1.0.19) unstable; urgency=medium
 
   * [49d9ca] Debconf templates translation to Romanian.
diff -Nru iptables-persistent-1.0.19/debian/control iptables-persistent-1.0.20/debian/control
--- iptables-persistent-1.0.19/debian/control	2023-02-28 07:02:01.0 +
+++ iptables-persistent-1.0.20/debian/control	2023-05-19 12:27:33.0 +0100
@@ -10,7 +10,7 @@
 
 Package: netfilter-persistent
 Architecture: all
-Depends: lsb-base, ${misc:Depends}
+Depends: ${misc:Depends}
 Suggests: iptables-persistent
 Pre-Depends: ${misc:Pre-Depends}
 Description: boot-time loader for netfilter configuration
diff -Nru iptables-persistent-1.0.19/debian/ipset.override iptables-persistent-1.0.20/debian/ipset.override
--- iptables-persistent-1.0.19/debian/ipset.override	2021-11-17 07:58:54.0 +
+++ iptables-persistent-1.0.20/debian/ipset.override	2023-05-19 12:27:33.0 +0100
@@ -1,2 +1,2 @@
-[Unit]
-Conflicts=ipset.service
+[Install]
+Alias=ipset.service
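Review bot: replacing [Unit] Conflicts=ipset.service with [Install] Alias=ipset.service changes when the setting takes effect. [Install] entries are acted on by systemctl enable, not when the unit is loaded, so on systems where netfilter-persistent.service is already enabled the ipset.service alias appears only once the unit is enabled again. The visible postinst changes run daemon-reload but no re-enable, so please confirm the alias is actually created on upgrade, and that dropping Conflicts= is intended. The file is still called ipset.override although it no longer overrides anything; a rename would match its new role.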
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.install iptables-persistent-1.0.20/debian/ipset-persistent.install
--- iptables-persistent-1.0.19/debian/ipset-persistent.install	2021-11-17 07:58:54.0 +
+++ iptables-persistent-1.0.20/debian/ipset-persistent.install	2023-05-19 12:27:33.0 +0100
@@ -1,4 +1,4 @@
 #! /usr/bin/dh-exec
 plugins/10-ipset usr/share/netfilter-persistent/plugins.d/
 plugins/40-ipset usr/share/netfilter-persistent/plugins.d/
-debian/ipset.override => etc/systemd/system/netfilter-persistent.service.d/ipset.conf
+debian/ipset.override => lib/systemd/system/netfilter-persistent.service.d/ipset.conf
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.maintscript iptables-persistent-1.0.20/debian/ipset-persistent.maintscript
--- iptables-persistent-1.0.19/debian/ipset-persistent.maintscript	1970-01-01 01:00:00.0 +0100
+++ iptables-persistent-1.0.20/debian/ipset-persistent.maintscript	2023-05-19 12:27:33.0 +0100
@@ -0,0 +1 @@
+rm_conffile /etc/systemd/system/netfilter-persistent.service.d/ipset.conf
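Review bot: the rm_conffile line gives only the path, with no prior-version or package argument. dpkg-maintscript-helper accepts rm_conffile conffile [prior-version [package]], and without a prior version the removal is attempted on every future upgrade. Adding 1.0.20~ limits it to upgrades from versions that shipped the /etc drop-in.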
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.postinst iptables-persistent-1.0.20/debian/ipset-persistent.postinst
--- iptables-persistent-1.0.19/debian/ipset-persistent.postinst	2021-11-17 07:58:54.0 +
+++ iptables-persistent-1.0.20/debian/ipset-persistent.postinst	2023-05-19 12:27:33.0 +0100
@@ -2,8 +2,10 @@
 
 set -e
 
-# Setup alternatives
-update-alternatives --install /lib/systemd/system/ipset.service ipset.service /lib/systemd/system/netfilter-persistent.service 40
+# Can be dropped in Trixie
+if update-alternatives --query ipset.service 2>/dev/null; then
+update-alternatives --remove-all ipset.service
+fi
 
 # Source debconf library
 . /usr/share/debconf/confmodule
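Review bot: in the added if, update-alternatives --query ipset.service 2>/dev/null discards only stderr, so when the alternative still exists its full query output is printed during package configuration. Redirecting stdout as well (>/dev/null 2>&1) keeps the upgrade quiet while leaving the exit status test unchanged.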
@@ -29,4 +31,11 @@
 ;;
 esac
 
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+# Ensure the drop-in is loaded
+if [ -d /run/systemd/system ]; then
+systemctl --system daemon-reload >/dev/null || true
+fi
+fi
+
 #DEBHELPER#
diff -Nru iptables-persistent-1.0.19/debian/ipset-persistent.postrm iptables-persistent-1.0.20/debian/ipset-persistent.postrm
--- iptables-persistent-1.0.19/debian/ipset-persistent.postrm	2020-07-02 15:33:46.0 +0100
+++ iptables-persistent-1.0.20/debian/ipset-persistent.postrm	2023-05-19 12:27:33.0 +0100
@@ -8,4 +8,9 @@
 ;;
 esac
 
+# To register the drop-in's 

Processed: Re: Bug#1036354: unblock: iptables-persistent/1.0.20

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #1036354 [release.debian.org] unblock: iptables-persistent/1.0.20
Ignoring request to alter tags of bug #1036354 to the same tags previously set

-- 
1036354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036354
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: New debdiff

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 unblock: node-is-docker/3.0.0-6
Bug #1036605 [release.debian.org] unblock: node-is-docker/3.0.0-5
Changed Bug title to 'unblock: node-is-docker/3.0.0-6' from 'unblock: 
node-is-docker/3.0.0-5'.

-- 
1036605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036605: New debdiff

2023-05-23 Thread Yadd

Control: retitle -1 unblock: node-is-docker/3.0.0-6

Hi,

a dependency to nodejs:any was missing, here is a new debdiff

Cheers,
Yadd

unblock node-is-docker/3.0.0-6
diff --git a/debian/changelog b/debian/changelog
index 5270a2c..0f4d72d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-is-docker (3.0.0-6) unstable; urgency=medium
+
+  * Team upload
+  * Add dependency to nodejs:any
+
+ -- Yadd   Tue, 23 May 2023 12:38:31 +0400
+
+node-is-docker (3.0.0-5) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix /usr/bin/is-docker link (Closes: #1036579)
+
+ -- Yadd   Tue, 23 May 2023 12:15:54 +0400
+
 node-is-docker (3.0.0-4) unstable; urgency=medium
 
   * team upload
diff --git a/debian/control b/debian/control
index e6a687b..4511ede 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends:
  debhelper-compat (= 13)
  , dh-sequence-nodejs (>= 0.14.12~)
  , rollup
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://github.com/sindresorhus/is-docker#readme
 Vcs-Git: https://salsa.debian.org/js-team/node-is-docker.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-is-docker
@@ -17,6 +17,7 @@ Rules-Requires-Root: no
 Package: node-is-docker
 Architecture: all
 Depends: ${misc:Depends}
+ , nodejs:any
 Multi-Arch: foreign
 Description: Check if the process is running inside a Docker container
  Node.js is an event-based server-side JavaScript engine.
diff --git a/debian/links b/debian/links
deleted file mode 100644
index b9973ef..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib/nodejs/is-docker/cli.js usr/bin/is-docker
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..6016422
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+is-docker/cli.js /usr/bin/is-docker
diff --git a/debian/rules b/debian/rules
index b6e6027..ee9210e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,3 +10,7 @@
 override_dh_auto_build:
mjs2cjs index.js
perl -i -pe 's/node://' index.cjs
+
+override_dh_fixperms:
+   dh_fixperms
+   chmod +x debian/node-is-docker/usr/share/nodejs/is-docker/cli.js
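Review bot: the new override_dh_fixperms target that makes usr/share/nodejs/is-docker/cli.js executable is not mentioned in either changelog entry above (3.0.0-5 lists the policy bump and the link fix, 3.0.0-6 the nodejs:any dependency). Please add a changelog line for it, since the /usr/bin/is-docker link is only usable as a command if its target is executable. The chmod path is also spelled out in full; if the install location moves again, as it did from usr/lib/nodejs in the deleted debian/links, this line has to be updated by hand.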


Bug#1036615: [Pkg-javascript-devel] Bug#1036615: unblock: node-isomorphic-fetch/3.0.0-3

2023-05-23 Thread Yadd

On 5/23/23 13:25, Yadd wrote:

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-isomorphic-fe...@packages.debian.org
Control: affects -1 + src:node-isomorphic-fetch

Please unblock package node-isomorphic-fetch

[ Reason ]
The useless link for browser module pointed to a libjs-fetch file
instead of new node-whatwg-fetch dependency

[ Impact ]
Only developers that require the "browser" file of this library had to
install libjs-fetch.

[ Tests ]
No changes

[ Risks ]
No risk here

[ Checklist ]
   [X] all changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-isomorphic-fetch/3.0.0-3


Here is the debdiff
diff --git a/debian/changelog b/debian/changelog
index 01aba01..853ab23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+node-isomorphic-fetch (3.0.0-3) unstable; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Apply multi-arch hints. + node-isomorphic-fetch: Add Multi-Arch: foreign.
+
+  [ Yadd ]
+  * Declare compliance with policy 4.6.2
+  * Update fetch-npm-browserify.js link (Closes: #1036610)
+
+ -- Yadd   Tue, 23 May 2023 13:18:55 +0400
+
 node-isomorphic-fetch (3.0.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index fa593ca..f2fa299 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Uploaders: Pirate Praveen 
 Build-Depends: debhelper-compat (= 13)
  , dh-sequence-nodejs
  , node-fetch 
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-isomorphic-fetch
 Vcs-Git: https://salsa.debian.org/js-team/node-isomorphic-fetch.git
 Homepage: https://github.com/matthew-andrews/isomorphic-fetch/issues
@@ -18,6 +18,7 @@ Architecture: all
 Depends: ${misc:Depends}
  , node-fetch
  , node-whatwg-fetch
+Multi-Arch: foreign
 Description: Isomorphic WHATWG Fetch API, for Node & Browserify
  This adds fetch as a global so that its API is consistent between client and
  server.
diff --git a/debian/links b/debian/links
deleted file mode 100644
index 9ff3232..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/share/javascript/fetch/fetch.js 
usr/share/nodejs/isomorphic-fetch/fetch-npm-browserify.js
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..f822404
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+whatwg-fetch/dist/fetch.umd.js isomorphic-fetch/fetch-npm-browserify.js
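
Review bot: the new link target whatwg-fetch/dist/fetch.umd.js lives in another package, and the Depends context in debian/control lists node-whatwg-fetch without a version. The previous link dangled because it pointed at a libjs-fetch file that users had to install separately; to keep this one from dangling if node-whatwg-fetch changes its dist/ layout, add a check that isomorphic-fetch/fetch-npm-browserify.js resolves after installation, or a versioned dependency on the release that ships dist/fetch.umd.js.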


Processed: unblock: node-isomorphic-fetch/3.0.0-3

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-isomorphic-fetch
Bug #1036615 [release.debian.org] unblock: node-isomorphic-fetch/3.0.0-3
Added indication that 1036615 affects src:node-isomorphic-fetch

-- 
1036615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036615: unblock: node-isomorphic-fetch/3.0.0-3

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-isomorphic-fe...@packages.debian.org
Control: affects -1 + src:node-isomorphic-fetch

Please unblock package node-isomorphic-fetch

[ Reason ]
The useless link for browser module pointed to a libjs-fetch file
instead of new node-whatwg-fetch dependency

[ Impact ]
Only developers that require the "browser" file of this library had to
install libjs-fetch.

[ Tests ]
No changes

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-isomorphic-fetch/3.0.0-3



Bug#1036613: unblock: node-jschardet/3.0.0+dfsg+~1.4.0-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-jschar...@packages.debian.org
Control: affects -1 + src:node-jschardet

Please unblock package node-jschardet

[ Reason ]
node-js-chardet had a useless link to node-buffer

[ Impact ]
Just a dangling link

[ Tests ]
No change

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-jschardet/3.0.0+dfsg+~1.4.0-2
diff --git a/debian/changelog b/debian/changelog
index 6cc65b3..e38faf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-jschardet (3.0.0+dfsg+~1.4.0-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Drop useless symlink to buffer (Closes: #1036609)
+
+ -- Yadd   Tue, 23 May 2023 13:03:58 +0400
+
 node-jschardet (3.0.0+dfsg+~1.4.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 8e3fed7..a778394 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13)
  , node-typescript
  , terser
  , webpack (>= 5.0~)
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-jschardet
 Vcs-Git: https://salsa.debian.org/js-team/node-jschardet.git
 Homepage: https://github.com/aadsm/jschardet#readme
diff --git a/debian/rules b/debian/rules
index 8ad0ced..e58679b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,7 +15,6 @@ override_dh_auto_build:
cp chardet/package.json debian/
perl -i -pe 's/0.0.0-development/$(CHARDET_VERSION)/' 
chardet/package.json
dh_auto_build --buildsystem=nodejs
-   ln -s /usr/share/nodejs/buffer .
webpack --config debian/webpack.config.js --output-library=jschardet \
--entry index.js --output-path ./dist --output-filename jschardet.js
terser dist/jschardet.js -o dist/jschardet.min.js
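
Review bot: the removed `ln -s /usr/share/nodejs/buffer .` ran just before the webpack call, so it may have been what let webpack resolve `buffer` from the build directory. The changelog calls the symlink useless and the request says "[ Tests ] No change"; state how that was verified, for example that dist/jschardet.js is identical with and without the link, since the build log alone does not show whether the bundle contents changed.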


Processed: unblock: node-jschardet/3.0.0+dfsg+~1.4.0-2

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-jschardet
Bug #1036613 [release.debian.org] unblock: node-jschardet/3.0.0+dfsg+~1.4.0-2
Added indication that 1036613 affects src:node-jschardet

-- 
1036613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036613
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 1036354

2023-05-23 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1036354 - moreinfo
Bug #1036354 [release.debian.org] unblock: iptables-persistent/1.0.20
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1036354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036354
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036605: unblock: node-is-docker/3.0.0-5

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-is-doc...@packages.debian.org
Control: affects -1 + src:node-is-docker

Please unblock package node-is-docker

[ Reason ]
The /usr/bin/is-docker link was broken

[ Impact ]
Library unusable in command-line

[ Tests ]
No changes

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-is-docker/3.0.0-5
diff --git a/debian/changelog b/debian/changelog
index 5270a2c..4d93442 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-is-docker (3.0.0-5) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix /usr/bin/is-docker link (Closes: #1036579)
+
+ -- Yadd   Tue, 23 May 2023 12:15:54 +0400
+
 node-is-docker (3.0.0-4) unstable; urgency=medium
 
   * team upload
diff --git a/debian/control b/debian/control
index e6a687b..7c4821f 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends:
  debhelper-compat (= 13)
  , dh-sequence-nodejs (>= 0.14.12~)
  , rollup
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://github.com/sindresorhus/is-docker#readme
 Vcs-Git: https://salsa.debian.org/js-team/node-is-docker.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-is-docker
diff --git a/debian/links b/debian/links
deleted file mode 100644
index b9973ef..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib/nodejs/is-docker/cli.js usr/bin/is-docker
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..6016422
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+is-docker/cli.js /usr/bin/is-docker
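
Review bot: nothing in this debdiff checks that the new /usr/bin/is-docker entry resolves, and the request lists "[ Tests ] No changes". The removed debian/links pointed at usr/lib/nodejs/is-docker/cli.js while the debian/rules hunk below operates on usr/share/nodejs/is-docker/cli.js, which is the kind of mismatch a build-time or autopkgtest check (link exists, target is a regular executable file) would have caught; consider adding one with this fix.
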
diff --git a/debian/rules b/debian/rules
index b6e6027..ee9210e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,3 +10,7 @@
 override_dh_auto_build:
mjs2cjs index.js
perl -i -pe 's/node://' index.cjs
+
+override_dh_fixperms:
+   dh_fixperms
+   chmod +x debian/node-is-docker/usr/share/nodejs/is-docker/cli.js
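
Review bot: this override turns cli.js into an executable that the links hunk exposes as /usr/bin/is-docker, but the debian/control part of this debdiff only bumps Standards-Version and adds no run-time dependency on an interpreter. The 3.0.0-6 upload later the same day adds `, nodejs:any` to Depends, so the unblock should target that version rather than 3.0.0-5.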


Processed: unblock: node-is-docker/3.0.0-5

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-is-docker
Bug #1036605 [release.debian.org] unblock: node-is-docker/3.0.0-5
Added indication that 1036605 affects src:node-is-docker

-- 
1036605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: unblock: node-shelljs/0.8.5+~cs0.8.10-2

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-shelljs
Bug #1036604 [release.debian.org] unblock: node-shelljs/0.8.5+~cs0.8.10-2
Added indication that 1036604 affects src:node-shelljs

-- 
1036604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036604
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036604: unblock: node-shelljs/0.8.5+~cs0.8.10-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-shel...@packages.debian.org
Control: affects -1 + src:node-shelljs

Please unblock package node-shelljs

[ Reason ]
The /usr/bin/shjs link was broken

[ Impact ]
Library unusable in command line

[ Tests ]
No changes

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-shelljs/0.8.5+~cs0.8.10-2
diff --git a/debian/changelog b/debian/changelog
index 1a94a3e..c688687 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-shelljs (0.8.5+~cs0.8.10-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix /usr/bin/shjs link (Closes: #1036582)
+
+ -- Yadd   Tue, 23 May 2023 06:39:48 +0400
+
 node-shelljs (0.8.5+~cs0.8.10-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/links b/debian/links
deleted file mode 100644
index ba4d0f7..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib/nodejs/shelljs/bin/shjs usr/bin/shjs
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..971d6b0
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+shelljs/bin/shjs /usr/bin/shjs
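
Review bot: the new /usr/bin/shjs entry comes with no debian/rules or debian/control change, whereas the node-is-docker fix for the same kind of broken link also needed a `chmod +x` on the link target and a `nodejs:any` dependency. Confirm that shelljs/bin/shjs is installed with its exec bit set and that the package already depends on the interpreter, and note the result in the unblock request, which currently lists "[ Tests ] No changes".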


Processed: unblock: opencascade/7.6.3+dfsg1-7

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:opencascade
Bug #1036598 [release.debian.org] unblock: opencascade/7.6.3+dfsg1-7
Added indication that 1036598 affects src:opencascade

-- 
1036598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036598: unblock: opencascade/7.6.3+dfsg1-7

2023-05-23 Thread Tobias Frost
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: opencasc...@packages.debian.org
Control: affects -1 + src:opencascade

Please unblock package opencascade

The upload fixes:
 #1036581 occt-draw: broken symlink: /usr/bin/occt-draw -> occt-draw-7.5

It's a targeted fix, only repairing the symlink. See debdiff.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock opencascade/7.6.3+dfsg1-7
diff -Nru opencascade-7.6.3+dfsg1/debian/changelog 
opencascade-7.6.3+dfsg1/debian/changelog
--- opencascade-7.6.3+dfsg1/debian/changelog2023-05-14 11:37:53.0 
+0200
+++ opencascade-7.6.3+dfsg1/debian/changelog2023-05-23 09:45:56.0 
+0200
@@ -1,3 +1,10 @@
+opencascade (7.6.3+dfsg1-7) unstable; urgency=medium
+
+  * Update broken symlink /usr/bin/occt-draw to new version
+ occt-draw-7.6" (Closes: #1036581)
+
+ -- Tobias Frost   Tue, 23 May 2023 09:45:56 +0200
+
 opencascade (7.6.3+dfsg1-6) unstable; urgency=medium
 
   * Let libocct-data-exchange-dev Conflicts: with liboce-modeling-
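
Review bot: the new changelog entry has an unbalanced double quote after `occt-draw-7.6` on its second line; drop it or add the opening quote.
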
diff -Nru opencascade-7.6.3+dfsg1/debian/occt-draw.links 
opencascade-7.6.3+dfsg1/debian/occt-draw.links
--- opencascade-7.6.3+dfsg1/debian/occt-draw.links  2022-07-31 
14:33:23.0 +0200
+++ opencascade-7.6.3+dfsg1/debian/occt-draw.links  2023-05-23 
08:13:21.0 +0200
@@ -1 +1 @@
-/usr/bin/occt-draw-7.5 /usr/bin/occt-draw
+/usr/bin/occt-draw-7.6 /usr/bin/occt-draw
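
Review bot: the replacement line still hard-codes the minor version (`occt-draw-7.6`), which is how the link went stale when the binary moved on from occt-draw-7.5. Generate debian/occt-draw.links from the upstream version at build time, or add a build-time check that the link target exists, so the next minor version bump fails the build instead of shipping a dangling /usr/bin/occt-draw.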


Bug#1036595: unblock: lprint/1.1.0-3

2023-05-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lprint

[ Reason ]
The service file was installed to the wrong directory.

[ Impact ]
The service is now at a location where it cannot be used by systemd.

[ Tests ]
There was no code change, so no test was done.

[ Risks ]
The package is a leaf package and the risk should be low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock lprint/1.1.0-3
diff -Nru lprint-1.1.0/debian/changelog lprint-1.1.0/debian/changelog
--- lprint-1.1.0/debian/changelog   2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/changelog   2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,10 @@
+lprint (1.1.0-3) unstable; urgency=medium
+
+  * move service file to correct dir
+(Closes: #1036022, #1036178, #1035601)
+
+ -- Thorsten Alteholz   Mon, 22 Mar 2023 19:17:35 +0200
+
 lprint (1.1.0-2) unstable; urgency=medium
 
   * add patch to use /usr/bin instead of /usr/local/bin in service file
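
Review bot: the trailer date of the new entry, "Mon, 22 Mar 2023 19:17:35 +0200", does not match the patch it ships, whose header says "Date: Mon, 22 May 2023 23:59:38 +0200"; 22 March 2023 was also a Wednesday, not a Monday. The month looks like a typo for May; correct the trailer so the day name and date agree.
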
diff -Nru 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
--- 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
1970-01-01 01:00:00.0 +0100
+++ 
lprint-1.1.0/debian/patches/0004-move-service-file-to-better-directory.patch
2023-03-22 18:17:35.0 +0100
@@ -0,0 +1,25 @@
+From: Thorsten Alteholz 
+Date: Mon, 22 May 2023 23:59:38 +0200
+Subject: move service file to better directory
+
+---
+ Makefile.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index f5108e0..965253a 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -130,9 +130,9 @@ install:   all
+   $(INSTALL) -d -m 755 $(BUILDROOT)/Library/LaunchDaemons; \
+   $(INSTALL) -c -m 644 org.msweet.lprint.plist 
$(BUILDROOT)/Library/LaunchDaemons; \
+   else \
+-  echo "Installing systemd service to 
$(BUILDROOT)$(sysconfdir)/systemd/system..."; \
+-  $(INSTALL) -d -m 755 $(BUILDROOT)$(sysconfdir)/systemd/system; \
+-  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)$(libdir)/systemd/system; \
++  echo "Installing systemd service to 
$(BUILDROOT)/lib/systemd/system..."; \
++  $(INSTALL) -d -m 755 $(BUILDROOT)/lib/systemd/system; \
++  $(INSTALL) -c -m 644 lprint.service 
$(BUILDROOT)/lib/systemd/system; \
+   fi
+ 
+ 
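
Review bot: the three added install lines hard-code /lib/systemd/system under $(BUILDROOT) where the replaced lines used $(sysconfdir) and $(libdir). Taking the directory from `pkg-config --variable=systemdsystemunitdir systemd` in debian/rules and passing it to the Makefile would keep the patch independent of where the unit directory lives; if the literal path stays, say why in the patch description, which currently has an empty body under the Subject line.
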
diff -Nru lprint-1.1.0/debian/patches/series lprint-1.1.0/debian/patches/series
--- lprint-1.1.0/debian/patches/series  2023-02-24 22:17:35.0 +0100
+++ lprint-1.1.0/debian/patches/series  2023-03-22 18:17:35.0 +0100
@@ -1,3 +1,4 @@
 0001-Let-compilation-be-verbose-not-silent.patch
 0002-let-service-file-point-to-usr-bin-instead-of-usr-loc.patch
 0003-put-service-file-into-libdir.patch
+0004-move-service-file-to-better-directory.patch
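
Review bot: 0004 is stacked on 0003-put-service-file-into-libdir.patch, and the lines 0004 removes include the `$(BUILDROOT)$(libdir)/systemd/system` install target that 0003's name describes. Keeping both means the series first moves the unit file into libdir and then moves it again; replacing 0003 with the corrected change would leave one patch to review and forward upstream.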


Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-23 Thread Gregor Jasny
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: c-a...@packages.debian.org
Control: affects -1 + src:c-ares

Hello,

[ Reason ]

Yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
The Debian Security team considers two of them relevant for Debian and
I'd like to cherry-pick them into the unstable package so that the fixes
can migrate to Bookworm.

Attached you'll find the debdiff. The changes are also visible in Salsa:
https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false

[ Impact ]

CVE-2023-31130 has a CVSS score of 4.1
CVE-2023-32067 has a CVSS score of 7.5

[ Tests ]

On the experimental branch I enabled the unit and integration tests:
would you consider that commit as acceptable, too?
https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09

[ Risks ]

The fix for the 0-byte DoS issue seems to be straightforward.
The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
is covered by the unit tests.

Both changes are part of the 1.19.1 release which built and passed
tests on experimental (except Hurd):
https://buildd.debian.org/status/package.php?p=c-ares=experimental

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock c-ares/1.18.1-3

Thanks,
Gregor
diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog
--- c-ares-1.18.1/debian/changelog  2023-02-17 23:34:35.0 +0100
+++ c-ares-1.18.1/debian/changelog  2023-05-23 07:58:02.0 +0200
@@ -1,3 +1,10 @@
+c-ares (1.18.1-3) unstable; urgency=medium
+
+  * Fix buffer underwrite in ares_inet_net_pton (CVE-2023-31130)
+  * Zero byte UDP packet causes DoS (CVE-2023-32067)
+
+ -- Gregor Jasny   Tue, 23 May 2023 07:58:02 +0200
+
 c-ares (1.18.1-2) unstable; urgency=medium
 
   * Add str len check in config_sortlist to avoid stack overflow
diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff 
c-ares-1.18.1/debian/patches/CVE-2023-31130.diff
--- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 
07:57:13.0 +0200
@@ -0,0 +1,319 @@
+From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001
+From: Brad House 
+Date: Mon, 22 May 2023 06:51:34 -0400
+Subject: [PATCH 2/3] Merge pull request from GHSA-x6mf-cxr9-8q6v
+Applied-Upstream: 1.19.1, 
https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2
+Bug: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
+
+* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
+* Always use our own IP conversion functions now, do not delegate to OS
+  so we can have consistency in testing and fuzzing.
+* Removed bogus test cases that never should have passed.
+* Add new test case for crash bug found.
+
+Fix By: Brad House (@bradh352)
+---
+ src/lib/inet_net_pton.c| 155 -
+ test/ares-test-internal.cc |   7 +-
+ 2 files changed, 86 insertions(+), 76 deletions(-)
+
+--- a/src/lib/inet_net_pton.c
 b/src/lib/inet_net_pton.c
+@@ -1,19 +1,20 @@
+ 
+ /*
+- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2012 by Gilles Chehade 
+  * Copyright (c) 1996,1999 by Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 
WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
++ * SOFTWARE.
+  */
+ 
+ #include "ares_setup.h"
+@@ -35,9 +36,6 @@
+ 
+ const struct ares_in6_addr ares_in6addr_any = { { { 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } };
+ 
+-
+-#ifndef 
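
Review bot: this patch is a wholesale sync of inet_net_pton.c rather than a minimal fix, and the debdiff as posted here breaks off inside the second hunk of CVE-2023-31130.diff, so the actual change to inet_net_pton_ipv6() cannot be reviewed from this message. The visible part already shows two things to address: the commit message's "Always use our own IP conversion functions now, do not delegate to OS" is a behaviour change beyond CVE-2023-31130 that the [ Risks ] section should mention, and the first hunk rewrites the copyright and licence header of src/lib/inet_net_pton.c, which calls for a matching debian/copyright update. The new test case in test/ares-test-internal.cc also only helps if the test suite runs, which per the request is enabled on the experimental branch only.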

Processed: pre-approval: unblock: c-ares/1.18.1-3

2023-05-23 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:c-ares
Bug #1036592 [release.debian.org] pre-approval: unblock: c-ares/1.18.1-3
Added indication that 1036592 affects src:c-ares

-- 
1036592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems