Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd

On 5/31/23 23:30, Salvatore Bonaccorso wrote:

Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, they passed.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd



diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400


Minor thing, you could as well close #1015982 with the upload.


Hi,

sure, here is the new debdiff

diff --git a/debian/changelog b/debian/changelog
index 3a6a587..dc02159 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML
+(Closes: #1015982, CVE-2022-31160)
+
+ -- Yadd   Thu, 01 Jun 2023 06:50:09 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..8f5238d
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,157 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Bug-Debian: https://bugs.debian.org/1015982
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var 
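
Review bot: the `@@ -0,0 +1,157 @@` hunk for debian/patches/CVE-2022-31160.patch declares 157 lines but the mail is cut off at `++  var ` inside the methods.js test, so only the three test files (checkboxradio.html, core.js, methods.js) are reviewable here; the part of the upstream change that touches the widget itself, which is what the changelog entry "Don't re-evaluate text labels as HTML" actually relies on, is not in this excerpt. The test fixtures also appear to have lost their markup in the archive rendering (`++  emHi, I'm a label/em` and `expectedLabel: "emHi, I'm a label/em"` read as if the escaped `<em>` tags the test compares against were stripped), so the patch should be taken from upstream commit 8cc5bae1 named in the Origin line rather than copied from this mail.
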

Bug#1036896: marked as done (unblock: vdr-plugin-xineliboutput/2.2.0+git20211212-2.2)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:46:55 +
with message-id 
and subject line unblock vdr-plugin-xineliboutput
has caused the Debian Bug report #1036896,
regarding unblock: vdr-plugin-xineliboutput/2.2.0+git20211212-2.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036896
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: vdr-plugin-xinelibout...@packages.debian.org, Andreas Metzler 

Control: affects -1 + src:vdr-plugin-xineliboutput

[I'm not the uploader of the update, but filing to meet the deadline]

Please unblock package vdr-plugin-xineliboutput

[ Reason ]
QA work by Helmut Grohne uncovered that xineliboutput-fbfe is missing
Breaks+Replaces for upgrades without unpack errors.

[ Impact ]
Possible unpack errors when users upgrade to bookworm.

[ Tests ]
No package-provided tests found this bug. I did not do upgrade tests, but I
am relying on the uploader of the NMU (Andreas Metzler) having done so.

[ Risks ]
The exact version for the breaks+replaces could be wrong, but the version
of the package in bullseye is covered so the risks should be minor.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
I've reviewed the complete diffoscope
--exclude-directory-metadata=recursive output and there are only the
expected changes and changes that are consistent with a rebuild of a
package after the debian archive evolved for a year or so since the last
build.

[ Full debdiff ]
$ debdiff *.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/xineliboutput-fbfe/changelog.Debian.amd64.gz

Control files: lines which differ (wdiff format)

{+Breaks: xineliboutput-sxfe (<< 2.2.0+git20211212-2.1)+}
Depends: libc6 (>= [-2.33),-] {+2.34),+} libcec6 (>= 6.0.2), libjpeg62-turbo 
(>= 1.3.1), libxine2 (>= 1.2.0), libxine2-xvdr (= 
[-2.2.0+git20211212-2.1+b1),-] {+2.2.0+git20211212-2.2),+} libxine2-console
Installed-Size: [-278-] {+270+}
{+Replaces: xineliboutput-sxfe (<< 2.2.0+git20211212-2.1)+}
Source: vdr-plugin-xineliboutput [-(2.2.0+git20211212-2.1)-]
Version: [-2.2.0+git20211212-2.1+b1-] {+2.2.0+git20211212-2.2+}


unblock vdr-plugin-xineliboutput/2.2.0+git20211212-2.2
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036889: marked as done (unblock: ignition-physics/5.1.0+ds1-4.1)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:45:01 +
with message-id 
and subject line unblock ignition-physics
has caused the Debian Bug report #1036889,
regarding unblock: ignition-physics/5.1.0+ds1-4.1
to be marked as done.


-- 
1036889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036889
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ignition-phys...@packages.debian.org, gregor herrmann 

Control: affects -1 + src:ignition-physics

[I'm not the uploader of the update, but filing to meet the deadline]

Please unblock package ignition-physics

[ Reason ]
QA work by Andreas Beckmann uncovered that libignition-physics-dev is
missing a Depends on libignition-physics5-bullet-plugin5.

[ Impact ]
If the current package is shipped with bookworm, users of
libignition-physics-dev will have to manually install
libignition-physics5-bullet-plugin5 to properly compile sources using that
plugin.

If the current package is removed, users of bookworm will not be able to
use ignition-physics from debian packages.

[ Tests ]
No package-provided tests found this bug. I've manually tested that the
symlinks that are created no longer point to non-existing files.

[ Risks ]
Only a dependency was added, so the risk should be minimal.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
I've reviewed the complete diffoscope
--exclude-directory-metadata=recursive output and there are only the
expected changes and changes that would be expected for a rebuild of a
package that is not fully reproducible (build dir paths in the built
package changed).

[ Full debdiff ]
$ debdiff *.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/libignition-physics-dev/changelog.Debian.amd64.gz

Control files: lines which differ (wdiff format)

Depends: libignition-physics-core-dev, libignition-physics-mesh-dev, 
libignition-physics-sdf-dev, libignition-physics-tpe-dev, 
{+libignition-physics5-bullet-plugin5 (= 5.1.0+ds1-4.1),+} 
libignition-physics5-dartsim-plugin5 (= [-5.1.0+ds1-4+b1),-] 
{+5.1.0+ds1-4.1),+} libbullet-dev, libignition-common-dev (>= 4.0.0), 
libignition-math-dev (>= 6.0.0), libignition-plugin-dev (>= 1.1.0), libdart-dev 
(>= 6.12.1+dfsg4), libdart-external-convhull-3d-dev (>= 6.12.1+dfsg4), 
libdart-collision-ode-dev (>= 6.12.1+dfsg4), libdart-utils-urdf-dev (>= 
6.12.1+dfsg4), libdart-utils-dev (>= 6.12.1+dfsg4), 
libdart-external-odelcpsolver-dev (>= 6.12.1+dfsg4), 
libdart-external-ikfast-dev (>= 6.12.1+dfsg4), libdart-collision-bullet-dev (>= 
6.12.1+dfsg4), libsdformat-dev (>= 12.0.0)
Installed-Size: [-592-] {+591+}
Source: ignition-physics [-(5.1.0+ds1-4)-]
Version: [-5.1.0+ds1-4+b1-] {+5.1.0+ds1-4.1+}


unblock ignition-physics/5.1.0+ds1-4.1
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1036883: marked as done (unblock: inventor/2.1.5-10+dfsg-2)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:46:03 +
with message-id 
and subject line unblock inventor
has caused the Debian Bug report #1036883,
regarding unblock: inventor/2.1.5-10+dfsg-2
to be marked as done.


-- 
1036883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: inven...@packages.debian.org, Steve M. Robbins 
Control: affects -1 + src:inventor

[I'm not the uploader of the update, but filing to meet the deadline]

Please unblock package inventor

[ Reason ]
QA work by Andreas Beckmann uncovered that libinventor1 created broken
symlinks to font files that have been renamed.

[ Impact ]
Some broken font symlinks will be created and the application might fail to
find some fonts.

[ Tests ]
No package-provided tests found this bug. I've manually tested that the
symlinks that are created no longer point to non-existing files.

[ Risks ]

Steven Robbins described the problem the following way:
> I couldn't say "harmless", but "mostly harmless", I'd think.  

And uploaded a fix to unstable.

The risks should be minimal given that the changes in the package are
minimal.


[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
I've reviewed the complete diffoscope
--exclude-directory-metadata=recursive output and there are only the
expected changes and changes that would be expected for a rebuild of a
package that is not fully reproducible (gnu debuglink and build id).

[ Full debdiff ]
$ debdiff *.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libc6 (>= 2.34), libfreetype6 (>= 2.2.1), libgcc-s1 (>= 3.0), libgl1, 
libglu1-mesa | libglu1, libjpeg62-turbo (>= 1.3.1), libstdc++6 (>= 5), 
libx11-6, libxi6, libxm4 (>= 2.3.4), libxt6, xfonts-scalable, fonts-urw-base35 
[-| gsfonts-x11-]
Version: [-2.1.5-10+dfsg-1-] {+2.1.5-10+dfsg-2+}


unblock inventor/2.1.5-10+dfsg-2
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Processed: unblock: forensics-extra/2.45

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:forensics-extra
Bug #1037003 [release.debian.org] unblock: forensics-extra/2.45
Added indication that 1037003 affects src:forensics-extra

-- 
1037003: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037003
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1037003: unblock: forensics-extra/2.45

2023-05-31 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: forensics-ex...@packages.debian.org
Control: affects -1 + src:forensics-extra

Please unblock package forensics-extra

[ Reason ]
forensics-extra (like forensics-all) is a metapackage to install several
tools to aid in forensics activities. Due to an issue in reaver (see #1036809),
forensics-extra is marked for autoremoval. The solution was to move reaver from
the Depends field to the Recommends field in forensics-extra. Consequently, the files
list-of-packages-extra, debian/control and debian/forensics-extra.README.Debian
were updated.

This metapackage is native and uses some scripts to generate a final
debian/control and a debian/forensics-extra.README.Debian. The
list-of-packages-extra file describes which packages will be put in
debian/control and where they will be put (Depends, Recommends, Suggests).
The debian/forensics-extra.README.Debian is a list of all packages on
forensics-extra and their short descriptions.

[ Impact ]
The impact for the user if the unblock isn't granted is that the package
forensics-extra will not be available in the next stable release (Bookworm).

[ Tests ]
Considering that this is a metapackage, no great tests are needed. The package
has a CI test and the Salsa CI is activated too. The package passes in CI,
piuparts, etc.

There is a script in forensics-extra called find-deps.sh (available in a branch
in Salsa, not merged yet, but functional). This script ensures that no other
package is affected by reaver in forensics-extra.

[ Risks ]
No risks. This is a trivial change in a metapackage.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No more info needed.

unblock forensics-extra/2.45
diff -Nru forensics-extra-2.44/debian/changelog 
forensics-extra-2.45/debian/changelog
--- forensics-extra-2.44/debian/changelog   2023-04-17 20:59:36.0 
-0300
+++ forensics-extra-2.45/debian/changelog   2023-05-31 17:01:50.0 
-0300
@@ -1,3 +1,12 @@
+forensics-extra (2.45) unstable; urgency=medium
+
+  * list-of-packages-extra: moved reaver from FED to FER. See #1036809 and
+#1036591.
+  * debian/control: updated.
+  * debian/forensics-extra.README.Debian: updated.
+
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 17:01:50 
-0300
+
 forensics-extra (2.44) unstable; urgency=medium
 
   * list-of-packages-extra: changed bzip3 from FED to FER. See #1034177.
diff -Nru forensics-extra-2.44/debian/control 
forensics-extra-2.45/debian/control
--- forensics-extra-2.44/debian/control 2023-04-17 20:59:36.0 -0300
+++ forensics-extra-2.45/debian/control 2023-05-31 17:01:50.0 -0300
@@ -31,6 +31,7 @@
 exfatprogs,
 guestfs-tools,
 pngcheck,
+reaver,
 ree,
 tcpreplay
 Depends: ancient,
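
Review bot: the `+reaver,` line moves reaver into the field this hunk edits (Recommends, per the changelog entry), which keeps it installed by default because apt installs Recommends unless configured otherwise; that breaks the autoremoval chain from #1036809 but still delivers the segfaulting reaver (#1036591, "reaver: segmentation fault") to anyone installing forensics-extra with default apt settings. If the goal is to stop shipping the broken binary until it is fixed, Suggests would do that; if the goal is only to protect the metapackage from removal, Recommends is fine and the changelog entry could say so explicitly.
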
@@ -125,7 +126,6 @@
  psrip,
  rarcrack,
  readstat,
- reaver,
  rzip,
  scrot,
  secure-delete,
@@ -225,7 +225,7 @@
ncompress, netcat-openbsd, netdiscover, ngrep, nomarch, nstreams,
ntfs-3g, nwipe, openpace, p7zip-full, packit, parted, pcapfix,
pcaputils, pdfcrack, pecomato, pev, plzip, png-definitive-guide,
-   poppler-utils, psrip, rarcrack, readstat, reaver, rzip, scrot,
+   poppler-utils, psrip, rarcrack, readstat, rzip, scrot,
secure-delete, sipcrack, sipgrep, sipvicious, sngrep,
squashfs-tools-ng, ssh-audit, sslscan, stepic, sxiv, tcpdump,
tcpflow, tcptrace, tcpxtract, testdisk, tshark, ugrep, unrar-free,
diff -Nru forensics-extra-2.44/debian/forensics-extra.README.Debian 
forensics-extra-2.45/debian/forensics-extra.README.Debian
--- forensics-extra-2.44/debian/forensics-extra.README.Debian   2023-04-17 
20:59:36.0 -0300
+++ forensics-extra-2.45/debian/forensics-extra.README.Debian   2023-05-31 
17:01:50.0 -0300
@@ -99,7 +99,6 @@
 psrip - Extract images from PostScript files
 rarcrack - Password cracker for rar archives
 readstat - read/write data sets from SAS, Stata, and SPSS
-reaver - brute force attack tool against Wifi Protected Setup PIN number
 rzip - compression program for large files
 scrot - command line screen capture utility
 secure-delete - tools to wipe files, free disk space, swap and memory
@@ -173,8 +172,9 @@
 exfatprogs - exFAT file system utilities
 guestfs-tools - guest disk image management system - tools
 pngcheck - print info and check PNG, JNG and MNG files
+reaver - brute force attack tool against Wifi Protected Setup PIN number
 ree - extract ROM extensions
 tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
 
 
- -- Joao Eriberto Mota Filho   Mon, 17 Apr 2023 21:03:07 
-0300
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 17:06:35 
-0300
diff -Nru forensics-extra-2.44/list-of-packages-extra 
forensics-extra-2.45/list-of-packages-extra
--- 

Processed: unblock: forensics-all/3.45

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:forensics-all
Bug #1037002 [release.debian.org] unblock: forensics-all/3.45
Added indication that 1037002 affects src:forensics-all

-- 
1037002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037002
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1037002: unblock: forensics-all/3.45

2023-05-31 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: forensics-...@packages.debian.org
Control: affects -1 + src:forensics-all

Please unblock package forensics-all.

[ Reason ]
forensics-all (like forensics-extra) is a metapackage to install several
tools to aid in forensics activities. Due to an issue in reaver (see #1036809),
forensics-all is marked for autoremoval. The solution was to move wifite, which
depends on reaver, from the Depends field to the Recommends field in forensics-all.
Consequently, the files list-of-packages, debian/control and
debian/forensics-all.README.Debian were updated.

This metapackage is native and uses some scripts to generate a final
debian/control and a debian/forensics-all.README.Debian. The list-of-packages
file describes which packages will be put in debian/control and where they
will be put (Depends, Recommends, Suggests). The
debian/forensics-all.README.Debian is a list of all packages on forensics-all
and their short descriptions.

[ Impact ]
The impact for the user if the unblock isn't granted is that the package
forensics-all will not be available in the next stable release (Bookworm).

[ Tests ]
Considering that this is a metapackage, no great tests are needed. The package
has a CI test and the Salsa CI is activated too. The package passes in CI,
piuparts, etc.

There is a script in forensics-all called find-deps.sh. This script ensures
that only wifite depends on reaver in forensics-all.

[ Risks ]
No risks. This is a trivial change in a metapackage.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No more info needed.

unblock forensics-all/3.45
diff -Nru forensics-all-3.44/debian/changelog 
forensics-all-3.45/debian/changelog
--- forensics-all-3.44/debian/changelog 2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/debian/changelog 2023-05-31 16:38:48.0 -0300
@@ -1,3 +1,11 @@
+forensics-all (3.45) unstable; urgency=medium
+
+  * list-of-packages: moved wifite from FD to FR. See #1036809 and #1036591.
+  * debian/control: updated.
+  * debian/forensics-all.README.Debian: updated.
+
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 16:38:48 
-0300
+
 forensics-all (3.44) unstable; urgency=medium
 
   * list-of-packages:
diff -Nru forensics-all-3.44/debian/control forensics-all-3.45/debian/control
--- forensics-all-3.44/debian/control   2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/debian/control   2023-05-31 16:38:48.0 -0300
@@ -38,6 +38,7 @@
 plaso,
 radare2,
 wapiti,
+wifite,
 xmount,
 yara
 Depends: acct,
@@ -145,7 +146,6 @@
  unhide.rb,
  vinetto,
  wfuzz,
- wifite,
  winregfs,
  wipe,
  ${misc:Depends}
@@ -176,7 +176,7 @@
scrounge-ntfs, shed, sleuthkit, smbmap, snowdrop, ssdeep, ssldump,
statsprocessor, stegcracker, steghide, stegsnow, sucrack,
tableau-parm, tcpick, testssl.sh, time-decode, undbx, unhide,
-   unhide.rb, vinetto, wfuzz, wifite, winregfs, wipe
+   unhide.rb, vinetto, wfuzz, winregfs, wipe
  .
  This metapackage is useful for pentesters, ethical hackers and forensics
  experts.
diff -Nru forensics-all-3.44/debian/forensics-all.README.Debian 
forensics-all-3.45/debian/forensics-all.README.Debian
--- forensics-all-3.44/debian/forensics-all.README.Debian   2023-03-16 
08:04:52.0 -0300
+++ forensics-all-3.45/debian/forensics-all.README.Debian   2023-05-31 
16:38:48.0 -0300
@@ -110,7 +110,6 @@
 unhide.rb - Forensics tool to find processes hidden by rootkits
 vinetto - forensics tool to examine Thumbs.db files
 wfuzz - Web application bruteforcer
-wifite - Python script to automate wireless auditing using aircrack-ng tools
 winregfs - Windows registry FUSE filesystem
 wipe - secure file deletion
 
@@ -128,8 +127,9 @@
 plaso - super timeline all the things -- metapackage
 radare2 - free and advanced command line hexadecimal editor
 wapiti - web application vulnerability scanner
+wifite - Python script to automate wireless auditing using aircrack-ng tools
 xmount - tool for crossmounting between disk image formats
 yara - Pattern matching swiss knife for malware researchers
 
 
- -- Joao Eriberto Mota Filho   Thu, 16 Mar 2023 08:33:39 
-0300
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 16:43:31 
-0300
diff -Nru forensics-all-3.44/list-of-packages 
forensics-all-3.45/list-of-packages
--- forensics-all-3.44/list-of-packages 2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/list-of-packages 2023-05-31 16:38:48.0 -0300
@@ -234,7 +234,7 @@
 websploit SS
 weevely SS
 wfuzz FD
-wifite FD
+wifite FR # FIXME. Was F-D. See #1036809 and #1036591.
 wig SS
 winregfs FD
 wipe FD
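
Review bot: `+wifite FR # FIXME. Was F-D. See #1036809 and #1036591.` is the only line in this hunk with a trailing `# ...` comment; the neighbouring entries (`websploit SS`, `wfuzz FD`, `winregfs FD`) are bare `name CODE` pairs, so the script that generates debian/control from list-of-packages has to tolerate the comment or wifite ends up with a malformed field code. Worth confirming that the `+wifite,` line in the debian/control hunk above was produced from this exact line rather than edited by hand; the comment also spells the old code `F-D` while the file itself uses `FD`.
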


Bug#1037000: unblock: crowdsec/1.4.6-4 and bouncers

2023-05-31 Thread Cyril Brulebois
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi!

Please unblock packages crowdsec, crowdsec-custom-bouncer, and
crowdsec-firewall-bouncer.

I'm filing a single unblock request since all three packages are
entangled, and Paul suggested this would be appropriate:
 - both bouncers get the exact same changes (only the context differs);
 - crowdsec gets an extra snippet to deal with the pending registration
   requested by either one or both bouncers.

[ Reason ]
RC bugs #1035499 and #1036985 on the bouncers: they might fail to
install depending on the dpkg-level ordering as far as configuration
goes, that is: if crowdsec (which is listed in Recommends) is unpacked
but not configured, the `cscli` call fails and the postinst errors out.

Back when the bouncers were prepared, both upstream and I verified that
we could just install either bouncer package without a pre-existing
crowdsec package installed, but as seen with Andreas' piuparts-based
testing, we might get a different order over time, or across bouncers…

In any case, at the moment, a freshly-deployed Bookworm VM can't get
either bouncer installed, and I'd like to get that fixed in time for
12.0.

The proposed changes keep the existing code paths, and add detection for
the problematic case, queueing bouncer registration, letting crowdsec
catch up when it's finally configured. To prevent bouncers from starting
before crowdsec has dealt with the registration, I've added a condition
to both their systemd units, and a `deb-systemd-invoke start` call once
everything is ready.

[ Impact ]
Abysmal user experience without those fixes.

[ Tests ]
Both upstream and I have tested updated packages, stashed in a custom
repository, installing 1 to 3 packages in various order, making sure the
new code does the right thing. I've also verified this under piuparts,
seeing that policy-rc.d is respected as it should (and the start request
is ignored without triggering an error).

[ Risks ]
There might be tricky situations I haven't imagined or encountered, but
since we're basically keeping existing code, and just adding detection
and solution for a specific bad situation during the first installation,
I'm not sure what could regress.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock crowdsec/1.4.6-4
unblock crowdsec-custom-bouncer/0.0.15-3
unblock crowdsec-firewall-bouncer/0.0.25-3


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru crowdsec-1.4.6/debian/changelog crowdsec-1.4.6/debian/changelog
--- crowdsec-1.4.6/debian/changelog 2023-03-19 00:25:07.0 +0100
+++ crowdsec-1.4.6/debian/changelog 2023-05-31 18:54:17.0 +0200
@@ -1,3 +1,16 @@
+crowdsec (1.4.6-4) unstable; urgency=medium
+
+  * Implement support for pending registration: since bouncers list crowdsec
+in Recommends, we cannot guarantee the order in which bouncers and
+crowdsec are configured (See: #1035499, #1036985). Bouncers can now
+queue triplets (systemd unit name, bouncer identifier and API key) in
+/var/lib/crowdsec/pending-registration. crowdsec.postinst will register
+those bouncers, and start their systemd units after removing that file
+(satisfying their ConditionPathExists=! on it).
+  * Replace `exit 0` with `break` in the preceding code block.
+
+ -- Cyril Brulebois   Wed, 31 May 2023 18:54:17 +0200
+
 crowdsec (1.4.6-3) unstable; urgency=medium
 
   * When performing an upgrade from pre-1.4.x versions, apply a workaround
diff -Nru crowdsec-1.4.6/debian/crowdsec.postinst 
crowdsec-1.4.6/debian/crowdsec.postinst
--- crowdsec-1.4.6/debian/crowdsec.postinst 2023-03-18 14:40:31.0 
+0100
+++ crowdsec-1.4.6/debian/crowdsec.postinst 2023-05-31 17:01:15.0 
+0200
@@ -280,15 +280,35 @@
   for _ in $(seq 1 $MAX); do
 # Getting decisions means we can happily exit:
 if grep -qs 'added [0-9][0-9]* entries, deleted [0-9][0-9]* entries' $LOG; 
then
-  exit 0
+  break
 fi
 # Getting 0 new entries means we can happily trigger a restart then exit:
 if grep -qs 'received 0 new entries (expected if you just installed 
crowdsec)' $LOG; then
   echo "W: Restarting manually to force a CAPI pull (upstream #2120)" >&2
   deb-systemd-invoke restart 'crowdsec.service' >/dev/null || true
-  exit 0
+  break
 fi
 # Don't poll too aggressively:
 sleep 1
   done
 fi
+
+# Bouncer registration: they have crowdsec in Recommends only, so ordering 
isn't
+# guaranteed (#1035499, #1036985). Process pending registration if any, then
+# kick relevant systemd units once their ConditionPathExists is satisfied.
+PENDING=/var/lib/crowdsec/pending-registration
+if [ -f $PENDING ]; then
+  while read unit name key; do
+units="${units:+$units }$unit"
+bouncers="${bouncers:+$bouncers 
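
Review bot: `+  while read unit name key; do` should be `while read -r unit name key; do`; without `-r`, a backslash in an API key is consumed by `read` and the bouncer is registered with a mangled key. The same block trusts /var/lib/crowdsec/pending-registration, which per the changelog hunk holds API keys in clear text, yet nothing in this hunk checks the file's ownership or mode before reading it; the bouncer side that writes it should create it 0600 root:root, and the consumer could refuse anything else. The hunk is also cut off at `bouncers="${bouncers:+$bouncers `, so the registration call and the removal of the file that satisfies `ConditionPathExists=!` cannot be checked here.
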

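The pending-registration mechanism described in the crowdsec unblock request above (a queue file of unit/name/key triplets that crowdsec.postinst drains before starting the bouncers' units), reconstructed as an added stand-alone shell example; this is not the crowdsec package's own postinst code. `register_bouncer` is a hypothetical stand-in for the real `cscli` registration step, the queue path is the one named in the changelog hunk, and the mode check and `read -r` are additions a reviewer would want because the file carries API keys.

```shell
#!/bin/sh
# Added example, not the crowdsec package's own postinst: a defensive consumer
# for a pending-registration queue of "unit name key" triplets, the mechanism
# described in the unblock request above.
set -eu

# Queue path as given in the changelog hunk; overridable for testing.
PENDING="${PENDING:-/var/lib/crowdsec/pending-registration}"

# Hypothetical stand-in for the real registration step (cscli in the package).
# It only reports what it would register, so the example runs without crowdsec.
register_bouncer() {
    printf 'registered %s (key length %d)\n' "$1" "${#2}"
}

# Drain the queue: register every bouncer, remove the queue file, then print
# the space-separated list of systemd units to start. Removing the file before
# starting the units is what satisfies a ConditionPathExists=! on it.
process_pending() {
    pending="$1"
    [ -f "$pending" ] || return 0
    # The file carries API keys: refuse it unless only the owner can read it.
    mode=$(stat -c '%a' "$pending")
    case "$mode" in
        600|400) ;;
        *) echo "E: $pending has mode $mode, expected 0600" >&2; return 1 ;;
    esac
    units=""
    # read -r keeps backslashes in a key literal; blank lines are skipped.
    while read -r unit name key; do
        [ -n "$unit" ] || continue
        register_bouncer "$name" "$key"
        units="${units:+$units }$unit"
    done < "$pending"
    rm -f "$pending"
    printf '%s\n' "$units"
}

# Stand-alone run against the default queue path (a no-op when it is absent).
process_pending "$PENDING"
```

In a real postinst the printed unit list would be fed to `deb-systemd-invoke start`, as the request describes; the queue file is removed first so that the units' `ConditionPathExists=!` is already satisfied when they are started.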
Processed: your mail

2023-05-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> affects 1036591 forensics-all forensics-extra
Bug #1036591 {Done: Leandro Cunha } [reaver] reaver: 
segmentation fault
Added indication that 1036591 affects forensics-all and forensics-extra
> affects 1036809 forensics-all forensics-extra
Bug #1036809 [release.debian.org] unblock: reaver/1.6.6-0.1
Added indication that 1036809 affects forensics-all and forensics-extra
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
1036591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036591
1036809: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036809
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036867: marked as done (unblock: qt6-base/6.4.2+dfsg-10)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:09:27 +0200
with message-id <64ef3095-e5eb-6a54-d48c-fbe1e5ec5...@debian.org>
and subject line Re: Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10
has caused the Debian Bug report #1036867,
regarding unblock: qt6-base/6.4.2+dfsg-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036867
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: delta...@debian.org,debian-qt-...@lists.debian.org

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-33285 that prevents a buffer overflow.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, does not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-10
diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg

 changelog   |7 
 patches/cve-2023-33285.diff |   70 
 patches/series  |3 +
 3 files changed, 79 insertions(+), 1 deletion(-)

diff -Nru qt6-base-6.4.2+dfsg/debian/changelog 
qt6-base-6.4.2+dfsg/debian/changelog
--- qt6-base-6.4.2+dfsg/debian/changelog2023-05-22 16:40:45.0 
+0200
+++ qt6-base-6.4.2+dfsg/debian/changelog2023-05-28 10:41:24.0 
+0200
@@ -1,3 +1,10 @@
+qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to fix CVE-2023-33285 (Closes: #1036848).
+
+ -- Patrick Franz   Sun, 28 May 2023 10:41:24 +0200
+
 qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
 
   * Team upload.
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 
qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
--- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff  1970-01-01 
01:00:00.0 +0100
+++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff  2023-05-28 
10:40:55.0 +0200
@@ -0,0 +1,70 @@
+diff --git a/src/network/kernel/qdnslookup_unix.cpp 
b/src/network/kernel/qdnslookup_unix.cpp
+index 75f7c6c440..de0113494f 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
 b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray 
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+-const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray 
+ return;
+ }
+
+-// Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+-int status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
+-if (status < 0) {
++int status;
++
++if (ntohs(header->qdcount) == 1) {
++// Skip the query host, type (2 bytes) and class (2 bytes).
++status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
++if (status < 0) {
++reply->error = QDnsLookup::InvalidReplyError;
++reply->errorString = tr("Could not expand domain name");
++return;
++}
++if ((p - response) + status + 4 >= responseLength)
++header->qdcount = 0x;   // invalid reply below
++else
++p += status + 4;
++}
++if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+-reply->errorString = tr("Could not expand domain name");
++reply->errorString = tr("Invalid reply received");
+ return;
+ }
+-p += status + 4;
+
+ // Extract results.
++const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
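Review bot: `header->qdcount = 0x;   // invalid reply below` is not a valid C integer literal as it appears here; confirm that the patch file carries the intended sentinel (any value greater than 1, so that the `ntohs(header->qdcount) > 1` check that follows rejects the reply). Separately, a reply with `qdcount == 0` takes neither branch and proceeds to answer parsing with `p` still at `response + sizeof(HEADER)`; if a zero question count is never valid for a response to this lookup, `ntohs(header->qdcount) != 1` would be the tighter rejection and would avoid the sentinel trick entirely.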
+@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray 
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++if ((p - response) + 10 > responseLength) {
++  
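Review bot: the excerpt ends right after `if ((p - response) + 10 > responseLength) {`; those 10 bytes are the fixed fields that follow the owner name in a resource record (type 2, class 2, TTL 4, rdlength 2), so the check is correctly placed before any of them is read, but the value read from rdlength still needs its own bound against `responseLength` before the record data is consumed, and that part is not visible in this debdiff excerpt and should be confirmed in the full patch.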

Bug#1036864: marked as done (unblock: soapysdr/0.8.1-3)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:06:39 +0200
with message-id 
and subject line Re: Bug#1036864: unblock: soapysdr/0.8.1-3
has caused the Debian Bug report #1036864,
regarding unblock: soapysdr/0.8.1-3
to be marked as done.



-- 
1036864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036864
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: tony mancill 
Control: tag -1 + src:soapysdr

Please unblock package soapysdr

[ Reason ]
The libsoapysdr0.7 (bullseye) and libsoapysdr0.8 (bookworm) library
stacks are not co-installable due to a package conflict deep in their
dependency tree. This is sometimes hard for apt to figure out and it
may prefer to keep some obsolete packages installed and hold some
upgradable packages at the bullseye version. This can be hinted into the
right direction (removing the whole obsolete tree, and installing all
the fancy new stuff) by adding some Breaks between the roots of the
dependency trees. The explicit Breaks at the root (which usually has a
sufficiently high score) easily propagates the removal through the whole
tree.

[ Impact ]
incomplete upgrades in some cases

[ Tests ]
Local piuparts bullseye -> bookworm tests using the fixed packages,
testing all upgrade paths that had libsoapysdr0.7 (transitively)
installed in bookworm.

[ Risks ]
the Breaks targets only packages not in bookworm
and that need to get removed on upgrades from bullseye

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
n/a

unblock soapysdr/0.8.1-3

Andreas
diff -Nru soapysdr-0.8.1/debian/changelog soapysdr-0.8.1/debian/changelog
--- soapysdr-0.8.1/debian/changelog 2021-09-07 00:29:41.0 +0200
+++ soapysdr-0.8.1/debian/changelog 2023-05-24 09:35:42.0 +0200
@@ -1,3 +1,11 @@
+soapysdr (0.8.1-3) unstable; urgency=medium
+
+  * Team upload
+  * libsoapysdr0.8: Add Breaks: libsoapysdr0.7 for smoother upgrades from
+bullseye.  (Closes: #1036737)
+
+ -- Andreas Beckmann   Wed, 24 May 2023 09:35:42 +0200
+
 soapysdr (0.8.1-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru soapysdr-0.8.1/debian/control soapysdr-0.8.1/debian/control
--- soapysdr-0.8.1/debian/control   2021-08-25 22:17:31.0 +0200
+++ soapysdr-0.8.1/debian/control   2023-05-24 09:35:42.0 +0200
@@ -24,6 +24,7 @@
 Multi-Arch: same
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Recommends: soapysdr0.8-module-all | soapysdr0.8-module
+Breaks: libsoapysdr0.7
 Description: software defined radio interface library
  SoapySDR is a library providing a common interface to SDR (software
  defined radio) hardware. Support for different hardware is added through
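Review bot: the added `Breaks: libsoapysdr0.7` is unversioned and on a different package name, so it makes the two runtime libraries non-co-installable by declaration rather than by a real file conflict, which is normally avoided for SONAME-versioned packages; the justification (libsoapysdr0.7 is not shipped in bookworm and must be removed on upgrade, Closes: #1036737) is in the changelog hunk, so this is acceptable, but the line would have to be revisited if libsoapysdr0.7 ever reappears in a later suite.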
--- End Message ---
--- Begin Message ---

Hi,

On 28-05-2023 10:26, Andreas Beckmann wrote:

unblock soapysdr/0.8.1-3


unblocked.

Paul


--- End Message ---


Bug#1036954: marked as done (RM: matrix-synapse/1.78.0-1)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 22:03:23 +0200
with message-id <7e3e9226-c82d-a752-cde2-a516f1b7f...@debian.org>
and subject line Re: Bug#1036954: RM: matrix-synapse/1.78.0-1
has caused the Debian Bug report #1036954,
regarding RM: matrix-synapse/1.78.0-1
to be marked as done.



-- 
1036954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036954
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: matrix-syna...@packages.debian.org, 
matrix-syna...@packages.debian.org, t...@security.debian.org, Andrej Shadura 
, car...@debian.org
Control: affects -1 + src:matrix-synapse

Dear release team,

As discussed with Andrej in #1036806 matrix-synapse will be hard to
support during the bookworm release cycle. To avoid shipping it
initially with bookworm and then, relatively quickly, having to ask for
its removal, let's not ship it from the start.

See https://bugs.debian.org/1036806#30

Regards,
Salvatore
--- End Message ---
--- Begin Message ---

Hi,

On 30-05-2023 21:34, Salvatore Bonaccorso wrote:

As discussed with Andrej in #1036806 matrix-synapse will be hard to
support during the bookworm release cycle. To avoid shipping it
initially with bookworm and then, relatively quickly, having to ask for
its removal, let's not ship it from the start.


removal hint added.

Paul


--- End Message ---


Bug#1036852: marked as done (unblock: r-cran-pander/0.6.5+dfsg-3)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 21:59:29 +0200
with message-id <5e8ba39a-3a6b-26cd-92b2-a43d6d910...@debian.org>
and subject line Re: Bug#1036852: unblock: r-cran-pander/0.6.5+dfsg-3
has caused the Debian Bug report #1036852,
regarding unblock: r-cran-pander/0.6.5+dfsg-3
to be marked as done.



-- 
1036852: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036852
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Andreas Tille 

Please unblock package r-cran-pander

[ Reason ]
r-cran-pander needs jquery-1.7.2.js (it is unknown whether newer
versions would work, too), but that is no longer available in the Debian
archive, causing the package to ship a broken symlink.
Therefore let the package ship a copy of the old jquery version.

[ Impact ]
Some r-cran-pander functionality may be missing and/or cause errors due
to missing .js files.

[ Tests ]
piuparts stops reporting a broken symlink (in a lot of packages
depending on this one).

[ Risks ]
testing/porting r-cran-pander for use with newer jquery versions might
be more difficult and risky than using a known good version.
The node-jquery-ui dependency might now be superfluous.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

[ Other info ]

$ diffstat r-cran-pander_0.6.5+dfsg-3.dsc.diff.xz
 changelog  |8
 missing-sources/jquery/get |2
 missing-sources/jquery/jquery-1.7.2.js | 9404 +
 missing-sources/jquery/jquery-1.7.2.min.js |   23
 rules  |4
 5 files changed, 9438 insertions(+), 3 deletions(-)
(compressed diff is still > 90kb)

$ filterdiff -x '*.js' r-cran-pander_0.6.5+dfsg-3.dsc.diff
diff -Nru r-cran-pander-0.6.5+dfsg/debian/changelog 
r-cran-pander-0.6.5+dfsg/debian/changelog
--- r-cran-pander-0.6.5+dfsg/debian/changelog   2023-02-21 21:25:31.0 
+0100
+++ r-cran-pander-0.6.5+dfsg/debian/changelog   2023-05-19 12:38:06.0 
+0200
@@ -1,3 +1,11 @@
+r-cran-pander (0.6.5+dfsg-3) unstable; urgency=medium
+
+  * Provide source and compressed JS of jquery 1.7.2 since it is not
+provided by any other package any more
+Closes: #1035855
+
+ -- Andreas Tille   Fri, 19 May 2023 12:38:06 +0200
+
 r-cran-pander (0.6.5+dfsg-2) unstable; urgency=medium

   * Pre-compress jcaption.js to avoid calling closure-compiler at
diff -Nru r-cran-pander-0.6.5+dfsg/debian/missing-sources/jquery/get 
r-cran-pander-0.6.5+dfsg/debian/missing-sources/jquery/get
--- r-cran-pander-0.6.5+dfsg/debian/missing-sources/jquery/get  1970-01-01 
01:00:00.0 +0100
+++ r-cran-pander-0.6.5+dfsg/debian/missing-sources/jquery/get  2023-05-19 
12:38:06.0 +0200
@@ -0,0 +1,2 @@
+wget http://code.jquery.com/jquery-1.7.2.js
+yui-compressor  jquery-1.7.2.js > jquery-1.7.2.min.js
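Review bot: `wget http://code.jquery.com/jquery-1.7.2.js` fetches the embedded source over plain HTTP with no integrity check, so the copy placed in missing-sources cannot be verified against what upstream published; use `https://` and add a pinned checksum step (for example a `sha256sum -c` line next to the download) so the file is reproducible. Shipping a private copy of jquery 1.7.2 also means this package now carries its own old jQuery that the security tracker has to follow separately, which is exactly what the unblock reply asks about.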
diff -Nru r-cran-pander-0.6.5+dfsg/debian/rules 
r-cran-pander-0.6.5+dfsg/debian/rules
--- r-cran-pander-0.6.5+dfsg/debian/rules   2023-02-21 21:25:31.0 
+0100
+++ r-cran-pander-0.6.5+dfsg/debian/rules   2023-05-19 12:38:06.0 
+0200
@@ -8,6 +8,7 @@
 override_dh_install:
dh_install
dh_install debian/missing-sources/jcaption/jcaption.min.js  
$(debRdir)/$(cranNameOrig)/includes/javascripts/
+   dh_install debian/missing-sources/jquery/jquery-1.7.2.min.js
$(debRdir)/$(cranNameOrig)/includes/javascripts/
dh_install debian/missing-sources/rapporter.net/*.gif   
$(debRdir)/$(cranNameOrig)/includes/images/
dh_install debian/missing-sources/stylesheets/*.css 
$(debRdir)/$(cranNameOrig)/includes/stylesheets/
sed -i \
@@ -18,6 +19,3 @@
-e '/html5shim/d' \
$(debRlib)/$(cranNameOrig)/includes/html/header.html
find  debian -name index.html | xargs sed -i 's|library|site-library|g'
-
-override_dh_link:
-   dh_link /usr/share/nodejs/jquery-ui/ui/jquery-1-7.min.js 
$(debRdir)/$(cranNameOrig)/includes/javascripts/jquery-1.7.2.min.js
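Review bot: with `override_dh_link` removed, nothing in the packaging references `/usr/share/nodejs/jquery-ui` any more, so the `node-jquery-ui` dependency that the request itself calls "might now be superfluous" is not exercised by this debdiff at all; dropping it from d/control in the same upload would keep the dependency honest, and if it stays it should be stated why.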

unblock r-cran-pander/0.6.5+dfsg-3

Andreas
--- End Message ---
--- Begin Message ---

Hi

On 28-05-2023 00:17, Andreas Beckmann wrote:

Therefore let the package ship a copy of the old jquery version.


Ugh, OK. Has the security tracker been updated to reflect that?


unblock r-cran-pander/0.6.5+dfsg-3


Anyways, unblocked.

Paul



Bug#1036801: marked as done (unblock: curl/7.88.1-10)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 21:54:30 +0200
with message-id <40867e5e-cbda-b256-9559-75e68d9fc...@debian.org>
and subject line Re: Bug#1036801: unblock: curl/7.88.1-10
has caused the Debian Bug report #1036801,
regarding unblock: curl/7.88.1-10
to be marked as done.



-- 
1036801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package curl

[ Reason ]
4 CVE fixes:

* Add new patches to fix CVEs (closes: #1036239):
- CVE-2023-28319: UAF in SSH sha256 fingerprint check
- CVE-2023-28320: siglongjmp race condition
- CVE-2023-28321: IDN wildcard match
- CVE-2023-28322: more POST-after-PUT confusion
  * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
CVE-2023-28320

[ Impact ]
The highest CVE severity from upstream is "Moderate".

[ Tests ]
Curl has an extensive test suite that's run at build time and on
autopkgtest, no regressions were detected.

[ Risks ]
The patches didn't require any changes which would be worrying.
Regarding the "curl_jmpenv", there's no package on Debian using that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Please also shorten the bake time in unstable, if possible (and needed).

unblock curl/7.88.1-10

-- 
Samuel Henrique 


curl_7.88.1-10.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---

Hi,

On 28-05-2023 13:17, Samuel Henrique wrote:

I should have done a better job at
explaining this, so let me try doing it now.


Thanks, I just unblocked curl.

Paul


--- End Message ---


Bug#1036307: marked as done (unblock: ufw/0.36.2-1)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 21:50:53 +0200
with message-id <996bc79d-d74d-3664-38c1-2777b45f2...@debian.org>
and subject line Re: Bug#1036307: unblock: ufw/0.36.2-1
has caused the Debian Bug report #1036307,
regarding unblock: ufw/0.36.2-1
to be marked as done.



-- 
1036307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org

This has additional information:
https://alioth-lists.debian.net/pipermail/piuparts-devel/2023-May/009566.html

On May 18, 2023 10:33:36 PM Jamie Strandboge  wrote:


Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ufw

It seems that adduser 3.133 has caused problems for a lot of packages in sid,
including ufw. See:

https://piuparts.debian.org/sid/fail/adduser_3.133.log
https://piuparts.debian.org/sid/fail/
https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
https://piuparts.debian.org/sid/fail/...

In the case of ufw, it ships a logrotate file and logrotate gets installed,
which pulls in adduser, but adduser can't be removed and piuparts fails:

0m18.6s DEBUG: Starting command: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'apt-get', 'install', '-y', 
'logrotate']

0m19.9s DUMP:
 Reading package lists...
 Building dependency tree...
 Reading state information...
 The following additional packages will be installed:
   adduser cron cron-daemon-common libpopt0 sensible-utils
...
m20.2s ERROR: Command failed (status=1): ['chroot', 
'/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'dpkg', '--purge', 'adduser', 
'cron', 'cron-daemon-common', 'libpopt0:amd64', 'logrotate', 'sensible-utils']

 dpkg: error processing package adduser (--purge):
  this is a protected package; it should not be removed
...

As mentioned, there seem to be several packages in this state. ufw has shipped
a logrotate file for years and this isn't new to ufw 0.36.2-1.

[ Reason ]
ufw did not cause adduser to be unremovable, and adduser being unremovable
should not affect ufw's migration.

[ Impact ]
Bug fixes and translations will not be available in bookworm (I am upstream ufw
and I cut 0.36.2 specifically for bookworm users).

[ Tests ]
Build tests (unit and functional) and autopkgtests pass.

[ Risks ]
Leaf package.

[ Checklist ]
 [x] all changes are documented in the d/changelog
 [x] I reviewed all changes and I approve them
 [x] attach debdiff against the package in testing


unblock ufw/0.36.2-1


--- End Message ---
--- Begin Message ---

Hi,

On 19-05-2023 07:29, Jamie Strandboge wrote:

unblock ufw/0.36.2-1


elbrus@respighi:~$ rmadison ufw -s unstable,testing
ufw| 0.36.2-1  | testing| source, all
ufw| 0.36.2-1  | unstable   | source, all

Paul


--- End Message ---


Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Salvatore Bonaccorso
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: jquer...@packages.debian.org
> Control: affects -1 + src:jqueryui
> 
> [ Reason ]
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
> 
> [ Impact ]
> Low security issue
> 
> [ Tests ]
> Sadly tests are minimal in this package. Anyway passed
> 
> [ Risks ]
> Low risk, patch is trivial
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Don't accept label outside of the root element
> 
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog
> index 3a6a587..9b1e9cc 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
> +
> +  * Team upload
> +  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
> CVE-2022-31160)
> +
> + -- Yadd   Wed, 31 May 2023 15:08:55 +0400
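Review bot: `Closes:` is only recognised for bug numbers, so `(Closes: CVE-2022-31160)` in the new changelog entry closes nothing; name the CVE in the entry text and close the actual bug report (#1015982, as suggested below) so the BTS state follows the upload.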

Minor thing, you could as well close #1015982 with the upload.

Regards,
Salvatore



Processed: Re: Bug#1036957: unblock: openssl/3.0.8-1

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 d-i
Bug #1036957 [release.debian.org] unblock: openssl/3.0.9-1
Added tag(s) d-i.

-- 
1036957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036957: unblock: openssl/3.0.8-1

2023-05-31 Thread Paul Gevers

Control: tags -1 d-i

Hi kibi,

Can you have a look at this unblock request? It's blocked on your 
block-udeb.


Paul

On 30-05-2023 22:52, Sebastian Andrzej Siewior wrote:

control: retitle -1 unblock: openssl/3.0.9-1

On 2023-05-30 22:16:53 [+0200], To sub...@bugs.debian.org wrote:


Please unblock package openssl.

The 3.0.9 release contains security and non-security related fixes for
the package. There are five new CVEs in total that have been addressed.
One with "moderate" severity. From the package's changelog:

 - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
   Constraints) (Closes: #1034720).
 - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
   silently ignored).
 - CVE-2023-0466 (Certificate policy check not enabled).
 - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
 - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
 - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 
bit ARM).

The package built on all release architectures (it is still building on
mipsel at the time of writing but I expect it to pass).
The openssl testsuite runs on all architectures during the build process.
Please find attached the debdiff vs the version in testing.

unblock openssl/3.0.9-1


Sebastian





Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Christian Kastner
On 2023-05-31 19:28, Adam D. Barratt wrote:
> In the versions in testing, both packages only built for amd64. In
> unstable, they have also built for arm64. Migrating the arm64 hipsparse
> binaries from unstable therefore requires migrating a version of
> rocsparse with arm64 binaries.

Oh, that's a good catch, never thought of that, mainly because in
practice, we only look at amd64. This is a rather new ecosystem and
we're still ironing out the kinks.

A successful build on arm64 is a bit annoying, as we don't expect many
users there -- I'd be surprised if one manages to even get the required
mainboard.

I'm willing to do what it takes to get this fixed in testing, but I'm
not sure which solution, if any, is agreeable to the RT:
  (1) Request an unblock for the rocsparse/5.3.0+dfsg-3 as-is
  (2) Re-upload hipsparse with a reduced arch: amd64
  (3) Prepare new (minimal debdiff) upload for rocsparse, file unblock
  request
  (4) Remove the arm64 binaries (is that even possible?)
  (5) Fix this in the first point release
  (6) Alternatives?

Please let me know what, if any, option you'd prefer.

I'm aware that we are shortly before the release and that this might
limit the available options.

Best,
Christian



Bug#1036914: [Debian-on-mobile-maintainers] Bug#1036914: unblock: librem5-flash-image/0.0.3-1

2023-05-31 Thread Evangelos Ribeiro Tzaras


On Mon, 2023-05-29 at 13:15 +0200, Guido Günther wrote:
> [ Other info ]
> I apologize for being late here, I simply missed that the version
> is outdated. I could have backported the patch but just using the
> upstream version (which didn't bring any other features) seemed more
> reasonable here.
> 
> unblock librem5-flash-image/0.0.3-1

I just wanted to add that the wiki on flashing Debian onto an L5 [0]
refers to this package (and suggests using a newer version),
so it would be very nice if the unblock request could be granted :)

Thanks!

[0] https://wiki.debian.org/InstallingDebianOn/Purism/Librem5Phone



Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Adam D. Barratt
On Wed, 2023-05-31 at 19:09 +0200, Christian Kastner wrote:
> I can't see why rocsparse 5.3.0+dfsg-3 would
> block
> hipsparse? The Depends and Build-Depends aren't versioned.

In the versions in testing, both packages only built for amd64. In
unstable, they have also built for arm64. Migrating the arm64 hipsparse
binaries from unstable therefore requires migrating a version of
rocsparse with arm64 binaries.

Regards,

Adam



Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Christian Kastner
Hi Graham,

On 2023-05-31 08:58, Graham Inggs wrote:
> Hi Christian
> 
> On Sun, 28 May 2023 at 18:48, Christian Kastner  wrote:
>> unblock hipsparse/5.3.3+dfsg-2
> 
> The debdiff looks good to me, however the migration of
> hipsparse/5.3.3+dfsg-2 appears to be blocked by rocsparse/5.3.0+dfsg-3
> [1].
>
> Migrates after: rocsparse

I didn't notice this because I didn't expect this, and to be honest I'm
still a bit confused: I can't see why rocsparse 5.3.0+dfsg-3 would block
hipsparse? The Depends and Build-Depends aren't versioned.

> Migration status for hipsparse (5.3.3+dfsg-1 to 5.3.3+dfsg-2):
> BLOCKED: Needs an approval (either due to a freeze, the source suite
> or a manual hint)
> Issues preventing migration:
> ∙ ∙ Not touching package due to block request by freeze (Follow the
> freeze policy when applying for an unblock)
> ∙ ∙ Too young, only 2 of 5 days old
> ∙ ∙ Build-Depends(-Arch): hipsparse rocsparse
> ∙ ∙ Depends: hipsparse rocsparse
> 
> I don't see an unblock request for rocsparse/5.3.0+dfsg-3, would you
> file one please?

I'd be happy to, but the debdiff for rocsparse/5.3.0+dfsg-3 to -2 would
be a bit larger than for hipsparse; this is the changelog:

>   * Update patch DEP-3 metadata fields.
>   * d/rules: use DWARF 4 debug symbols
>   * d/rules: enable hardening flags
>   * d/rules: enable gfx1010 and gfx1011
>   * Add d/p/0003-fix-oob-access-in-rocsparse-test.patch
>     to fix out-of-bound accesses in test suite.
>   * Reduce arch to amd64, arm64, ppc64el

There's nothing dramatic in there, and the changes have been in unstable
for almost 3 months now, so we would be fine with letting that migrate
if that's the call.

I'd also be happy to prepare an upload with some of the changes reduced,
but I'm not sure how that would work on your end, schedule-wise.

Anyway, perhaps there is a simpler resolution to this, namely the
rocsparse block just being a false positive.

Best,
Christian



Bug#1036989: unblock: needrestart/3.6-4

2023-05-31 Thread Patrick Matthäi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: tho...@fiasko-nw.net

Please unblock package needrestart

[ Reason ]
In the past I used the wrong version number to remove a leftover config
file.
This update should also close two noisy bugs (ignore serial-getty) and,
especially, make the VM & microcode detection work again (it was broken
by a small typo).

[ Impact ]
Some smaller but noisy bugs.

[ Tests ]
Automated: debian/tests/sanity-test.sh
I also manually tested the update.

[ Risks ]
Small diffs, I do not see a risk here.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock needrestart/3.6-4
diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog
--- needrestart-3.6/debian/changelog2023-01-12 11:08:33.0 +0100
+++ needrestart-3.6/debian/changelog2023-05-31 16:47:03.0 +0200
@@ -1,3 +1,15 @@
+needrestart (3.6-4) unstable; urgency=medium
+
+  * Remove leftover conffile 30-pacman with 3.6-4.
+Closes: #1036526
+  * Add patch 03-ignore-serial-getty from Helmut Grohne to ignore serial-getty.
+Closes: #1035721
+  * Add upstream patch 04-vm-detection to fix a typo, which prevents the VM and
+microcode detection.
+Closes: #1026026
+
+ -- Patrick Matthäi   Wed, 31 May 2023 16:47:03 +0200
+
 needrestart (3.6-3) unstable; urgency=medium
 
   * Adjust debian/watch to work again with GitHub.
diff -Nru needrestart-3.6/debian/needrestart.postinst 
needrestart-3.6/debian/needrestart.postinst
--- needrestart-3.6/debian/needrestart.postinst 2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.postinst 2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
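Review bot: dpkg-maintscript-helper(1) recommends giving `rm_conffile` the prior-version with a trailing tilde, i.e. `3.6-4~` rather than `3.6-4`, so that the version being prepared and any locally rebuilt variant of it are both covered by the comparison; the same line is repeated verbatim in the postrm and preinst hunks below, so moving it into a single `debian/needrestart.maintscript` (handled by dh_installdeb) would keep the version string in one place and prevent the three copies from drifting again.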
diff -Nru needrestart-3.6/debian/needrestart.postrm 
needrestart-3.6/debian/needrestart.postrm
--- needrestart-3.6/debian/needrestart.postrm   2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.postrm   2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
diff -Nru needrestart-3.6/debian/needrestart.preinst 
needrestart-3.6/debian/needrestart.preinst
--- needrestart-3.6/debian/needrestart.preinst  2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.preinst  2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
diff -Nru needrestart-3.6/debian/patches/03-ignore-serial-getty.diff 
needrestart-3.6/debian/patches/03-ignore-serial-getty.diff
--- needrestart-3.6/debian/patches/03-ignore-serial-getty.diff  1970-01-01 
01:00:00.0 +0100
+++ needrestart-3.6/debian/patches/03-ignore-serial-getty.diff  2023-05-31 
16:47:03.0 +0200
@@ -0,0 +1,13 @@
+Subject: do not restart serial-getty@*.service
+Author: Helmut Grohne 
+
+--- a/ex/needrestart.conf
 b/ex/needrestart.conf
+@@ -98,6 +98,7 @@ $nrconf{override_rc} = {
+ 
+ # gettys
+ qr(^getty@.+\.service) => 0,
++qr(^serial-getty@.+\.service) => 0,
+ 
+ # systemd --user
+ qr(^user@\d+\.service) => 0,
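Review bot: the DEP-3 header carries only Subject and Author; add Bug-Debian: https://bugs.debian.org/1035721 and a Forwarded or Origin line so the patch's upstream status is tracked, as the git header of 04-vm-detection is. The pattern itself is consistent with the getty@ entry directly above it (anchored, escaped dot), so serial-getty@ttyS0.service and similar instances are skipped rather than restarted, which is the intent since restarting a getty kills whatever session is on that line.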
diff -Nru needrestart-3.6/debian/patches/04-vm-detection.diff 
needrestart-3.6/debian/patches/04-vm-detection.diff
--- needrestart-3.6/debian/patches/04-vm-detection.diff 1970-01-01 
01:00:00.0 +0100
+++ needrestart-3.6/debian/patches/04-vm-detection.diff 2023-05-31 
16:47:03.0 +0200
@@ -0,0 +1,22 @@
+From 27bf4678bb92f68dfadd04ab04e96cba6ea2c376 Mon Sep 17 00:00:00 2001
+From: zxyrepf <53189615+zxyr...@users.noreply.github.com>
+Date: Sun, 24 Jul 2022 08:30:19 +
+Subject: [PATCH] Fix VM detection regression introduced in f54d85c
+
+---
+ needrestart | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/needrestart b/needrestart
+index 64509ba..bcec62b 100755
+--- a/needrestart
 b/needrestart
+@@ -51,7 +51,7 @@ my $is_tty = (-t *STDERR || -t *STDOUT || -t *STDIN);
+ my $is_vm;
+ my $is_container;
+ 
+-if($is_systemd && -x q(/usr/bin/systemds-detect-virt)) {
++if($is_systemd && -x q(/usr/bin/systemd-detect-virt)) {
+   # check if we are inside of a vm
+   my $ret = system(qw(/usr/bin/systemd-detect-virt --vm --quiet));
+   unless($? == -1 || $? & 127) {
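Review bot: the broken guard explains the symptom: `-x q(/usr/bin/systemds-detect-virt)` could never be true, so the VM branch was skipped silently, while the `system(qw(/usr/bin/systemd-detect-virt --vm --quiet))` call two lines below already used the correct path; only the test was wrong. Two small points: the upstream commit header has no Bug-Debian: #1026026 line, and the debian/patches/series hunk at the end of this debdiff is cut off in the mail, so that 03 and 04 are actually listed in series cannot be confirmed from here.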
diff -Nru needrestart-3.6/debian/patches/series 
needrestart-3.6/debian/patches/series
--- needrestart-3.6/debian/patches/series   2023-01-12 11:08:33.0 
+0100
+++ 

Bug#1036984: unblock: packagekit/1.2.6-5

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package packagekit.

[ Reason ]
Three things fixed:
* A tiny memory leak has been addressed
* The daemon package now recommends the tools package again, this was
changed late in release and apparently caused issues to some people
(see the referenced bug)
* Many parts of the documentation reference the old packagekit.org
domain, which is now taken over by a 3rd-party who is playing ads on
it - so far it's harmless, but we do not know what will happen with
this domain in future, so we should avoid referencing it and rather
point at the right location @ freedesktop.org

[ Impact ]
People could click through to a defunct website with tracking ads when
trying to reach the PackageKit documentation or information about e.g.
missing codecs.

[ Tests ]
The memleak fix has been upstreamed for a while and is harmless, the
changed recommendation restores previous behavior, and the
documentation changes do not have any behavioral change.

[ Risks ]
Very low, as the only functional change is adding a missing free() for
a memory leak fix, every other change is either purely in the
documentation or restores previously tested behavior.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you!

unblock packagekit/1.2.6-5


packagekit_1.2.6-4_to_1.2.6-5.debdiff
Description: Binary data


Bug#1036983: bookworm-pu: package workflow/0.10.5-2

2023-05-31 Thread Lin Qigang

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to upload a new version of workflow (0.10.5-2) which fixes 
two bugs in the package that are currently marking it for autoremoval. I 
have just uploaded version 0.10.6-2 to unstable which fixes these two bugs.


I was told to upload the version 0.10.6-2 to unstable and then file this 
proposed update to bookworm for 0.10.5-2 to keep the package in bookworm.


The attached debdiff will also apply the fix to 0.10.5-1.

Lance

GPG Fingerprint: 4A31 DB5A 1EE4 096C 8739 9880 9036 4929 4C33 F9B7
diff -Nru workflow-0.10.5/debian/changelog workflow-0.10.5/debian/changelog
--- workflow-0.10.5/debian/changelog2023-01-09 20:25:54.0 +0700
+++ workflow-0.10.5/debian/changelog2023-05-31 18:43:27.0 +0700
@@ -1,3 +1,11 @@
+workflow (0.10.5-2) bookworm; urgency=medium
+
+  [Bastian Germann]
+  * d/control: Add missing Depends (Closes: #1035444)
+  * d/libworkflow0.links: Fixed symlink direction (Closes: #1036653)
+
+ -- Lance Lin   Wed, 31 May 2023 18:43:27 +0700
+
 workflow (0.10.5-1) unstable; urgency=medium
 
   * Update to version 0.10.5
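Review bot: the attribution line `[Bastian Germann]` is missing the spaces the d/changelog convention uses, `[ Bastian Germann ]`; dch and tools that parse multi-author entries expect that form.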
diff -Nru workflow-0.10.5/debian/control workflow-0.10.5/debian/control
--- workflow-0.10.5/debian/control  2023-01-09 20:25:54.0 +0700
+++ workflow-0.10.5/debian/control  2023-05-31 18:22:31.0 +0700
@@ -31,7 +31,7 @@
 Multi-Arch: same
 Breaks: libworkflow1 (<< 0.10.1-1)
 Replaces: libworkflow1 (<< 0.10.1-1)
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}, libworkflow0 (= ${binary:Version})
 Description: Parallel computing and asynchronous web server engine
  Workflow can be used as a scalable web server to handle a variety
  of server workflows. It can be used to orchestrate complex
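Review bot: the added `libworkflow0 (= ${binary:Version})` is the strict same-build relation used when a package must come from the same build as its library (typically the -dev package), and the stanza keeps Multi-Arch: same so it stays co-installable. Not visible in this hunk is whether libworkflow0's own stanza declares Multi-Arch: same as well, which the `=` relation needs to resolve across architectures; worth a glance at the rest of d/control.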
diff -Nru workflow-0.10.5/debian/libworkflow0.links 
workflow-0.10.5/debian/libworkflow0.links
--- workflow-0.10.5/debian/libworkflow0.links   2023-01-05 20:36:34.0 
+0700
+++ workflow-0.10.5/debian/libworkflow0.links   2023-05-31 18:23:20.0 
+0700
@@ -1 +1 @@
-usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0 
usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0.10.5
+usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0.10.5 
usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0
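Review bot: the corrected order matches dh_link's `source destination` convention, where the first path is the existing file (the real library libworkflow.so.0.10.5) and the second is the link to create (the SONAME libworkflow.so.0); in the old order dh_link produced libworkflow.so.0.10.5 as a link to a non-existent libworkflow.so.0, which is what #1036653 describes. Because the full upstream version is hard-coded here, this file has to be touched on every new upstream release; having the build system install the SONAME link, or generating the dh_link call from the version in debian/rules, avoids that.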


OpenPGP_0x903649294C33F9B7.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature


Bug#1036982: unblock: debspawn/0.6.2-1

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debspawn.

[ Reason ]
Packaging of the 0.6.2 bugfix release which contains three changes only:
 * Fixes issue where users could not build packages against
NotAutomatic suites like Debian experimental when the
"experimental"-like suite did not contain enough of the required
dependencies (APT's solver was too limited)
 * Python 3.11 support (minimal changes)
 * Fixes a crash when regenerating an image with `update --recreate`
in case the image had a custom name

[ Impact ]
People would not be able to build packages for experimental, using
`update --recreate` for images with custom names would crash.

[ Tests ]
Tested by upstream, used in production at Purism already for a few
weeks, so far no issues have been found.

[ Risks ]
The worst that could happen is that building experimental packages
stays broken, so no regression would happen. Apart from that, this
change is very small and should be fairly safe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you!

unblock debspawn/0.6.2-1


debspawn_0.6.1-1_to_0.6.2-1.debdiff
Description: Binary data


Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicol...@packages.debian.org
Control: affects -1 + src:jquery-minicolors

Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolors is vulnerable to cross-site scripting
(CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index 1e959f0..dcf5b2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix cross-site scripting issue (Closes: CVE-2021-32850)
+
+ -- Yadd   Wed, 31 May 2023 16:44:37 +0400
+
 jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/control b/debian/control
index 3dcf29b..66693e1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian JavaScript Maintainers 

 Uploaders: Yadd 
 Build-Depends: debhelper-compat (= 13), uglifyjs
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/jquery-minicolors
 Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors
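Review bot: the Standards-Version bump from 4.6.0 to 4.6.2 is unrelated to CVE-2021-32850; it is harmless, but during the freeze an unblock request is expected to carry only the targeted change, so either drop it or call it out explicitly in the request.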
diff --git a/debian/patches/CVE-2021-32850.patch 
b/debian/patches/CVE-2021-32850.patch
new file mode 100644
index 000..5e54e6d
--- /dev/null
+++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@
+Description: fix XSS vuln
+Author: Cory LaViska 
+Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824
+Bug: 
https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
+Forwarded: not-needed
+Applied-Upstream: 2.3.6, commit:ef134824
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/jquery.minicolors.js
 b/jquery.minicolors.js
+@@ -226,7 +226,8 @@
+ }
+ swatchString = swatch;
+ swatch = isRgb(swatch) ? parseRgb(swatch, true) : 
hex2rgb(parseHex(swatch, true));
+-$('')
++$('')
++  .attr("title", name)
+   .appendTo(swatches)
+   .data('swatch-color', swatchString)
+   .find('.minicolors-swatch-color')
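Review bot: the two `$('')` lines cannot be reviewed as shown: the markup inside the string literals was stripped when this mail was archived, so the removed line no longer shows how `name` was concatenated into the HTML string. What the visible change does establish is that the title is now set through `.attr("title", name)`, which assigns a DOM attribute instead of letting jQuery parse attacker-controlled text as HTML. Anyone applying this from the mail should take the patch from the Origin commit ef134824 rather than from this debdiff.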
diff --git a/debian/patches/series b/debian/patches/series
index 7ba3ddc..b5c3525 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-local-CSS-and-JavaScript-in-examples.patch
+CVE-2021-32850.patch


Processed: unblock: jquery-minicolors/2.3.5+dfsg-4

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:jquery-minicolors
Bug #1036980 [release.debian.org] unblock: jquery-minicolors/2.3.5+dfsg-4
Added indication that 1036980 affects src:jquery-minicolors

-- 
1036980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036980
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036979: unblock: appstream/0.16.1-2

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package appstream.

[ Reason ]
Backports a few fixes from the 0.16.2 release:
 * Fixes two crashes that can happen when the tool is fed invalid or
unexpected input
 * Correctly validates some valid license expressions (LibreOffice was
affected by this)
 * Fixes an issue where component-IDs weren't reproducibly
synthesized, leading to ratings/reviews not showing up for these apps
 * Adds a fix for a noisy warning with newer GLib versions that is
inert on older releases

[ Impact ]
More crashes and invalid evaluation of valid license terms, if not updated.

[ Tests ]
Tested by upstream and other distros for months already, does not
break API/ABI, we already use these changes on Debian's appstream.d.o
service to avoid crashes with Qt apps.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you for your work on getting the release out!

unblock: appstream/0.16.1-2


appstream_0.16.1-1_to_0.16.1-2.debdiff
Description: Binary data


Bug#1036978: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici is vulnerable to:
 * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection
 * CVE-2023-24807: Regex Denial of Service on headers set/append

[ Impact ]
Medium security issues

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patches are trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just new little checks

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+  * Fix security issues (Closes: #1031418):
+- Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+- Fix potential ReDoS on Headers.set and Headers.append
+  (Closes: CVE-2023-24807)
+  * Increase httpbin.org test timeout
+
+ -- Yadd   Wed, 31 May 2023 15:52:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
 
   * Update standards version to 4.6.2, no changes needed.
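Review bot: "CLRF" in the changelog entry should read "CRLF" (carriage return, line feed); the same typo is in the patch's Description line below.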
diff --git a/debian/patches/CVE-2023-23936.patch 
b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd 
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
 b/lib/core/request.js
+@@ -299,6 +299,9 @@
+ key.length === 4 &&
+ key.toLowerCase() === 'host'
+   ) {
++if (headerCharRegex.exec(val) !== null) {
++  throw new InvalidArgumentError(`invalid ${key} header`)
++}
+ // Consumed by Client
+ request.host = val
+   } else if (
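Review bot: the hunk uses `headerCharRegex` without adding it, so it relies on that regex already being defined in lib/core/request.js of 5.15.0; if it is not, the Host check throws a ReferenceError at request time instead of InvalidArgumentError. Also, only the `key.toLowerCase() === 'host'` branch gets the check here; the other header branches presumably already validate their values, which is why Host was the bypass, but that should be confirmed in the same file when backporting to an older tree.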
+--- /dev/null
 b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
++  t.plan(1)
++
++  const server = createServer(async (req, res) => {
++res.end()
++  })
++  t.teardown(server.close.bind(server))
++
++  server.listen(0, async () => {
++const client = new Client(`http://localhost:${server.address().port}`)
++t.teardown(client.close.bind(client))
++
++const unsanitizedContentTypeInput =  '12 \r\n\r\naaa:aaa'
++
++try {
++  const { body } = await client.request({
++path: '/',
++method: 'POST',
++headers: {
++  'content-type': 'application/json',
++  'host': unsanitizedContentTypeInput
++},
++body: 'asd'
++  })
++  await body.dump()
++} catch (err) {
++  t.same(err.code, 'UND_ERR_INVALID_ARG')
++}
++  })
++})
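Review bot: the test only asserts inside the `catch`, so if the request unexpectedly succeeds it fails through a `t.plan(1)` count mismatch rather than with a readable message; a `t.fail('request with CRLF in host should throw')` after `await body.dump()` would make the intent explicit. The variable name `unsanitizedContentTypeInput` is misleading, since the value is used as the `host` header.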
diff --git a/debian/patches/CVE-2023-24807.patch 
b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott 
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
 b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+   //  To normalize a byte sequence potentialValue, remove
+   //  any leading and trailing HTTP whitespace bytes from
+   //  potentialValue.
+-  return potentialValue.replace(
+-/^[\r\n\t ]+|[\r\n\t ]+$/g,
+-''
+-  )
++
++  // Trimming the end with `.replace()` and a RegExp is typically subject to
++  // ReDoS. This is safer and faster.
++  let i = potentialValue.length
++  while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++  return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+ 
+ function fill (headers, object) {
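Review bot: the removed regex is quadratic on its trailing branch: for an input like `'a' + '\t'.repeat(n) + '\ta'`, the `[\r\n\t ]+$` alternative is retried from every whitespace position and scans to the end before failing, so the cost grows with n squared. The replacement walks backwards once (`charAt(--i)` returns '' at index -1, so a whitespace-only value ends with i === -1 and `slice(0, 0)` gives ''), and the retained `^[\r\n\t ]+` anchor is linear, so the fix is sound. A comment stating the expected empty result for whitespace-only input would make that edge case deliberate rather than incidental.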
+--- a/test/fetch/headers.js
 b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+ 
+   t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++  t.doesNotThrow(() => {
++// This test will time out if the ReDoS attack is successful.
++const headers = new Headers()
++const attack = 'a' + '\t'.repeat(500_000) + '\ta'
++headers.append('fhqwhgads', attack)
++  
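Review bot: the test is cut off in this mail after `headers.append('fhqwhgads', attack)`, so what it asserts cannot be seen here; beyond the 500 000-tab value, a whitespace-only value and a value with only leading whitespace would exercise the new backwards loop's i === -1 path and the retained leading-trim regex. `500_000` needs Node >= 12.5 for numeric separators, which is fine for bookworm's Node.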

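The Host-header CRLF problem that the CVE-2023-23936 patch above closes, shown end to end as an added example. This is not undici code: it serialises a request head the way a naive client does, parses it back the way a server would, and then applies the same character-class check the patch adds. The regex is reproduced from memory of undici's lib/core/request.js (treat that as an assumption), the function names are mine, and the injected Host value is constructed for the demonstration.

```javascript
'use strict'
// Added example (not undici code): a Host value containing CR/LF lets an
// attacker terminate the request head and smuggle extra headers or even a
// second request. The fix is to reject such values before serialisation.

// Character class for header values, reproduced from undici's
// lib/core/request.js (assumption: same definition in 5.15.0): anything
// outside TAB, printable ASCII and 0x80-0xff is invalid, which covers CR and LF.
const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/

// Naive client-side serialiser: header values go straight into the wire format.
function buildRequestHead (method, path, headers) {
  let head = `${method} ${path} HTTP/1.1\r\n`
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}\r\n`
  }
  return head + '\r\n'
}

// Hardened serialiser: validate every value the way the patch validates Host.
function buildRequestHeadSafe (method, path, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (headerCharRegex.test(String(value))) {
      throw new Error(`invalid ${name} header`)
    }
  }
  return buildRequestHead(method, path, headers)
}

// Minimal server-side view: split on the blank line, then parse the first
// head. Returns the headers it saw and how many request heads arrived.
function parseHeads (raw) {
  const blocks = raw.split('\r\n\r\n').filter(Boolean)
  const lines = blocks[0].split('\r\n')
  const headers = {}
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':')
    if (idx > 0) headers[line.slice(0, idx).toLowerCase()] = line.slice(idx + 1).trim()
  }
  return { requestLine: lines[0], headers, headCount: blocks.length }
}

// Constructed attacker-controlled Host value: it ends the current head and
// starts a second request (same shape as the value in the patch's test).
const injectedHost = 'example.com\r\nx-injected: 1\r\n\r\nGET /admin HTTP/1.1\r\nhost: example.com'

// What a server sees when the naive client is used: two request heads and an
// x-injected header that the caller never set.
function naiveResult () {
  return parseHeads(buildRequestHead('POST', '/', { host: injectedHost, 'content-type': 'application/json' }))
}

// What happens with the validating client: the request is never serialised.
function hardenedResult () {
  try {
    buildRequestHeadSafe('POST', '/', { host: injectedHost })
    return 'sent'
  } catch (err) {
    return err.message
  }
}
```

The character class rejects the CR and LF that make the split possible; it does not try to "clean" the value, because stripping only `\r\n` would still leave a bare `\n` that lenient servers accept as a line terminator.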
Processed: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-undici
Bug #1036978 [release.debian.org] bookworm-pu: package 
node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
Added indication that 1036978 affects src:node-undici

-- 
1036978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 1032994 to bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1 ...

2023-05-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 1032994 bookworm-pu: package 
> node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1
Bug #1032994 [release.debian.org] unblock: 
node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Changed Bug title to 'bookworm-pu: package 
node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1' from 'unblock: 
node-webpack/5.76.1+dfsg1+~cs17.16.16-1'.
> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was y...@debian.org).
> usertags 1032994 pu
Usertags were: unblock.
Usertags are now: unblock pu.
> tags 1032994 + bookworm
Bug #1032994 [release.debian.org] bookworm-pu: package 
node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1
Added tag(s) bookworm.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1032994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:jqueryui
Bug #1036977 [release.debian.org] bullseye-pu: package 
jqueryui/1.12.1+dfsg-8+deb11u2
Added indication that 1036977 affects src:jqueryui

-- 
1036977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036977
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly tests are minimal in this package. Anyway passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
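Review bot: the changelog line says "Don't re-evaluate text labels as HTML", while the [ Changes ] summary in the request above says "Don't accept label outside of the root element"; those describe different fixes, and only the first matches the patch Description below, so the request text should be aligned with the changelog.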
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
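Review bot: this fixture hunk cannot be reviewed from the mail: the element markup was stripped, leaving only the label text (the `emHi, I'm a label/em` line is what is left of the escaped-entity case), so the three fixtures the tests reference as label-with-no-for-with-html, -with-text and -with-html-like-text are not verifiable here; take the fixture from upstream commit 8cc5bae1 rather than from this debdiff.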
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
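Review bot: the third case, label-with-no-for-with-html-like-text, is the one that covers CVE-2022-31160: text that merely looks like markup must survive widget initialisation as text and not be upgraded to an element. The `tests` array here is duplicated verbatim in methods.js below; a shared fixture would keep the two in step when a case is added.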
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++  inputElem.checkboxradio( "refresh" );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
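Review bot: the debdiff as shown ends at a truncated `+--- ` file header, so the change to the checkboxradio widget source that these tests exercise is not visible in this mail; from here the tests can be checked against upstream commit 8cc5bae1 only in intent, not the fix itself.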
+--- 

Bug#1036976: bullseye-pu: package grunt/1.3.0-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gr...@packages.debian.org
Control: affects -1 + src:grunt

[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both source and destination directories as the
lower-privileged user can create a symlink to the GruntJS user's .bashrc
file or replace /etc/shadow file if the GruntJS user is root.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Refuse to copy a file if destination is a symlink

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 23c3145..dcebea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd   Wed, 31 May 2023 14:59:30 +0400
+
 grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-1537.patch 
b/debian/patches/CVE-2022-1537.patch
new file mode 100644
index 000..19c750b
--- /dev/null
+++ b/debian/patches/CVE-2022-1537.patch
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov 
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
 b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+   }
+   // Abort copy if the process function returns false.
+-  if (contents === false) {
+-grunt.verbose.writeln('Write aborted.');
++  if (contents === false || file.isLink(destpath)) {
++grunt.verbose.writeln('Write aborted. Either the process function 
returned false or the destination is a symlink');
+   } else {
+ file.write(destpath, contents, readWriteOptions);
+   }
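Review bot: `file.isLink(destpath)` followed by `file.write(destpath, ...)` is still check-then-use; a symlink planted between the two calls is followed by the write, so the window is narrowed, not closed. Opening the destination with O_NOFOLLOW (or O_EXCL where the file must not pre-exist) lets the kernel refuse the symlink atomically. Two smaller points: the abort is only logged at verbose level, so callers cannot tell the copy did not happen, and the merged message no longer says which of the two conditions fired.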
+--- a/test/grunt/file_test.js
 b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+   test.ok(fs.lstatSync(path.join(destdir.path, 
path.basename(fixtures))).isSymbolicLink());
+   test.done();
+ },
+-  }
++  },
++  'symbolicLinkDestError': function(test) {
++test.expect(1);
++var tmpfile = new Tempdir();
++fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'), 'file');
++grunt.file.copy(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'));
++test.ok(fs.lstatSync(path.join(tmpfile.path, 
'octocat.png')).isSymbolicLink());
++test.done();
++  },
+ };
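Review bot: the assertion in symbolicLinkDestError does not detect the vulnerable behaviour: writing through a symlink leaves the link in place, so `fs.lstatSync(...).isSymbolicLink()` is true whether or not the copy followed it, and the test passes without the fix. Point the link at a temp target file instead of the fixture and assert that the target's contents (or mtime) are unchanged after `grunt.file.copy`.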
diff --git a/debian/patches/series b/debian/patches/series
index 24fd9f9..6231471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
 CVE-2022-0436.patch
+CVE-2022-1537.patch


Processed: bullseye-pu: package grunt/1.3.0-1+deb11u2

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:grunt
Bug #1036976 [release.debian.org] bullseye-pu: package grunt/1.3.0-1+deb11u2
Added indication that 1036976 affects src:grunt

-- 
1036976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-url-pa...@packages.debian.org
Control: affects -1 + src:node-url-parse

[ Reason ]
node-url-parse is vulnerable to authorization bypass through
user-controlled key prior to version 1.5.6

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, the non-test part of the patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Update URL split to fix user and password values if any

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 842b4ff..c261d0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-url-parse (1.5.3-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Correctly handle userinfo containing the at sign (Closes: CVE-2022-0512)
+
+ -- Yadd   Wed, 31 May 2023 14:43:23 +0400
+
 node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0512.patch 
b/debian/patches/CVE-2022-0512.patch
new file mode 100644
index 000..9b3caed
--- /dev/null
+++ b/debian/patches/CVE-2022-0512.patch
@@ -0,0 +1,135 @@
+Description: Correctly handle userinfo containing the at sign
+Author: Luigi Pinca 
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/9be7ee88
+Bug: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
+Forwarded: not-needed
+Applied-Upstream: 1.5.6, commit:9be7ee88
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/index.js
 b/index.js
+@@ -306,7 +306,11 @@
+ if (parse !== parse) {
+   url[key] = address;
+ } else if ('string' === typeof parse) {
+-  if (~(index = address.indexOf(parse))) {
++  index = parse === '@'
++? address.lastIndexOf(parse)
++: address.indexOf(parse);
++
++  if (~index) {
+ if ('number' === typeof instruction[2]) {
+   url[key] = address.slice(0, index);
+   address = address.slice(index + instruction[2]);
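Review bot: `lastIndexOf('@')` is only correct if the path, query and fragment have already been split off by the time the '@' instruction runs; otherwise an '@' in the path would be taken as the userinfo delimiter and everything before it, including the real host, would land in auth. The rules table is not in this hunk, so confirm its ordering in the 1.5.3 index.js before applying.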
+@@ -373,9 +377,19 @@
+   //
+   url.username = url.password = '';
+   if (url.auth) {
+-instruction = url.auth.split(':');
+-url.username = instruction[0] || '';
+-url.password = instruction[1] || '';
++index = url.auth.indexOf(':');
++
++if (~index) {
++  url.username = url.auth.slice(0, index);
++  url.username = encodeURIComponent(decodeURIComponent(url.username));
++
++  url.password = url.auth.slice(index + 1);
++  url.password = encodeURIComponent(decodeURIComponent(url.password))
++} else {
++  url.username = encodeURIComponent(decodeURIComponent(url.auth));
++}
++
++url.auth = url.password ? url.username +':'+ url.password : url.username;
+   }
+ 
+   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host
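Review bot: `encodeURIComponent(decodeURIComponent(...))` throws URIError on a malformed escape such as `user%` or `%C3`, and nothing in this hunk catches it, so a crafted URL now throws out of parse() where 1.5.3 returned a result; wrap the round-trip and fall back to the raw (or plainly encodeURIComponent'ed) value. Minor: the `url.password = encodeURIComponent(decodeURIComponent(url.password))` line is missing its semicolon, unlike the rest of the file.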
+--- a/test/test.js
 b/test/test.js
+@@ -712,6 +712,54 @@
+ });
+   });
+ 
++  it('handles @ in username', function () {
++  var url = 'http://user@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++
++  url = 'http://user...@www.example.com/';
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++});
++
++it('handles @ in password', function () {
++  var url = 'http://user@:pas:s@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  
assume(parsed.href).equals('http://user%40:pas%3as...@www.example.com/');
++
++  url = 'http://user%40:pas%3as...@www.example.com/'
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com');
++  
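Review bot: the test file in this mail is mangled by the list archive's address obfuscation: `user%40@www.example.com` appears as `user...@www.example.com` in several `href` expectations and in the second input URL, so the hunk as shown will not match upstream commit 9be7ee88; apply the test from the Origin URL, not from this debdiff.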

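An added example, not url-parse code, of the userinfo handling the CVE-2022-0512 patch above moves to: the last '@' in the authority separates userinfo from host, the first ':' inside the userinfo separates user from password, and both halves are normalised with a decode/encode round-trip that here also survives malformed percent-escapes. The function names, the simplified host/port split, the URIError fallback and the constructed `admin@trusted.example@evil.example` input are my assumptions; assuming that path, query and fragment were already removed matches the state url-parse is in when its '@' rule runs.

```javascript
'use strict'
// Added example (not url-parse code): splitting the authority part of a URL
// into userinfo and host when the userinfo itself contains '@' or ':'.
// Assumes the scheme, path, query and fragment were already stripped, which
// is the state url-parse is in when its '@' rule runs.

// Normalise a userinfo component: decode then re-encode so that "@" and "%40"
// come out identical. A malformed escape (e.g. "us%er", or "%C3" which is not
// valid UTF-8) makes decodeURIComponent throw URIError; here the value is then
// encoded as-is (the stray '%' becomes '%25') instead of crashing the parser.
function encodeComponentSafe (value) {
  try {
    return encodeURIComponent(decodeURIComponent(value))
  } catch (err) {
    if (!(err instanceof URIError)) throw err
    return encodeURIComponent(value)
  }
}

// Pre-fix behaviour for comparison: the first '@' is taken as the delimiter,
// so anything after a second '@' is silently folded into the host string.
function hostByFirstAt (authority) {
  const at = authority.indexOf('@')
  return at === -1 ? authority : authority.slice(at + 1)
}

// Fixed behaviour: the last '@' delimits userinfo, the first ':' inside the
// userinfo delimits user from password (a password may itself contain ':').
function splitAuthority (authority) {
  const at = authority.lastIndexOf('@')
  const auth = at === -1 ? '' : authority.slice(0, at)
  const hostport = at === -1 ? authority : authority.slice(at + 1)

  let username = ''
  let password = ''
  if (auth) {
    const colon = auth.indexOf(':')
    if (colon === -1) {
      username = encodeComponentSafe(auth)
    } else {
      username = encodeComponentSafe(auth.slice(0, colon))
      password = encodeComponentSafe(auth.slice(colon + 1))
    }
  }

  // Simplified host/port split (assumption): a bracketed IPv6 literal or a
  // colon-free host, optionally followed by ':' and digits.
  let host = hostport
  let port = ''
  const m = /^(\[[^\]]*\]|[^:]*)(?::(\d*))?$/.exec(hostport)
  if (m) {
    host = m[1]
    port = m[2] || ''
  }

  return {
    username,
    password,
    auth: password ? `${username}:${password}` : username,
    host: host.toLowerCase(),
    port
  }
}

// Constructed input of the kind an allow-list check on the host mishandles
// under the pre-fix split: the "trusted" name is really part of the userinfo.
const LOOKALIKE = 'admin@trusted.example@evil.example'

function isTrustedHostNaive (authority) {
  return hostByFirstAt(authority).startsWith('trusted.example')
}

function isTrustedHostFixed (authority) {
  return splitAuthority(authority).host === 'trusted.example'
}
```

The two upstream test inputs from the patch (`user@:pas:s@@www.example.com` and its already-encoded form) both come out as `user%40:pas%3As%40` against host `www.example.com`, and the malformed `us%er` userinfo is returned as `us%25er` instead of raising.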
Processed: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-url-parse
Bug #1036975 [release.debian.org] bullseye-pu: package 
node-url-parse/1.5.3-1+deb11u2
Added indication that 1036975 affects src:node-url-parse

-- 
1036975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: unblock: syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2

2023-05-31 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:syncthing-gtk
Bug #1036969 [release.debian.org] unblock: 
syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2
Added indication that 1036969 affects src:syncthing-gtk

-- 
1036969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036969: unblock: syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2

2023-05-31 Thread Andrej Shadura
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: syncthing-...@packages.debian.org
Control: affects -1 + src:syncthing-gtk

Please unblock package syncthing-gtk

Syncthing-GTK has been hardcoding a non-PEP-440-compliant version for
quite some time. Since it’s not used by other packages normally, it
didn’t impact anything directly, but OTOH any package that enumerated
installed Python packages would crash if it (rightfully) didn’t handle
the possibility of an incorrect version.

Since the mere fact of Syncthing-GTK being installed breaks other
packages, we need to have it fixed for Bookworm.

Other than fixing that, this change should have no other impact on the
release.

See more details in: https://bugs.debian.org/1036947

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2


Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Graham Inggs
Hi Christian

On Sun, 28 May 2023 at 18:48, Christian Kastner  wrote:
> unblock hipsparse/5.3.3+dfsg-2

The debdiff looks good to me, however the migration of
hipsparse/5.3.3+dfsg-2 appears to be blocked by rocsparse/5.3.0+dfsg-3
[1].

Migrates after: rocsparse
Migration status for hipsparse (5.3.3+dfsg-1 to 5.3.3+dfsg-2):
BLOCKED: Needs an approval (either due to a freeze, the source suite
or a manual hint)
Issues preventing migration:
∙ ∙ Not touching package due to block request by freeze (Follow the
freeze policy when applying for an unblock)
∙ ∙ Too young, only 2 of 5 days old
∙ ∙ Build-Depends(-Arch): hipsparse rocsparse
∙ ∙ Depends: hipsparse rocsparse

I don't see an unblock request for rocsparse/5.3.0+dfsg-3, would you
file one please?

Regards
Graham


[1] https://tracker.debian.org/pkg/hipsparse



Bug#1036759: marked as done (unblock: heat-cfntools/1.4.2-3)

2023-05-31 Thread Debian Bug Tracking System
Your message dated Wed, 31 May 2023 08:44:33 +0200
with message-id 

and subject line Re: Bug#1036759: unblock: heat-cfntools/1.4.2-3
has caused the Debian Bug report #1036759,
regarding unblock: heat-cfntools/1.4.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036759
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: heat-cfnto...@packages.debian.org
Control: affects -1 + src:heat-cfntools

Please unblock package heat-cfntools

[ Reason ]
The fix packages the missing code of heat-cfntools.

[ Impact ]
Package is otherwise not useable (import fails when
launching the command line).

[ Risks ]
No risk, this just adds the missing files.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock heat-cfntools/1.4.2-3
diff --git a/debian/changelog b/debian/changelog
index 624b1c9..cb37a99 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+heat-cfntools (1.4.2-3) unstable; urgency=medium
+
+  * Also package heat-cfntools python module (Closes: #1035994).
+
+ -- Thomas Goirand   Mon, 22 May 2023 15:40:56 +0200
+
 heat-cfntools (1.4.2-2.1) unstable; urgency=medium
 
   * Non maintainer upload by the Reproducible Builds team.
diff --git a/debian/heat-cfntools.install b/debian/heat-cfntools.install
index 75f3882..02bc81e 100644
--- a/debian/heat-cfntools.install
+++ b/debian/heat-cfntools.install
@@ -1 +1,2 @@
 bin/* /usr/bin/
+/usr
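Review bot: `/usr` as a catch-all install pattern will ship everything that ends up under debian/tmp/usr, so if the Python install also places console scripts under debian/tmp/usr/bin they would overlap with the existing `bin/* /usr/bin/` line; a narrower pattern such as `/usr/lib/python3*` would state the intent from the changelog (shipping the missing Python module) explicitly and avoid that double-install risk.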
diff --git a/debian/rules b/debian/rules
index f5a5585..a90397c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,7 +6,7 @@ include /usr/share/openstack-pkg-tools/pkgos.make
dh $@ --with python3
 
 override_dh_auto_install:
-   pkgos-dh_auto_install --no-py2
+   pkgos-dh_auto_install --no-py2 --in-tmp
 
 override_dh_auto_build:
echo "Do nothing..."
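Review bot: the switch to `pkgos-dh_auto_install --no-py2 --in-tmp` presumably installs into debian/tmp, which is where the new `/usr` entry in debian/heat-cfntools.install expects to find the module, but the changelog entry only mentions packaging the module; for an unblock debdiff it is worth naming the debian/rules change explicitly so a reviewer can tie the two hunks together.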
--- End Message ---
--- Begin Message ---
On Tue, 30 May 2023 at 10:33, Thomas Goirand  wrote:
> Sorry. Indeed, forgot to upload, and just did it a few minutes ago.

Unblocked, thanks.
--- End Message ---


Processed: tagging 1032994

2023-05-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1032994 - moreinfo
Bug #1032994 [release.debian.org] unblock: 
node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1032994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems