Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4
Attached is a revised debdiff between -2 and -2+deb12u1. --Joe diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.0 -0400 +++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.0 -0400 @@ -1,3 +1,24 @@ +kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high + + * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm. + * backport fix for CVE-2023-32685 from kanboard v1.2.29 + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Based on upstream commits 26b6eeb & c9c1872. +(cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28) +(Closes: #1036874) + * backport security fixes from kanboard v1.2.30. + > CVE-2023-33956: Parameter based Indirect Object Referencing leading + to private file exposure + > CVE-2023-33968: Missing access control allows user to move and + duplicate tasks to any project in the software + > CVE-2023-33969: Stored XSS in the Task External Link Functionality + > CVE-2023-33970: Missing access control in internal task links feature +(cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa) +(Closes: #1037167) + * point gbp & salsa at bookworm + + -- Joseph Nahmias Thu, 15 Jun 2023 23:02:33 -0400 + kanboard (1.2.26+ds-2) unstable; urgency=medium * properly test for lighty-enable-mod. diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf --- kanboard-1.2.26+ds/debian/gbp.conf 2023-05-09 06:27:15.0 -0400 +++ kanboard-1.2.26+ds/debian/gbp.conf 2023-06-15 23:02:33.0 -0400 @@ -1,3 +1,3 @@ [DEFAULT] -debian-branch = debian/latest +debian-branch = debian/bookworm pristine-tar = True diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.0 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-06-15 23:00:52.0 -0400 
@@ -0,0 +1,111 @@ +Description: fix for CVE-2023-32685 + Clipboard based cross-site scripting (blocked with default CSP) + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Author: Frédéric Guillot +Origin: upstream +Last-Update: 2023-05-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +index a8acd64..1130bd2 100644 +--- a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +@@ -1,5 +1,4 @@ + KB.component('screenshot', function (containerElement) { +-var pasteCatcher = null; + var inputElement = null; + + function onFileLoaded(e) { +@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) { + } + + function onPaste(e) { +-// Firefox doesn't have the property e.clipboardData.items (only Chrome) + if (e.clipboardData && e.clipboardData.items) { + var items = e.clipboardData.items; + +@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) { + } + } + } +-} else { +- +-// Handle Firefox +-setTimeout(checkInput, 100); + } + } + + function initialize() { +-destroy(); +- +-if (! 
window.Clipboard) { +-// Insert the content editable at the top to avoid scrolling down in the board view +-pasteCatcher = document.createElement('div'); +-pasteCatcher.id = 'screenshot-pastezone'; +-pasteCatcher.contentEditable = true; +-pasteCatcher.style.opacity = 0; +-pasteCatcher.style.position = 'fixed'; +-pasteCatcher.style.top = 0; +-pasteCatcher.style.right = 0; +-pasteCatcher.style.width = 0; +-document.body.insertBefore(pasteCatcher, document.body.firstChild); +- +-pasteCatcher.focus(); +- +-// Set the focus when clicked anywhere in the document +-document.addEventListener('click', setFocus); +- +-// Set the focus when clicked in screenshot dropzone +- document.getElementById('screenshot-zone').addEventListener('click', setFocus); +-} +- + window.addEventListener('paste', onPaste, false); + } + +-function destroy() { +-if (KB.exists('#screenshot-pastezone')) { +-KB.find('#screenshot-pastezone').remove(); +-} +- +-document.removeEventListener('click', setFocus); +-pasteCatcher = null; +-} +- +-function setFocus() { +-if (pasteCatcher !== null) { +-pasteCatcher.focus(); +-} +-} +- +-function checkInput() { +-var child = pasteCatcher.childNodes[0]; +- +-if (child) { +-
Processed: Re: Bug#1038122: cp: cannot stat '/tmp/odbcinst.ini.bak'
Processing control commands: > severity -1 serious Bug #1038122 [unixodbc-common] cp: cannot stat '/tmp/odbcinst.ini.bak' Severity set to 'serious' from 'important' > block 1038041 by -1 Bug #1038041 [release.debian.org] bookworm-pu: package unixodbc/2.3.11-2+deb12u1 1038041 was not blocked by any bugs. 1038041 was not blocking any bugs. Added blocking bug(s) of 1038041: 1038122 -- 1038041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038041 1038122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038122 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 1037286
Processing commands for cont...@bugs.debian.org: > tags 1037286 + confirmed Bug #1037286 [release.debian.org] transition: libcamera 0.0.5 Added tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1037286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037286 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1028602: transition: gnustep-base, gnustep-gui
Processing control commands: > tags -1 = confirmed Bug #1028602 [release.debian.org] transition: gnustep-base, gnustep-gui Added tag(s) confirmed; removed tag(s) moreinfo and trixie. -- 1028602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028602 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1028602: transition: gnustep-base, gnustep-gui
Control: tags -1 = confirmed On 2023-01-13 15:15:10 +0200, Yavor Doganov wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > X-Debbugs-Cc: pkg-gnustep-maintain...@lists.alioth.debian.org > Control: affects -1 + src:gnustep-base src:gnustep-gui > > Dear Release team, > > We would like your permission to carry out a GNUstep transition (two > libraries simultaneously with one round of binNMUs): > > libgnustep-base1.28 -> 1.29 > libgnustep-gui0.29 -> 0.30 Please go ahead. Cheers -- Sebastian Ramacher
Bug#1037286: transition: libcamera 0.0.5
Control: tags -1 confirm On 2023-06-10 10:25:29 +0200, Dylan Aïssi wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > > Dear Release Team, > > Please schedule a transition slot for libcamera 0.0.5. > > The auto-generated ben tracker looks good: > https://release.debian.org/transitions/html/auto-libcamera.html > > The unique reverse dep (pipewire 0.3.71-1) builds fine with the > new libcamera in experimental. Please go ahead. Cheers -- Sebastian Ramacher
Bug#1038140: bookworm-pu: package onionshare/2.6-5
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: onionsh...@packages.debian.org, pkg-privacy-maintain...@alioth-lists.debian.net, he...@debian.org Control: affects -1 + src:onionshare [ Reason ] The version 2.6-4 does not install icons, desktop file and appstream metadata file at the correct place (Closes: #1036691). So users can only run onionshare via commandline. [ Tests ] Autopkgtests make sure, that the main parts of the package are still functioning. Manual tests, that onionshare is listed in desktop menu and that it has the correct icon. Same version is installed in sid. [ Risks ] No real risks, as it is only installing some files to correct places. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Do I need to do update the version with a stable extension ~deb12u1 as there won't be any diff? diff -Nru onionshare-2.6/debian/changelog onionshare-2.6/debian/changelog --- onionshare-2.6/debian/changelog 2023-05-05 14:41:35.0 +0200 +++ onionshare-2.6/debian/changelog 2023-06-13 12:23:22.0 +0200 @@ -1,3 +1,10 @@ +onionshare (2.6-5) unstable; urgency=medium + + * Install desktp/appmetadata at expected places. (Closes: #1036691) + * Install icons under usr/share/icons. + + -- Sandro Knauß Tue, 13 Jun 2023 12:23:22 +0200 + onionshare (2.6-4) unstable; urgency=medium * Mark chat-server test as flaky, as it fails on i386 also randomly. diff -Nru onionshare-2.6/debian/rules onionshare-2.6/debian/rules --- onionshare-2.6/debian/rules 2022-12-22 14:32:13.0 +0100 +++ onionshare-2.6/debian/rules 2023-06-06 21:21:03.0 +0200 
@@ -4,6 +4,8 @@ %: dh $@ --buildsystem=pybuild +SIZES = 16 32 64 128 256 512 + override_dh_auto_build: PYBUILD_NAME=onionshare-cli dh_auto_build --buildsystem=pybuild --sourcedirectory cli --\ --after-build "CURDIR=$(CURDIR) BUILD_DIR={build_dir} $(CURDIR)/debian/missing-sources/uglifyjs.sh" @@ -24,8 +26,22 @@ rm debian/onionshare/usr/bin/onionshare-cli execute_after_dh_auto_install: - mkdir -p debian/onionshare/usr/share + mkdir -p debian/onionshare/usr/share/metainfo + cp desktop/org.onionshare.OnionShare.appdata.xml debian/onionshare/usr/share/metainfo/ + mkdir -p debian/onionshare/usr/share/applications + cp desktop/org.onionshare.OnionShare.desktop debian/onionshare/usr/share/applications/ + mv debian/onionshare/usr/lib/python3*/dist-packages/onionshare/resources debian/onionshare/usr/share/onionshare + + # Move icons to the places where they are searched + mkdir -p debian/onionshare/usr/share/icons/hicolor/scalable/apps + cp desktop/org.onionshare.OnionShare.svg debian/onionshare/usr/share/icons/hicolor/scalable/apps/ + $(foreach size,$(SIZES), \ + mkdir debian/onionshare/usr/share/icons/hicolor/$(size)x$(size); \ + mv debian/onionshare/usr/share/onionshare/onionshare-$(size).png debian/onionshare/usr/share/icons/hicolor/$(size)x$(size)/org.onionshare.OnionShare.png; \ + ln -s /usr/share/icons/hicolor/$(size)x$(size)/org.onionshare.OnionShare.png debian/onionshare/usr/share/onionshare/onionshare-$(size).png; \ + ) true + mkdir -p debian/onionshare-cli/usr/share mv debian/onionshare-cli/usr/lib/python3*/dist-packages/onionshare_cli/resources debian/onionshare-cli/usr/share/onionshare-cli
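Review bot: The sized PNG icons land in `hicolor/$(size)x$(size)/org.onionshare.OnionShare.png` with no `apps` context directory, while the SVG two lines earlier is correctly put under `hicolor/scalable/apps/`; the hicolor theme only indexes context subdirectories such as `16x16/apps`, so these PNGs are unlikely to be found by icon lookup, which is the very bug this upload is meant to fix. Inside the `$(foreach ...)` the three lines should become `mkdir -p debian/onionshare/usr/share/icons/hicolor/$(size)x$(size)/apps; \`, `mv debian/onionshare/usr/share/onionshare/onionshare-$(size).png debian/onionshare/usr/share/icons/hicolor/$(size)x$(size)/apps/org.onionshare.OnionShare.png; \` and `ln -s ../icons/hicolor/$(size)x$(size)/apps/org.onionshare.OnionShare.png debian/onionshare/usr/share/onionshare/onionshare-$(size).png; \`. The relative link target also satisfies Policy 10.5 for symlinks between directories under the same top-level directory, and `-p` keeps the rule from failing on a rebuild without a clean.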
Processed: bookworm-pu: package onionshare/2.6-5
Processing control commands: > affects -1 + src:onionshare Bug #1038140 [release.debian.org] bookworm-pu: package onionshare/2.6-5 Added indication that 1038140 affects src:onionshare -- 1038140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038140 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: transition: gdal
Processing control commands: > affects -1 + src:gdal Bug #1038115 [release.debian.org] transition: gdal Added indication that 1038115 affects src:gdal > forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html Bug #1038115 [release.debian.org] transition: gdal Set Bug forwarded-to-address to 'https://release.debian.org/transitions/html/auto-gdal.html'. > block -1 by 1030129 998833 1037920 984398 1037976 Bug #1038115 [release.debian.org] transition: gdal 1038115 was not blocked by any bugs. 1038115 was not blocking any bugs. Added blocking bug(s) of 1038115: 1037976, 1030129, 998833, 1037920, and 984398 -- 1038115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038115 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1038115: transition: gdal
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: g...@packages.debian.org Control: affects -1 + src:gdal Control: forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html Control: block -1 by 1030129 998833 1037920 984398 1037976 For the Debian GIS team I'd like to transition to GDAL 3.7.0. Most reverse dependencies rebuilt successfully with GDAL 3.7.0 from experimental as summarized below. mysql-workbench (8.0.32+dfsg-1) FTBFS due to ca-certificates-java (#1030129). Once that is fixed it will likely FTBFS due to #998833. ncl (6.6.2.dfsg.1-1) FTBFS due to hdf4 (4.2.16-1): /usr/include/hdf/dfi.h:128:2: error: #endif without #if 128 | #endif /* H4_DFI_H */ | ^ This is fixed in hdf4 (4.2.16-2), but NCL still FTBFS: /usr/include/hdf/dfi.h:53:33: error: two or more data types in declaration specifiers 53 | #define float32 float | ^ /usr/include/hdf/hdfi.h:121:16: note: in expansion of macro 'float32' 121 | typedef float float32; |^~~ /usr/include/hdf/hdfi.h:121:1: warning: useless type name in empty declaration 121 | typedef float float32; | ^~~ hdf4 (4.2.16-3) contains a different fix for dfi.h that resolves this issue. python-django (3:3.2.19-1) FTBFS due to an unrelated issue (#1037920). vtk6 (6.3.0+dfsg2-8.1) FTBFS due to an unrelated issue (#984398). opencv (4.6.0+dfsg-12) FTBFS due to ca-certificates-java (#1030129). Removing the Java packages lets the package build successfully with GDAL 3.7.0. osmcoastline (2.4.0-1) FTBFS due to changes in GDAL 3.7.0 (#1037976), osmcoastline (2.4.0-2) contains a patch to fix this issue. Transition: gdal libgdal32 (3.6.4+dfsg-1) -> libgdal33 (3.7.0+dfsg-1~exp1) The status of the most recent rebuilds is as follows. 
cloudcompare(2.11.3-7.1) OK fiona (1.9.4-1) OK gmt (6.4.0+dfsg-2)OK grass (8.2.1-1) OK libcitygml (2.5.1-1) OK libosmium (2.19.0-1)OK mapcache(1.14.0-1)OK mapnik (3.1.0+ds-3) OK mapproxy(1.16.0+dfsg-1) OK mapserver (8.0.1-1) OK merkaartor (0.19.0+ds-3) OK mysql-workbench (8.0.32+dfsg-1) FTBFS (#998833) ncl (6.6.2.dfsg.1-1) OK octave-mapping (1.4.2-3) OK openorienteering-mapper (0.9.5-3) OK openscenegraph (3.6.5+dfsg1-8) OK paraview(5.11.0+dfsg-1) OK pgsql-ogr-fdw (1.1.3-1) OK pktools (2.6.7.6+ds-4)OK postgis (3.3.3+dfsg-2)OK python-django (3:3.2.19-1) FTBFS (#1037920) qmapshack (1.16.1-2)OK r-cran-rgdal(1.6-4+dfsg-1)OK r-cran-sf (1.0-9+dfsg-1)OK r-cran-terra(1.7-3-1) OK rasterio(1.3.7-1) OK saga(9.0.2+dfsg-1)OK vtk6(6.3.0+dfsg2-8.1) FTBFS (#984398) vtk7(7.1.1+dfsg2-10.2)OK vtk9(9.1.0+really9.1.0+dfsg2-5) OK facet-analyser (0.0~git20221121142040.6be10b8+ds1-3) OK libgdal-grass (1:1.0.2-4) OK opencv (4.6.0+dfsg-12) FTBFS (#1030129) osmcoastline(2.4.0-2) OK qgis(3.28.7+dfsg-1) OK sumo(1.15.0+dfsg-1) OK otb (8.1.1+dfsg-1)OK Kind Regards, Bas
Bug#1037466: marked as done (nmu: spirv-llvm-translator-16_16.0.0-1)
Your message dated Thu, 15 Jun 2023 12:26:15 + with message-id and subject line Bug#1037466: fixed in spirv-llvm-translator-16 16.0.0-2 has caused the Debian Bug report #1037466, regarding nmu: spirv-llvm-translator-16_16.0.0-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1037466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037466 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu spirv-llvm-translator-16_16.0.0-1 . ANY . experimental . -m "Rebuild against llvm 16.0.5" the updated llvm-16/gcc-13 combination causes symbol changes that I'd like to collect before uploading the package to unstable Andreas --- End Message --- --- Begin Message --- Source: spirv-llvm-translator-16 Source-Version: 16.0.0-2 Done: Andreas Beckmann We believe that the bug you reported is fixed in the latest version of spirv-llvm-translator-16, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1037...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Andreas Beckmann (supplier of updated spirv-llvm-translator-16 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 15 Jun 2023 14:01:00 +0200 Source: spirv-llvm-translator-16 Architecture: source Version: 16.0.0-2 Distribution: unstable Urgency: medium Maintainer: Debian OpenCL team Changed-By: Andreas Beckmann Closes: 1037466 Changes: spirv-llvm-translator-16 (16.0.0-2) unstable; urgency=medium . * Update from llvm_release_160 branch. * Upload to unstable. (Closes: #1037466) Checksums-Sha1: 2966cf4c1139d3eaeeedbedb10171c04c95dd36b 2574 spirv-llvm-translator-16_16.0.0-2.dsc 9dcd4a12e9c83673fc537c9aeb43eab8d2e7dd8d 19148 spirv-llvm-translator-16_16.0.0-2.debian.tar.xz b84358e59c23a298d8bf1c70c95ba174b6e6b9bb 7885 spirv-llvm-translator-16_16.0.0-2_source.buildinfo Checksums-Sha256: 1296a0638209ff387f6af3a7738935ae114cf94fc67d131e41236066f30e4fe2 2574 spirv-llvm-translator-16_16.0.0-2.dsc 101558e6c22f78a06b6a09f82a5dedd8462c19d4e9304beaad5b793efdbedc50 19148 spirv-llvm-translator-16_16.0.0-2.debian.tar.xz 83c0427bb30a54580d9a0d241fb5ca46582c2503b8fe982a4512f7b1661a6f5f 7885 spirv-llvm-translator-16_16.0.0-2_source.buildinfo Files: 0d07bfcac302be3a87e86787e5e5 2574 libdevel optional spirv-llvm-translator-16_16.0.0-2.dsc 07fe6aa3402ccdd8715cc8c96b494e43 19148 libdevel optional spirv-llvm-translator-16_16.0.0-2.debian.tar.xz 49dc4ca69031ee7d7eb0fdb931ec4068 7885 libdevel optional spirv-llvm-translator-16_16.0.0-2_source.buildinfo -BEGIN PGP SIGNATURE- iQJEBAEBCAAuFiEE6/MKMKjZxjvaRMaUX7M/k1np7QgFAmSK/eMQHGFuYmVAZGVi aWFuLm9yZwAKCRBfsz+TWentCJS6D/wPYUKJJvHH18UE2Q5C7ScUxVKsC+5RdP8k XiFjw6J/hwmAoXVub9b1tbVObWNtb+Y8qSF025rMTZ2XOLfGVjxe8FAoBG9OxUL2 IdG+aJ8PANt1m8iEpQbLwcZA0+8LAHoNSX5BGOWTnlMMTRHMOQ/yvrLhA0p92wbW 
F6qa+4CWsUu03Qm9KUHN/API0ps2O5t0U2REwxhKaCR5Sk+lI5KZYIwlcMFYdet2 dbHNeOyBNAlIx8tK7w/owsegf8/5UmMtnU5xs39uP3MSp9lae+IP32sddW6tHZvJ s1mw1UZtWKrgbc7c9aJxjWWQjzV1lhhSVdF1jZuDQE41buwSCl5nstS9qGpunwDW vtV06ZifNDuJjbWuyBoRGaE1AxyIu0AL2cLYcyo71oWvVZwlsr5TRxcwj4+7SLAj FBVzZhBbkpEN6JGYPDOe7aqg4QdoXtYxVJ1vh+kryKYh6oIfLyBzJecnQBybuJev 6dKsZK4YbNXKRoxVd2whnli+bpMS5UE1NAEMapHALBhCbot0LzdWTWCIfTKOOI5A lyOyUNq69Dls/tVEZRyQmGmxDq04VU7MX4r4srqMeYSvxxHiMmsocELiK3ilPHg3 n4O4xnoPakhxqhMpxXAcLP+7dvo7VNVQN7iyaOV8yqQiyOvdPyxPDo7E5QyeyNRJ sejmRUXk2Q== =5rFy -END PGP SIGNATURE End Message ---
Bug#1038041: bookworm-pu: package unixodbc/2.3.11-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: unixo...@packages.debian.org Control: affects -1 + src:unixodbc I'd like to fix two bugs in the stable version of unixodbc (2.3.11-2). [ Reason ] (1) Users who upgrade their system from old versions of Debian (e.g. Lenny, Squeeze, Wheezy etc.) with odbcinst1debian1 installed are unable to upgrade to bookworm due to a missing Breaks+Replaces against two binary packages. Although odbcinst1debian1 hasn't existed for years, dpkg complains because /etc/odbc.ini is also in unixodbc-common, and /usr/bin/odbcinst is also in odbcinst. (2) Due to an oversight on my part, the stable version of unixodbc-common has an obsolete conffile. [ Impact ] (1) Users with odbcinst1debian1 installed cannot upgrade to bookworm without removing the binary package (which really shouldn't be installed anyway). Note that the number of uses actually affected by this bug will be very small. (2) No impact. [ Tests ] (1) Testing of staged upgrades with piuparts. (2) Manual testing of package upgrades and purging with rm_conffile in relevant maintscripts. [ Risks ] The changes are minimal and well tested. [ Checklist ] [ x ] *all* changes are documented in the d/changelog [ x ] I reviewed all changes and I approve them [ x ] attach debdiff against the package in stable [ x ] the issue is verified as fixed in unstable diff -Nru unixodbc-2.3.11/debian/changelog unixodbc-2.3.11/debian/changelog --- unixodbc-2.3.11/debian/changelog2022-05-23 21:14:45.0 +1000 +++ unixodbc-2.3.11/debian/changelog2023-06-15 21:05:33.0 +1000 
@@ -1,3 +1,11 @@ +unixodbc (2.3.11-2+deb12u1) bookworm; urgency=medium + + * unixodbc-common, odbcinst: Add Breaks+Replaces against odbcinst1debian1 + (Closes: #1037172). + * unixodbc-common: Remove obsolete conffile (Closes: #1009152). + + -- Hugh McMaster Thu, 15 Jun 2023 21:05:33 +1000 + unixodbc (2.3.11-2) unstable; urgency=medium * debian/control: Update Standards-Version to 4.6.1 (no changes needed). diff -Nru unixodbc-2.3.11/debian/control unixodbc-2.3.11/debian/control --- unixodbc-2.3.11/debian/control 2022-05-23 21:14:45.0 +1000 +++ unixodbc-2.3.11/debian/control 2023-06-15 19:50:03.0 +1000 @@ -88,6 +88,8 @@ Multi-Arch: foreign Section: utils Depends: unixodbc-common (>= ${source:Version}), ${shlibs:Depends}, ${misc:Depends} +Replaces: odbcinst1debian1 +Breaks: odbcinst1debian1 Description: Helper program for accessing ODBC configuration files UnixODBC is an implementation of the Open Database Connectivity standard, a database abstraction layer that allows applications to be used with @@ -122,8 +124,8 @@ Architecture: all Multi-Arch: foreign Depends: ${misc:Depends} -Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~) -Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~) +Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 2.3.9-1~) +Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 2.3.9-1~) Description: Common ODBC configuration files UnixODBC is an implementation of the Open Database Connectivity standard, a database abstraction layer that allows applications to be used with diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postinst unixodbc-2.3.11/debian/unixodbc-common.postinst --- unixodbc-2.3.11/debian/unixodbc-common.postinst 2022-05-23 21:06:12.0 +1000 +++ unixodbc-2.3.11/debian/unixodbc-common.postinst 2023-06-15 20:00:39.0 +1000 
@@ -6,4 +6,11 @@ touch /etc/odbcinst.ini fi +dpkg-maintscript-helper rm_conffile \ +/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@" + +if [ "$1" = "configure" -o "$1" = "abort-upgrade" ] && [ -n "$2" ]; then +cp -a /tmp/odbcinst.ini.bak /etc/odbcinst.ini +fi + #DEBHELPER# diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postrm unixodbc-2.3.11/debian/unixodbc-common.postrm --- unixodbc-2.3.11/debian/unixodbc-common.postrm 2022-05-23 21:06:12.0 +1000 +++ unixodbc-2.3.11/debian/unixodbc-common.postrm 2023-06-15 20:00:34.0 +1000 @@ -6,4 +6,7 @@ rm -f /etc/odbcinst.ini fi +dpkg-maintscript-helper rm_conffile \ +/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@" + #DEBHELPER# diff -Nru unixodbc-2.3.11/debian/unixodbc-common.preinst unixodbc-2.3.11/debian/unixodbc-common.preinst --- unixodbc-2.3.11/debian/unixodbc-common.preinst 1970-01-01 10:00:00.0 +1000 +++ unixodbc-2.3.11/debian/unixodbc-common.preinst 2023-06-15 20:00:30.0 +1000 @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +if [ "$1" = "upgrade" ] && [ -e /etc/odbcinst.ini ]; then +cp -a /etc/odbcinst.ini /tmp/odbcinst.ini.bak +fi + +dpkg-maintscript-helper rm_conffile \ +/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@" + +#DEBHELPER#
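Review bot: The preinst stashes the live `/etc/odbcinst.ini` at the fixed, predictable path `/tmp/odbcinst.ini.bak` and the postinst copies it back into `/etc` unconditionally, which is both fragile and unsafe: `/tmp` is world-writable, so any local user can create that name before the upgrade (and keep it open), and whatever they left there is installed as `/etc/odbcinst.ini`, the ODBC driver registry that names the libraries ODBC clients load. The unconditional `cp -a /tmp/odbcinst.ini.bak` also fails whenever preinst made no backup (no existing file, or a non-`upgrade` invocation) and aborts the script if it runs under `set -e` like the preinst does, which matches #1038122 above. Keep the backup in a root-owned location and guard the restore: in preinst `cp -a /etc/odbcinst.ini /etc/odbcinst.ini.unixodbc-save`, and in postinst `if [ -e /etc/odbcinst.ini.unixodbc-save ]; then mv -f /etc/odbcinst.ini.unixodbc-save /etc/odbcinst.ini; fi`; the `.dpkg-*` suffixes are used by `rm_conffile`, so the save file needs a distinct one. The postrm should also remove the save file on purge.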
Processed: bookworm-pu: package unixodbc/2.3.11-2+deb12u1
Processing control commands: > affects -1 + src:unixodbc Bug #1038041 [release.debian.org] bookworm-pu: package unixodbc/2.3.11-2+deb12u1 Added indication that 1038041 affects src:unixodbc -- 1038041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038041 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org Control: affects -1 + src:texlive-bin * Stop building *jit* binaries on i386 based arches to make TL installable on computers not supporting sse2 (Closes: #1035461). * Add patch for CVE-2023-32668: disable socket in luatex by default (Closes: #1036470). [ Reason ] - CVE-2023-32668: luatex can open network connections to other hosts without any notification to the end user. It is very surprising that a TeX engine allows unrestricted network access by default. This isn't a "vulnerability" per se, but the feature is sufficiently dangerous, unexpected, and rarely used for it to merit a security update. - Not building *jit* binaries: currently users having a CPU without sse2 support are not able to use TL at all, because texlive-binaries is not installable. The dependency on sse2-support was introduced late in the bookworm release cycle; it is a regression relative to bullseye. [ Impact ] - luatex allows unrestricted outbound network access by default (CVE-2023-32668). - Some people can't use TeX Live at all. [ Tests ] The patch for CVE-2023-32668 comes from upstream, was tested there and is part of the luatex 1.17.0 release. I can confirm that the network access is disabled with the patch applied. The patch for not needing sse2 is rather trivial. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [ ] the issue is verified as fixed in unstable Both fixes will be uploaded to experimental shortly, as soon as TL 2023 is packaged. The *jit* change will look a little different there: I'll split the *jit* binaries into a new package, so people having sse2-capable CPUs will still be able to use the jit feature. [ Other info ] The ConTeXt mtxrun needs the --socket feature enabled, else the MkIV engine won't work.
Hence we need an update of the context package too, which enables that feature by runtime. Therefore a 2nd debdiff is attached. -- sigmentation fault diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog --- texlive-bin-2022.20220321.62855/debian/changelog 2023-05-18 23:15:13.0 +0200 +++ texlive-bin-2022.20220321.62855/debian/changelog 2023-06-12 23:19:18.0 +0200 @@ -1,3 +1,12 @@ +texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium + + * Stop building *jit* binaries on i386 based arches to make TL installable +on computers not supporting sse2 (Closes: #1035461). + * Add patch for CVE-2023-32668: disable socket in luatex by default +(Closes: #1036470). + + -- Hilmar Preusse Mon, 12 Jun 2023 23:19:18 +0200 + texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high * Non-maintainer upload. diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control --- texlive-bin-2022.20220321.62855/debian/control 2023-05-18 23:15:13.0 +0200 +++ texlive-bin-2022.20220321.62855/debian/control 2023-06-12 23:19:18.0 +0200 
@@ -50,13 +50,12 @@ libtexlua53-5 (<< ${source:Version}.1~), libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], - sse2-support [i386], t1utils, tex-common, perl:any, ${shlibs:Depends}, ${misc:Depends} Recommends: texlive-base, dvisvgm Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) Conflicts: mendexk, makejvf, jmpost -Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) +Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1) Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex Description: Binaries for TeX Live This package contains all the binaries of TeX Live packages. diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch --- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 1970-01-01 01:00:00.0 +0100 +++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 2023-06-12 23:19:18.0 +0200 @@ -0,0 +1,234 @@ +--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c texlive-bin/texk/web2c/luatexdir/lua/loslibext.c +@@ -1046,6 +1046,59 @@ + return ret; + } + ++/* socket.sleep and socket.gettime */ ++/* are duplicated here, and they are*/ ++/* always available (the socket library */ ++/* can be nil in some setups) */
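Review bot: Dropping `sse2-support [i386]` restores installability, but the same Depends list still carries `libtexluajit2 (>= ${source:Version}) [... hurd-i386 i386 kfreebsd-i386 ...]` and its `<<` twin; if, as the changelog says, the jit binaries are no longer built on the i386-based architectures, that dependency is stale there and those architectures should be removed from both entries (the debian/rules change is not in this hunk, so this is inferred from the changelog). The new `Breaks: context (<= 2021.03.05.20230120+dfsg-1)` is the right coupling for the socket change, but it only helps if the matching context update described in [ Other info ] enters the same point release — worth stating that dependency explicitly in the request.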
Processed: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1
Processing control commands: > affects -1 + src:texlive-bin Bug #1038000 [release.debian.org] bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1 Added indication that 1038000 affects src:texlive-bin -- 1038000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038000 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1037990: bookworm-pu: package nvidia-support/20220217+3~deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu [ Reason ] Upgrades from bullseye to bookworm may fail while building kernel modules with dkms if some obsolete nvidia-*-dkms packages (that have no successor in bookworm) are still installed. (The dkms hook in bookworm no longer returns success if building a module has failed.) Let's add some Breaks against them (to nvidia-installer-cleanup which has the highest score from apt in these scenarios), to ensure the obsolete packages (and anything depending on them) gets removed during the upgrade to bookworm. [ Impact ] upgrade failures [ Tests ] lots of piuparts upgrade tests in my local piuparts instance (which handles non-free, too) [ Risks ] low, only affect packages not in bookworm [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] +nvidia-support (20220217+3) unstable; urgency=medium + + * nvidia-installer-cleanup: Add Breaks against obsolete nvidia-*-dkms +packages from bullseye that are incompatible with the bookworm kernel. [ Other info ] Andreas diff --git a/debian/changelog b/debian/changelog index 4fa6b49..15fda43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +nvidia-support (20220217+3~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm. + + -- Andreas Beckmann Thu, 15 Jun 2023 10:37:21 +0200 + +nvidia-support (20220217+3) unstable; urgency=medium + + * nvidia-installer-cleanup: Add Breaks against obsolete nvidia-*-dkms +packages from bullseye that are incompatible with the bookworm kernel. + + -- Andreas Beckmann Mon, 12 Jun 2023 16:55:42 +0200 + nvidia-support (20220217+2) unstable; urgency=medium [ Andreas Beckmann ] diff --git a/debian/control b/debian/control index 3947885..e51c7f0 100644 --- a/debian/control +++ b/debian/control 
@@ -31,6 +31,9 @@ Conflicts: nvidia-current, nvidia-current-updates, nvidia-driver-binary, +Breaks: + nvidia-tesla-418-kernel-dkms (<< 418.226.00-9~), + nvidia-tesla-460-kernel-dkms (<< 460.106.00-9~), Description: cleanup after driver installation with the nvidia-installer This package ensures that no remnants of the non-free NVIDIA graphics drivers that were installed with the nvidia-installer remain on the
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Salvatore, Le 15/06/2023 à 07:21, Salvatore Bonaccorso a écrit : Hi Pierre, On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote: [...] diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200 @@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 Can you as well add the Debian bug closer for #1036706 here? Thanks for looking at my diff. I admit I had not considered closing the bug here since it has already been declared as closed by the upload to unstable, I would have issued a BTS command after this proposal hits bookworm. Anyway, thanks for educating me on this. Enclosed is the new source debdiff, everything else in the original message of this bug thread remains unchanged. Regards, Salvatore Best, -- Pierre diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200 
@@ -1,3 +1,10 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm, +Closes: #1036706) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch OpenPGP_signature Description: OpenPGP digital signature
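Review bot: Naming the file with `UUID.randomUUID()` stops another local user from predicting the path, but the database is still created by name inside the shared `java.io.tmpdir`, so its mode comes from the process umask rather than being owner-only, and the `if (dbFile.exists())` check at the end of the hunk still leaves a window between the check and the open (the creation code follows outside the hunk, so this is inferred). `Files.createTempFile(Paths.get(tempFolder), "sqlite-jdbc-tmp-", ".db")` would create the file atomically with 0600 permissions on POSIX and make the exists() probe unnecessary. As a backport of the exact upstream commit this is acceptable for stable, but the DEP-3 header could note that the remaining hardening is an upstream follow-up rather than `Forwarded: not-needed`.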