Processed: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-openpgp-seek-bzip
Bug #1040680 [release.debian.org] bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1
Added indication that 1040680 affects src:node-openpgp-seek-bzip

-- 
1040680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040680
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040680: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-openpgp-seek-b...@packages.debian.org
Control: affects -1 + src:node-openpgp-seek-bzip

[ Reason ]
src:node-openpgp-seek-bzip provides:
 * a Node.js module (node-openpgp-seek-bzip)
 * command-line scripts (seek-bzip)

This second package is unusable due to missing files and broken links.

[ Impact ]
/usr/bin/seek-bunzip and /usr/bin/seek-table are unusable

[ Tests ]
No changes

[ Risks ]
No risk, this just fixes the install

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Install missing /usr/share/nodejs/seek-bzip/bin files and fix links in
/usr/bin

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index daa35de..20dc0b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-openpgp-seek-bzip (1.0.5-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix seek-bzip install (Closes: #1040584)
+
+ -- Yadd   Sun, 09 Jul 2023 09:29:47 +0400
+
 node-openpgp-seek-bzip (1.0.5-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/nodejs/links b/debian/nodejs/links
index 0ff514c..6c89a6e 100644
--- a/debian/nodejs/links
+++ b/debian/nodejs/links
@@ -1,2 +1,2 @@
-@openpgp/seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
-@openpgp/seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
+seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
+seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
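Review bot: dropping the `@openpgp/` scope means the links now expect the module at `/usr/share/nodejs/seek-bzip/bin/`, which matches the path added to `seek-bzip.install` in this same debdiff; worth confirming with `dpkg -L` on the built packages that the module really is installed unscoped, because if the package.json name is `@openpgp/seek-bzip` the old link sources were right and only the missing `bin/` directory was the problem.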
diff --git a/debian/seek-bzip.install b/debian/seek-bzip.install
index e772481..8bbbe8d 100644
--- a/debian/seek-bzip.install
+++ b/debian/seek-bzip.install
@@ -1 +1,2 @@
 usr/bin
+usr/share/nodejs/seek-bzip/bin
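Review bot: `usr/share/nodejs/seek-bzip/bin` is now shipped by the seek-bzip binary package; if node-openpgp-seek-bzip installs the whole `usr/share/nodejs/seek-bzip` tree as well, both packages would contain the same files and dpkg would refuse to unpack the second one, so the module package's install list needs to leave `bin/` out. Also check that the two scripts keep their execute bit after installation, otherwise the `/usr/bin` symlinks from debian/nodejs/links resolve but still do not run.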


Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dot...@packages.debian.org
Control: affects -1 + src:node-dottie

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't allow __proto__ modifications.
The patch also includes a debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default), because the patch
includes a prototype-pollution test.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9edf53f..5c9d435 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd   Sun, 09 Jul 2023 08:46:31 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26132.patch 
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen 
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd 
+Last-Update: 2023-07-09
+
+--- a/README.md
 b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call 
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
 b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = 
object, piece, length = pieces.length;
++if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+   if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
 b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++var data = {};
++
++dottie.set(data, '__proto__.pollution', 'polluted');
++
++expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
 b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++var values = {
++  'user.name': 'John Doe',
++  '__proto__.pollution': 'pollution'
++};
++
++var transformed = dottie.transform(values);
++expect(transformed.user).not.to.equal(undefined);
++expect(transformed.user.name).to.equal('John Doe');
++expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
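Review bot: the guards `if (pieces[0] === '__proto__') return;` in `Dottie.set` and `if (pieces[0] === '__proto__') break;` in `transform` only look at the first path segment, so a `__proto__` (or a `constructor` followed by `prototype`) segment anywhere deeper in the path still reaches the prototype chain; the patch header itself calls this "rudimentary" and the README hunk tells callers to `Object.preventExtensions(values)`, but the Debian changelog's "Fix prototype pollution" promises more than that. A check over every segment, e.g. `if (pieces.some(function (p) { return p === '__proto__' || p === 'constructor' || p === 'prototype'; })) return;`, would make the entry accurate. Two smaller points: `set` returns silently, so a caller cannot tell a refused write from a successful one; and the `break` in `transform` ends the enclosing iteration instead of skipping the single offending key, so any keys after the offending one would be dropped, and the new test passes only because `user.name` comes first in the fixture. Worth confirming against the full loop, which lies outside the hunk context.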
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 000..e69de29


Processed: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-dottie
Bug #1040679 [release.debian.org] bullseye-pu: package node-dottie/2.0.2-4+deb11u1
Added indication that 1040679 affects src:node-dottie

-- 
1040679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040678: bookworm-pu: package node-dottie/2.0.2-4+deb12u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dot...@packages.debian.org
Control: affects -1 + src:node-dottie

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't allow __proto__ modifications.
The patch also includes a debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default), because the patch
includes a prototype-pollution test.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9edf53f..a6edff9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd   Sun, 09 Jul 2023 08:43:00 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26132.patch 
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen 
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd 
+Last-Update: 2023-07-09
+
+--- a/README.md
 b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call 
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
 b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = 
object, piece, length = pieces.length;
++if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+   if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
 b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++var data = {};
++
++dottie.set(data, '__proto__.pollution', 'polluted');
++
++expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
 b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++var values = {
++  'user.name': 'John Doe',
++  '__proto__.pollution': 'pollution'
++};
++
++var transformed = dottie.transform(values);
++expect(transformed.user).not.to.equal(undefined);
++expect(transformed.user.name).to.equal('John Doe');
++expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
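Review bot: `pieces[0] === '__proto__'` in both `Dottie.set` and `transform` only rejects a leading segment; a `__proto__` or `constructor.prototype` segment deeper in the path passes the guard, consistent with the "rudimentary" wording in the patch header but not with the changelog's "Fix prototype pollution". Checking every segment would make the bookworm entry accurate, and the `break` in `transform` should be double-checked against the surrounding loop, since it ends the iteration rather than skipping just the offending key.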
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 000..e69de29


Processed: bookworm-pu: package node-dottie/2.0.2-4+deb12u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-dottie
Bug #1040678 [release.debian.org] bookworm-pu: package node-dottie/2.0.2-4+deb12u1
Added indication that 1040678 affects src:node-dottie

-- 
1040678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040678
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040677: bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-tough-coo...@packages.debian.org
Control: affects -1 + src:node-tough-cookie

[ Reason ]
node-tough-cookie is vulnerable to prototype pollution

[ Impact ]
Little security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk, patch is trivial and tested

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Create a new object instead of using the default {}

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3652359..84339cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd   Sun, 09 Jul 2023 08:32:32 +0400
+
 node-tough-cookie (4.0.0-2) unstable; urgency=medium
 
   * Team upload
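Review bot: `Closes: CVE-2023-26136` will not close anything: dpkg-parsechangelog only extracts bug numbers (`#NNNNNN`) after `Closes:`, so a CVE identifier there is ignored, and lintian may flag the malformed field as well. Put the CVE in the entry text instead, e.g. `* Fix prototype pollution [CVE-2023-26136]`, and add `Closes: #NNNNNN` only if a Debian bug exists for it (the node-dottie entries in the same batch use `Closes: #1040592, CVE-2023-26132`, where the bug number is what dpkg picks up).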
diff --git a/debian/patches/CVE-2023-26136.patch 
b/debian/patches/CVE-2023-26136.patch
new file mode 100644
index 000..05e6372
--- /dev/null
+++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd 
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
 b/lib/memstore.js
+@@ -39,7 +39,7 @@
+   constructor() {
+ super();
+ this.synchronous = true;
+-this.idx = {};
++this.idx = Object.create(null);
+ if (util.inspect.custom) {
+   this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+ 
+   putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+-  this.idx[cookie.domain] = {};
++  this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+-  this.idx[cookie.domain][cookie.path] = {};
++  this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+   }
+   removeAllCookies(cb) {
+-this.idx = {};
++this.idx = Object.create(null);
+ return cb(null);
+   }
+   getAllCookies(cb) {
+--- a/test/cookie_jar_test.js
 b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+   }
+ }
+   })
++  .addBatch({
++"Issue #282 - Prototype pollution": {
++  "when setting a cookie with the domain __proto__": {
++topic: function() {
++  const jar = new tough.CookieJar(undefined, {
++rejectPublicSuffixes: false
++  });
++  // try to pollute the prototype
++  jar.setCookieSync(
++"Slonser=polluted; Domain=__proto__; Path=/notauth",
++"https://__proto__/admin;
++  );
++  jar.setCookieSync(
++"Auth=Lol; Domain=google.com; Path=/notauth",
++"https://google.com/;
++  );
++  this.callback();
++},
++"results in a cookie that is not affected by the attempted prototype 
pollution": function() {
++  const pollutedObject = {};
++  assert(pollutedObject["/notauth"] === undefined);
++}
++  }
++}
++  })
+   .export(module);
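Review bot: `Object.create(null)` for `this.idx` and the nested domain/path maps does close the `Domain=__proto__` route (the inherited `__proto__` accessor is gone, so that key becomes an ordinary own property), but prototype-less objects also lack `hasOwnProperty`, `toString` and `constructor`; any code in memstore.js that calls such a method on an index entry, for example in the `inspect` path wired up in the constructor or in `getAllCookies`, would now throw, so the rest of the file should be checked for `idx[...].hasOwnProperty(`-style calls and switched to `Object.prototype.hasOwnProperty.call(...)`. The test's probe, `assert(pollutedObject["/notauth"] === undefined)` on a fresh `{}`, is the right check for `Object.prototype` pollution; the second `setCookieSync` for google.com contributes nothing to that assertion and could either be dropped or be followed by a lookup assertion showing the jar still works.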
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..67af372
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26136.patch

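Both fixes in this batch, dottie's path-segment guard and tough-cookie's switch from `{}` to `Object.create(null)`, defend against the same thing: untrusted strings used as object keys. The following is an added example, not code from dottie, tough-cookie or their Debian packages; `safeSet`, `makeIndex` and the probe functions are names chosen here, and the cookie values (`Domain=__proto__`, `Slonser`) are taken from the test in the tough-cookie patch above. It goes beyond the dottie patch in one respect: the segment check covers every position in the path, not only the first.

```javascript
// Added example (not dottie's or tough-cookie's own code): two defences against
// prototype pollution when object keys or dotted paths come from untrusted
// input, illustrating the two fixes in this batch of uploads.

// Segments that must never be walked into, at any depth of a path.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Dotted-path setter in the style of dottie.set(object, path, value), but the
// guard covers every segment rather than only pieces[0]. Returns false when
// the path is refused so the caller can log or reject the input.
function safeSet(target, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  if (pieces.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    return false;
  }
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    // Only descend into own, non-null objects; an inherited value such as
    // `toString` is replaced by a fresh own object instead of being mutated.
    if (!Object.prototype.hasOwnProperty.call(current, piece) ||
        typeof current[piece] !== 'object' || current[piece] === null) {
      current[piece] = {};
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return true;
}

// Nested index keyed by attacker-controlled strings (cookie domain and path),
// shaped like tough-cookie's MemoryCookieStore.idx. With nullPrototype=false
// every level is a plain `{}`, so the key "__proto__" resolves to the shared
// Object.prototype and a write through it pollutes every object in the
// process. With nullPrototype=true each level is Object.create(null), which
// has no prototype, so the same key is just an ordinary own property.
function makeIndex(nullPrototype) {
  const fresh = () => (nullPrototype ? Object.create(null) : {});
  const idx = fresh();
  return {
    put(domain, path, key, value) {
      if (!idx[domain]) idx[domain] = fresh();
      if (!idx[domain][path]) idx[domain][path] = fresh();
      idx[domain][path][key] = value;
    },
    get(domain, path, key) {
      return idx[domain] && idx[domain][path] ? idx[domain][path][key] : undefined;
    },
  };
}

// Probe: store a constructed cookie whose Domain is "__proto__" and report
// whether an unrelated, freshly created object picked up the Path key.
// Any pollution is undone before returning so nothing else is affected.
function attemptedPollutionLeaks(nullPrototype) {
  const probeKey = 'gr_example_path'; // constructed; stands in for "/notauth"
  const store = makeIndex(nullPrototype);
  try {
    store.put('__proto__', probeKey, 'Slonser', 'polluted');
    return ({})[probeKey] !== undefined;
  } finally {
    delete Object.prototype[probeKey];
  }
}

// Probe for safeSet: a leading, a nested and a constructor.prototype route are
// all refused and Object.prototype stays clean; ordinary paths still work.
function safeSetBlocksPollution() {
  const probeKey = 'gr_example_prop'; // constructed
  const data = {};
  try {
    const refused = [
      safeSet(data, `__proto__.${probeKey}`, 'polluted'),
      safeSet(data, `user.__proto__.${probeKey}`, 'polluted'),
      safeSet(data, ['constructor', 'prototype', probeKey], 'polluted'),
    ].every((ok) => ok === false);
    const legit = safeSet(data, 'foo.bar.baz', 'someValue') &&
      data.foo.bar.baz === 'someValue';
    return refused && legit && ({})[probeKey] === undefined;
  } finally {
    delete Object.prototype[probeKey];
  }
}

console.log('plain {} index leaks:      ', attemptedPollutionLeaks(false)); // true
console.log('Object.create(null) leaks: ', attemptedPollutionLeaks(true));  // false
console.log('safeSet blocks pollution:  ', safeSetBlocksPollution());       // true
```

Run it with `node`: the `{}` index reports that a freshly created object picked up the attacker's Path key, the null-prototype index does not, and `safeSet` refuses all three routes while ordinary paths still work. Both probes delete the polluted property in a `finally`, so the process is left clean.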

Processed: bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-tough-cookie
Bug #1040677 [release.debian.org] bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1
Added indication that 1040677 affects src:node-tough-cookie

-- 
1040677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2023-07-08 Thread Debian FTP Masters
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_mips64el-buildd.changes
  ACCEPT



Bug#1040519: bookworm-pu: package samba/2:4.17.9+dfsg-0+deb12u1

2023-07-08 Thread Adrian Bunk
On Sun, Jul 09, 2023 at 01:13:55AM +0300, Michael Tokarev wrote:
>...
> I'll see what can be done tomorrow. Apparently it might be better to revert
> this keyring change for bookworm and fix it for good in trixie first.
>...

And BTW, manually linking with libatomic is the correct fix here for 
your package.

"fix it for good" would be to fix gcc, but such a fix would not be 
backported to bookworm.

> Thank you!
> 
> /mjt

cu
Adrian



Bug#1040519: bookworm-pu: package samba/2:4.17.9+dfsg-0+deb12u1

2023-07-08 Thread Adrian Bunk
On Sun, Jul 09, 2023 at 01:13:55AM +0300, Michael Tokarev wrote:
> 09.07.2023 01:01, Adrian Bunk wrote:
> > This does apparently need the -latomic workaround from 2:4.18.3+dfsg-3:
> > https://buildd.debian.org/status/package.php?p=samba=bookworm
> 
> Sigh!
> This is the kerberos in-kernel tickets.. :(
> 
> I hadn't realized until now that the atomic8 thing came into the game after
> I enabled the in-kernel kerberos tickets.  I was sure it was due to some
> toolchain changes.

FTR, the underlying toolchain bug is not new:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81358

> Now I know why we weren't able to reproduce this issue
> with upstream, - because it happens in the code which is enabled by this
> change.
>...

The error message is a bit cryptic, but it basically says in which lines 
in krcache.c the 64bit loads/stores are for which the CPU has no 
instructions and needs libatomic.

Not linking with libatomic automatically for C11 atomics is the gcc bug.

> Thank you!
> 
> /mjt

cu
Adrian



NEW changes in stable-new

2023-07-08 Thread Debian FTP Masters
Processing changes file: exim4_4.96-15+deb12u1_armel-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_s390x-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_mipsel-buildd.changes
  ACCEPT



Bug#1040519: bookworm-pu: package samba/2:4.17.9+dfsg-0+deb12u1

2023-07-08 Thread Michael Tokarev

09.07.2023 01:01, Adrian Bunk wrote:
> This does apparently need the -latomic workaround from 2:4.18.3+dfsg-3:
> https://buildd.debian.org/status/package.php?p=samba=bookworm

Sigh!
This is the kerberos in-kernel tickets.. :(

I hadn't realized until now that the atomic8 thing came into the game after
I enabled the in-kernel kerberos tickets.  I was sure it was due to some
toolchain changes.  Now I know why we weren't able to reproduce this issue
with upstream, because it happens in the code which is enabled by this
change.

I'll see what can be done tomorrow. Apparently it might be better to revert
this keyring change for bookworm and fix it for good in trixie first.
Either way, it's for tomorrow.  The very good thing is that now I know the
context, which I thought was entirely different.

Thank you!

/mjt



Bug#1040519: bookworm-pu: package samba/2:4.17.9+dfsg-0+deb12u1

2023-07-08 Thread Adrian Bunk
This does apparently need the -latomic workaround from 2:4.18.3+dfsg-3:
https://buildd.debian.org/status/package.php?p=samba=bookworm

cu
Adrian



NEW changes in stable-new

2023-07-08 Thread Debian FTP Masters
Processing changes file: exim4_4.96-15+deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u1_s390x-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_armel-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_s390x-buildd.changes
  ACCEPT



Bug#1040668: bullseye-pu: package tang/8-3+deb11u1

2023-07-08 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:tang

This is the bullseye version of #1040646

[ Reason ]
Fix https://security-tracker.debian.org/tracker/CVE-2023-1672 for
Debian 11 ("bullseye"), tagged "no-dsa (minor)" by the security team.

The problem of creating key material without restrictive file
permissions probably existed upstream since always. Up to and including
Debian 10 ("buster") however, this situation was caught by enforcing
restrictive permissions on the key directory.

With Debian 11 ("bullseye") a change in the creation of that directory
caused it to be created with a too permissive mode.

[ Impact ]
Without the change being accepted, the directory that holds the private
key would stay world-readable. Also this would continue to put users at
risk who configured a different key directory but did not enforce
restrictive access permissions.

[ Tests ]
No automated tests I'm aware of. Of course I did a manual test, and the
outcome matched the expectations.

[ Risks ]
The changes are small and rather straight-forward. I'd be surprised if
they introduce problems.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (14.1)

[ Changes ]
* Assert restrictive permissions of the key directory in Debian's
  postinst.
  For regular users and new installations.
* Upstream's change to create the key file with restrictive
  permissions.
  Mostly for users who configure a different key directory.
* Recommend a key rotation in setups where this seems wise, add
  some details in NEWS.Debian.
* Make the key rotation program executable as it should always
  have been.

Regards,

Christoph

diff -Nru tang-8/debian/changelog tang-8/debian/changelog
--- tang-8/debian/changelog 2021-12-16 20:47:10.0 +0100
+++ tang-8/debian/changelog 2023-07-08 12:41:29.0 +0200
@@ -1,3 +1,14 @@
+tang (8-3+deb11u2) bullseye; urgency=high
+
+  * Fix CVE-2023-1672:
+- Cherry-pick "Fix race condition when creating/rotating keys"
+- Assert restrictive permissions on tang's key directory
+In existing multi-user bullseye installations, rotating the keys
+is suggested.
+  * Make the tangd-rotate-keys program executable
+
+ -- Christoph Biedl   Sat, 08 Jul 2023 
12:41:29 +0200
+
 tang (8-3+deb11u1) bullseye-security; urgency=high
 
   * Fix data leak [CVE-2021-4076]
diff -Nru 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
--- 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
   1970-01-01 01:00:00.0 +0100
+++ 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
   2023-07-08 12:41:29.0 +0200
@@ -0,0 +1,73 @@
+Subject: Fix race condition when creating/rotating keys (#123)
+Origin: v13-3-g8dbbed1 
+Upstream-Author: Sergio Correia 
+Date: Wed Jun 14 10:53:20 2023 -0300
+
+When we create/rotate keys using either the tangd-keygen and
+tangd-rotate-keys helpers, there is a small window between the
+keys being created and then the proper ownership permissions being
+set. This also happens when there are no keys and tang creates a
+pair of keys itself.
+
+In certain situations, such as the keys directory having wide open
+permissions, a user with local access could exploit this race
+condition and read the keys before they are set to more restrictive
+permissions.
+
+To prevent this issue, we now set the default umask to 0337 before
+creating the files, so that they are already created with restrictive
+permissions; afterwards, we set the proper ownership as usual.
+
+Issue reported by Brian McDermott of CENSUS labs.
+
+Fixes CVE-2023-1672
+
+
+Reviewed-by: Sergio Arroutbi 
+Signed-off-by: Sergio Correia 
+
+--- a/src/keys.c
 b/src/keys.c
+@@ -17,6 +17,7 @@
+  * along with this program.  If not, see .
+  */
+ 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -304,6 +305,9 @@
+ const char** hashes = supported_hashes();
+ const char* alg[] = {"ES512", "ECMR", NULL};
+ char path[PATH_MAX];
++
++/* Set default umask for file creation. */
++umask(0337);
+ for (int i = 0; alg[i] != NULL; i++) {
+ json_auto_t* jwk = jwk_generate(alg[i]);
+ if (!jwk) {
+--- a/src/tangd-keygen
 b/src/tangd-keygen
+@@ -27,6 +27,9 @@
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
++# Set default umask for file creation.
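Review bot: `umask(0337)` in src/keys.c is set unconditionally and never restored, and the umask is process-wide state; since this path also runs inside tangd when no keys exist yet (the description says tang then creates a pair itself), every file the daemon creates afterwards inherits the 0440 ceiling. If that is not intended, keep the old mask and put it back once the key files are written, e.g. `mode_t old = umask(0337);` before the loop and `umask(old);` after it. In the shell helper (tangd-keygen) the process exits right after, so a plain `umask 0337` there is fine. The key directory itself is outside this patch, which is why the postinst change in the same upload is still needed.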

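The upstream tang fix relies on `umask(0337)` so that key files are born with restrictive permissions instead of being chmod'ed afterwards. As an added example, not tang's code, the C program below applies the same idea to a single file and adds two things a reviewer would want: `O_EXCL`, so an existing file or symlink at the path is never reused, and restoring the previous umask, since the umask is process-wide state. The function names and the `/tmp/gr-keys-XXXXXX` template are chosen here, and the JSON string written is a constructed stand-in for a key.

```c
/* Added example, not tang's code: create a secret file that is never readable
 * by group or others, even for the instant between creation and a later
 * chmod/chown, and leave the process umask the way we found it. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` holding `data`. The umask is tightened to 0337 around the
 * open(2), the same mask the upstream tang fix uses: whatever mode the
 * creating call asks for, the result is at most 0440 (0666 & ~0337). Unlike
 * that fix, the previous umask is restored before returning. Returns the
 * permission bits of the new file (e.g. 0440), or -1 on failure, including
 * when something already exists at `path`. */
int create_restricted_file(const char *path, const char *data)
{
    mode_t saved = umask(0337);
    /* O_EXCL: refuse to reuse a pre-existing file or follow a planted symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);                       /* never leave a process-wide umask behind */
    if (fd < 0)
        return -1;

    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }

    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);
}

/* Read the current umask without changing it (umask(2) has no pure getter). */
mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Run the whole thing in a private temporary directory (mkdtemp creates it
 * 0700, the kind of restrictive directory mode tang's postinst asserts).
 * Returns the mode of the created key file; -2 if the umask was not restored,
 * -3 if a second create at the same path did not fail, -1 on other errors. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/gr-keys-XXXXXX";          /* constructed path template */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[64];
    snprintf(path, sizeof path, "%s/key.jwk", dir);

    mode_t before = current_umask();
    int mode = create_restricted_file(path, "{\"kty\":\"EC\"}"); /* constructed */
    int second = create_restricted_file(path, "again");          /* must fail */
    mode_t after = current_umask();

    unlink(path);
    rmdir(dir);

    if (before != after)
        return -2;
    if (second != -1)
        return -3;
    return mode;
}

int main(void)
{
    int mode = demo_in_tmpdir();
    printf("created key file with mode %04o\n", mode);
    return mode == 0440 ? 0 : 1;
}
```

The result is 0440 regardless of the caller's umask because the mask is set explicitly for the duration of the create; the umask check before and after shows that nothing leaks into the rest of the process.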
Processed: bullseye-pu: package tang/8-3+deb11u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:tang
Bug #1040668 [release.debian.org] bullseye-pu: package tang/8-3+deb11u1
Added indication that 1040668 affects src:tang

-- 
1040668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040001: To strict version restrictions injected by dh-r (Was: Bug#1040001: Seeking advise how to proceed with the transition / move R stack to testing)

2023-07-08 Thread Gordon Ball

Hi Andreas

On 06/07/2023 22:09, Andreas Tille wrote:
>> It comes from this line:
>> https://salsa.debian.org/r-pkg-team/dh-r/-/blob/master/dh/R.pm#L272
>>
>> More precisely the “r-base-core (>= $rbase_version)” part, which
>> imposes an unnecessarily tight restriction on the r-base-core version.
>
> Got it, thanks for the explanation.  This restriction existed since the
> early stage of dh-r development
>
> https://salsa.debian.org/r-pkg-team/dh-r/-/commit/22fd80b9#L174
>
> by Gordon Ball (in CC but not really active in R pkg team any more) at
> 2016-09-04 12:28:57 +0200 .  I'm guessing this restriction was obtained
> from the cdbs helper that existed before the dh support was created by
> Gordon and he simply took over what existed there.  The according line
> in the initial commit of dh-r is

I'm pretty sure I cargo-culted it from the previous CDBS helper when 
writing dh-r. I assumed it was meant to allow for non-backwards 
compatible bytecode, but I'm not sure I investigated the exact semantics 
it was meant to be enforcing. I concur that it sounds like the 
`$rapiversion` dependency is probably sufficient.


(Yes, I'm afraid I don't really have an ongoing interest in R - I used 
it a lot in academia, but it hasn't really featured in professional life 
since then).


Gordon



Bug#1040001: Role of tibble? (Was: Bug#1040001: Seeking advise how to proceed with the transition / move R stack to testing)

2023-07-08 Thread Paul Gevers

Hi,

On 06-07-2023 21:18, Andreas Tille wrote:
> Am Thu, Jul 06, 2023 at 08:28:45PM +0200 schrieb Paul Gevers:
>> On 06-07-2023 19:08, Paul Gevers wrote:
>>> I'm seeing in several tests where things seem to work when r-cran-tibble
>>> from unstable is involved and fail if the version from unstable is used;
>
> Are you sure there is no typo in your sentence?  At least I fail to
> understand.  I assume the latter "unstable" should be "testing", right?

Indeed, I think the pattern is that if we test in testing, with r-cran
from unstable and r-cran-tibble from testing it fails, but with r-cran
from unstable and r-cran-tibble from unstable, it works.

I'm working my way through the list and the ppc64el ci workers have a bit
of backlog; we're getting somewhere, but I think I'm still also seeing
different failure modes than the graphics engine, tibble and dplyr.


Paul




Bug#1040623: bookworm-pu: package bup/0.33.2-1+deb12u1

2023-07-08 Thread Robert Edmonds
Adam D. Barratt wrote:
> On Sat, 2023-07-08 at 02:24 -0400, Robert Edmonds wrote:
> > I'd like to update the version of bup in bookworm from 0.33-2 to
> > 0.33.2-1+deb12u1, which incorporates two upstream bugfix releases for
> > a bug deemed important enough by upstream to issue point releases.
> > 
> 
> The version number for p-u needs to be lower than unstable. This looks
> like a backport of 0.33.2-1 from unstable, so the convention would be
> 0.33.2-1~deb12u1.
> 
> Feel free to re-upload with the corrected version number; there's no
> need to wait for the original upload to be rejected.

Uploaded with the corrected version number. Interdebdiff from the
rejected version below.

Thanks!

diff -u bup-0.33.2/debian/changelog bup-0.33.2/debian/changelog
--- bup-0.33.2/debian/changelog 2023-07-08 01:17:38.0 -0400
+++ bup-0.33.2/debian/changelog 2023-07-08 16:11:59.0 -0400
@@ -1,9 +1,9 @@
-bup (0.33.2-1+deb12u1) bookworm; urgency=medium
+bup (0.33.2-1~deb12u1) bookworm; urgency=medium
 
   * Upstream version 0.33.2, with a fix for a problem that can cause POSIX.1e
 ACLs to be restored incorrectly.
 
- -- Robert Edmonds   Sat, 08 Jul 2023 01:17:38 -0400
+ -- Robert Edmonds   Sat, 08 Jul 2023 16:11:59 -0400
 
 bup (0.33.2-1) unstable; urgency=medium
 
diff -u bup-0.33.2/debian/patches/debian-changes 
bup-0.33.2/debian/patches/debian-changes
--- bup-0.33.2/debian/patches/debian-changes2023-07-08 01:17:38.0 
-0400
+++ bup-0.33.2/debian/patches/debian-changes2023-07-08 16:11:59.0 
-0400
@@ -30,4 +30,4 @@
 -date='2023-07-01 15:08:43 -0500'
-+commit='61307904e4133b55acf7c2794da47fafecedf5af'
-+date='2023-07-08 01:27:47 -0400'
++commit='db4734ba24249fee8060a186e03e6173ce2e5d55'
++date='2023-07-08 16:12:37 -0400'
  modified=False

-- 
Robert Edmonds
edmo...@debian.org



NEW changes in oldstable-new

2023-07-08 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_source.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb11u1_s390x-buildd.changes
  ACCEPT



Processed: nmu: dovecot-antispam_2.0+20171229-1+b11

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:dovecot-antispam
Bug #1040665 [release.debian.org] nmu: dovecot-antispam_2.0+20171229-1+b11
Added indication that 1040665 affects src:dovecot-antispam

-- 
1040665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040665
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040665: nmu: dovecot-antispam_2.0+20171229-1+b11

2023-07-08 Thread Noah Meyerhans
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: dovecot-antis...@packages.debian.org
Control: affects -1 + src:dovecot-antispam

nmu dovecot-antispam_2.0+20171229-1+b11 . ANY . unstable . -m "Rebuild for dovecot 1:2.3.20+dfsg1-1 ABI"

dovecot-antispam needs to be rebuilt against the dovecot 1.3.20 internal ABI in
order to allow the transition to testing.



NEW changes in stable-new

2023-07-08 Thread Debian FTP Masters
Processing changes file: bup_0.33.2-1+deb12u1_source.changes
  REJECT
Processing changes file: exim4_4.96-15+deb12u1_multi.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_source.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: 
firefox-esr_102.13.0esr-1~deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: 
firefox-esr_102.13.0esr-1~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_102.13.0esr-1~deb12u1_s390x-buildd.changes
  ACCEPT
Processing changes file: samba_4.17.9+dfsg-0+deb12u1_source.changes
  ACCEPT
Processing changes file: tang_11-2+deb12u1_source.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_source.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_armel-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: webkit2gtk_2.40.3-2~deb12u1_s390x-buildd.changes
  ACCEPT



Processed: tang 11-2+deb12u1 flagged for acceptance

2023-07-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1040646 = bookworm pending
Bug #1040646 [release.debian.org] bookworm-pu: package tang/11-2
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1040646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: samba 4.17.9+dfsg-0+deb12u1 flagged for acceptance

2023-07-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1040519 = bookworm pending
Bug #1040519 [release.debian.org] bookworm-pu: package 
samba/2:4.17.9+dfsg-0+deb12u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1040519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040646: tang 11-2+deb12u1 flagged for acceptance

2023-07-08 Thread Adam D Barratt
package release.debian.org
tags 1040646 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: tang
Version: 11-2+deb12u1

Explanation: fix race condition when creating/rotating keys [CVE-2023-1672]



Bug#1040519: samba 4.17.9+dfsg-0+deb12u1 flagged for acceptance

2023-07-08 Thread Adam D Barratt
package release.debian.org
tags 1040519 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: samba
Version: 4.17.9+dfsg-0+deb12u1

Explanation: new upstream stable release; ensure manpages are generated during 
build; enable ability to store kerberos tickets in kernel keyring



Processed: exim4 4.96-15+deb12u1 flagged for acceptance

2023-07-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1040139 = bookworm pending
Bug #1040139 [release.debian.org] bookworm-pu: package exim4/4.96-15
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1040139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040139
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040139: exim4 4.96-15+deb12u1 flagged for acceptance

2023-07-08 Thread Adam D Barratt
package release.debian.org
tags 1040139 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: exim4
Version: 4.96-15+deb12u1

Explanation: fix argument parsing for ${run } expansion; fix ${srs_encode ..} 
returning incorrect result every 1024 days



Bug#1037188: bullseye-pu: package git/2.30.2-1+deb11u3

2023-07-08 Thread Adam D. Barratt
On Wed, 2023-06-07 at 13:22 +0200, Andreas Beckmann wrote:
> git-el in bullseye is uninstallable in any sensible combination with
> emacs/xemacs (it only installs fine in a minimal chroot w/o
> --install-recommends).
> The package was dropped from sid shortly after the bullseye release,
> let's do the same in bullseye.
> 
[...]
> [ Changes ]
> remove all packaging bits for git-el, add Breaks to ensure cleanup if
> the package is still (partially) installed
> 

It looks like not all of the postinst was removed - was that
intentional? It's presumably harmless, but now leads to a lintian
warning, which is why I noticed. :-)

+W: maintainer-script-lacks-debhelper-token debian/git-el.postinst

--- git-2.30.2/debian/git-el.postinst   2021-03-10 02:40:56.0 +0100
+++ git-2.30.2/debian/git-el.postinst   2023-06-07 11:51:35.0 +0200
@@ -1,10 +1,3 @@
-#!/bin/sh
-set -e
-
-#DEBHELPER#
-
-test "$1" = configure || exit 0
-/usr/lib/emacsen-common/emacs-package-install git
 
 # Clean up after 1:1.7.4.1-1 through 1:1.7.4.1-3.
 ! test -L /usr/share/git-core/emacs/emacs ||
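
Review bot: the hunk removes the `#!/bin/sh`, `set -e` and `#DEBHELPER#` lines but keeps the 1:1.7.4.1 cleanup block, so debian/git-el.postinst survives as an interpreter-less fragment; since the git-el package is being dropped entirely, delete the whole file rather than its first seven lines, which is also what clears the `maintainer-script-lacks-debhelper-token` warning quoted above.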


Regards,

Adam



Processed: nmu: dovecot-fts-xapian_1.5.5-1+b2

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:dovecot-fts-xapian
Bug #1040648 [release.debian.org] nmu: dovecot-fts-xapian_1.5.5-1+b2
Added indication that 1040648 affects src:dovecot-fts-xapian

-- 
1040648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040648: nmu: dovecot-fts-xapian_1.5.5-1+b2

2023-07-08 Thread Noah Meyerhans
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: dovecot-fts-xap...@packages.debian.org
Control: affects -1 + src:dovecot-fts-xapian

nmu dovecot-fts-xapian_1.5.5-1+b2 . ANY . unstable . -m "Rebuild for dovecot 
1:2.3.20+dfsg1-1 ABI"

dovecot-fts-xapian needs to be rebuilt against the dovecot 1.3.20 internal ABI
in order to allow the transition to testing.



Bug#1040646: bookworm-pu: package tang/11-2

2023-07-08 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:tang

[ Reason ]
Fix https://security-tracker.debian.org/tracker/CVE-2023-1672 for
Debian 12 ("bookworm"), tagged "no-dsa (minor)" by the security team.

The problem of creating key material without restrictive file
permissions probably existed upstream since always. Up to and including
Debian 10 ("buster") however, this situation was caught by enforcing
restrictive permissions on the key directory.

With Debian 11 ("bullseye") a change in the creation of that directory
caused it to be created with a too permissive mode. That will be
addressed in a separate upload that requires more testing.

For Debian 12 ("bookworm"), this request here, stricter permissions were
already implemented and they are enforced during upgrade, however with a
small window during installation of the package.

[ Impact ]
The small time window as mentioned above will stay. Also this would
continue to put users at risk who configured a different key directory
but did not enforce restrictive access permissions.

[ Tests ]
None that I'm aware of.

[ Risks ]
The changes are small and rather straight-forward. I'd be surprised if
they introduce problems.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable (14.1)

[ Changes ]
* Assert restrictive permissions of the key directory in Debian's
  postinst.
  For regular users and new installations.
* Upstream's change to create the key file with restrictive
  permissions.
  Mostly for users who configure a different key directory.

Regards,

Christoph

diff -Nru tang-11/debian/changelog tang-11/debian/changelog
--- tang-11/debian/changelog2022-10-15 15:00:56.0 +0200
+++ tang-11/debian/changelog2023-07-08 12:49:07.0 +0200
@@ -1,3 +1,11 @@
+tang (11-2+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-1672. Closes: #1038119
+- Cherry-pick "Fix race condition when creating/rotating keys"
+- Assert restrictive permissions on tang's key directory
+
+ -- Christoph Biedl   Sat, 08 Jul 2023 
12:49:07 +0200
+
 tang (11-2) unstable; urgency=medium
 
   * Tighten access permissions of the key directory
diff -Nru 
tang-11/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
 
tang-11/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
--- 
tang-11/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
  1970-01-01 01:00:00.0 +0100
+++ 
tang-11/debian/patches/bookworm/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
  2023-07-08 12:49:07.0 +0200
@@ -0,0 +1,66 @@
+Subject: Fix race condition when creating/rotating keys (#123)
+Origin: v13-3-g8dbbed1 
+Upstream-Author: Sergio Correia 
+Date: Wed Jun 14 10:53:20 2023 -0300
+
+When we create/rotate keys using either the tangd-keygen and
+tangd-rotate-keys helpers, there is a small window between the
+keys being created and then the proper ownership permissions being
+set. This also happens when there are no keys and tang creates a
+pair of keys itself.
+
+In certain situations, such as the keys directory having wide open
+permissions, a user with local access could exploit this race
+condition and read the keys before they are set to more restrictive
+permissions.
+
+To prevent this issue, we now set the default umask to 0337 before
+creating the files, so that they are already created with restrictive
+permissions; afterwards, we set the proper ownership as usual.
+
+Issue reported by Brian McDermott of CENSUS labs.
+
+Fixes CVE-2023-1672
+
+
+Reviewed-by: Sergio Arroutbi 
+Signed-off-by: Sergio Correia 
+
+--- a/src/keys.c
 b/src/keys.c
+@@ -307,6 +307,9 @@
+ {
+ const char* alg[] = {"ES512", "ECMR", NULL};
+ char path[PATH_MAX];
++
++/* Set default umask for file creation. */
++umask(0337);
+ for (int i = 0; alg[i] != NULL; i++) {
+ json_auto_t* jwk = jwk_generate(alg[i]);
+ if (!jwk) {
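Review bot: `umask(0337)` is process-wide and is never restored, so every file the process creates after this function runs inherits the restrictive mask; save the previous value with `mode_t old = umask(0337);` and call `umask(old)` once the loop has written the key files. A short comment on the value would also help: 0337 clears write and execute for everyone and read for others, so new files come into existence as 0440 before the ownership step the description mentions.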
+--- a/src/tangd-keygen.in
 b/src/tangd-keygen.in
+@@ -38,6 +38,10 @@
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+ THP_DEFAULT_HASH=S256 # SHA-256.
++
++# Set default umask for file creation.
++umask 0337
++
+ jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a 
"${THP_DEFAULT_HASH}")
+ echo "$jwe" > "$1/$sig.jwk"
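Review bot: `umask 0337` only governs files that `echo "$jwe" > "$1/$sig.jwk"` newly creates; if a file of that name already exists (including one planted by a local user when `$1` has the wide-open permissions the description warns about), the redirect truncates it in place and keeps its existing mode and owner. Consider refusing to overwrite, e.g. `set -C` before the redirect, or testing `[ -e "$1/$sig.jwk" ]` first.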
+--- a/src/tangd-rotate-keys.in
 b/src/tangd-rotate-keys.in
+@@ -79,6 +79,10 @@
+ 
+ # Create a new set of keys.
+ DEFAULT_THP_HASH="S256"
++
++# Set 

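The commit message above describes a window between a key file being written and its permissions being tightened. The following added example, which is not tang's code and not part of this thread, contrasts that create-then-chmod pattern with creation under a restrictive umask plus an explicit open(2) mode, and reports the mode each leaves the file in at the moment the key bytes land on disk. The file names, the placeholder JWK content and the 022 umask used to emulate a typical login default are assumptions for the demonstration; it needs a writable /tmp.

```c
/* Added example (not tang's code): the create-then-chmod window behind
 * CVE-2023-1672, next to the umask/open(2)-mode fix. POSIX only; uses
 * /tmp via mkdtemp(3). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEY_MODE 0440   /* final mode a key file should end up with */
/* Constructed stand-in for a JWK; the real key is irrelevant here. */
#define DEMO_KEY "{\"kty\":\"EC\",\"alg\":\"ES512\"}\n"

/* Vulnerable pattern: create with the process umask, write, then chmod.
 * Returns the permission bits other users can see between creation and
 * chmod (the race window), or -1 on error. */
static int write_key_unsafe(const char *path)
{
    struct stat st;
    int window;
    FILE *f = fopen(path, "w");      /* created as 0666 & ~umask, e.g. 0644 */
    if (!f)
        return -1;
    fputs(DEMO_KEY, f);
    fflush(f);                       /* key bytes are now on disk, readable */
    if (stat(path, &st) != 0) {
        fclose(f);
        return -1;
    }
    window = (int)(st.st_mode & 07777);
    fclose(f);
    if (chmod(path, KEY_MODE) != 0)  /* too late: a reader may have a copy */
        return -1;
    return window;
}

/* Hardened pattern: restrict the umask first (what the tang patch does) and
 * also hand the final mode to open(2) with O_EXCL, so the inode never exists
 * with wider permissions and a pre-existing file or symlink is refused.
 * The caller's umask is restored so the rest of the process is unaffected.
 * Returns the mode the file had at creation, or -1 on error. */
static int write_key_safe(const char *path)
{
    struct stat st;
    mode_t old = umask(0337);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, KEY_MODE);
    int err = errno;
    umask(old);
    if (fd < 0) {
        errno = err;
        return -1;
    }
    if (write(fd, DEMO_KEY, strlen(DEMO_KEY)) != (ssize_t)strlen(DEMO_KEY)
        || fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Run one writer in a fresh private directory and clean up afterwards;
 * returns the mode the writer reported (or -1). */
static int run_in_tmpdir(int (*writer)(const char *))
{
    char dir[] = "/tmp/tang-demo-XXXXXX";
    char path[sizeof dir + 16];
    int mode;
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/demo.jwk", dir);
    mode = writer(path);
    unlink(path);
    rmdir(dir);
    return mode;
}

/* Emulates a typical login umask of 022 (assumption) so the window shows. */
int demo_unsafe_window_mode(void)
{
    mode_t old = umask(022);
    int mode = run_in_tmpdir(write_key_unsafe);
    umask(old);
    return mode;                     /* 0644: world-readable during the window */
}

int demo_safe_mode(void)
{
    return run_in_tmpdir(write_key_safe);   /* 0440 from the first instant */
}

int main(void)
{
    printf("unsafe window mode: %04o\n", demo_unsafe_window_mode());
    printf("safe creation mode: %04o\n", demo_safe_mode());
    return 0;
}
```

Beyond the umask the patch sets, the hardened writer passes the final mode and O_EXCL to open(2) and restores the caller's umask afterwards, so the restriction neither depends on what the process inherited nor leaks into every later file the process creates.
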
Processed: bookworm-pu: package tang/11-2

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:tang
Bug #1040646 [release.debian.org] bookworm-pu: package tang/11-2
Added indication that 1040646 affects src:tang

-- 
1040646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040623: bookworm-pu: package bup/0.33.2-1+deb12u1

2023-07-08 Thread Adam D. Barratt
Hi,

On Sat, 2023-07-08 at 02:24 -0400, Robert Edmonds wrote:
> I'd like to update the version of bup in bookworm from 0.33-2 to
> 0.33.2-1+deb12u1, which incorporates two upstream bugfix releases for
> a bug deemed important enough by upstream to issue point releases.
> 

The version number for p-u needs to be lower than unstable. This looks
like a backport of 0.33.2-1 from unstable, so the convention would be
0.33.2-1~deb12u1.

Feel free to re-upload with the corrected version number; there's no
need to wait for the original upload to be rejected.

Regards,

Adam



Processed: bug 1040639 is forwarded to https://release.debian.org/transitions/html/auto-rocksdb.html

2023-07-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 1040639 
> https://release.debian.org/transitions/html/auto-rocksdb.html
Bug #1040639 [release.debian.org] transition: rocksdb
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/auto-rocksdb.html'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1040639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed (with 1 error): transition: rocksdb

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:rocksdb
Bug #1040639 [release.debian.org] transition: rocksdb
Added indication that 1040639 affects src:rocksdb
> forwarded -1
Unknown command or malformed arguments to command.


-- 
1040639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040639: transition: rocksdb

2023-07-08 Thread GCS
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: affects -1 + src:rocksdb
Control: forwarded -1
https://release.debian.org/transitions/html/auto-rocksdb.html

Hi RMs,

Small transition for RocksDB as only two reverse dependencies are in
the archives: balboa and sortmerna.
Both build fine with the rocksdb 8.3.2-1 version already in
experimental. The only thing you might wait for is that it's not yet
started to build on mips64el. I don't expect any failure as it was
built fine on other release architectures.

Regards,
Laszlo/GCS



Bug#1040623: bookworm-pu: package bup/0.33.2-1+deb12u1

2023-07-08 Thread Robert Edmonds
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: b...@packages.debian.org, r...@defaultvalue.org
Control: affects -1 + src:bup

Hi,

[ Reason ]
I'd like to update the version of bup in bookworm from 0.33-2 to
0.33.2-1+deb12u1, which incorporates two upstream bugfix releases for a
bug deemed important enough by upstream to issue point releases.

Quoting from the upstream release notes:

0.33.1:

* POSIX1e ACLs should be restored correctly now.  Previously there
  were two problems.

  First, bup incorrectly restored default (`ACL_TYPE_DEFAULT`) ACLs as
  access acls (`ACL_TYPE_ACCESS`).  When both existed, it restored the
  access ACL first and then the default ACL as an access ACL.  Now,
  bup should restore each with the proper type.  This issue only
  affects saves created on platforms where bup currently supports
  ACLs, so presumably mostly just saves created on Linux since the
  current ACL support depends on non-standard functions like
  `acl_extended(3)`.

  Second, bup stored ACLs in the `acl_to_any_text(3)` format with a
  newline delimiter, when the standard (and `acl_from_text(3)` which
  restore depends on) requires commas.  Now bup uses commas, and
  translates previously created saves during restore when possible.
  If a previously created ACL entry contains a comma, then bup will
  give up, report an error, and skip it.  If nothing else, this could
  cause restores of relevant saves to fail on some platforms.

0.33.2:

* The fix for the POSIX1e ACL issue addressed by 0.33.1 should no
  longer crash due to a missing path argument.

[ Impact ]
See above; without the fix, backed up files with both default and access
ACLs would be restored incorrectly.

[ Tests ]
bup has an extensive test suite that is run by upstream's CI on multiple
platforms, and by the Debian buildd's when a new Debian release is
uploaded. New tests specifically cover this bug. I tested the updated
package on a machine running bookworm.

[ Risks ]
The bug fix is fairly short, but may not make much sense unless you
understand POSIX.1e ACLs. There is a risk with any update to the bup
package that saves or restores might begin erroring out, etc.; this
occurred in the initial upstream fix (0.33.1) which was corrected by the
followup fix (0.33.2). However, bup tries very hard not to lose data,
and the risk of losing data due to this package update is likely to be
much lower than the risk of breaking new saves or restores.

The upstream 0.33.1 and 0.33.2 releases were specifically targeted at
this issue and there aren't any unrelated changes like there would be in
a typical bup release which would contain many changes.

There are no real alternatives here other than not updating the package.
If a user is affected by an incorrect restore due to this bug, they
would need to identify that the ACLs had been incorrectly restored, then
find out about the issue in the old version of bup that they are
running, install a fixed version of bup, and then re-do their restore.
If they don't do so, they might run a system with files with incorrect
ACLs, which could open a security hole.

[ Checklist ]
  [✔] *all* changes are documented in the d/changelog
  [✔] I reviewed all changes and I approve them
  [✔] attach debdiff against the package in (old)stable
  [✔] the issue is verified as fixed in unstable

[ Changes ]
The upstream releases 0.33.1 and 0.33.2 were imported to the Debian
package, containing the bug fix (0.33.1), the updated bug fix (0.33.2),
some related fixes to the test infrastructure, and the test case.

The upstream shortlog:

Rob Browning (17):
  conftest.py: switch to Path to support pytest 7+
  conftest.py: restore support for pytest < 7
  configure: handle relative MAKE paths
  test_get: remove vestigial debug messages
  configure: allow and prefer python3.11-config; ignore 3.6
  buptest init: get quote from shlex not pipes
  test-comparative-split-join: accommodate varying HEAD names
  cirrus: move to freebsd 12.4 to fix rsync-related test failures
  compare-trees: add --features and disallow args with it and -h
  Restore posix1e default acls as default, not access; improve tests
  Fix ACL metadata format; delimit short form entries with commas
  Update docs for 0.33.1 release
  Update base_version for 0.33.1 release
  Update base_version for 0.33.2 development
  correct_posix1e_v1_delimiters: provide path for error messages
  Update docs for 0.33.2 release
  Update base_version for 0.33.2 release

[ Other info ]
Debian bug reports related to this release:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038609

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039089
diff -Nru bup-0.33/.cirrus.yml bup-0.33.2/.cirrus.yml
--- bup-0.33/.cirrus.yml2022-10-16 17:18:38.0 -0400
+++ bup-0.33.2/.cirrus.yml  2023-07-01 16:08:43.0 -0400
@@ -48,7 +48,7 @@

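The 0.33.1 note above says bup stored ACL entries newline-delimited where acl_from_text(3) wants commas, and that restore now translates old saves unless an entry itself contains a comma. As an added example, which is not bup's code and not part of this report, the following C routine performs that translation on a constructed short-form ACL record. It assumes the caller already knows the record is in the old newline form (in bup that knowledge comes from the metadata, which is not shown here); the check_translation helper and the sample entries are constructed for the demonstration.

```c
/* Added example (not bup's code): translate pre-0.33.1 newline-delimited
 * short-form ACL text into the comma-delimited form acl_from_text(3) expects,
 * refusing when an entry itself contains a comma because the result would be
 * ambiguous, which is the give-up case the release note describes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert "user::rw-\ngroup::r--\n" into "user::rw-,group::r--".
 * Blank lines (such as a trailing newline) are skipped. Returns 0 on
 * success, -1 if an entry contains a comma or `out` is too small; on
 * failure `out` is left as an empty string. */
int acl_newline_to_comma(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;

        if (len == 0) {                     /* blank line */
            p = next;
            continue;
        }
        if (memchr(p, ',', len)) {          /* ambiguous entry: give up */
            out[0] = '\0';
            return -1;
        }
        if (o + len + (o ? 1 : 0) + 1 > outlen) {   /* +1 for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (o)
            out[o++] = ',';
        memcpy(out + o, p, len);
        o += len;
        out[o] = '\0';
        p = next;
    }
    return 0;
}

/* Demonstration helper: 1 if translating `in` yields `expected`, 0 if the
 * translation succeeded but differs, -1 if it was refused. */
int check_translation(const char *in, const char *expected)
{
    char buf[256];
    if (acl_newline_to_comma(in, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: an access ACL as the old format would have stored it. */
    const char *old = "user::rw-\ngroup::r--\nmask::r--\nother::---\n";
    char buf[256];
    if (acl_newline_to_comma(old, buf, sizeof buf) == 0)
        printf("translated: %s\n", buf);
    if (acl_newline_to_comma("user:a,b:rw-\n", buf, sizeof buf) != 0)
        printf("refused entry containing a comma\n");
    return 0;
}
```
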
Processed: bookworm-pu: package bup/0.33.2-1+deb12u1

2023-07-08 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:bup
Bug #1040623 [release.debian.org] bookworm-pu: package bup/0.33.2-1+deb12u1
Added indication that 1040623 affects src:bup

-- 
1040623: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040623
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems