Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
On Thu, 2023-12-21 at 21:48 +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> > Can you as well add a bug closer for #1057455?
>
> And a brief description of what the vulnerability actually is, please. You
> can go ahead with those changes. Thanks.

I added the missing information as follows, and will upload it shortly.

---
diff --git a/debian/changelog b/debian/changelog index 0c1065b..3f18ea1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,10 @@ fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium - * Cherry-pick upstream fix for CVE-2023-49284. + * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455) +fish shell uses certain Unicode non-characters internally for marking +wildcards and expansions. It will incorrectly allow these markers to be +read on command substitution output, rather than transforming them into +a safe internal representation. -- Mo Zhou Thu, 21 Dec 2023 14:47:56 -0500
diff --git a/debian/patches/CVE-2023-49284.patch b/debian/patches/CVE-2023-49284.patch index a6fb924..5830277 100644 --- a/debian/patches/CVE-2023-49284.patch +++ b/debian/patches/CVE-2023-49284.patch @@ -4,6 +4,16 @@ Description: fixes CVE-2023-49284 The corresponding fix can be found at https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 This patch is rebased from the upstream fix. + . + fish shell uses certain Unicode non-characters internally for marking + wildcards and expansions. It will incorrectly allow these markers to be read + on command substitution output, rather than transforming them into a safe + internal representation. + . + While this may cause unexpected behavior with direct input (for example, echo + \UFDD2HOME has the same output as echo $HOME), this may become a minor security + problem if the output is being fed from an external program into a command + substitution where this output may not be expected.
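Review bot: in the debian/changelog hunk, the four description lines added under the bullet (`+fish shell uses certain Unicode non-characters internally for marking` through `+a safe internal representation.`) show no indentation, while `+ * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455)` on the same hunk keeps its leading space. If the indentation was only lost when the diff was pasted into the mail, ignore this; otherwise dpkg-parsechangelog will complain about unrecognised lines in the entry, so indent the description four spaces under the bullet before uploading.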
Bug#1059345: bullseye-pu: package libdatetime-timezone-perl/1:2.47-1+2023d
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libdatetime-timezone-p...@packages.debian.org
Control: affects -1 + src:libdatetime-timezone-perl

I've uploaded libdatetime-timezone-perl/1:2.47-1+2023d to bullseye. It includes the new tzdata release as a quilt patch.

Manually stripped down debdiff attached.

Thanks in advance,
gregor

diff -Nru libdatetime-timezone-perl-2.47/debian/changelog libdatetime-timezone-perl-2.47/debian/changelog --- libdatetime-timezone-perl-2.47/debian/changelog 2023-03-29 20:21:49.0 +0200 +++ libdatetime-timezone-perl-2.47/debian/changelog 2023-12-23 01:50:44.0 +0100
@@ -1,3 +1,10 @@ +libdatetime-timezone-perl (1:2.47-1+2023d) bullseye; urgency=medium + + * Update data to Olson database version 2023d. +This update contains contemporary changes for Antarctica and Greenland. + + -- gregor herrmann Sat, 23 Dec 2023 01:50:44 +0100 + libdatetime-timezone-perl (1:2.47-1+2023c) bullseye; urgency=medium * Update data to Olson database version 2023c. diff -Nru libdatetime-timezone-perl-2.47/debian/patches/olson-2023d libdatetime-timezone-perl-2.47/debian/patches/olson-2023d --- libdatetime-timezone-perl-2.47/debian/patches/olson-2023d 1970-01-01 01:00:00.0 +0100 +++ libdatetime-timezone-perl-2.47/debian/patches/olson-2023d 2023-12-23 01:50:44.0 +0100 
@@ -0,0 +1,7146 @@ +Description: Update to Olson DB 2023d +Origin: vendor +Author: gregor herrmann +Reviewed-by: gregor herrmann +Last-Update: 2023-12-23 + +--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/africa. Olson data version 2023c ++# Generated from debian/tzdata/africa. Olson data version 2023d + # + # Do not edit this file directly. + # +@@ -43,7 +43,7 @@ + ], + ]; + +-sub olson_version {'2023c'} ++sub olson_version {'2023d'} + + sub has_dst_changes {0} + +--- /dev/null b/lib/DateTime/TimeZone/Antarctica/Vostok.pm +@@ -0,0 +1,86 @@ ++# This file is auto-generated by the Perl DateTime Suite time zone ++# code generator (0.08) This code generator comes with the ++# DateTime::TimeZone module distribution in the tools/ directory ++ ++# ++# Generated from debian/tzdata/antarctica. Olson data version 2023d ++# ++# Do not edit this file directly. 
++# ++package DateTime::TimeZone::Antarctica::Vostok; ++ ++use strict; ++use warnings; ++use namespace::autoclean; ++ ++our $VERSION = '2.47'; ++ ++use Class::Singleton 1.03; ++use DateTime::TimeZone; ++use DateTime::TimeZone::OlsonDB; ++ ++@DateTime::TimeZone::Antarctica::Vostok::ISA = ( 'Class::Singleton', 'DateTime::TimeZone' ); ++ ++my $spans = ++[ ++[ ++DateTime::TimeZone::NEG_INFINITY, #utc_start ++61755609600, # utc_end 1957-12-16 00:00:00 (Mon) ++DateTime::TimeZone::NEG_INFINITY, # local_start ++61755609600, #local_end 1957-12-16 00:00:00 (Mon) ++0, ++0, ++'-00', ++], ++[ ++61755609600, #utc_start 1957-12-16 00:00:00 (Mon) ++62895718800, # utc_end 1994-01-31 17:00:00 (Mon) ++61755634800, # local_start 1957-12-16 07:00:00 (Mon) ++62895744000, #local_end 1994-02-01 00:00:00 (Tue) ++25200, ++0, ++'+07', ++], ++[ ++62895718800, #utc_start 1994-01-31 17:00:00 (Mon) ++62919331200, # utc_end 1994-11-01 00:00:00 (Tue) ++62895718800, # local_start 1994-01-31 17:00:00 (Mon) ++62919331200, #local_end 1994-11-01 00:00:00 (Tue) ++0, ++0, ++'-00', ++], ++[ ++62919331200, #utc_start 1994-11-01 00:00:00 (Tue) ++63838522800, # utc_end 2023-12-17 19:00:00 (Sun) ++62919356400, # local_start 1994-11-01 07:00:00 (Tue) ++63838548000, #local_end 2023-12-18 02:00:00 (Mon) ++25200, ++0, ++'+07', ++], ++[ ++63838522800, #utc_start 2023-12-17 19:00:00 (Sun) ++DateTime::TimeZone::INFINITY, #
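Review bot: in the olson-2023d patch header, `Reviewed-by: gregor herrmann` names the same person as `Author: gregor herrmann`; DEP-3 intends Reviewed-by for someone other than the author, so either drop the field or name the actual reviewer (the bookworm variant of this patch, further down in this digest, omits it). The visible hunks otherwise match the description: Abidjan.pm bumps `olson_version` from '2023c' to '2023d', and Antarctica/Vostok.pm is a newly generated zone file (`--- /dev/null`), which is what the changelog's "contemporary changes for Antarctica" refers to.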
Processed: bullseye-pu: package libdatetime-timezone-perl/1:2.47-1+2023d
Processing control commands:

> affects -1 + src:libdatetime-timezone-perl
Bug #1059345 [release.debian.org] bullseye-pu: package libdatetime-timezone-perl/1:2.47-1+2023d
Added indication that 1059345 affects src:libdatetime-timezone-perl

--
1059345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059345
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: bookworm-pu: package libdatetime-timezone-perl/1:2.60-1+2023d
Processing control commands:

> affects -1 + src:libdatetime-timezone-perl
Bug #1059344 [release.debian.org] bookworm-pu: package libdatetime-timezone-perl/1:2.60-1+2023d
Added indication that 1059344 affects src:libdatetime-timezone-perl

--
1059344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059344
Bug#1059344: bookworm-pu: package libdatetime-timezone-perl/1:2.60-1+2023d
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libdatetime-timezone-p...@packages.debian.org
Control: affects -1 + src:libdatetime-timezone-perl

I've uploaded libdatetime-timezone-perl/1:2.60-1+2023d to bookworm. As usual, it contains the tzdata data 2023d as a quilt patch.

Manually stripped down debdiff attached.

Cheers,
gregor

diff -Nru libdatetime-timezone-perl-2.60/debian/changelog libdatetime-timezone-perl-2.60/debian/changelog --- libdatetime-timezone-perl-2.60/debian/changelog 2023-03-29 19:46:25.0 +0200 +++ libdatetime-timezone-perl-2.60/debian/changelog 2023-12-23 01:27:56.0 +0100
@@ -1,3 +1,10 @@ +libdatetime-timezone-perl (1:2.60-1+2023d) bookworm; urgency=medium + + * Update data to Olson database version 2023d. +This update contains contemporary changes for Antarctica and Greenland. + + -- gregor herrmann Sat, 23 Dec 2023 01:27:56 +0100 + libdatetime-timezone-perl (1:2.60-1+2023c) unstable; urgency=medium * Import upstream version 2.60. diff -Nru libdatetime-timezone-perl-2.60/debian/patches/olson-2023d libdatetime-timezone-perl-2.60/debian/patches/olson-2023d --- libdatetime-timezone-perl-2.60/debian/patches/olson-2023d 1970-01-01 01:00:00.0 +0100 +++ libdatetime-timezone-perl-2.60/debian/patches/olson-2023d 2023-12-23 01:27:56.0 +0100 
@@ -0,0 +1,7155 @@ +Description: Update to Olson DB 2023d +Origin: vendor +Author: gregor herrmann +Last-Update: 2023-12-23 + +--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from /tmp/DzE_ngvtVe/africa. Olson data version 2023c ++# Generated from debian/tzdata/africa. Olson data version 2023d + # + # Do not edit this file directly. + # +@@ -43,7 +43,7 @@ + ], + ]; + +-sub olson_version {'2023c'} ++sub olson_version {'2023d'} + + sub has_dst_changes {0} + +--- /dev/null b/lib/DateTime/TimeZone/Antarctica/Vostok.pm +@@ -0,0 +1,86 @@ ++# This file is auto-generated by the Perl DateTime Suite time zone ++# code generator (0.08) This code generator comes with the ++# DateTime::TimeZone module distribution in the tools/ directory ++ ++# ++# Generated from debian/tzdata/antarctica. Olson data version 2023d ++# ++# Do not edit this file directly. ++# ++package DateTime::TimeZone::Antarctica::Vostok; ++ ++use strict; ++use warnings; ++use namespace::autoclean; ++ ++our $VERSION = '2.60'; ++ ++use Class::Singleton 1.03; ++use DateTime::TimeZone; ++use DateTime::TimeZone::OlsonDB; ++ ++@DateTime::TimeZone::Antarctica::Vostok::ISA = ( 'Class::Singleton', 'DateTime::TimeZone' ); ++ ++my $spans = ++[ ++[ ++DateTime::TimeZone::NEG_INFINITY, #utc_start ++61755609600, # utc_end 1957-12-16 00:00:00 (Mon) ++DateTime::TimeZone::NEG_INFINITY, # local_start ++61755609600, #local_end 1957-12-16 00:00:00 (Mon) ++0, ++0, ++'-00', ++], ++[ ++61755609600, #utc_start 1957-12-16 00:00:00 (Mon) ++62895718800, # utc_end 1994-01-31 17:00:00 (Mon) ++61755634800, # local_start 1957-12-16 07:00:00 (Mon) ++62895744000, #local_end 1994-02-01 00:00:00 (Tue) ++25200, ++0, ++'+07', ++], ++[ ++62895718800, #utc_start 1994-01-31 17:00:00 (Mon) ++62919331200, # utc_end 1994-11-01 00:00:00 (Tue) ++62895718800, # local_start 1994-01-31 17:00:00 (Mon) ++62919331200, 
#local_end 1994-11-01 00:00:00 (Tue) ++0, ++0, ++'-00', ++], ++[ ++62919331200, #utc_start 1994-11-01 00:00:00 (Tue) ++63838522800, # utc_end 2023-12-17 19:00:00 (Sun) ++62919356400, # local_start 1994-11-01 07:00:00 (Tue) ++63838548000, #local_end 2023-12-18 02:00:00 (Mon) ++25200, ++0, ++'+07', ++], ++[ ++63838522800, #utc_start 2023-12-17 19:00:00 (Sun) ++DateTime::TimeZone::INFINITY, # utc_end ++63838540800, # local_start
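Review bot: the per-file headers inside the olson-2023d patch read `+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm` and `+--- /dev/null b/lib/DateTime/TimeZone/Antarctica/Vostok.pm` with no `+++` line between the old and new names; GNU patch and quilt need a separate `+++` header per file to apply a unified diff, so if this is how the patch really looks rather than an artifact of stripping the debdiff down for the mail, it will not apply at build time. The Abidjan.pm comment also changes from `Generated from /tmp/DzE_ngvtVe/africa` to `Generated from debian/tzdata/africa`, which is a harmless generator-path change rather than a data change and is fine to keep.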
Processed: Re: Bug#1042299: libfirefox-marionette-perl: FTBFS: tests fail
Processing control commands:

> block -1 with 1059343
Bug #1042299 {Done: gregor herrmann } [src:libfirefox-marionette-perl] libfirefox-marionette-perl: FTBFS: tests fail
1042299 was not blocked by any bugs.
1042299 was not blocking any bugs.
Added blocking bug(s) of 1042299: 1059343

--
1042299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042299
Processed: bookworm-pu: package libfirefox-marionette-perl/1.35-1+deb12u1
Processing control commands:

> affects -1 + src:libfirefox-marionette-perl
Bug #1059343 [release.debian.org] bookworm-pu: package libfirefox-marionette-perl/1.35-1+deb12u1
Added indication that 1059343 affects src:libfirefox-marionette-perl

--
1059343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059343
Bug#1059343: bookworm-pu: package libfirefox-marionette-perl/1.35-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libfirefox-marionette-p...@packages.debian.org
Control: affects -1 + src:libfirefox-marionette-perl

I've uploaded libfirefox-marionette-perl/1.35-1+deb12u1 to bookworm.

Compared to 1.35-1 it contains one small patch, taken from an upstream commit which is in the 1.36 release, which adjusts the Firefox Capabilities handling to Firefox 112+. This upload fixes the FTBFS bug #1042299.

Upstream bug report: https://github.com/david-dick/firefox-marionette/issues/21
Related firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1819029
Upstream commit (= patch): https://github.com/david-dick/firefox-marionette/commit/1e8785004852e561c8b7a98701bc82fb7a537ffd

Full debdiff attached.

Thanks in advance,
gregor

diff -Nru libfirefox-marionette-perl-1.35/debian/changelog libfirefox-marionette-perl-1.35/debian/changelog --- libfirefox-marionette-perl-1.35/debian/changelog2023-01-30
20:40:55.0 +0100 +++ libfirefox-marionette-perl-1.35/debian/changelog2023-12-22 23:49:39.0 +0100 @@ -1,3 +1,12 @@ +libfirefox-marionette-perl (1.35-1+deb12u1) bookworm; urgency=medium + + * Add patch 0001-Fixes-to-capabilities-for-Firefox-112.-Looks- +related.patch: "Fixes to capabilities for Firefox 112." +(This is upstream commit 1e87850, included in the 1.36 release.) +Closes: #1042299 + + -- gregor herrmann Fri, 22 Dec 2023 23:49:39 +0100 + libfirefox-marionette-perl (1.35-1) unstable; urgency=medium * Import upstream version 1.35. diff -Nru libfirefox-marionette-perl-1.35/debian/patches/0001-Fixes-to-capabilities-for-Firefox-112.-Looks-related.patch libfirefox-marionette-perl-1.35/debian/patches/0001-Fixes-to-capabilities-for-Firefox-112.-Looks-related.patch --- libfirefox-marionette-perl-1.35/debian/patches/0001-Fixes-to-capabilities-for-Firefox-112.-Looks-related.patch 1970-01-01 01:00:00.0 +0100 +++ libfirefox-marionette-perl-1.35/debian/patches/0001-Fixes-to-capabilities-for-Firefox-112.-Looks-related.patch 2023-12-22 23:49:39.0 +0100 
@@ -0,0 +1,39 @@ +From 1e8785004852e561c8b7a98701bc82fb7a537ffd Mon Sep 17 00:00:00 2001 +From: David Dick +Date: Sat, 29 Apr 2023 13:37:28 +1000 +Subject: [PATCH] Fixes to capabilities for Firefox 112. Looks related to + https://bugzilla.mozilla.org/show_bug.cgi?id=1819029. Thanks to toreau for + the bug report in GH#21 + +Bugs-Debian: https://bugs.debian.org/1042299 + +--- + lib/Firefox/Marionette.pm | 12 ++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/Firefox/Marionette.pm b/lib/Firefox/Marionette.pm +index 2d10d85..6b8440b 100644 +--- a/lib/Firefox/Marionette.pm b/lib/Firefox/Marionette.pm +@@ -7670,8 +7670,16 @@ sub capabilities { + ); + my $response = $self->_get_response($message_id); + if ( $self->marionette_protocol() == _MARIONETTE_PROTOCOL_VERSION_3() ) { +-return $self->_create_capabilities( +-$response->result()->{capabilities} ); ++if ( ( $response->result()->{value} ) ++&& ( $response->result()->{value}->{capabilities} ) ) ++{ ++return $self->_create_capabilities( ++$response->result()->{value}->{capabilities} ); ++} ++else { ++return $self->_create_capabilities( ++$response->result()->{capabilities} ); ++} + } + else { + return $self->_create_capabilities( $response->result()->{value} ); +-- +2.43.0 + diff -Nru libfirefox-marionette-perl-1.35/debian/patches/series libfirefox-marionette-perl-1.35/debian/patches/series --- libfirefox-marionette-perl-1.35/debian/patches/series 2023-01-30 20:40:55.0 +0100 +++ libfirefox-marionette-perl-1.35/debian/patches/series 2023-12-22 23:49:39.0 +0100 @@ -1 +1,2 @@ no-network.patch
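Review bot: in the `sub capabilities` hunk, the two new branches differ only in which hash they hand to `_create_capabilities`, so selecting the hash first and returning once would read better and keep a single exit for the protocol-3 case, e.g. `my $caps = ( $result->{value} && $result->{value}->{capabilities} ) || $result->{capabilities};` followed by `return $self->_create_capabilities($caps);` (keeping the existence test on `{value}` so a missing key is not autovivified by the nested dereference). A one-line comment above the `if` saying why two response shapes are accepted (Firefox 112+ nests the capabilities under `value`, per the Bugzilla link in the commit message) would also help the next reader, since nothing in the code itself explains the fallback.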
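Review bot: the debian/patches/series hunk (`@@ -1 +1,2 @@`) shows only the existing `no-network.patch` context line; the added line the header count promises, which should be `+0001-Fixes-to-capabilities-for-Firefox-112.-Looks-related.patch`, is not visible here. If it was merely dropped while trimming the debdiff for the mail, nothing to do; otherwise the new patch file is shipped but never applied at build time and the FTBFS would persist.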
NEW changes in oldstable-new
Processing changes file: bluez_5.55-3.1+deb11u1_sourceonly.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_all-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_amd64-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_arm64-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_armel-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_armhf-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_i386-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_mips64el-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_mipsel-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_ppc64el-buildd.changes ACCEPT
Processing changes file: bluez_5.55-3.1+deb11u1_s390x-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_source.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_all-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_amd64-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_arm64-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_armel-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_armhf-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_i386-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_mips64el-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_mipsel-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_ppc64el-buildd.changes ACCEPT
Processing changes file: openssh_8.4p1-5+deb11u3_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: bluez_5.66-1+deb12u1_sourceonly.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_all-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_armel-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_i386-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_mips64el-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_mipsel-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: bluez_5.66-1+deb12u1_s390x-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_source.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_all-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_i386-buildd.changes ACCEPT
Processing changes file: chromium_120.0.6099.129-1~deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_source.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_amd64-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_arm64-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_armel-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_armhf-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_i386-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_mips64el-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_mipsel-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_ppc64el-buildd.changes ACCEPT
Processing changes file: gst-plugins-bad1.0_1.22.0-4+deb12u4_s390x-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_source.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_all-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_amd64-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_arm64-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_armel-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_armhf-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_i386-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_mips64el-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_mipsel-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_ppc64el-buildd.changes ACCEPT
Processing changes file: openssh_9.2p1-2+deb12u2_s390x-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_source.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_all-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_i386-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_mips64el-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: thunderbird_115.6.0-1~deb12u1_s390x-buildd.changes ACCEPT
Re: /usr-move: Do we support upgrades without apt?
Hi Matthew,

On Thu, Dec 21, 2023 at 02:42:56PM +, Matthew Vernon wrote:
> On 21/12/2023 09:41, Helmut Grohne wrote:
>
> > Is it ok to call upgrade scenarios failures that cannot be reproduced
> > using apt unsupported until we no longer deal with aliasing?

Let me thank David for clarifying what "using apt" means in exactly the way I intended it. As a result, I think the only "no" reply I've seen thus far is from Matthew here.

> I incline towards "no"; if an upgrade has failed part-way (as does happen),
> people may then reasonably use dpkg directly to try and un-wedge the upgrade
> (e.g. to try and configure some part-installed packages, or try installing
> some already-downloaded packages).

I incline to agreeing with the scenario you depict. This can reasonably happen. I also think that David made a good case for it being unlikely to manage oneself into the buggy situation that way. And then the consequence is that you lost some possibly important files.

If you ended up fiddling with dpkg in a failed upgrade, would it be too much to ask for running dpkg --verify? In the event you see missing files, you may reinstall affected packages and thus have cured the symptoms for your installation.

Say we extended release-notes saying that you should dpkg --verify after the upgrade and more so if you happened to use dpkg directly in the process and review the output. Would that address your concern?

> It may be that the mitigations necessary are worse than the risk, but I
> think the behaviour as described in #1058937 is definitely buggy.

I hope we all agree this is buggy. That's not the question. The question at hand is whether this is a bug worth fixing or mitigating. We face a lot of bugs in Debian and assign different severities. Here, the preliminary analysis assigned a rc-severity which generally means it is worth fixing. That's the thing I'm questioning here.

Also keep in mind that probably the majority of bullseye -> bookworm upgrades have been performed already. In all those upgrades, nobody ran into the issue and reported it. As David pointed out, it was encountered by actively trying to make it break. It's the silent kind of failure, so it may just have happened without people noticing. Maybe we can all run dpkg --verify on our installations (in particular those upgraded to bookworm or later) and report if they show anything suspicious. Then we can better quantify how likely these issues happen in practice.

I note that dpkg --verify does not currently work with --path-exclude. I'm not sure whether that's a bug. Being a user of --path-exclude, I note that I ran dpkg --verify on 5 very different systems and didn't spot unusual things. This is anecdotal evidence and cannot prove the absence of problems though. I'd be very keen to see at least one user reporting such problems in a real upgrade rather than me trying to find problems.

Helmut
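As an added example (editor's code, not part of Helmut's mail and not part of dpkg), here is a small shell helper for the check suggested above: it triages `dpkg --verify` output, separating files that are missing (the silent symptom discussed for #1058937) from files whose content changed, and from conffiles that are expected to differ. The report it reads below is constructed, not captured from a real system; on a real system the same functions read `dpkg --verify` output from a pipe. The line format assumed is dpkg's rpm-style verify format (nine attribute characters or the word "missing", an optional "c" for conffiles, then the path); paths containing spaces are not handled, as dpkg prints them unquoted.

```sh
# Triage helpers for `dpkg --verify` output (added example, not dpkg code).
# Each function reads the report from the files given as arguments, or
# from stdin when called without arguments.

# Paths of files that dpkg expected to find but which are gone. These are
# the ones whose packages need reinstalling after a broken upgrade.
missing_paths() {
    awk '$1 == "missing" { print $NF }' "$@"
}

# Paths whose MD5 digest no longer matches the package (third attribute
# character is "5") and which are not conffiles, i.e. changes an admin did
# not make through a config file and should look at.
modified_non_conffiles() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" && $2 != "c" { print $NF }' "$@"
}

# One-line summary of a report: missing files, modified regular files,
# and modified conffiles (the last group is usually expected).
verify_summary() {
    awk '
        $1 == "missing"                      { missing++; next }
        substr($1, 3, 1) == "5" && $2 == "c" { conf++;    next }
        substr($1, 3, 1) == "5"              { mod++ }
        END { printf "missing=%d modified=%d modified-conffiles=%d\n", missing, mod, conf }
    ' "$@"
}

# For every missing file, print the command that names its owning package;
# feeding those package names to "apt-get install --reinstall" restores
# the files. The commands are printed, not run, so this works offline.
reinstall_hints() {
    missing_paths "$@" | while IFS= read -r path; do
        printf 'dpkg -S %s\n' "$path"
    done
}

# Constructed sample report (illustrative paths, not real dpkg output):
# one modified conffile, two missing files, one modified regular file.
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
??5?????? c /etc/default/grub
missing     /usr/lib/x86_64-linux-gnu/libexample.so.1
??5??????   /usr/bin/example-tool
missing     /usr/share/doc/example/copyright
EOF

verify_summary "$SAMPLE_REPORT"
reinstall_hints "$SAMPLE_REPORT"
# On a real system:  dpkg --verify 2>/dev/null | verify_summary
```

The split into three groups is the point: a conffile with a changed digest is normal after any local configuration, a changed regular file or a missing file is not, and only the missing ones are what the upgrade path discussed in this thread would produce.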
Bug#1058928: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2
Control: tag -1 - moreinfo

Hi,

On Thu, 21 Dec 2023 at 21:59:40 +, Jonathan Wiltshire wrote:
> On Mon, Dec 18, 2023 at 02:10:20PM +0100, Guilhem Moulin wrote:
>> [ Reason ]
>>
>> 1. cryptsetup-suspend 2:2.6.1-4~deb12u1 was found incompatible with
>> systemd 254.1-3 and later, in particular with systemd/bookworm-backports.
>>
>> 2. cryptsetup-initramfs 2:2.6.1-4~deb12u2 does not support kernel
>> shipping compressed modules under MODULES=dep, as is done by default
>> with linux 6.6 (currently in Debian experimental).
>
> Aren't these problems better sorted out in the relevant suites, e.g. with
> Breaks? It seems an unnecessary change in stable when stable isn't actually
> broken.

It's correct that stable isn't broken at the moment, but some users also build their own kernels, and we can't warn about the incompatibility there; they just won't be able to boot when these 3 conditions are satisfied:

1. Linux is configured with CONFIG_MODULE_COMPRESS_* (Debian currently does that in experimental only but the setting is also available in <6.0);
2. initramfs.conf(5) sets MODULES=dep; and
3. There is a device to be unlocked at initramfs stage (for instance the root FS).

Moreover the issue stands in the way of kernel maintainers enabling CONFIG_MODULE_COMPRESS_* in stable should that be needed or desired in some point release. (Compressed modules are already supported in Bookworm's initramfs-tools, but currently not in cryptsetup-initramfs.)

The other issue I see with ‘Breaks: cryptsetup-initramfs (<< 2:2.6.1-6~)’ without having a recent enough cryptsetup-initramfs available is that apt will happily suggest to remove cryptsetup-initramfs. That too would yield an unbootable system whenever there is any device to be unlocked at initramfs stage.

Note that the proposed change is a no-op with Bookworm's current kernel and systemd. It just adds forward compatibility in the same way initramfs-tools did.

--
Guilhem.
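As an added example (editor's code, not from the bug report and not part of cryptsetup or initramfs-tools), the three conditions Guilhem lists can be turned into a pre-upgrade check that an admin building their own kernel can run before rebooting. The file paths are passed as arguments so the check can be exercised against constructed samples; on a real system they would be /boot/config-$(uname -r), /etc/initramfs-tools/initramfs.conf and /etc/crypttab. The kernel option names matched (CONFIG_MODULE_COMPRESS=y on older kernels, CONFIG_MODULE_COMPRESS_GZIP/XZ/ZSTD=y on newer ones) and the simplification that any crypttab entry counts as "a device to be unlocked at initramfs stage" are this example's assumptions, not statements from the thread.

```sh
# Pre-upgrade check for the "compressed modules + MODULES=dep + crypttab"
# combination described above (added example, not project code).

# 1. Kernel built with compressed modules. Assumed option names: the
#    pre-5.13 CONFIG_MODULE_COMPRESS=y and the later per-algorithm
#    choices. CONFIG_MODULE_COMPRESS_NONE=y means "no compression" and
#    is deliberately not matched.
kernel_compresses_modules() {
    grep -Eq '^CONFIG_MODULE_COMPRESS(=y|_(GZIP|XZ|ZSTD)=y)$' "$1"
}

# 2. initramfs.conf selects MODULES=dep. Comments are stripped first and
#    the last assignment wins, as it does when the file is sourced.
#    Assumes the unquoted form used by the stock file (MODULES=most).
initramfs_uses_modules_dep() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*MODULES=' \
      | tail -n 1 \
      | grep -Eq '^[[:space:]]*MODULES=dep[[:space:]]*$'
}

# 3. crypttab lists at least one device (any non-blank, non-comment line).
#    Simplification: whether that device is really needed at initramfs
#    stage (root, resume, or the "initramfs" option) is not evaluated.
crypttab_has_devices() {
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Returns 0 ("affected") only when all three conditions hold.
unbootable_risk() {
    kernel_compresses_modules "$1" \
      && initramfs_uses_modules_dep "$2" \
      && crypttab_has_devices "$3"
}

# Constructed sample: a self-built kernel with xz-compressed modules,
# MODULES=dep, and an encrypted root in crypttab (placeholder UUID).
SAMPLE_DIR="$(mktemp -d)"
printf 'CONFIG_MODULES=y\nCONFIG_MODULE_COMPRESS_XZ=y\n' > "$SAMPLE_DIR/config"
printf '# initramfs.conf\nMODULES=dep\n' > "$SAMPLE_DIR/initramfs.conf"
printf '# <target> <source> <key> <options>\ncryptroot UUID=00000000-0000-0000-0000-000000000000 none luks\n' \
    > "$SAMPLE_DIR/crypttab"

if unbootable_risk "$SAMPLE_DIR/config" "$SAMPLE_DIR/initramfs.conf" "$SAMPLE_DIR/crypttab"; then
    echo "affected: compressed modules + MODULES=dep + crypttab entry"
else
    echo "not affected"
fi
```

Any single condition failing clears the risk, which is exactly why the bug is invisible on stock Bookworm: its kernel does not compress modules, so condition 1 never holds there regardless of the other two.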
Processed: Re: Bug#1058928: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2
Processing control commands:

> tag -1 - moreinfo
Bug #1058928 [release.debian.org] bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2
Removed tag(s) moreinfo.

--
1058928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058928
Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17
On Thu, Dec 21, 2023 at 08:59:31PM +, Jonathan Wiltshire wrote:
> > I've updated this update request for adding 3 more lines to
> > security-support-ended.deb11 (and updating d/changelog)
> Please go ahead.

thanks, uploaded.

--
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

First they ignore you, then they laugh at you, and then it's too late. Don't look up!
Bug#1059330: transition: shapelib
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: shape...@packages.debian.org
Control: affects -1 + src:shapelib
Control: forwarded -1 https://release.debian.org/transitions/html/auto-shapelib.html

Shapelib 1.6.0 bumps the SONAME requiring a transition.

All rdeps built successfully with the new version as summarized below.

Transition: shapelib

 libshp2 (1.5.0-3+b1) -> libshp4 (1.6.0~rc1-1~exp1)

The status of the most recent rebuilds is as follows.

 cyrus-imapd           (3.8.1-1)             OK
 glgrib                (1.0-3)               OK
 gpsbabel              (1.9.0+ds-2)          OK
 gpsmanshp             (1.2.3-6)             OK
 grads                 (3:2.2.1-5)           OK
 libgeo-shapelib-perl  (0.22-6)              OK
 libterralib           (4.3.0+dfsg.2-12.1)   OK
 marble                (4:22.12.3-2)         OK
 plplot                (5.15.0+dfsg2-6)      OK
 therion               (6.1.8-2)             OK
 tilemaker             (2.4.0-1)             OK
 gnudatalanguage       (1.0.3-1)             OK
 scamp                 (2.10.0-2)            OK
 xastir                (2.2.0-1)             OK

Kind Regards,

Bas
Processed: transition: shapelib
Processing control commands:

> affects -1 + src:shapelib
Bug #1059330 [release.debian.org] transition: shapelib
Added indication that 1059330 affects src:shapelib
> forwarded -1 https://release.debian.org/transitions/html/auto-shapelib.html
Bug #1059330 [release.debian.org] transition: shapelib
Set Bug forwarded-to-address to 'https://release.debian.org/transitions/html/auto-shapelib.html'.

--
1059330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059330
Re: Security releases for ecosystems that use static linking
On 22/12/23 at 14:21, Moritz Muehlenhoff wrote:
> On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote:
> > On 22/12/23 at 09:54, Moritz Muehlenhoff wrote:
> > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> > > > So let me ask you: are you interested in addressing the infrastructure
> > > > limitations to handle those kind of packages? and having some help for
> > > > that?
> > >
> > > Foremost this is an infrastructure limitation that needs to be resolved:
> > > security-master and ftp-master use separate dak installations, which makes
> > > binNMUs in the current form untenable since every package would need a
> > > sourceful upload first (the same reason why currently the first upload
> > > of a package to foo-security needs a sourceful upload).
> > >
> > > One solution which has been discussed in the past is to import a full copy
> > > of stable towards stable-security at the beginning of each release cycle,
> > > but that is currently not possible since security-master is a Ganeti VM
> > > and the disk requirements for a full archive copy would rather require
> > > a baremetal host.
> >
> > If a baremetal host would be the first requirement, may I volunteer to
> > try to find one? If yes, do you have any idea of the required space and
> > HDD setup?
>
> These hosts are managed by the DSA team, this all needs to be discussed/sorted
> out with them.

Absolutely, so adding them to the loop.

Dear DSA team, for the full context, you can find the initial mail here:
https://lists.debian.org/debian-lts/2023/12/msg00034.html

Cheers,

--
Santiago
Re: Security releases for ecosystems that use static linking
On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote: > On 22/12/23 at 09:54, Moritz Muehlenhoff wrote: > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > > So let me ask you: are you interested in addressing the infrastructure > > > limitations to handle those kind of packages? and having some help for > > > that? > > > > Foremost this is an infrastructure limitation that needs to be resolved: > > security-master and ftp-master use separate dak installations, which makes > > binNMUs in the current form untenable since every package would need a > > sourceful upload first (the same reason why currently the first upload > > of a package to foo-security needs a sourceful upload). > > > > One solution which has been discussed in the past is to import a full copy > > of stable towards stable-security at the beginning of each release cycle, > > but that is currently not possible since security-master is a Ganeti VM > > and the disk requirements for a full archive copy would rather require > > a baremetal host. > > If a baremetal host would be the first requirement, may I volunteer to > try to find one? If yes, do you have any idea of the required space and > HDD setup? These hosts are managed by the DSA team, this all needs to be discussed/sorted out with them. Cheers, Moritz
Re: Security releases for ecosystems that use static linking
On 22/12/23 at 09:54, Moritz Muehlenhoff wrote: > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > So let me ask you: are you interested in addressing the infrastructure > > limitations to handle those kind of packages? and having some help for > > that? > > Foremost this is an infrastructure limitation that needs to be resolved: > security-master and ftp-master use separate dak installations, which makes > binNMUs in the current form untenable since every package would need a > sourceful upload first (the same reason why currently the first upload > of a package to foo-security needs a sourceful upload). > > One solution which has been discussed in the past is to import a full copy > of stable towards stable-security at the beginning of each release cycle, > but that is currently not possible since security-master is a Ganeti VM > and the disk requirements for a full archive copy would rather require > a baremetal host. If a baremetal host would be the first requirement, may I volunteer to try to find one? If yes, do you have any idea of the required space and HDD setup? Cheers, -- Santiago signature.asc Description: PGP signature
Bug#1053998: marked as done (bookworm-pu: package curl/7.88.1-10+deb12u5)
Your message dated Fri, 22 Dec 2023 09:49:22 -0300 with message-id and subject line curl bookworm-pu and bullseye-pu has caused the Debian Bug report #1053998, regarding bookworm-pu: package curl/7.88.1-10+deb12u5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1053998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053998 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Control: affects -1 + src:curl X-Debbugs-Cc: c...@packages.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: bookworm X-Debbugs-Cc: samuel...@debian.org Severity: normal [ Reason ] This change provides DEB_VERSION on "--version" output. It's common for curl users to provide the output of "curl --version" when reporting issues, and there have been cases where having the version of the package in that output would have saved time (e.g.: if we don't know which distro the person is using and/or whether the package is up-to-date). Recently, on a Twitter thread, someone was assuming that a server was not patched for "CVE-2023-38545" because they only saw the upstream version. With this change, the "Release-Date" line of the output will change from e.g.: Release-Date: 2020-12-09 to: Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4 [ Impact ] // Explained in the "Reason" section. [ Tests ] Curl has an extensive test suite and no failures were detected. 
[ Risks ] The only affected code is a single "printf" statement, which is changed to include the version: https://github.com/curl/curl/blob/curl-7_88_1/src/tool_help.c#L171-L176 There's a risk that scripts parsing the "Release-Date:" line from "--version" might fail to parse the date if the regex is badly written. I think it's very unlikely that there are scripts parsing that line of the output. Assuming there is one, and that it's using a bad regex, the risk is that it will match more than just the release date. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting "CURL_PATCHSTAMP" to the value of "DEB_VERSION". Effectively, this only changes the output of "curl --version" (on the "Release-Date" line). [ Other info ] I'm opening -pu bugs against bullseye, bookworm, and I'll check with the LTS team if they accept this change for buster. -- Samuel Henrique curl_7.88.1-10+deb12u5.debdiff Description: Binary data --- End Message --- --- Begin Message --- This change is included in the next security update of curl which is currently staged for publishing. Regards, -- Samuel Henrique --- End Message ---
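As an added example, not part of the bug report above and not code from the curl package: a small Python parser for the text printed by `curl --version` that accepts both the plain upstream `Release-Date:` line and the Debian form with the `security patched:` suffix described in the report, so an inventory or fleet-audit script does not break on the new format and can read the Debian package version from it. The sample outputs and the helper names (`parse_curl_version`, `stable_update`, `meets_stable_update`) are constructed for this example; the date is anchored in the regex so the suffix can never leak into the date field, which is the regex mistake the "Risks" section worries about.

```python
import re
from typing import Optional, Tuple

# Constructed sample outputs (not captured from a real host): the first is the
# unpatched upstream layout, the second the layout after the Debian change that
# appends the package version to the Release-Date line.
SAMPLE_UNPATCHED = """curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 SSL
"""

SAMPLE_PATCHED = """curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
Release-Date: 2023-02-20, security patched: 7.88.1-10+deb12u5
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 SSL
"""

# The date is pinned to YYYY-MM-DD and the ", security patched: <pkg>" part is
# an optional group, so a greedy ".*" can never swallow the suffix into the date.
_RELEASE_RE = re.compile(
    r"^Release-Date:\s*(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?:,\s*security patched:\s*(?P<pkg>\S+))?\s*$",
    re.MULTILINE,
)
_VERSION_RE = re.compile(r"^curl\s+(?P<ver>\d+\.\d+\.\d+)", re.MULTILINE)
# Debian stable-update suffix, e.g. "+deb12u5" -> suite 12, update 5.
_STABLE_UPDATE_RE = re.compile(r"\+deb(?P<suite>\d+)u(?P<update>\d+)$")


def parse_curl_version(output: str) -> dict:
    """Extract upstream version, release date and, when present, the Debian
    package version from `curl --version` output."""
    ver = _VERSION_RE.search(output)
    rel = _RELEASE_RE.search(output)
    if not ver or not rel:
        raise ValueError("unrecognised curl --version output")
    return {
        "upstream": ver.group("ver"),
        "release_date": rel.group("date"),
        # None for an upstream build or an older Debian package without the suffix.
        "debian_version": rel.group("pkg"),
    }


def stable_update(pkg: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (suite, update) from a Debian version such as '7.88.1-10+deb12u5',
    or None when the version carries no stable-update suffix."""
    if not pkg:
        return None
    m = _STABLE_UPDATE_RE.search(pkg)
    if not m:
        return None
    return int(m.group("suite")), int(m.group("update"))


def meets_stable_update(output: str, suite: int, update: int) -> bool:
    """True when the binary reports a Debian stable update for `suite` at or
    above `update`. Upstream builds and packages without the suffix return
    False because nothing in their output proves the fix level."""
    su = stable_update(parse_curl_version(output)["debian_version"])
    if su is None:
        return False
    return su[0] == suite and su[1] >= update


if __name__ == "__main__":
    for label, text in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(label, parse_curl_version(text), stable_update(parse_curl_version(text)["debian_version"]))
```

The `suite`/`update` pair passed to `meets_stable_update` is whatever the DSA or DLA for the issue being audited names as the fixed version; the example does not encode any particular CVE's fix level.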
Bug#1053997: marked as done (bullseye-pu: package curl/7.74.0-1.3+deb11u11)
Your message dated Fri, 22 Dec 2023 09:49:22 -0300 with message-id and subject line curl bookworm-pu and bullseye-pu has caused the Debian Bug report #1053997, regarding bullseye-pu: package curl/7.74.0-1.3+deb11u11 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1053997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053997 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Control: affects -1 + src:curl X-Debbugs-Cc: c...@packages.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: bullseye X-Debbugs-Cc: samuel...@debian.org Severity: normal [ Reason ] This change provides DEB_VERSION on "--version" output. It's common for curl users to provide the output of "curl --version" when reporting issues, and there have been cases where having the version of the package in that output would have saved time (e.g.: if we don't know which distro the person is using and/or whether the package is up-to-date). Recently, on a Twitter thread, someone was assuming that a server was not patched for "CVE-2023-38545" because they only saw the upstream version. With this change, the "Release-Date" line of the output will change from e.g.: Release-Date: 2020-12-09 to: Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4 [ Impact ] // Explained in the "Reason" section. [ Tests ] Curl has an extensive test suite and no failures were detected. 
[ Risks ] The only affected code is a single "printf" statement, which is changed to include the version: https://github.com/curl/curl/blob/curl-7_74_0/src/tool_help.c#L949-L954 There's a risk that scripts parsing the "Release-Date:" line from "--version" might fail to parse the date if the regex is badly written. I think it's very unlikely that there are scripts parsing that line of the output. Assuming there is one, and that it's using a bad regex, the risk is that it will match more than just the release date. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting "CURL_PATCHSTAMP" to the value of "DEB_VERSION". Effectively, this only changes the output of "curl --version" (on the "Release-Date" line). [ Other info ] I'm opening -pu bugs against bullseye, bookworm, and I'll check with the LTS team if they accept this change for buster. -- Samuel Henrique curl_7.74.0-1.3+deb11u11.debdiff Description: Binary data --- End Message --- --- Begin Message --- This change is included in the next security update of curl which is currently staged for publishing. Regards, -- Samuel Henrique --- End Message ---
Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10
On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote: […] > [x] attach debdiff against the package in oldstable For real now (the usual running gag of the missing attachment)… Merry Christmas. Cheers. taffit diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog --- spip-3.2.11/debian/changelog 2023-07-08 20:38:26.0 +0200 +++ spip-3.2.11/debian/changelog 2023-12-21 19:27:21.0 +0100 @@ -1,3 +1,10 @@ +spip (3.2.11-3+deb11u10) bullseye; urgency=medium + + * Backport security fix from 4.1.13 +- fix XSS when calling some templates + + -- David Prévot Thu, 21 Dec 2023 19:27:21 +0100 + spip (3.2.11-3+deb11u9) bullseye; urgency=medium * Backport security fix from 4.1.11 diff -Nru spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch --- spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 1970-01-01 01:00:00.0 +0100 +++ spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 2023-12-21 19:26:30.0 +0100 
@@ -0,0 +1,68 @@ +From: Cerdic +Date: Thu, 9 Nov 2023 16:46:19 +0100 +Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?= + =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?= + =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?= + =?utf-8?q?es_par_l=27utilisateur?= + +(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1) + +Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb +--- + ecrire/public/assembler.php | 36 + 1 file changed, 36 insertions(+) + +diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php +index 8fc3f7a..ba77e48 100644 +--- a/ecrire/public/assembler.php b/ecrire/public/assembler.php +@@ -563,6 +563,20 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array( + $fond = 'modeles/' . $fond; + // Creer le contexte + $contexte = $env; ++ // securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé ++ foreach ($contexte as $k => &$v) { ++ if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) { ++ include_spip('inc/texte_mini'); ++ if (is_scalar($v)) { ++$v = spip_securise_valeur_env_modele($v); ++ } else { ++array_walk_recursive($v, function (&$value, $index) { ++ $value = spip_securise_valeur_env_modele($value); ++}); ++ } ++ } ++ } ++ + $contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte + + // Le numero du modele est mis dans l'environnement +@@ -616,6 +630,28 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array( + : $retour; + } + ++/** ++ * Sanitizer une valeur venant de _request() et passée à un modèle : ++ * on laisse passer les null, bool et numeriques (id et pagination), ++ * les @+nombre (pagination indirecte) ++ * ou sinon le \w 
+ espace et tirets uniquement, pour les tris/sens tri etc ++ * mais rien de compliqué suceptible d'être interprété ++ * ++ * @param $valeur ++ * @return array|float|int|mixed|string|string[]|null ++ */ ++function spip_securise_valeur_env_modele($valeur) { ++ if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) { ++ return $valeur; ++ } ++ $valeur = (string)$valeur; ++ if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) { ++ return $valeur; ++ } ++ // on laisse passer que les \w, les espaces et les -, le reste est supprimé ++ return preg_replace(",[^\w\s-],", "", $valeur); ++} ++ + // Un inclure_page qui marche aussi pour l'espace prive + // fonction interne a spip, ne pas appeler directement + // pour recuperer $page complet, utiliser: diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series --- spip-3.2.11/debian/patches/series 2023-07-08 20:38:18.0 +0200 +++ spip-3.2.11/debian/patches/series 2023-12-21 19:26:30.0 +0100 @@ -56,3 +56,4 @@ 0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch 0058-fix-Inclusion-manquante-dans-5663.patch +0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch signature.asc Description: PGP signature
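Review bot: in the new sanitisation loop added to inclure_modele() (the first hunk of 0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch), the scalar branch only fires when `_request($k) === $v`, so a request-derived value that was normalised before it landed in $env (cast to int, trimmed, lower-cased) is no longer identical to the raw request value and bypasses spip_securise_valeur_env_modele() entirely, while any array in the context is rewritten whenever a request parameter merely shares its key, whether or not the array came from the request. Either document that this is the intended trade-off or track which keys were actually taken from _request() instead of comparing values. Two smaller points on the same hunk: `include_spip('inc/texte_mini');` runs on every matching key inside the loop although the helper it needs, spip_securise_valeur_env_modele(), is defined in this very file by the second hunk, so hoist it out of the loop or drop it if it is a leftover; and `foreach ($contexte as $k => &$v)` leaves $v bound by reference to the last element after the loop, so add `unset($v);` right after the closing brace to avoid aliasing the next assignment to $v.

Review bot: spip_securise_valeur_env_modele() (second hunk) silently strips disallowed characters rather than rejecting the value, so a caller cannot tell that a sort field such as `desc<script>` was turned into `descscript`; returning null, or at least logging, when the value was modified would make the filtering observable and ease debugging of broken template parameters. The regex `,[^\w\s-],` is also compiled without the `u` modifier, so `\w` is ASCII-only and accented letters in a user-supplied label will be removed; on a French-language CMS that deserves a sentence in the docblock saying it is deliberate. Note that is_numeric() accepts forms like `1e3` and leading whitespace, harmless for pagination ids but worth knowing when reading the early-return. Finally, the docblock reads "suceptible" for "susceptible".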
Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:spip Hi, This issue is similar to #1059289 for oldstable. Another upstream release fixed a security (XSS) issue. The last two updates of this kind didn’t warrant a DSA, so I guess this one will not warrant one either (security team X-D-CCed in case I’m wrong). https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html The 4.1 branch is mostly in maintenance mode, and the patch has been cherry-picked directly from upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable Thanks in advance. Regards, taffit diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog --- spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.0 +0200 +++ spip-4.1.9+dfsg/debian/changelog 2023-12-21 19:24:13.0 +0100 @@ -1,3 +1,10 @@ +spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium + + * Backport security fix from 4.1.13 +- fix XSS when calling some templates + + -- David Prévot Thu, 21 Dec 2023 19:24:13 +0100 + spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium * Backport security fix from 4.1.11 diff -Nru spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch --- spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 1970-01-01 01:00:00.0 +0100 +++ spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 2023-12-21 13:56:02.0 +0100 
@@ -0,0 +1,68 @@ +From: Cerdic +Date: Thu, 9 Nov 2023 16:46:19 +0100 +Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?= + =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?= + =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?= + =?utf-8?q?es_par_l=27utilisateur?= + +(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1) + +Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb +--- + ecrire/public/assembler.php | 36 + 1 file changed, 36 insertions(+) + +diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php +index a7e9a11..b44c2cb 100644 +--- a/ecrire/public/assembler.php b/ecrire/public/assembler.php +@@ -643,6 +643,20 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env = + $fond = 'modeles/' . $fond; + // Creer le contexte + $contexte = $env; ++ // securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé ++ foreach ($contexte as $k => &$v) { ++ if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) { ++ include_spip('inc/texte_mini'); ++ if (is_scalar($v)) { ++$v = spip_securise_valeur_env_modele($v); ++ } else { ++array_walk_recursive($v, function (&$value, $index) { ++ $value = spip_securise_valeur_env_modele($value); ++}); ++ } ++ } ++ } ++ + $contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte + + // Le numero du modele est mis dans l'environnement +@@ -703,6 +717,28 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env = + : $retour; + } + ++/** ++ * Sanitizer une valeur venant de _request() et passée à un modèle : ++ * on laisse passer les null, bool et numeriques (id et pagination), ++ * les @+nombre (pagination indirecte) ++ * ou sinon le \w 
+ espace et tirets uniquement, pour les tris/sens tri etc ++ * mais rien de compliqué suceptible d'être interprété ++ * ++ * @param $valeur ++ * @return array|float|int|mixed|string|string[]|null ++ */ ++function spip_securise_valeur_env_modele($valeur) { ++ if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) { ++ return $valeur; ++ } ++ $valeur = (string)$valeur; ++ if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) { ++ return $valeur; ++ } ++ // on laisse passer que les \w, les espaces et les -, le reste est supprimé ++ return preg_replace(",[^\w\s-],", "", $valeur); ++} ++ + // Un inclure_page qui marche aussi pour l'espace prive + // fonction interne a spip, ne pas appeler directement + // pour recuperer $page complet, utiliser: diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series --- spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.0 +0200 +++ spip-4.1.9+dfsg/debian/patches/series
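Review bot: same cherry-pick reviewed against the bookworm context. In the first hunk of 0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch the guard `!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))` means a scalar that was derived from the request but normalised on the way into $env (cast, trimmed, lower-cased) fails the strict comparison and escapes sanitisation, while any array value is rewritten as soon as a request parameter shares its key, regardless of where the array came from. A comment stating that this is the accepted trade-off, or a record of which keys were really read from _request(), would make the intent checkable. Also, `include_spip('inc/texte_mini');` is called per matching key inside the loop even though spip_securise_valeur_env_modele() is added to this same file further down, so it belongs outside the loop or can be dropped; and the by-reference `foreach ($contexte as $k => &$v)` should be followed by `unset($v);` so $v does not stay aliased to the last context element.

Review bot: in the second hunk, spip_securise_valeur_env_modele() strips rather than rejects: `preg_replace(",[^\w\s-],", "", $valeur)` quietly removes every character outside `\w`, whitespace and `-`, so the template never learns a value was tampered with. Consider returning null when the cleaned value differs from the input. Without the `u` modifier `\w` matches ASCII letters only, so accented characters in legitimate values are dropped too; if that is intended, say so in the docblock, which also misspells "susceptible" as "suceptible".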
Processed: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3
Processing control commands: > affects -1 + src:spip Bug #1059291 [release.debian.org] bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3 Added indication that 1059291 affects src:spip -- 1059291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059291 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: bullseye-pu: package spip/3.2.11-3+deb11u10
Processing control commands: > affects -1 + src:spip Bug #1059289 [release.debian.org] bullseye-pu: package spip/3.2.11-3+deb11u10 Added indication that 1059289 affects src:spip -- 1059289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059289 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:spip Another upstream release fixed a security (XSS) issue. The last two updates of this kind didn’t warrant a DSA, so I guess this one will not warrant one either (security team X-D-CCed in case I’m wrong). https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html The 3.2 branch is not maintained upstream anymore, but the patch has been cherry-picked directly from the 4.1 branch. Also, I’ve already deployed the proposed package on a server providing over 30 SPIP websites. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in oldstable [x] the issue is verified as fixed in unstable Thanks in advance. Regards, taffit signature.asc Description: PGP signature
Bug#1058938: bookworm-pu: package onionprobe/1.0.0+ds-2.1+deb12u1
On 23-12-21 21:52:08, Jonathan Wiltshire wrote: > Please go ahead. Thanks, uploaded.
Processed: transition: tango
Processing control commands: > affects -1 + src:tango Bug #1059272 [release.debian.org] transition: tango Added indication that 1059272 affects src:tango -- 1059272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059272 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1059272: transition: tango
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: ta...@packages.debian.org, thomas.br...@byte-physics.de Control: affects -1 + src:tango Dear Release Team, I would like to upload tango 9.5.0 to unstable. There has been a SONAME bump from 9.4.2. Its reverse dependency pytango 9.5.0 builds and works well. Both are available in experimental. This set of uploads are needed to fix the pytango FTBFS bugs in unstable related to python3.12: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055733 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049843 Even if there is only one reverse dependency, I prefer to ask: May I go ahead? Ben file: title = "tango"; is_affected = .depends ~ "old="libtango9-4"" | .depends ~ "old="libtango95""; is_good = .depends ~ "old="libtango95""; is_bad = .depends ~ "old="libtango9-4""; Thank you, -- Santiago signature.asc Description: PGP signature
diversions of /sbin/halt and friends
Hello, thanks to all of you Francois, Daniel and Michael for uploading my changes to experimental. Whilst I already tested the patches individually earlier, this gave me the opportunity to test them in cooperation. In particular, the versioned Conflicts issued by systemd-sysv now work as expected. I performed a number of manual tests upgrading from bookworm to experimental and replacing diverters for one another (molly-guard/bfh-container/progress-linux-container) as well as replacing divertees (systemd-sysv/sysvinit-core) and removing packages. When doing this with apt, this all looks good despite systemd-sysv not having added my patch for #1057220. This is expected as that patch mitigates problems resulting from direct usage of dpkg. I also checked the dumat report for these uploads and am generally happy. Given that the current mitigation does make diverters not issue Breaks, molly-guard continues to work with the current sysvinit-core that has not moved its files yet. My patch for progress-linux-container and bfh-container fails to remove /usr/lib/container on package removal. This probably breaks piuparts. I am attaching a followup patch. This defect is unrelated to the /usr-move as far as I can tell. I would prefer systemd-sysv to also address #1057220, but Michael confirmed that he was not intentionally excluding it. Also the systemd-ukify split leaves an unusual file loss scenario while upgrading from bookworm-backports and simultaneously installing systemd-ukify (P1), which Michael will likely mitigate by upgrading Breaks to Conflicts (M7). I also thank Marc for his works-for-me feedback regarding molly-guard. Given all of this, I am happy with all of these changes moving to unstable and trixie. Thanks for your patience. Helmut
Bug#1059179: Acknowledgement (transition: proftpd-dfsg)
Control: severity -1 important On 21.12.2023 00:18, Debian Bug Tracking System wrote: Hi, If you wish to submit further information on this problem, please send it to 1059...@bugs.debian.org. Bumping to important to fix the security issue CVE-2023-48795 in trixie too. Currently the proftp modules are awaiting a rebuild, which prevents migration. H. -- sigfault OpenPGP_signature.asc Description: OpenPGP digital signature
Processed: Re: Bug#1059179: Acknowledgement (transition: proftpd-dfsg)
Processing control commands: > severity -1 important Bug #1059179 [release.debian.org] transition: proftpd-dfsg Severity set to 'important' from 'normal' -- 1059179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059179 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Re: Security releases for ecosystems that use static linking
On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > So let me ask you: are you interested in addressing the infrastructure > limitations to handle those kind of packages? and having some help for > that? Foremost this is an infrastructure limitation that needs to be resolved: security-master and ftp-master use separate dak installations, which makes binNMUs in the current form untenable since every package would need a sourceful upload first (the same reason why currently the first upload of a package to foo-security needs a sourceful upload). One solution which has been discussed in the past is to import a full copy of stable towards stable-security at the beginning of each release cycle, but that is currently not possible since security-master is a Ganeti VM and the disk requirements for a full archive copy would rather require a baremetal host. Cheers, Moritz