NEW changes in stable-new
Processing changes file: icinga2_2.13.6-2+deb12u1_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u6_armhf-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u6_mips64el-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_mipsel-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u6_all-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_amd64-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_arm64-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_armel-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_i386-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_ppc64el-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_s390x-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_armel-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_armhf-buildd.changes ACCEPT
Bug#1068719: RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x
tags -1 bookworm

On 09-04-2024 7:23 p.m., Andreas Beckmann wrote:
> Please remove the obsolete ruby-arel from bookworm.

I'm tagging it as such, so it shows up in the SRM tooling.

Paul
NEW changes in stable-new
Processing changes file: bioawk_1.0-4+deb12u1_mipsel-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_all-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_i386-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: bioawk_1.0-4+deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_armel-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_i386-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_mips64el-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: bioawk_1.0-4+deb12u1_s390x-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_all-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_armel-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_i386-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_s390x-buildd.changes ACCEPT
Processing changes file: schleuder_4.0.3-7+deb12u1_all-buildd.changes ACCEPT
Processed: RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x
Processing control commands:

> block -1 with 1068715
Bug #1068719 [release.debian.org] RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x
1068719 was not blocked by any bugs.
1068719 was not blocking any bugs.
Added blocking bug(s) of 1068719: 1068715

--
1068719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068719
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1068719: RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: Georg Faerber
Control: block -1 with 1068715

Please remove the obsolete ruby-arel from bookworm. The functionality is now integrated into ruby-activerecord, and the separately packaged ruby-arel is incompatible with the ruby-activerecord version in bookworm, causing schleuder maintainer scripts to fail if it is installed.

There is a superfluous build-dependency on ruby-arel in src:ruby-premailer-rails; dropping that is handled in pu request #1068715. pu request #1068717 tracks adding Breaks+Replaces against ruby-arel to ruby-activerecord to ensure removal of the obsolete and incompatible package on upgrades.

Andreas
Processed: bookworm-pu: package rails/2:6.1.7.3+dfsg-2~deb12u1
Processing control commands:

> block -1 with 1068715
Bug #1068717 [release.debian.org] bookworm-pu: package rails/2:6.1.7.3+dfsg-2~deb12u1
1068717 was not blocked by any bugs.
1068717 was not blocking any bugs.
Added blocking bug(s) of 1068717: 1068715

--
1068717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068717
Bug#1068717: bookworm-pu: package rails/2:6.1.7.3+dfsg-2~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Georg Faerber
Control: block -1 with 1068715

[ Reason ]
The obsolete (but unfortunately still present in bookworm) ruby-arel is not compatible with ruby-activerecord in bookworm (which now integrates the ruby-arel functionality), causing schleuder to fail in its maintainer scripts during upgrades. Let's add Breaks+Replaces to ruby-activerecord to ensure ruby-arel gets removed on upgrades from bookworm. This may make ruby-arel uninstallable in stable, so let's follow up with a RM request for that.

[ Impact ]
Failures on some upgrade paths of schleuder if the obsolete ruby-arel is still installed.

[ Tests ]
Local piuparts tests upgrading schleuder with the old ruby-arel installed showed proper removal of ruby-arel and no more errors.

[ Risks ]
Uninstallability of the obsolete ruby-arel, which should not have been in bookworm at all.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
 debian/changelog | 16
 debian/control   |  2 ++
 debian/gbp.conf  |  2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)

[ Other info ]
This is a rebuild of a package that has been in sid and testing for a long time (but is now superseded by further uploads with changes not appropriate for stable).

Andreas

diff --git a/debian/changelog b/debian/changelog index e0710e15..c3d33ee2 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,19 @@ +rails (2:6.1.7.3+dfsg-2~deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Rebuild for bookworm. + + -- Andreas Beckmann Tue, 09 Apr 2024 18:24:31 +0200 + +rails (2:6.1.7.3+dfsg-2) unstable; urgency=medium + + * debian/control: +- Declare that ruby-activerecord breaks and replaces ruby-arel: it was + merged five years ago, is therefore obsolete and to be removed. + (Closes: #1038935) + + -- Georg Faerber Sun, 25 Jun 2023 11:53:59 + + rails (2:6.1.7.3+dfsg-1) unstable; urgency=medium * Team upload. diff --git a/debian/control b/debian/control index fc8d64d5..9e01f2b9 100644 --- a/debian/control +++ b/debian/control @@ -134,6 +134,7 @@ Depends: ruby:any (>= 1:2.5.0), Breaks: ruby-activerecord-import (<< 1.0.5~), ruby-activerecord-nulldb-adapter (<< 0.8.0~), ruby-acts-as-taggable-on (<< 6.5~), +ruby-arel, ruby-delayed-job-active-record (<< 4.1.6-3~), ruby-enumerize (<< 2.4.0~), ruby-has-secure-token (<< 1.0.0-3~), @@ -146,6 +147,7 @@ Description: object-relational mapper framework (part of Rails) a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in. +Replaces: ruby-arel, XB-Ruby-Versions: ${ruby:Versions} X-DhRuby-Root: activerecord/ diff --git a/debian/gbp.conf b/debian/gbp.conf index 584b9683..1190046b 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -4,7 +4,7 @@ sign-tags = True upstream-tag = upstream/%(version)s upstream-branch = upstream -debian-branch = master +debian-branch = bookworm [pq] patch-numbers = False
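Review bot: in the second debian/control hunk the new `Replaces: ruby-arel,` line is placed after the long Description, away from the `Breaks:` list it belongs with in the first hunk; move it next to `Breaks:` so the two relations that implement "ruby-arel is obsolete and to be removed" read together (dpkg does not care about field order, so this is a style point). Unversioned Breaks plus Replaces will make apt remove ruby-arel on upgrade, which is what the request intends, and the mail already anticipates the side effect (ruby-arel becoming uninstallable in bookworm) with the follow-up RM request.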
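Review bot: the debian/gbp.conf hunk switches `debian-branch` from `master` to `bookworm`, which is expected for a stable branch, but it is not mentioned in the `2:6.1.7.3+dfsg-2~deb12u1` changelog entry (which only says "Rebuild for bookworm"); a one-line mention keeps the checklist's "all changes are documented in the d/changelog" claim accurate.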
NEW changes in stable-new
Processing changes file: bioawk_1.0-4+deb12u1_source.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u6_source.changes ACCEPT
Processing changes file: glewlwyd_2.7.5-3+deb12u1_source.changes ACCEPT
Processing changes file: icinga2_2.13.6-2+deb12u1_source.changes ACCEPT
Processing changes file: schleuder_4.0.3-7+deb12u1_source.changes ACCEPT
Bug#1068411: schleuder 4.0.3-7+deb12u1 flagged for acceptance
package release.debian.org
tags 1068411 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: schleuder
Version: 4.0.3-7+deb12u1

Explanation: fix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses
Processed: curl 7.88.1-10+deb12u6 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1068344 = bookworm pending
Bug #1068344 [release.debian.org] bookworm-pu: package curl/7.88.1-10+deb12u6
Added tag(s) pending; removed tag(s) confirmed.

> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1068344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068344
Processed: glewlwyd 2.7.5-3+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1056936 = bookworm pending
Bug #1056936 [release.debian.org] bookworm-pu: package glewlwyd/2.7.5-3
Added tag(s) pending; removed tag(s) confirmed.

> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1056936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056936
Processed: schleuder 4.0.3-7+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1068411 = bookworm pending
Bug #1068411 [release.debian.org] bookworm-pu: package schleuder/4.0.3-7+deb12u1
Added tag(s) pending; removed tag(s) confirmed.

> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1068411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068411
Processed: bioawk 1.0-4+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1068654 = bookworm pending
Bug #1068654 [release.debian.org] bookworm-pu: package bioawk/1.0-4+deb12u1
Added tag(s) pending.

> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1068654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068654
Processed: icinga2 2.13.6-2+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1068574 = bookworm pending
Bug #1068574 [release.debian.org] bookworm-pu: package icinga2/2.13.6-2+deb12u1
Added tag(s) pending; removed tag(s) confirmed.

> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1068574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068574
Bug#1068654: bioawk 1.0-4+deb12u1 flagged for acceptance
package release.debian.org
tags 1068654 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: bioawk
Version: 1.0-4+deb12u1

Explanation: disable parallel builds to fix random failures
Bug#1068574: icinga2 2.13.6-2+deb12u1 flagged for acceptance
package release.debian.org
tags 1068574 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: icinga2
Version: 2.13.6-2+deb12u1

Explanation: fix segmentation fault on ppc64el
Bug#1068344: curl 7.88.1-10+deb12u6 flagged for acceptance
package release.debian.org
tags 1068344 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: curl
Version: 7.88.1-10+deb12u6

Explanation: do not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398]
Bug#1056936: glewlwyd 2.7.5-3+deb12u1 flagged for acceptance
package release.debian.org
tags 1056936 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: glewlwyd
Version: 2.7.5-3+deb12u1

Explanation: fix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715]
Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1
On 2024-04-07 23:46:28 [+0200], To Adam D. Barratt wrote:
> On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> >
> > Sorry for not getting to this sooner. Is this still the case?
>
> So. This happened #1068045 (yapet broke with 1.0 format) due to the
> update. On the bright side it has been broken in unstable but unnoticed.
> Looking into it but also sleeping (but making progress).

yapet is fixed in unstable. My understanding is that the maintainer will take care of it.

I've been looking at the release.d.o page and there are deb-ci failures for nodejs. Those should be gone with nodejs/18.19.0+dfsg-6~deb12u1, which is in d-security.

So based on this I would say all good ;)

> > Regards,
> >
> > Adam

Sebastian
Bug#1068715: bookworm-pu: package ruby-premailer-rails/1.10.3-4~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Georg Faerber

[ Reason ]
In order to get rid of the obsolete and incompatible ruby-arel, ruby-premailer-rails has to drop its superfluous build dependency on it. ruby-arel is nowadays integrated into ruby-actionmailer, and the incompatible ruby-arel version fortunately does not get used during build.

[ Impact ]
Failures on some upgrade paths of schleuder if the obsolete ruby-arel is still installed.

[ Tests ]
The package still builds ;-)

[ Risks ]
Low, dropping a superfluous B-D could only cause a FTBFS, and the package would therefore be excluded from -pu.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
 debian/.gitattributes |  3 +++
 debian/changelog      | 15 +++
 debian/control        |  7 +++
 3 files changed, 21 insertions(+), 4 deletions(-)

ruby-premailer-rails (1.10.3-4~deb12u1) bookworm; urgency=medium

  * Non-maintainer upload.
  * Rebuild for bookworm.

 -- Andreas Beckmann  Tue, 09 Apr 2024 16:56:10 +0200

ruby-premailer-rails (1.10.3-4) unstable; urgency=medium

  * debian/control:
    - Drop Build-Depends on ruby-arel, which is obsolete and part of rails
      since five years. (Closes: #1039035)

 -- Georg Faerber  Sat, 24 Jun 2023 22:31:11 +

It also drops the version constraint on the ruby-actionmailer (build-)dependency, which has been satisfied since jessie at least.

[ Other info ]
This is a rebuild of a package that has been in sid and testing for a long time (but is now superseded by a new upstream release).

Andreas

diff --git a/debian/.gitattributes b/debian/.gitattributes new file mode 100644 index 000..74e43f3 --- /dev/null +++ b/debian/.gitattributes @@ -0,0 +1,3 @@ +.gitattributes export-ignore +gbp.conf export-ignore +salsa-ci.yml export-ignore \ No newline at end of file
diff --git a/debian/changelog b/debian/changelog index 0ed9fdc..5e9ead3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +ruby-premailer-rails (1.10.3-4~deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Rebuild for bookworm. + + -- Andreas Beckmann Tue, 09 Apr 2024 16:56:10 +0200 + +ruby-premailer-rails (1.10.3-4) unstable; urgency=medium + + * debian/control: +- Drop Build-Depends on ruby-arel, which is obsolete and part of rails + since five years. (Closes: #1039035) + + -- Georg Faerber Sat, 24 Jun 2023 22:31:11 + + ruby-premailer-rails (1.10.3-3) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index ece4ea5..9f756d7 100644 --- a/debian/control +++ b/debian/control @@ -1,19 +1,18 @@ Source: ruby-premailer-rails Section: ruby Priority: optional -Maintainer: Debian Ruby Extras Maintainers +Maintainer: Debian Ruby Team Uploaders: Balasankar C Build-Depends: debhelper-compat (= 12), gem2deb, rake, - ruby-actionmailer (>= 2:3.0~), + ruby-actionmailer, ruby-byebug, ruby-coveralls, ruby-premailer (>= 1.11.1~), ruby-rspec, ruby-simplecov, ruby-rails, - ruby-arel Standards-Version: 4.5.0 Vcs-Git: https://salsa.debian.org/ruby-team/ruby-premailer-rails.git Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-premailer-rails @@ -25,7 +24,7 @@ Package: ruby-premailer-rails Architecture: all XB-Ruby-Versions: ${ruby:Versions} Depends: ruby | ruby-interpreter, - ruby-actionmailer (>= 2:3.0~), + ruby-actionmailer, ruby-premailer (>= 1.11.1~), ${misc:Depends}, ${shlibs:Depends}
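Review bot: the new debian/.gitattributes hunk (export-ignore for .gitattributes, gbp.conf and salsa-ci.yml) is not mentioned in either changelog entry, although the checklist claims all changes are documented in d/changelog; either add a changelog line or leave the file out of the stable update, since export-ignore only affects `git archive` output and has nothing to do with the ruby-arel fix. The file also ends without a trailing newline (`\ No newline at end of file`).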
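Review bot: the debian/control hunk changes Maintainer from `Debian Ruby Extras Maintainers` to `Debian Ruby Team` and drops the `(>= 2:3.0~)` constraint on ruby-actionmailer in both Build-Depends and Depends, but the changelog only records the ruby-arel removal; the constraint drop is explained in the mail body and the Maintainer rename nowhere. Add a changelog line for both so the debdiff and d/changelog agree, as the checklist asserts.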
Processed: user release.debian....@packages.debian.org, usertagging 1066965, tagging 1066965 ...
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was a...@debian.org).
> usertags 1066965 pu
There were no usertags set.
Usertags are now: pu.
> tags 1066965 + bookworm
Bug #1066965 [release.debian.org] bookworm-pu: package newlib/3.3.0-2
Added tag(s) bookworm.
> usertags 1065309 transition
There were no usertags set.
Usertags are now: transition.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1065309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065309
1066965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066965
Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1

[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later, causing version skew on upgrades:

 json-smart | 2.2-1         | stretch         | source
 json-smart | 2.2-2         | buster          | source
 json-smart | 2.2-2         | bullseye        | source
 json-smart | 2.2-2         | bookworm        | source
 json-smart | 2.2-2         | trixie          | source
 json-smart | 2.2-2         | sid             | source
 json-smart | 2.2-2+deb10u1 | buster-security | source

[ Impact ]
Unfixed CVEs. Versions going backward and confusing QA tools.

[ Tests ]
Build-time testsuite contains a new test.

[ Risks ]
Fixed version in buster-lts for one year already.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
      NMU in DELAYED

[ Changes ]
 debian/changelog                                   | 33 +
 debian/control                                     |  4 +-
 .../patches/0004-CVE-2021-31684-Fix-indexOf.patch  | 27
 ...70-stack-overflow-due-to-excessive-recurs.patch | 156 +
 debian/patches/01-bundle-dependencies.patch        | 15 +-
 debian/patches/02-ignore-failing-tests.patch       | 16 ++-
 debian/patches/series                              |  2 +
 7 files changed, 244 insertions(+), 9 deletions(-)

json-smart (2.2-2+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload.
  * Rebuild for bookworm. (Closes: #1039985)

 -- Andreas Beckmann  Tue, 09 Apr 2024 10:01:36 +0200

json-smart (2.2-2+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Update Vcs-* URLs to point to salsa.debian.org.
  * Rebuild for bullseye. (Closes: #1039985)

 -- Andreas Beckmann  Tue, 09 Apr 2024 09:36:58 +0200

json-smart (2.2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2023-1370: stack overflow due to excessive recursion
    When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
    parses an array or an object respectively. It was discovered that the
    code does not have any limit to the nesting of such arrays or
    objects. Since the parsing of nested arrays and objects is done
    recursively, nesting too many of them can cause a stack exhaustion
    (stack overflow) and crash the software. (Closes: #1033474)
  * CVE-2021-31684: Fix indexOf
    A vulnerability was discovered in the indexOf function of
    JSONParserByteArray in JSON Smart versions 1.3 and 2.4
    which causes a denial of service (DOS)
    via a crafted web request.

 -- Bastien Roucariès  Wed, 29 Mar 2023 22:21:33 +

[ Other info ]
n/a

Andreas

diff --git a/debian/changelog b/debian/changelog index 70116d2..877457c 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,36 @@ +json-smart (2.2-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Rebuild for bookworm. (Closes: #1039985) + + -- Andreas Beckmann Tue, 09 Apr 2024 10:01:36 +0200 + +json-smart (2.2-2+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Update Vcs-* URLs to point to salsa.debian.org. + * Rebuild for bullseye. (Closes: #1039985) + + -- Andreas Beckmann Tue, 09 Apr 2024 09:36:58 +0200 + +json-smart (2.2-2+deb10u1) buster-security; urgency=high + + * Non-maintainer upload by the LTS team. + * CVE-2023-1370: stack overflow due to excessive recursion +When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code +parses an array or an object respectively. It was discovered that the +code does not have any limit to the nesting of such arrays or +objects. Since the parsing of nested arrays and objects is done +recursively, nesting too many of them can cause a stack exhaustion +(stack overflow) and crash the software. (Closes: #1033474) + * CVE-2021-31684: Fix indexOf +A vulnerability was discovered in the indexOf function of +JSONParserByteArray in JSON Smart versions 1.3 and 2.4 +which causes a denial of service (DOS) +via a crafted web request. + + -- Bastien Roucariès Wed, 29 Mar 2023 22:21:33 + + json-smart (2.2-2) unstable; urgency=medium * Team upload. diff --git a/debian/control b/debian/control index 6488a01..deb7c40 100644 --- a/debian/control +++ b/debian/control @@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5) Build-Depends-Indep: libmaven-bundle-plugin-java, junit Standards-Version: 4.1.1 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git +Vcs-Browser:
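Review bot: the deb10u1 entry carried into this debian/changelog hunk says CVE-2021-31684 affects "JSON Smart versions 1.3 and 2.4", which reads as if the 2.2 packaged here were unaffected; since the fix is being applied to 2.2-2, reword the entry to say that 2.2 is affected as well and that the upstream fix is backported, so the security tracker and anyone reading the changelog are not misled. Also note both the deb11u1 and the deb12u1 entries carry "(Closes: #1039985)"; harmless, but the version-skew bug is only really resolved once both suites have the update.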
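Review bot: the debian/control hunk is cut off after `+Vcs-Browser:` in this mail, so the new Vcs URLs cannot be checked here; the full hunk appears in the bullseye request (#1068694) with the salsa.debian.org java-team URLs. As a pure metadata change it is acceptable for a stable update as long as it stays documented, which the deb11u1 changelog entry does.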
Processed: bookworm-pu: package json-smart/2.2-2+deb12u1
Processing control commands:

> affects -1 + src:json-smart
Bug #1068695 [release.debian.org] bookworm-pu: package json-smart/2.2-2+deb12u1
Added indication that 1068695 affects src:json-smart
> block 1039985 with -1
Bug #1039985 [libjson-smart-java] libjson-smart-java: buster-lts has a newer version than bullseye/bookworm/sid
1039985 was blocked by: 1068694
1039985 was not blocking any bugs.
Added blocking bug(s) of 1039985: 1068695
> block 1033474 with -1
Bug #1033474 [src:json-smart] json-smart: CVE-2023-1370
1033474 was blocked by: 1068694
1033474 was not blocking any bugs.
Added blocking bug(s) of 1033474: 1068695

--
1033474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
1039985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039985
1068695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068695
Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1

[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later, causing version skew on upgrades:

 json-smart | 2.2-1         | stretch         | source
 json-smart | 2.2-2         | buster          | source
 json-smart | 2.2-2         | bullseye        | source
 json-smart | 2.2-2         | bookworm        | source
 json-smart | 2.2-2         | trixie          | source
 json-smart | 2.2-2         | sid             | source
 json-smart | 2.2-2+deb10u1 | buster-security | source

[ Impact ]
Unfixed CVEs. Versions going backward and confusing QA tools.

[ Tests ]
Build-time testsuite contains a new test.

[ Risks ]
Fixed version in buster-lts for one year already.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
      NMU in DELAYED

[ Changes ]
 debian/changelog                                   | 26
 debian/control                                     |  4 +-
 .../patches/0004-CVE-2021-31684-Fix-indexOf.patch  | 27
 ...70-stack-overflow-due-to-excessive-recurs.patch | 156 +
 debian/patches/01-bundle-dependencies.patch        | 15 +-
 debian/patches/02-ignore-failing-tests.patch       | 16 ++-
 debian/patches/series                              |  2 +
 7 files changed, 237 insertions(+), 9 deletions(-)

json-smart (2.2-2+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Update Vcs-* URLs to point to salsa.debian.org.
  * Rebuild for bullseye. (Closes: #1039985)

 -- Andreas Beckmann  Tue, 09 Apr 2024 09:36:58 +0200

json-smart (2.2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2023-1370: stack overflow due to excessive recursion
    When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
    parses an array or an object respectively. It was discovered that the
    code does not have any limit to the nesting of such arrays or
    objects. Since the parsing of nested arrays and objects is done
    recursively, nesting too many of them can cause a stack exhaustion
    (stack overflow) and crash the software. (Closes: #1033474)
  * CVE-2021-31684: Fix indexOf
    A vulnerability was discovered in the indexOf function of
    JSONParserByteArray in JSON Smart versions 1.3 and 2.4
    which causes a denial of service (DOS)
    via a crafted web request.

 -- Bastien Roucariès  Wed, 29 Mar 2023 22:21:33 +

[ Other info ]
n/a

Andreas

diff --git a/debian/changelog b/debian/changelog index 70116d2..f9cd61d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,29 @@ +json-smart (2.2-2+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Update Vcs-* URLs to point to salsa.debian.org. + * Rebuild for bullseye. (Closes: #1039985) + + -- Andreas Beckmann Tue, 09 Apr 2024 09:36:58 +0200 + +json-smart (2.2-2+deb10u1) buster-security; urgency=high + + * Non-maintainer upload by the LTS team. + * CVE-2023-1370: stack overflow due to excessive recursion +When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code +parses an array or an object respectively. It was discovered that the +code does not have any limit to the nesting of such arrays or +objects. Since the parsing of nested arrays and objects is done +recursively, nesting too many of them can cause a stack exhaustion +(stack overflow) and crash the software. (Closes: #1033474) + * CVE-2021-31684: Fix indexOf +A vulnerability was discovered in the indexOf function of +JSONParserByteArray in JSON Smart versions 1.3 and 2.4 +which causes a denial of service (DOS) +via a crafted web request. + + -- Bastien Roucariès Wed, 29 Mar 2023 22:21:33 + + json-smart (2.2-2) unstable; urgency=medium * Team upload. diff --git a/debian/control b/debian/control index 6488a01..deb7c40 100644 --- a/debian/control +++ b/debian/control
@@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5) Build-Depends-Indep: libmaven-bundle-plugin-java, junit Standards-Version: 4.1.1 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git +Vcs-Browser: https://salsa.debian.org/java-team/json-smart +Vcs-Git: https://salsa.debian.org/java-team/json-smart.git Homepage: http://netplex.github.io/json-smart/ Package: libjson-smart-java diff --git a/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch new file mode 100644 index 000..d085f43 --- /dev/null +++
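Review bot: the debian/control hunk swaps the order of the two fields as well as their values (Vcs-Browser now precedes Vcs-Git); cosmetic, but a pure URL replacement in place would give a smaller, easier-to-audit stable diff. The change itself is covered by the "Update Vcs-* URLs to point to salsa.debian.org" changelog line, which is what a stable update needs.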
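Review bot: the new-file hunk for debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch is cut off after `+++` in this mail, so neither CVE fix can be reviewed from the debdiff as posted; please attach the complete debdiff. The [ Tests ] section says the build-time testsuite contains a new test, but the diffstat also shows debian/patches/02-ignore-failing-tests.patch growing by 16 lines, so confirm that the new test is actually executed during the build rather than being among the tests that patch skips.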
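The CVE-2023-1370 entry in both the bookworm (#1068695) and the bullseye (#1068694) request describes the failure mode: a recursive-descent parser with no nesting limit lets a short input of repeated `[` or `{` exhaust the stack. The block below is an added illustration written for this page in Python rather than json-smart's Java; it is neither json-smart code nor the Debian patch. It shows the general defence, a single-pass depth check that bounds nesting before a document reaches the recursive parser; `MAX_DEPTH`, the function names and the sample inputs are this example's own.

```python
# Added example for this page, not code from json-smart or from the Debian
# patches discussed above. It shows the general defence against the failure
# mode in the CVE-2023-1370 entry: bound nesting depth before a recursive
# parser sees the input. MAX_DEPTH is an assumed policy value.
import json

MAX_DEPTH = 64  # assumed limit; choose what the application legitimately needs


class NestingTooDeep(ValueError):
    """Raised when arrays/objects nest deeper than the configured limit."""


def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the deepest [ / { nesting in `text`, raising NestingTooDeep past `limit`.

    One left-to-right pass; brackets inside string literals are ignored,
    including after an escaped quote such as "a\\"[". The scan aborts at the
    first bracket that crosses the limit, so a huge run of '[' costs only a
    bounded prefix scan and never reaches the recursive parser.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:          # unbalanced; the real parser will reject it
                break
    return deepest


def exceeds_limit(text: str, limit: int = MAX_DEPTH) -> bool:
    """True if `text` would be rejected by the depth guard."""
    try:
        max_nesting_depth(text, limit)
    except NestingTooDeep:
        return True
    return False


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """json.loads guarded by the depth check; hostile input is rejected cheaply."""
    max_nesting_depth(text, limit)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: a normal document and a hostile, deeply nested one.
    benign = '{"users": [{"name": "a", "roles": ["x", "y"]}], "note": "[[not nesting]]"}'
    hostile = "[" * 200_000  # 200k opening brackets; no closers are needed to hurt
    print("benign depth:", max_nesting_depth(benign))
    try:
        json.loads(hostile)  # CPython's parser guards this with RecursionError;
    except (RecursionError, ValueError) as e:  # parsers without such a guard crash
        print("unguarded json.loads:", type(e).__name__)
    try:
        safe_loads(hostile)
    except NestingTooDeep as e:
        print("safe_loads:", e)
```

The check is linear in the input and stops at the first bracket that crosses the limit, so a multi-megabyte run of `[` costs only a short prefix scan; brackets inside string literals (including after an escaped quote) are ignored so legitimate documents are not rejected. The equivalent in-parser fix is the same idea placed inside the parser: a depth counter incremented on every recursive descent and checked against a limit.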
Processed: bullseye-pu: package json-smart/2.2-2+deb11u1
Processing control commands:

> affects -1 + src:json-smart
Bug #1068694 [release.debian.org] bullseye-pu: package json-smart/2.2-2+deb11u1
Added indication that 1068694 affects src:json-smart
> block 1039985 with -1
Bug #1039985 [libjson-smart-java] libjson-smart-java: buster-lts has a newer version than bullseye/bookworm/sid
1039985 was not blocked by any bugs.
1039985 was not blocking any bugs.
Added blocking bug(s) of 1039985: 1068694
> block 1033474 with -1
Bug #1033474 [src:json-smart] json-smart: CVE-2023-1370
1033474 was not blocked by any bugs.
1033474 was not blocking any bugs.
Added blocking bug(s) of 1033474: 1068694

--
1033474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
1039985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039985
1068694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068694
Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1
Control: tag -1 -moreinfo

On Monday, 8 April 2024, 12.16:34 CEST, Christian Franke wrote:
> Jonathan Wiltshire wrote:
> > ...
> > Thanks. The bug #1050288 isn't fixed in unstable according to the BTS,
> > which is a requirement. What's the status?
>
> The problem described in #1050288 no longer occurs since NSIS 3.09.
> The problem appeared in Debian 12 because the Mingw-w64 toolchain now
> enables ASLR (and therefore emits relocation information) by default, but
> NSIS does not support relocation information. NSIS upstream addressed
> this in the build recipes of 3.09.
>
> I could confirm that this has the desired effect:
> In the smartmontools project, we use a Debian 12 based docker image for
> reproducible CI builds (https://builds.smartmontools.org/). After
> forcibly upgrading NSIS to 3.09 from Debian trixie, the problem
> disappeared. Here is the related commit:
> https://github.com/smartmontools/docker-build/commit/9b231f0
>
> Therefore I guess that #1050288 is also fixed in unstable.

I've just now marked it as fixed. Sorry I hadn't checked that the bug was in the correct state. All lights should now be green.

Best,
OdyX
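Christian Franke's explanation in the thread above turns on one property of the built binaries: whether the toolchain set the ASLR flag and emitted relocation information. The block below is an added example for this page, not code from NSIS, Mingw-w64, smartmontools or the Debian packaging: a small PE header inspector a CI job can run over build outputs to report the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` flag, the `IMAGE_FILE_RELOCS_STRIPPED` flag and the presence of a `.reloc` section. `build_sample_pe` constructs a minimal, non-runnable PE32+ header so the check can be exercised offline; the function names are this example's own.

```python
# Added example, not part of the bug thread or of NSIS/Mingw-w64. It reads the
# PE headers of a Windows image and reports whether it was linked with ASLR
# support (DYNAMIC_BASE), whether relocations were stripped and whether a
# .reloc section exists: the properties the thread says newer Mingw-w64
# emits by default and NSIS 3.08 could not handle.
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional-header DllCharacteristics bit
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Return ASLR/relocation facts about a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + opt_size                                    # section table follows
    for i in range(nsections):                                # 40-byte entries, 8-byte names
        raw = data[table + 40 * i: table + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "has_reloc_section": ".reloc" in sections,
        "sections": sections,
    }


def aslr_effective(info: dict) -> bool:
    """ASLR can only move the image if the flag is set and relocations survived."""
    return info["dynamic_base"] and not info["relocs_stripped"] and info["has_reloc_section"]


def build_sample_pe(dynamic_base: bool, with_reloc: bool) -> bytes:
    """Constructed minimal PE32+ header (not an executable) for offline testing."""
    sections = [b".text"] + ([b".reloc"] if with_reloc else [])
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    characteristics = 0x0002                                  # IMAGE_FILE_EXECUTABLE_IMAGE
    if not with_reloc:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240                                            # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for label, sample in (("aslr+reloc", build_sample_pe(True, True)),
                          ("aslr, relocs stripped", build_sample_pe(True, False)),
                          ("no aslr flag", build_sample_pe(False, True))):
        info = inspect_pe(sample)
        print(f"{label:24s} dynamic_base={info['dynamic_base']} "
              f"relocs_stripped={info['relocs_stripped']} "
              f"reloc_section={info['has_reloc_section']} -> ASLR effective: {aslr_effective(info)}")
```

To run it over real build output, read each `.exe`/`.dll` with `open(path, "rb").read()` and pass the bytes to `inspect_pe`; a binary that reports `dynamic_base` but `relocs_stripped` or no `.reloc` section is one the loader cannot actually relocate, which is the combination worth flagging in CI.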
Processed: Re: Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1
Processing control commands:

> tag -1 -moreinfo
Bug #1050588 [release.debian.org] bookworm-pu: package nsis/nsis 3.08-3
Removed tag(s) moreinfo.

--
1050588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050588