Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4
Attached is a revised debdiff between -2 and -2+deb12u1. --Joe diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.0 -0400 +++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.0 -0400 @@ -1,3 +1,24 @@ +kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high + + * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm. + * backport fix for CVE-2023-32685 from kanboard v1.2.29 + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Based on upstream commits 26b6eeb & c9c1872. +(cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28) +(Closes: #1036874) + * backport security fixes from kanboard v1.2.30. + > CVE-2023-33956: Parameter based Indirect Object Referencing leading + to private file exposure + > CVE-2023-33968: Missing access control allows user to move and + duplicate tasks to any project in the software + > CVE-2023-33969: Stored XSS in the Task External Link Functionality + > CVE-2023-33970: Missing access control in internal task links feature +(cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa) +(Closes: #1037167) + * point gbp & salsa at bookworm + + -- Joseph Nahmias Thu, 15 Jun 2023 23:02:33 -0400 + kanboard (1.2.26+ds-2) unstable; urgency=medium * properly test for lighty-enable-mod. diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf --- kanboard-1.2.26+ds/debian/gbp.conf 2023-05-09 06:27:15.0 -0400 +++ kanboard-1.2.26+ds/debian/gbp.conf 2023-06-15 23:02:33.0 -0400 @@ -1,3 +1,3 @@ [DEFAULT] -debian-branch = debian/latest +debian-branch = debian/bookworm pristine-tar = True diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.0 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-06-15 23:00:52.0 -0400 
@@ -0,0 +1,111 @@ +Description: fix for CVE-2023-32685 + Clipboard based cross-site scripting (blocked with default CSP) + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Author: Frédéric Guillot +Origin: upstream +Last-Update: 2023-05-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +index a8acd64..1130bd2 100644 +--- a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +@@ -1,5 +1,4 @@ + KB.component('screenshot', function (containerElement) { +-var pasteCatcher = null; + var inputElement = null; + + function onFileLoaded(e) { +@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) { + } + + function onPaste(e) { +-// Firefox doesn't have the property e.clipboardData.items (only Chrome) + if (e.clipboardData && e.clipboardData.items) { + var items = e.clipboardData.items; + +@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) { + } + } + } +-} else { +- +-// Handle Firefox +-setTimeout(checkInput, 100); + } + } + + function initialize() { +-destroy(); +- +-if (! 
window.Clipboard) { +-// Insert the content editable at the top to avoid scrolling down in the board view +-pasteCatcher = document.createElement('div'); +-pasteCatcher.id = 'screenshot-pastezone'; +-pasteCatcher.contentEditable = true; +-pasteCatcher.style.opacity = 0; +-pasteCatcher.style.position = 'fixed'; +-pasteCatcher.style.top = 0; +-pasteCatcher.style.right = 0; +-pasteCatcher.style.width = 0; +-document.body.insertBefore(pasteCatcher, document.body.firstChild); +- +-pasteCatcher.focus(); +- +-// Set the focus when clicked anywhere in the document +-document.addEventListener('click', setFocus); +- +-// Set the focus when clicked in screenshot dropzone +- document.getElementById('screenshot-zone').addEventListener('click', setFocus); +-} +- + window.addEventListener('paste', onPaste, false); + } + +-function destroy() { +-if (KB.exists('#screenshot-pastezone')) { +-KB.find('#screenshot-pastezone').remove(); +-} +- +-document.removeEventListener('click', setFocus); +-pasteCatcher = null; +-} +- +-function setFocus() { +-if (pasteCatcher !== null) { +-pasteCatcher.focus(); +-} +-} +- +-function checkInput() { +-var child = pasteCatcher.childNodes[0]; +- +-if (child) { +-
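Review bot: the debian/changelog hunk lists the upstream commits (26b6eeb & c9c1872) but the DEP-3 header of debian/patches/CVE-2023-32685.patch carries only `Origin: upstream`; put the commit reference in the header itself, e.g. `Origin: upstream, https://github.com/kanboard/kanboard/commit/26b6eeb`, and add `Bug-Debian: https://bugs.debian.org/1036874`, so the patch's provenance can be checked without cross-reading the changelog.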
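Review bot: the assets/js/components/screenshot.js hunks remove the whole `pasteCatcher`/`checkInput`/`setFocus` fallback, which the deleted comment describes as the Firefox path, so screenshot paste now depends solely on `e.clipboardData.items`; the deb12u1 changelog entry should say so, since stable users will otherwise read it as a pure security fix with no behaviour change (current Firefox does expose `clipboardData.items`, so the loss is confined to old browsers, but the entry should still state it).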
Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1
Control: tags -1 - moreinfo

Hello,

On Sun, Jul 04, 2021 at 10:17:31PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo confirmed
>
> Assuming that the upload happens soon, please go ahead and remove the
> moreinfo tag once the new version is available in unstable.

Thanks for reviewing. I've added one additional patch cherry-picked from upstream to fix a crash when reindexing, see attached. Uploaded to unstable.

--Joe
Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1
On Tue, Jun 22, 2021 at 10:50:00PM -0400, Joseph Nahmias wrote:
> Source debdiff from 1.4.7-1 (currently in testing) to 1.4.9a-1 is attached
> here. Please let me know when approved so I can upload to unstable.

Hi release team,

I realize that the size of the debdiff is not ideal for an update at this point in the release cycle; however, I have reviewed every line in it and feel that the changes to the source are quite targeted, such that it makes sense to take a new version and be in sync with upstream's releases instead of cherry-picking 80%+ of the changes. Happy to discuss further on email/bts or on IRC.

Thanks,
--Joe
unblock efp/1.4-2
Hi RMs,

Firstly, thanks for the fantastic job you've done thus far getting etch into releasable shape! I'm looking for an exception to allow efp into etch. This fixes an important bug which is covered under the etch release policy. Changelog is below, interdiff is attached.

Thanks and Happy Holidays!
--Joe

efp (1.4-2) unstable; urgency=low

  * Ack NMU, thanks Steinar! closes: #397828.
  * Add binary-arch target to debian/rules for policy compliance.
    Thanks to Aurelien Jarno [EMAIL PROTECTED], closes: #395594.
  * Bump debhelper to v5, std-ver to 3.7.2.2

 -- Joe Nahmias [EMAIL PROTECTED]  Mon, 25 Dec 2006 06:52:08 +

diff -u efp-1.4/debian/changelog efp-1.4/debian/changelog --- efp-1.4/debian/changelog +++ efp-1.4/debian/changelog @@ -1,3 +1,12 @@ +efp (1.4-2) unstable; urgency=low + + * Ack NMU, thanks Steinar! closes: #397828. + * Add binary-arch target to debian/rules for policy compliance. +Thanks to Aurelien Jarno [EMAIL PROTECTED], closes: #395594. + * Bump debhelper to v5, std-ver to 3.7.2.2 + + -- Joe Nahmias [EMAIL PROTECTED] Mon, 25 Dec 2006 06:52:08 + + efp (1.4-1.1) unstable; urgency=high * Non-maintainer upload. diff -u efp-1.4/debian/control efp-1.4/debian/control --- efp-1.4/debian/control +++ efp-1.4/debian/control @@ -2,8 +2,9 @@ Section: games Priority: optional Maintainer: Joe Nahmias [EMAIL PROTECTED] -Build-Depends-Indep: debhelper (= 4.0.0), xa65 -Standards-Version: 3.6.1.0 +Build-Depends: debhelper (= 5.0.0) +Build-Depends-Indep: xa65 +Standards-Version: 3.7.2.2 Package: efp Architecture: all diff -u efp-1.4/debian/compat efp-1.4/debian/compat --- efp-1.4/debian/compat +++ efp-1.4/debian/compat @@ -1 +1 @@ -4 +5 diff -u efp-1.4/debian/rules efp-1.4/debian/rules --- efp-1.4/debian/rules +++ efp-1.4/debian/rules 
@@ -35,6 +35,10 @@ # Add here commands to install the package into debian/efp. dh_install +# No architecture-dependant files to build; however, +# binary-arch target is needed for policy (4.9) compliance +binary-arch: build + # Build architecture-independent files here. binary-indep: build install dh_testdir
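Review bot: in the debian/control hunk, `Build-Depends: debhelper (= 5.0.0)` as shown is an exact-version constraint, which would make efp FTBFS the moment a newer debhelper enters the archive; the intended relation is surely `>= 5.0.0` (the `>` looks to have been lost in the mail), matching the debian/compat bump from 4 to 5, so please confirm the file reads `debhelper (>= 5.0.0)`. Moving debhelper from Build-Depends-Indep to Build-Depends is correct, since the clean target needs it.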
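Review bot: in the debian/rules hunk, the comment above the new `binary-arch: build` target spells it "architecture-dependant"; Policy and the rest of the file use "dependent", so fix the spelling before upload.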
Removal request
Hello release people, Please remove version 0.96-1 of fceu from testing so that version 0.97.5-3 can go in. This hasn't happened yet because gcc on alpha is b0rked (see #228018, yes it's been tried with gcc-3.4 and it still doesn't work). Thanks, --Joe
More testing cleanup
Hello,

Here are some more things we can do to clean up testing:

Package: request-tracker
Testing: 2.0.14-2
Unstable: 2.0.14-2
Bugs: 191165 196200
Suggestion: remove-from-testing
Analysis: Package has been orphaned, and is maintained by QA. Newer version of package has been uploaded as request-tracker3. Interested parties are working on a migration strategy. I don't see a point in releasing with a broken package; if stable users are happy, let them stay that way.

Package: rsynth [non-free]
Testing: 2.0-6
Unstable: 2.0-6.1
Bugs: 206154
Suggestion: remove-from-testing, orphan-package
Analysis: No maintainer upload in two and a half years. FTBFS fixed in NMU two months ago, no response from maintainer. This is the only package from this maintainer. Package has no license, so we probably should not distribute it until this is clarified. QA will be contacted.

Package: stellarium [non-free]
Testing: 0.5.1-2
Unstable: 0.5.1-4
Bugs: 198495
Suggestion: remove-outdated-binaries
Analysis: Maintainer has moved package to non-free because of license issues. Let's get the old binaries (from main) out of testing.

Thanks,
Joe Nahmias [EMAIL PROTECTED]
for good measure...
Hello again,

In recognition of recent events [0], here are a few more suggestions for the release team:

Package: lincvs
Testing: 1.0.0-1
Unstable: 1.0.0-1
Bugs: 189152 198538
Suggestion: remove-from-testing
Analysis: Package orphaned five months ago; a couple of days later someone said they would take over, no sign of them since. Package hasn't made the C++ transition and therefore FTBFS. No point in releasing it until someone spends the time to fix it.

Package: magpie
Testing: 0.5.1-1
Unstable: 0.5.1-1
Bugs: 208947
Suggestion: remove-from-testing
Analysis: RC bug filed by maintainer, title says it all: "magpie not ready for stable", so keep it out. Bug mentions numerous problems with the package and a planned rewrite. Let's listen to the maintainer :)

Package: mp3asm (non-free)
Testing: 0.01-2
Unstable: 0.01-2
Bugs: 72756
Suggestion: remove-from-testing, remove-from-unstable
Analysis: This package is severely broken, to the point where ~99% of mp3 files given to it cause it to barf. Bug has been open for almost 3 years with no response from the maintainer. Last upload was about 2.5 years ago. It's non-free and there are plenty of other free alternatives; let's get rid of it!

Package: preferences
Testing: 1.2.99-0.1
Unstable: 1.2.99-0.1
Bugs: 194168 144942
Suggestion: remove-from-testing, orphan-package
Analysis: FTBFS bug open for 3 months with no response from maintainer. More disturbing, however, is the important bug open for over a year entitled "Kills X Server when it doesn't find a font cache". Maintainer promised a new version over a year ago, and still waiting... I will contact debian-qa to orphan the package.

Package: word2x
Testing: 1:0.005-4.1
Unstable: 1:0.005-4.2
Bugs: 105012 207908
Suggestion: remove-from-testing, orphan-package
Analysis: FTBFS bug open over 2 years, no response from the maintainer. Last maintainer upload in April of 2001. Lots of other bugs outstanding even if FTBFS is fixed. This package needs a new home; debian-qa will be contacted.

Thanks,
Joe Nahmias, DD wannabe

[0] http://lists.debian.org/debian-newmaint/2003/debian-newmaint-200309/msg00015.html
more removals
Hello again,

I had a little extra time today, so here are a few more packages for consideration:

Package: realtimebattle
Testing: 1.0.5-5
Unstable: 1.0.5-5
Bugs: 134033 192461
Suggestion: remove-from-testing, orphan-package
Analysis: This package has two FTBFS bugs open against it (one for over a year) with no uploads since 2002-02-15.

Package: tora
Testing: 1.3.8-1
Unstable: 1.3.9.2-3
Bugs: 206156
Suggestion: remove-from-testing
Analysis: This package is currently uninstallable in testing since it requires the outdated libqt3-mt (instead of libqt3c102-mt). The new version in unstable is compiled against the correct version, but is waiting for kdelibs. The one in testing isn't helping anyone; let's get rid of it.

Package: vtkdata-installer
Testing: 1.0-1
Unstable: 1.0-1
Bugs: 161300
Suggestion: remove-from-testing, remove-from-unstable
Analysis: Package is an installer for old vtkdata. This data is now present in the VTK 4 packages in testing/unstable.

BTW, when do the suggested actions get implemented? I almost submitted vold and root-portal again...

Joe
Re: Bug#155374: Where are Installation Manual and Release Notes
Colin Watson wrote:
> On Sun, May 11, 2003 at 01:31:44PM +0200, Josip Rodin wrote:
> > On Fri, May 09, 2003 at 02:13:04PM -0500, Steve Langasek wrote:
> > > Is there any reason that install-doc shouldn't be removed from unstable
> > > and/or testing, if it's not going to be used for debian-installer?
> >
> > The package is useless as it is so nobody would shed a tear for it, but I
> > don't know if there are any repercussions (or if it's against the
> > etiquette) if you ditch a binary package but don't adjust the source
> > package it originates from...
>
> The same reasons to remove install-doc would apply to the whole
> boot-floppies source package, wouldn't they?

PMJI, but what if the SRM does another point release of woody? Wouldn't install-doc and boot-floppies be kinda necessary?

Joe Nahmias, d-t tester-at-large, DD wannabe
Re: ulog-acctd not entering testing -- help sought
Hello Hilko,

I think the debian-release list is a more appropriate forum for this question, since they deal directly with release management and discuss how/why packages go from unstable to testing. I am ccing this mail to -release for them to comment. Hope this helps!

Joe Nahmias, DD wannabe

Hilko Bengen wrote:
> As the maintainer of ulog-acctd, I am facing the problem that the latest
> version is not passed into testing because it is not built on all
> architectures that it used to be built on. I took out arm and m68k because
> their libc6-dev lacked the ipt_ULOG.h file and I did not want to ship that
> file with ulog-acctd any longer. ipt_ULOG.h is part of kernel versions
> 2.4.18 and higher and if it isn't in libc6-dev on those architectures, I
> suppose that this kernel version isn't available there--which would make
> ulog-acctd useless there, anyhow.
>
> Here's the snippet from update_excuses:
> http://ftp-master.debian.org/testing/update_excuses.html#ulog-acctd
>
> # ulog-acctd (0.3.2-1 to 0.3.3-2)
>     * Maintainer: Hilko Bengen
>     * 23 days old (needed 10 days)
>     * out of date on arm: ulog-acctd (from 0.3.2-1)
>     * out of date on m68k: ulog-acctd (from 0.3.2-1)
>     * Not considered
>
> What should I do?
>
> -Hilko