Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4

2023-06-15 Thread Joe Nahmias
Attached is a revised debdiff between -2 and -2+deb12u1.
--Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog 
kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.0 -0400
+++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.0 -0400
@@ -1,3 +1,24 @@
+kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
+
+  * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
+  * backport fix for CVE-2023-32685 from kanboard v1.2.29
+
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Based on upstream commits 26b6eeb & c9c1872.
+(cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28)
+(Closes: #1036874)
+  * backport security fixes from kanboard v1.2.30.
+ > CVE-2023-33956: Parameter based Indirect Object Referencing leading
+   to private file exposure
+ > CVE-2023-33968: Missing access control allows user to move and
+   duplicate tasks to any project in the software
+ > CVE-2023-33969: Stored XSS in the Task External Link Functionality
+ > CVE-2023-33970: Missing access control in internal task links feature
+(cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa)
+(Closes: #1037167)
+  * point gbp & salsa at bookworm
+
+ -- Joseph Nahmias   Thu, 15 Jun 2023 23:02:33 -0400
+
 kanboard (1.2.26+ds-2) unstable; urgency=medium
 
   * properly test for lighty-enable-mod.
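Review bot: the entry claims four more backported fixes from v1.2.30 (CVE-2023-33956, -33968, -33969 and -33970) on top of CVE-2023-32685, but the only new patch file visible in this debdiff excerpt is debian/patches/CVE-2023-32685.patch; confirm that the other patches and the matching debian/patches/series update are present in the full debdiff before approving. The version 1.2.26+ds-2+deb12u1 with urgency=high is the right shape for a bookworm update, but the bug subject still says kanboard/1.2.26+ds-4, so make sure the upload actually targets the deb12u1 version given here.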
diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf
--- kanboard-1.2.26+ds/debian/gbp.conf  2023-05-09 06:27:15.0 -0400
+++ kanboard-1.2.26+ds/debian/gbp.conf  2023-06-15 23:02:33.0 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
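Review bot: this covers the gbp half of the "point gbp & salsa at bookworm" changelog bullet, but the salsa part is not visible in this excerpt, so check that the corresponding CI configuration change is also in the full debdiff. Also confirm that a debian/bookworm branch exists in the packaging repository before uploading, since gbp buildpackage refuses to build when the checked-out branch does not match debian-branch unless --git-ignore-branch is passed.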
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 
kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch  1969-12-31 
19:00:00.0 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch  2023-06-15 
23:00:52.0 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot 
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js 
b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
 b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+-var pasteCatcher = null;
+ var inputElement = null;
+ 
+ function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+ }
+ 
+ function onPaste(e) {
+-// Firefox doesn't have the property e.clipboardData.items (only 
Chrome)
+ if (e.clipboardData && e.clipboardData.items) {
+ var items = e.clipboardData.items;
+ 
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+ }
+ }
+ }
+-} else {
+-
+-// Handle Firefox
+-setTimeout(checkInput, 100);
+ }
+ }
+ 
+ function initialize() {
+-destroy();
+-
+-if (! window.Clipboard) {
+-// Insert the content editable at the top to avoid scrolling down 
in the board view
+-pasteCatcher = document.createElement('div');
+-pasteCatcher.id = 'screenshot-pastezone';
+-pasteCatcher.contentEditable = true;
+-pasteCatcher.style.opacity = 0;
+-pasteCatcher.style.position = 'fixed';
+-pasteCatcher.style.top = 0;
+-pasteCatcher.style.right = 0;
+-pasteCatcher.style.width = 0;
+-document.body.insertBefore(pasteCatcher, 
document.body.firstChild);
+-
+-pasteCatcher.focus();
+-
+-// Set the focus when clicked anywhere in the document
+-document.addEventListener('click', setFocus);
+-
+-// Set the focus when clicked in screenshot dropzone
+-
document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+-}
+-
+ window.addEventListener('paste', onPaste, false);
+ }
+ 
+-function destroy() {
+-if (KB.exists('#screenshot-pastezone')) {
+-KB.find('#screenshot-pastezone').remove();
+-}
+-
+-document.removeEventListener('click', setFocus);
+-pasteCatcher = null;
+-}
+-
+-function setFocus() {
+-if (pasteCatcher !== null) {
+-pasteCatcher.focus();
+-}
+-}
+-
+-function checkInput() {
+-var child = pasteCatcher.childNodes[0];
+-
+-if (child) {
+-

Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1

2021-07-05 Thread Joe Nahmias
Control: tags -1 - moreinfo

Hello,

On Sun, Jul 04, 2021 at 10:17:31PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo confirmed
> 
> Assuming that the upload happens soon, please go ahead and remove the
> moreinfo tag once the new version is available in unstable.

Thanks for reviewing. I've added one additional patch cherry-picked from
upstream to fix a crash when reindexing, see attached. Uploaded to
unstable.

--Joe



Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1

2021-06-23 Thread Joe Nahmias
On Tue, Jun 22, 2021 at 10:50:00PM -0400, Joseph Nahmias wrote:
> Source debdiff from 1.4.7-1 (currently in testing) to 1.4.9a-1 is attached
> here. Please let me know when approved so I can upload to unstable.

Hi release team,

I realize that the size of the debdiff is not ideal for an update at this
point in the release cycle; however, I have reviewed every line in it and
feel that the changes to the source are quite targeted such that it makes
sense to take a new version and be in sync with upstream's releases
instead of cherry-picking 80%+ of the changes.

Happy to discuss further on email/bts or on IRC.

Thanks,
--Joe



unblock efp/1.4-2

2006-12-25 Thread Joe Nahmias
Hi RMs,

Firstly, thanks for the fantastic job you've done thus far getting etch
into releasable shape!

I am looking for an exception to allow efp into etch.  This fixes an
important bug which is covered under the etch release policy.  Changelog
is below, interdiff is attached.

Thanks and Happy Holidays!
--Joe

efp (1.4-2) unstable; urgency=low

  * Ack NMU, thanks Steinar! closes: #397828.
  * Add binary-arch target to debian/rules for policy compliance.
Thanks to Aurelien Jarno, closes: #395594.
  * Bump debhelper to v5, std-ver to 3.7.2.2

 -- Joe Nahmias  Mon, 25 Dec 2006 06:52:08 +
diff -u efp-1.4/debian/changelog efp-1.4/debian/changelog
--- efp-1.4/debian/changelog
+++ efp-1.4/debian/changelog
@@ -1,3 +1,12 @@
+efp (1.4-2) unstable; urgency=low
+
+  * Ack NMU, thanks Steinar! closes: #397828.
+  * Add binary-arch target to debian/rules for policy compliance.
+Thanks to Aurelien Jarno [EMAIL PROTECTED], closes: #395594.
+  * Bump debhelper to v5, std-ver to 3.7.2.2
+
+ -- Joe Nahmias [EMAIL PROTECTED]  Mon, 25 Dec 2006 06:52:08 +
+
 efp (1.4-1.1) unstable; urgency=high
 
   * Non-maintainer upload.
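Review bot: "Bump debhelper to v5, std-ver to 3.7.2.2" is a packaging-wide change rather than part of the fix the freeze exception is requested for; either state in the changelog why the compat bump is needed for the binary-arch fix (#395594) or leave it out of the etch update so the diff stays minimal.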
diff -u efp-1.4/debian/control efp-1.4/debian/control
--- efp-1.4/debian/control
+++ efp-1.4/debian/control
@@ -2,8 +2,9 @@
 Section: games
 Priority: optional
 Maintainer: Joe Nahmias [EMAIL PROTECTED]
-Build-Depends-Indep: debhelper (= 4.0.0), xa65
-Standards-Version: 3.6.1.0
+Build-Depends: debhelper (= 5.0.0)
+Build-Depends-Indep: xa65
+Standards-Version: 3.7.2.2
 
 Package: efp
 Architecture: all
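Review bot: "debhelper (= 5.0.0)" as shown is an exact-version relation, which would make the package unbuildable as soon as debhelper moves past 5.0.0; the removed line shows the same "(= 4.0.0)" form, so this is most likely a ">=" eaten by the mail archive, but verify the real debian/control. Moving debhelper from Build-Depends-Indep into Build-Depends is the right call: Policy requires anything the clean target needs (dh_clean here) to be in Build-Depends, not Build-Depends-Indep.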
diff -u efp-1.4/debian/compat efp-1.4/debian/compat
--- efp-1.4/debian/compat
+++ efp-1.4/debian/compat
@@ -1 +1 @@
-4
+5
diff -u efp-1.4/debian/rules efp-1.4/debian/rules
--- efp-1.4/debian/rules
+++ efp-1.4/debian/rules
@@ -35,6 +35,10 @@
# Add here commands to install the package into debian/efp.
dh_install
 
+# No architecture-dependant files to build; however,
+# binary-arch target is needed for policy (4.9) compliance
+binary-arch: build
+
 # Build architecture-independent files here.
 binary-indep: build install
dh_testdir
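Review bot: spelling in the new comment: "dependant" should be "dependent". The empty binary-arch target satisfies the requirement that the target exist, but the hunk does not show the "binary" target; check that it lists both binary-indep and binary-arch as prerequisites so an arch-only build (dpkg-buildpackage -B) still behaves.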


Removal request

2004-07-29 Thread Joe Nahmias
Hello release people,

Please remove version 0.96-1 of fceu from testing so that version
0.97.5-3 can go in.  This hasn't happened yet because gcc on alpha is
b0rked (see #228018, yes it's been tried with gcc-3.4 and it still
doesn't work).

Thanks,
--Joe



More testing cleanup

2003-09-29 Thread Joe Nahmias
Hello,

Here are some more things we can do to clean up testing:

Package: request-tracker
Testing: 2.0.14-2
Unstable: 2.0.14-2
Bugs: 191165 196200
Suggestion: remove-from-testing
Analysis:
  Package has been orphaned, and is maintained by QA.  Newer version of
  package has been uploaded as request-tracker3.  Interested parties are
  working on a migration strategy.  I don't see a point in releasing with
  a broken package, if stable users are happy let them stay that way.

Package: rsynth [non-free]
Testing: 2.0-6
Unstable: 2.0-6.1
Bugs: 206154
Suggestion: remove-from-testing, orphan-package
Analysis:
  No maintainer upload in two and a half years.  FTBFS fixed in NMU two
  months ago, no response from maintainer.  This is the only package from
  this maintainer.  Package has no license, so we probably should not
  distribute it until this is clarified.  QA will be contacted.

Package: stellarium [non-free]
Testing: 0.5.1-2
Unstable: 0.5.1-4
Bugs: 198495
Suggestion: remove-outdated-binaries
Analysis:
  Maintainer has moved package to non-free because of license issues.
  Let's get the old binaries (from main) out of testing.


Thanks,
Joe Nahmias



for good measure...

2003-09-10 Thread Joe Nahmias

Hello again,

In recognition of recent events [0], here are a few more suggestions for
the release team:

Package: lincvs
Testing: 1.0.0-1
Unstable: 1.0.0-1
Bugs: 189152 198538
Suggestion: remove-from-testing
Analysis:
  Package orphaned five months ago, a couple of days later someone said
  they would take over, no sign of them since.  Package hasn't made the
  C++ transition and therefore FTBFS.  No point in releasing it until
  someone spends the time to fix it.

Package: magpie
Testing: 0.5.1-1
Unstable: 0.5.1-1
Bugs: 208947
Suggestion: remove-from-testing
Analysis:
  RC bug filed by maintainer, title says it all: magpie not ready for
  stable, so keep it out.  Bug mentions numerous problems with the
  package and a planned rewrite.  Let's listen to the maintainer :)

Package: mp3asm (non-free)
Testing: 0.01-2
Unstable: 0.01-2
Bugs: 72756
Suggestion: remove-from-testing, remove-from-unstable
Analysis:
  This package is severely broken, to the point where ~99% of mp3 files
  given to it cause it to barf.  Bug has been open for almost 3 years with
  no response from the maintainer.  Last upload was about 2.5 years ago.
  It's non-free and there are plenty of other free alternatives, let's get
  rid of it!

Package: preferences
Testing: 1.2.99-0.1
Unstable: 1.2.99-0.1
Bugs: 194168 144942
Suggestion: remove-from-testing, orphan-package
Analysis:
  FTBFS bug open for  3 months with no response from maintainer.  More
  disturbing however, is the important bug open for over a year entitled:
  Kills X Server when it doesn't find a font cache.  Maintainer promised
  a new version over a year ago, and still waiting...  I will contact
  debian-qa to orphan the package.

Package: word2x
Testing: 1:0.005-4.1
Unstable: 1:0.005-4.2
Bugs: 105012 207908
Suggestion: remove-from-testing, orphan-package
Analysis:
  FTBFS bug open over 2 years, no response from the maintainer.  Last
  maintainer upload in April of 2001.  Lots of other bugs outstanding even
  if FTBFS is fixed.  This package needs a new home, debian-qa will be
  contacted.

Thanks,
Joe Nahmias, DD wannabe

 [0] http://lists.debian.org/debian-newmaint/2003/debian-newmaint-200309/msg00015.html



more removals

2003-08-27 Thread Joe Nahmias

Hello again,

I had a little extra time today, so here are a few more packages for
consideration:


Package: realtimebattle
Testing: 1.0.5-5
Unstable: 1.0.5-5
Bugs: 134033 192461
Suggestion: remove-from-testing, orphan-package
Analysis: 
  This package has two FTBFS bugs open against it (one for over a year)
  with no uploads since 2002-02-15.

Package: tora
Testing: 1.3.8-1
Unstable: 1.3.9.2-3
Bugs: 206156
Suggestion: remove-from-testing
Analysis: 
  This package is currently uninstallable in testing since it requires
  the outdated libqt3-mt (instead of libqt3c102-mt).  The new version in
  unstable is compiled against the correct version, but is waiting for
  kdelibs.  The one in testing isn't helping anyone, let's get rid of it.

Package: vtkdata-installer
Testing: 1.0-1
Unstable: 1.0-1
Bugs: 161300
Suggestion: remove-from-testing, remove-from-unstable
Analysis: 
  Package is an installer for old vtkdata.  This data is now present in
  the VTK 4 packages in testing/unstable. 


BTW, when do the suggested actions get implemented?  I almost submitted
vold and root-portal again...


Joe



Re: Bug#155374: Where are Installation Manual and Release Notes

2003-05-11 Thread Joe Nahmias

Colin Watson wrote:
> On Sun, May 11, 2003 at 01:31:44PM +0200, Josip Rodin wrote:
> > On Fri, May 09, 2003 at 02:13:04PM -0500, Steve Langasek wrote:
> > > Is there any reason that install-doc shouldn't be removed from
> > > unstable and/or testing, if it's not going to be used for
> > > debian-installer?
> > 
> > The package is useless as it is so nobody would shed a tear for it,
> > but I don't know if there are any repercussions (or if it's against
> > the etiquette) if you ditch a binary package but don't adjust the
> > source package it originates from...
> 
> The same reasons to remove install-doc would apply to the whole
> boot-floppies source package, wouldn't they?
PMJI, but what if the SRM does another point release of woody?  Wouldn't
install-doc and boot-floppies be kinda necessary?

Joe Nahmias, d-t tester-at-large, DD wannabe



Re: ulog-acctd not entering testing -- help sought

2003-04-30 Thread Joe Nahmias
Hello Hilko,

I think the debian-release list is a more appropriate forum for this
question, since they deal directly with release management and discuss
how/why packages go from unstable to testing.  I am ccing this mail to
-release for them to comment.

Hope this helps!

Joe Nahmias, DD wannabe

Hilko Bengen wrote:
> As the maintainer of ulog-acctd, I am facing the problem that the
> latest version is not passed into testing because it is not built on
> all architectures that it used to be built on. I took out arm and m68k
> because their libc6-dev lacked the ipt_ULOG.h file and I did not want
> to ship that file with ulog-acctd any longer. ipt_ULOG.h is part of
> kernel versions 2.4.18 and higher and if it isn't in libc6-dev on
> those architecture, I suppose that this kernel version isn't available
> there--which would make ulog-acctd useless there, anyhow.
> 
> Here's the snippet from update_excuses:
> 
> http://ftp-master.debian.org/testing/update_excuses.html#ulog-acctd
> 
> # ulog-acctd (0.3.2-1 to 0.3.3-2)
> 
> * Maintainer: Hilko Bengen
> * 23 days old (needed 10 days)
> * out of date on arm: ulog-acctd (from 0.3.2-1)
> * out of date on m68k: ulog-acctd (from 0.3.2-1)
> * Not considered
> 
> What should I do?
> 
> -Hilko