Bug#1028468: bullseye-pu: package tomcat9/9.0.43-2~deb11u5

2023-01-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: bullseye
Severity: normal

Hello,

src:tomcat9 has been affected by debbug #1020948, which was fixed in
sid, and I would thus like to backport the fix to bullseye in the next
point release.

It was noticed that the tomcat-locate-java.sh script which seems to be
in charge of identifying the Java version to use doesn't have version
17 listed. This is a trivial (and thus a low regression) fix.

Debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


tomcat9_bullseye.debdiff
Description: Binary data


Bug#1024055: Upload MariaDB 1:10.3.37-0+deb10u1 ?

2022-12-05 Thread Utkarsh Gupta
Hi Otto,

On Mon, Dec 5, 2022 at 5:33 AM Otto Kekäläinen  wrote:
> I didn't get a reply to this, so asking again.

I could take care of the upload but if you'd like to do that, please
feel free to do so and I can take care of the paperwork. One quick
thing I spotted in the target in d/ch is "buster". Could you please
change that to "buster-security" instead?

Let me know if you'd like to upload yourself or want me to take care
of it. Thanks.


- u



Re: Update of debian-archive-keyring in stretch?

2022-03-11 Thread Utkarsh Gupta
Hi Jonathan,

On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta  wrote:
> On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire  wrote:
> > You will need (but may not want) the commit removing jessie's keys as well.
> > Basically all intermediate commits which touch keyrings - a removal is
> > really a move from the main keyring to the archive keyring, so it will
> > change the makeup of the keyring and fail the validation.
> >
> > If you actually need the jessie keys kept, as I suspect you do, I can
> > prepare a stretch branch with new signatures on it in a few days.
>
> That'd be really helpful, yes. Though I am still unsure what I am missing.
> When you prep a branch for stretch, please let me know and as I said,
> that'd be really helpful. Thank you so much!

Friendly ping on this. Any status update on this, please? :)
Do you think you can take a look at this sooner? Let me/us know.

> > I intend to simplify the whole thing significantly in bookworm; this whole
> > jetring and gpg validation thing makes for a lot of maintenance pain.
>
> Perfect, that'll indeed help a lot. :)


- u



Re: Update of debian-archive-keyring in stretch?

2021-10-10 Thread Utkarsh Gupta
Hi Jonathan,

On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire  wrote:
> You will need (but may not want) the commit removing jessie's keys as well.
> Basically all intermediate commits which touch keyrings - a removal is
> really a move from the main keyring to the archive keyring, so it will
> change the makeup of the keyring and fail the validation.
>
> If you actually need the jessie keys kept, as I suspect you do, I can
> prepare a stretch branch with new signatures on it in a few days.

That'd be really helpful, yes. Though I am still unsure what I am missing.
When you prep a branch for stretch, please let me know and as I said,
that'd be really helpful. Thank you so much!

> I intend to simplify the whole thing significantly in bookworm; this whole
> jetring and gpg validation thing makes for a lot of maintenance pain.

Perfect, that'll indeed help a lot. :)


- u


Re: Update of debian-archive-keyring in stretch?

2021-10-02 Thread Utkarsh Gupta
On Sat, Oct 2, 2021 at 9:35 PM Utkarsh Gupta  wrote:
> With these 3 commits, I tried to build the package and it failed
> with the following error:
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
> gpg --no-options --no-default-keyring --no-auto-check-trustdb \
> --trustdb-name ./trustdb.gpg \
> --keyring keyrings/team-members.gpg \
> --verify active-keys/index.gpg active-keys/index
> gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
> gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
> gpg: ./trustdb.gpg: trustdb created
> gpg: BAD signature from "Jonathan Wiltshire " [expired]
> Makefile:9: recipe for target 'verify-indices' failed
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
>
> I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
> that is, updating your key. But it still failed with the same
> error. I am not sure what's up? Do you have an idea what's
> happening? TIA!

I've pushed the changes to my namespace so that it's easy to see
what I am doing. The repository/commits could be found here:
https://salsa.debian.org/utkarsh/debian-archive-keyring/-/commits/master

Please let me know what I am missing. Thank you!


- u


Re: Update of debian-archive-keyring in stretch?

2021-10-02 Thread Utkarsh Gupta
Hi Jonathan,

On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog  wrote:
> it would be nice if we could get an update of debian-archive-keyring
> in stretch to add the bullseye key just like it has been done in buster a
> while ago:
>
> https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

Whilst prepping an update for stretch, I cherry-picked the following
commits from the salsa repository while cross-checking the update
as proposed via #985371:

464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic signing keys for bullseye.

379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian Stable Release Key (11/bullseye).

74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh signatures over
keyrings/debian-archive-keyring.gpg (and not keyrings/debian-archive-removed-keys.gpg
since I'm not removing any keys in this update).

With these 3 commits, I tried to build the package and it failed
with the following error:
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
gpg --no-options --no-default-keyring --no-auto-check-trustdb \
    --trustdb-name ./trustdb.gpg \
    --keyring keyrings/team-members.gpg \
    --verify active-keys/index.gpg active-keys/index
gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
gpg: ./trustdb.gpg: trustdb created
gpg: BAD signature from "Jonathan Wiltshire " [expired]
Makefile:9: recipe for target 'verify-indices' failed
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<

I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
that is, updating your key. But it still failed with the same
error. I am not sure what's up? Do you have an idea what's
happening? TIA!


- u


Re: Update of debian-archive-keyring in stretch?

2021-09-14 Thread Utkarsh Gupta
Hello all,

On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta  wrote:
> > The missing key creates problems for example with simple-cdd:
> > https://bugs.debian.org/992966
>
> Okay, I'll be happy to do the update. Though I wonder if it'd rather
> be helpful in just doing a rebuild of buster to stretch instead of
> backporting the changes each time?

Slight ping on this. I'm inclined towards rebuilding the same package
for stretch. Does anybody have an opinion or opposition on this? :)

I intend to do this in the next couple of days, so let me know what
you think.


- u


Re: Update of debian-archive-keyring in stretch?

2021-08-25 Thread Utkarsh Gupta
Hi Raphael,

On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog  wrote:
> it would be nice if we could get an update of debian-archive-keyring
> in stretch to add the bullseye key just like it has been done in buster a
> while ago: [...]
>
> The missing key creates problems for example with simple-cdd:
> https://bugs.debian.org/992966

Okay, I'll be happy to do the update. Though I wonder if it'd rather
be helpful in just doing a rebuild of buster to stretch instead of
backporting the changes each time?


- u



Bug#991886: buster-pu: package libpam-tacplus/1.3.8-2+deb10u1

2021-08-04 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hello,

src:libpam-tacplus has been affected by CVE-2020-13881 which is fixed
in sid & stretch. Thus this -pu update for buster. This update also
helps in fixing the versioning problem because as of now,
the version in stretch is greater than that in stable. So this update
will help fix things for buster.

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


libpam-tacplus_buster.debdiff
Description: Binary data


Bug#991843: unblock: libjdom2-java/2.0.6-1.1

2021-08-03 Thread Utkarsh Gupta
Hi Sebastian,

On Tue, Aug 3, 2021 at 10:35 PM Sebastian Ramacher  wrote:
> Unstable and bullseye contain the same version of libjdom2-java. Are you
> sure that the upload reached unstable?

There was a bit of a fiasco and processing delay from dak (see my mail
at -devel for more information) but the new version of libjdom2-java
should now be available in sid.

$ rmadison libjdom2-java
libjdom2-java | 2.0.6-1   | oldoldstable    | source, all
libjdom2-java | 2.0.6-1   | oldstable       | source, all
libjdom2-java | 2.0.6-1   | stable          | source, all
libjdom2-java | 2.0.6-1.1 | unstable        | source
libjdom2-java | 2.0.6-2   | testing         | source, all
libjdom2-java | 2.0.6-2   | unstable        | source, all
libjdom2-java | 2.0.6-2.1 | buildd-unstable | source, all
libjdom2-java | 2.0.6-2.1 | unstable        | source, all

Please let me know if you need any more information. Thank you!


- u



Bug#991844: unblock: libpam-tacplus/1.3.8-2.1

2021-08-03 Thread Utkarsh Gupta
Hi Paul,

On Tue, Aug 3, 2021 at 9:46 PM Paul Gevers  wrote:
> On 03-08-2021 10:46, Utkarsh Gupta wrote:
> > src:libpam-tacplus
>
> ... is not in testing.
>
> closing this bug as there's nothing to do (no, we're not going to let it
> in now).

Ugh, my bad for not checking that. Thanks and of course not letting it
go to bullseye absolutely makes sense! Thank you and sorry for the
noise!


- u



Bug#991844: unblock: libpam-tacplus/1.3.8-2.1

2021-08-03 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libpam-tacplus has been affected by CVE-2020-13881 which is fixed
in sid & stretch. -pu update for buster is also being filed. This
update also helps in fixing the versioning problem because as of now,
the version in stretch is greater than that in stable and sid. So this
update will help fix things for sid and bullseye, at least.

Since this is just a CVE fix, I'd request you to unblock this and let
it go to bullseye, please? (I am sorry for doing this on the eleventh
hour :/)

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


libpam-tacplus_sid.debdiff
Description: Binary data


Bug#991843: unblock: libjdom2-java/2.0.6-1.1

2021-08-03 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libjdom2-java has been affected by CVE-2021-33813 which is fixed
in sid & stretch. -pu update for buster is also being filed.

Since this is just a CVE fix, I'd request you to unblock this and let
it go to bullseye, please? (I am sorry for doing this on the eleventh
hour :/)

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


libjdom2-java_sid.debdiff
Description: Binary data


Bug#991842: unblock: libjdom1-java/1.1.3-2.1

2021-08-03 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libjdom1-java has been affected by CVE-2021-33813 which is fixed
in sid & stretch. -pu update for buster is also being filed.

Since this is just a CVE fix, I'd request you to unblock this and let
it go to bullseye, please? (I am sorry for doing this on the eleventh hour :/)

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


libjdom1-java_sid.debdiff
Description: Binary data


Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1

2021-07-11 Thread Utkarsh Gupta
Hi Paul,

[CC'ed team@s.d.o]

On Sat, Jul 10, 2021 at 1:34 AM Paul Gevers  wrote:
> Unblocked the latest version in unstable.

Awesome, thank you so much!

Just as a heads up, I'll be also filing unblock requests for ruby2.7
(already uploaded) and libjdom1-java & libjdom2-java (yet to upload).
All three are CVE fixes and hopefully should be trivial for the
release team to evaluate. Let me know if you've any questions, thank
you!


- u



Bug#989703: unblock: eterm/0.9.6-6.1

2021-06-10 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid &
stretch. -pu update for buster has also been filed.

Since this is just a CVE fix, I'd request you to unblock this and let
it go to bullseye. :)

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


eterm_sid.debdiff
Description: Binary data


Bug#989702: buster-pu: package eterm/0.9.6-5+deb10u1

2021-06-10 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hello,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid &
stretch. Since the version in stretch & buster is the same, I'd like
to get this update into -pu in the next release so as to avoid upgrade
problems.

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


eterm_buster.debdiff
Description: Binary data


Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1

2021-06-04 Thread Utkarsh Gupta
Hi Paul,

On Fri, Jun 4, 2021 at 1:38 AM Paul Gevers  wrote:
> > You haven't answered my question: "does rails still work with the old
> > version of ruby-marcel and can the version bump be reverted"
>
> Ping. Without a proper answer, I can't decide.

Thanks, I'm yet to figure that out and hopefully will do this on the weekend.
If it were to work with the older ruby-marcel, can I then just push
the newer rails to bullseye directly? Now that marcel's at v1.0 in
unstable, I don't want to downgrade again.


- u



Bug#989037: unblock: rails/2:6.0.3.7+dfsg-1

2021-05-24 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

Rails was recently affected by 3 CVEs (CVE-2021-2290{2,4} and CVE-2021-22885).

I'm attaching a filtered diff for your review; the diff is really
small and minimal which should be clear by looking at it. The only
caveat is that it needs ruby-marcel, which has an unblock request
(#989036) opened a few minutes ago.

rails has been in unstable for around 9 days now[1]; I've done some
testing and it all works OK w/ Bullseye, so it should be good to go.
[1]: https://tracker.debian.org/pkg/rails

The command used to filter the debdiff is as follows:
filterdiff --exclude='*/Gemfile.lock' --exclude='*/CHANGELOG.md' \
  --exclude='*/gem_version.rb' --exclude='*/package.json' \
  --exclude='*/test/*' ../rails.debdiff

Let me know if you need any other information from my end. Thanks!

- u


rails_filtered.debdiff
Description: Binary data


Bug#989036: unblock: ruby-marcel/1.0.1+dfsg-2

2021-05-24 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

We had to bump ruby-marcel to a newer version because the mimemagic
dependency - which relies on GPL-licensed mime type data from
freedesktop.org’s shared-mime-info project - is removed. Marcel now
directly uses mime type data adapted from the Apache Tika project,
distributed under the Apache License. This is the only major change
here + some other bug fixes to get everything working.

ruby-marcel has been in unstable for around 9 days now[1]; I've done
some testing and it all works OK w/ Bullseye, so it should be good to
go.
[1]: https://tracker.debian.org/pkg/ruby-marcel

Since this is licensing + bug fix, I believe it'd be a good idea to
have this included in Bullseye; this is also needed for rails to be
unblocked (another separate request).

Attaching a filtered debdiff for your review. The command used to
filter the debdiff is as follows:
filterdiff --exclude='*/APACHE-LICENSE' --exclude='*/.*' \
  --exclude='*/data/*' --exclude='*/script/*' --exclude='*/test/*' \
  --exclude='*/Gemfile.lock' --exclude='*/README.md' \
  ../ruby-marcel.debdiff

Let me know if you need any other information from my end. Thanks!


- u


ruby-marcel_filtered.debdiff
Description: Binary data


Bug#987531: buster-pu: package opendmarc/1.3.2-6+deb10u2

2021-04-25 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
User: debian-release@lists.debian.org
Usertags: bsp-2021-04-at-salzburg
X-Debbugs-Cc: t...@security.debian.org
Tags: buster
Severity: normal

Hello,

src:opendmarc has been affected by CVE-2020-12460, which is fixed in
sid, bullseye, and stretch. Therefore, I'd like for it to be fixed in
buster as well. And hence this pu update.

The debdiff is duly attached. Let me know if you need any more information. TIA!


- u


opendmarc-buster.debdiff
Description: Binary data


Bug#987501: unblock ruby-librarian/0.6.4-3

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock bsp-2021-04-AT-Salzburg

Hello,

This upload fixes #987113 and is actually a one-liner change:
```
-  project_path = Pathname.new(__FILE__).expand_path
+  project_path = Pathname.pwd.expand_path
```

A more formal debdiff is attached. Requesting you to please unblock
this. Should you need any more details, please let me know. TIA!


- u


ruby-librarian-sid.debdiff
Description: Binary data


Bug#987494: buster-pu: package fluidsynth/1.1.11-1+deb10u1

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:fluidsynth has been affected by CVE-2021-28421 which is fixed in
sid and unblocked for bullseye. Since this affects buster as well, I'm
hereby opening a pu update bug for tracking.

Thanks to Reiner Herrmann for preparing and testing the update. I've
reviewed and it looks good; the debdiff is duly attached. Let me know
if you need any more information. TIA!


- u


fluidsynth-buster.debdiff
Description: Binary data


Bug#987489: buster-pu: package jackson-databind/2.9.8-3+deb10u3

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:jackson-databind has been affected by 18 CVEs which are fixed in
unstable and bullseye (and also jessie). Therefore, I'd like them to
be fixed in buster as well. And hence this pu update.

The debdiff is duly attached. Let me know if you need any more information. TIA!


- u


jackson-databind-buster.debdiff
Description: Binary data


Bug#987471:

2021-04-24 Thread Utkarsh Gupta
user debian-release@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
thank you



Bug#986742: unblock: ruby2.7/2.7.3-1

2021-04-17 Thread Utkarsh Gupta
Hi Sebastian,

On Sat, Apr 17, 2021 at 3:08 PM Sebastian Ramacher  wrote:
> Thanks, please go ahead and remove the moreinfo tag once the version is
> available in unstable.

Uploaded to unstable, thanks. And removed the tag as well.


- u



Bug#986146: unblock: rabbitmq-server/3.8.9-2

2021-03-30 Thread Utkarsh Gupta
Hello,

Awesome, thanks for this upload, Thomas.
I can confirm that this is a pure bug-fix release only and indeed
fixes the problems raised, thereby making this package even better for
bullseye.

A huge +1 for unblocking.


- u



Bug#983113: buster-pu: package ruby-mechanize/2.7.6-1+deb10u1

2021-02-19 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: debian-r...@lists.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello,

ruby-mechanize was affected by CVE-2021-21289, where the package was
vulnerable to OS command injection.

This has been fixed in sid, bullseye, and stretch.
Here's the debdiff for buster-pu:

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby-mechanize-2.7.6/debian/changelog
ruby-mechanize-2.7.6/debian/changelog
--- ruby-mechanize-2.7.6/debian/changelog2019-01-04 16:57:45.0 +0530
+++ ruby-mechanize-2.7.6/debian/changelog2021-02-19 22:47:27.0 +0530
@@ -1,3 +1,10 @@
+ruby-mechanize (2.7.6-1+deb10u1) buster; urgency=medium
+
+  * Team upload for buster-pu.
+  * Add patch to prevent OS command injection. (Fixes: CVE-2021-21289)
+
+ -- Utkarsh Gupta   Fri, 19 Feb 2021 22:47:27 +0530
+
 ruby-mechanize (2.7.6-1) unstable; urgency=medium

   * Team upload
diff -Nru ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch
ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch
--- ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch
1970-01-01 05:30:00.0 +0530
+++ ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch
2021-02-19 22:46:52.0 +0530
@@ -0,0 +1,260 @@
+From aae0b13514a1a0caf93b1cf233733c50e679069a Mon Sep 17 00:00:00 2001
+From: Katsuhiko YOSHIDA 
+Date: Sat, 20 Jul 2019 11:03:40 +0900
+Subject: [PATCH 1/7] fix(security): prevent command injection in CookieJar
+
+Related to 
https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
+---
+ lib/mechanize/cookie_jar.rb   |  4 ++--
+ test/test_mechanize_cookie_jar.rb | 30 ++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+--- a/lib/mechanize/cookie_jar.rb
 b/lib/mechanize/cookie_jar.rb
+@@ -65,7 +65,7 @@
+   class CookieJar < ::HTTP::CookieJar
+ def save(output, *options)
+   output.respond_to?(:write) or
+-return open(output, 'w') { |io| save(io, *options) }
++return ::File.open(output, 'w') { |io| save(io, *options) }
+
+   opthash = {
+ :format => :yaml,
+@@ -119,7 +119,7 @@
+
+ def load(input, *options)
+   input.respond_to?(:write) or
+-return open(input, 'r') { |io| load(io, *options) }
++return ::File.open(input, 'r') { |io| load(io, *options) }
+
+   opthash = {
+ :format => :yaml,
+--- a/test/test_mechanize_cookie_jar.rb
 b/test/test_mechanize_cookie_jar.rb
+@@ -1,4 +1,5 @@
+ require 'mechanize/test_case'
++require 'fileutils'
+
+ class TestMechanizeCookieJar < Mechanize::TestCase
+
+@@ -500,6 +501,35 @@
+ assert_equal(0, @jar.cookies(url).length)
+   end
+
++  def test_prevent_command_injection_when_saving
++url = URI 'http://rubygems.org/'
++path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
++
++@jar.add(url, Mechanize::Cookie.new(cookie_values))
++
++in_tmpdir do
++  @jar.save_as(path, :cookiestxt)
++  assert_equal(false, File.exist?('vul.txt'))
++end
++  end
++
++  def test_prevent_command_injection_when_loading
++url = URI 'http://rubygems.org/'
++path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
++
++@jar.add(url, Mechanize::Cookie.new(cookie_values))
++
++in_tmpdir do
++  @jar.save_as("cookies.txt", :cookiestxt)
++  @jar.clear!
++
++  assert_raises Errno::ENOENT do
++@jar.load(path, :cookiestxt)
++  end
++  assert_equal(false, File.exist?('vul.txt'))
++end
++  end
++
+   def test_save_and_read_expired_cookies
+ url = URI 'http://rubyforge.org/'
+
+--- a/lib/mechanize.rb
 b/lib/mechanize.rb
+@@ -396,7 +396,7 @@
+ io = if io_or_filename.respond_to? :write then
+io_or_filename
+  else
+-   open io_or_filename, 'wb'
++   ::File.open(io_or_filename, 'wb')
+  end
+
+ case page
+--- a/test/test_mechanize.rb
 b/test/test_mechanize.rb
+@@ -345,6 +345,14 @@
+ end
+   end
+
++  def test_download_does_not_allow_command_injection
++in_tmpdir do
++  @mech.download('http://example', '| ruby -rfileutils -e
\'FileUtils.touch("vul.txt")\'')
++
++  refute_operator(File, :exist?, "vul.txt")
++end
++  end
++
+   def test_get
+ uri = URI 'http://localhost'
+
+--- a/lib/mechanize/download.rb
 b/lib/mechanize/download.rb
+@@ -71,7 +71,7 @@
+ dirname = File.dirname filename
+ FileUtils.mkdir_p dirname
+
+-open filename, 'wb' do |io|
++::File.open(filename, 'wb')do |io|
+   until @body_io.eof? do
+ io.write @body_io.read 16384
+   end
+--- a/test/test_mechanize_download.rb
 b/test/test_mechanize_download.rb
+@@ -46,6 +46,18 @@
+ end
+   end
+
++  def test_save_bang_does_not_allow_command_injection
++uri = URI.parse 'http://example/
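
Review bot: the patch header does not describe what the patch contains: the Subject says "[PATCH 1/7]" and the diffstat lists only lib/mechanize/cookie_jar.rb and its test, yet the body also replaces Kernel#open with ::File.open in lib/mechanize.rb and lib/mechanize/download.rb (plus their tests), so this is a squash of several upstream commits. A DEP-3 Origin/Bug header naming the squashed upstream commits and the GHSA advisory would make the provenance reviewable. Two smaller points: the download.rb hunk has `::File.open(filename, 'wb')do |io|` with the space before `do` missing, and in this rendering the `+++ b/` file header lines are gone (only ` b/lib/mechanize/cookie_jar.rb` and friends survive) while the mail is cut off at `uri = URI.parse 'http://example/`, so apply and review the attached debdiff with quilt rather than from the mail body.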

Re: Re: source-only uploads for future point releases (Re: Bug

2021-01-30 Thread Utkarsh Gupta
Henrique de Moraes Holschuh  wrote:
> But just in case, what about Jessie ELTS non-free ?

A source-only upload should work and the builders would pick it from there.
However, uploading to jessie now is not straightforward. There's a
different repository altogether, so only those who have their keys
added can upload (cf: the ELTS team).

Should you have more questions, let me know. Either way, I'll wait for
buster-pu and stretch update of intel-microcode and then work on this?
(cf: our other thread :)).


- u



Bug#981271: buster-pu: package python-bottle/0.12.15-2+deb10u1

2021-01-28 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello,

python-bottle was affected by CVE-2020-28473, where the package was
vulnerable to Web Cache Poisoning by using a vector called parameter
cloaking.

This has been fixed in Sid, Bullseye, and Stretch (& Jessie).
Here's the debdiff for buster-pu:

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru python-bottle-0.12.15/debian/changelog
python-bottle-0.12.15/debian/changelog
--- python-bottle-0.12.15/debian/changelog2019-03-27
05:13:08.0 +0530
+++ python-bottle-0.12.15/debian/changelog2021-01-28
20:22:22.0 +0530
@@ -1,3 +1,10 @@
+python-bottle (0.12.15-2+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the Security team.
+  * Do not split query strings on `;` anymore. (Fixes: CVE-2020-28473)
+
+ -- Utkarsh Gupta   Thu, 28 Jan 2021 20:22:22 +0530
+
 python-bottle (0.12.15-2) unstable; urgency=medium

   * Update tox dependency (Closes: #924836)
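Review bot: the new changelog entry says "Non-maintainer upload by the Security team." with urgency=high, but this upload goes through buster-pu via the release team rather than as a DSA (the target "buster" is right for that). If the entry was prepared for a DSA and retargeted, fine; otherwise a plain "Non-maintainer upload." line avoids suggesting a security-archive upload.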
diff -Nru python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
--- python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
1970-01-01 05:30:00.0 +0530
+++ python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
2021-01-28 20:21:24.0 +0530
@@ -0,0 +1,25 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp 
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/bottle.py
 b/bottle.py
+@@ -2577,7 +2577,7 @@
+
+ def _parse_qsl(qs):
+ r = []
+-for pair in qs.replace(';','&').split('&'):
++for pair in qs.split('&'):
+ if not pair: continue
+ nv = pair.split('=', 1)
+ if len(nv) != 2: nv.append('')
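Review bot: the change to `_parse_qsl` is correct and minimal, but nothing in the hunk exercises it; a test (or autopkgtest) checking that `a=1;b=2` now yields the single pair `('a', '1;b=2')` instead of two pairs would keep a later patch refresh from silently dropping the fix. Since the upstream commit message itself calls the change backwards-incompatible, a short debian/NEWS entry telling buster users that `;` is no longer a query-string separator would also be appropriate for a stable update.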
diff -Nru python-bottle-0.12.15/debian/patches/series
python-bottle-0.12.15/debian/patches/series
--- python-bottle-0.12.15/debian/patches/series2019-03-27
05:13:08.0 +0530
+++ python-bottle-0.12.15/debian/patches/series2021-01-28
20:21:33.0 +0530
@@ -1,2 +1,3 @@
 0001-Remove-bottle.py-from-scripts.patch
 0002-Add-CLI-manpage.patch
+CVE-2020-28473.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

- u

---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
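An added example, mine rather than code from the bug report or from bottle itself, showing why the `;` split in `_parse_qsl` enables parameter cloaking: a caching proxy that keys only on `&`-separated pairs and ignores an unkeyed analytics parameter computes the same cache key for a plain request and for one carrying an extra parameter hidden behind `;`, while the pre-fix parser hands that hidden parameter to the application. The `utm_content`/`callback` names and the query string are constructed for the demo, and both parsers are simplified models of bottle's `_parse_qsl` before and after the patch.

```python
"""Parameter cloaking (CVE-2020-28473 in bottle): pre-fix vs fixed query
parsing, and a check that flags requests where a cache and the app disagree.
The parsers below model bottle's _parse_qsl; they are not bottle's code."""
from __future__ import annotations

from urllib.parse import unquote_plus


def _parse(qs: str) -> list[tuple[str, str]]:
    # Shared body of bottle's _parse_qsl: split on '&', then on the first '='.
    pairs: list[tuple[str, str]] = []
    for pair in qs.split("&"):
        if not pair:
            continue
        nv = pair.split("=", 1)
        if len(nv) != 2:
            nv.append("")
        pairs.append((unquote_plus(nv[0]), unquote_plus(nv[1])))
    return pairs


def parse_qsl_old(qs: str) -> list[tuple[str, str]]:
    """Pre-fix behaviour: ';' is rewritten to '&', so it separates pairs too."""
    return _parse(qs.replace(";", "&"))


def parse_qsl_fixed(qs: str) -> list[tuple[str, str]]:
    """Behaviour after the patch: only '&' separates pairs."""
    return _parse(qs)


def cache_key(qs: str, unkeyed: set[str]) -> str:
    """Model of a caching proxy: it splits on '&' only and leaves parameters
    named in `unkeyed` (e.g. analytics parameters) out of the cache key."""
    kept = [p for p in qs.split("&") if p and p.split("=", 1)[0] not in unkeyed]
    return "&".join(sorted(kept))


def cloaked_params(qs: str, unkeyed: set[str], parser) -> set[str]:
    """Parameter names the application (using `parser`) acts on although the
    cache never saw them as keyed parameters. A non-empty result means the
    cached response for this key may have been computed from hidden input."""
    app_names = {name for name, _ in parser(qs)}
    cache_names = {p.split("=", 1)[0] for p in qs.split("&") if p} - unkeyed
    return app_names - cache_names - unkeyed


if __name__ == "__main__":
    # Constructed demo query: 'callback' rides inside the unkeyed utm_content value.
    demo = "q=hello&utm_content=x;callback=injected"
    unkeyed = {"utm_content"}
    print("cache key (same as for q=hello):", cache_key(demo, unkeyed))
    print("old parser sees:", parse_qsl_old(demo))
    print("fixed parser sees:", parse_qsl_fixed(demo))
    print("cloaked (old):", cloaked_params(demo, unkeyed, parse_qsl_old))
    print("cloaked (fixed):", cloaked_params(demo, unkeyed, parse_qsl_fixed))
```

Running `cloaked_params` over a cache's access log with the cache's own unkeyed-parameter list is a cheap way to spot requests that were attempting this against an unpatched bottle.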



Bug#971571: transition: libgit2

2020-12-09 Thread Utkarsh Gupta
Hey,

On Wed, Dec 9, 2020 at 3:13 PM Utkarsh Gupta  wrote:
> I'll take a look at python-pygit2 today as well. So that leaves us with
> ruby-rugged. I'll come to that in the next few days if no one beats me to
> it.

FWIW, I've uploaded both, thereby completing all the blockers.
Hopefully this transition should complete soon :)

Thanks to everybody who was involved here, especially Ximin and Sebastian! \o/


- u



Bug#971571: transition: libgit2

2020-12-09 Thread Utkarsh Gupta
Hello,

On Wed, Dec 9, 2020 at 2:23 AM Sebastian Ramacher  wrote:
> > So I conclude that it's probably fine to upload libgit2 1.1.0 to unstable 
> > now?
> Okay, then let's do this now. Please go ahead.

Awesome, uploaded!
I'll take a look at python-pygit2 today as well. So that leaves us with
ruby-rugged. I'll come to that in the next few days if no one beats me to
it.


- u



Bug#971571: transition: libgit2

2020-12-08 Thread Utkarsh Gupta
Hi Sebastian,

On Tue, Dec 8, 2020 at 3:30 PM Sebastian Ramacher  wrote:
> v30 was accepted. Please perform a source-only upload for the arch: all
> packages.

That should be done now! \o/

> > The only reverse-{,build-}dependency is gitaly, it seems. So I'm CCing
> > Praveen so he gets a heads up.
>
> Filed #976820 against gitaly.
>
> In any case, I'll remove golang-gopkg-libgit2-git2go.v28 and
> gitaly from testing to unblock this transition. gitaly is blocked by
> ruby-faraday which is currently causing a bunch of autopkgtest
> regressions.

Great, thanks for this!

I do have another (stupid) question :)
libgit2 upstream has released 1.1.0 after 1.0.1 (which is the
transition we're pursuing). However, libgit2 1.1.0 is backwards
compatible *but* still a transition is needed for it.
I've already worked on updating the same in experimental and it is now
accepted as well. Do you think we can do a 1.1.0 transition along with
this as well?

Whilst I didn't build all the reverse-{build-}dependencies, I
believe there shouldn't be much of a problem.


- u



Bug#971571: transition: libgit2

2020-12-07 Thread Utkarsh Gupta
Hi Peter,

On Sun, Dec 6, 2020 at 11:06 AM peter green  wrote:
> In addition to the packages mentioned here, it seems there is another
> package involved: golang-gopkg-libgit2-git2go.v28 . It only builds
> arch-all packages and does not directly depend on the library, but it
> FTBFS and its autopkgtest fails with the new version.
>
> The FTBFS was picked up in a rebuild test by Lucas and a bug report
> was filed https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976522

Yes, because v28 is only compatible with libgit2 v0.28. For libgit2
v1.0, we need v30 for git2go. So I've uploaded
golang-gopkg-libgit2-git2go.v30 to NEW and once accepted, I'll file an
RM for v28.

The only reverse-{,build-}dependency is gitaly, it seems. So I'm CCing
Praveen so he gets a heads up.



Bug#971571: transition: libgit2

2020-12-04 Thread Utkarsh Gupta
Hi,

On Sat, Dec 5, 2020 at 1:41 AM Sebastian Ramacher  wrote:
> Scheduled the binNMUs except for horizon-eda (involved in python3.9-defaults).

Great, thank you!
I've, meanwhile, uploaded python-pygit2 and libgit-raw-perl! Will
hopefully get on to ruby-rugged, as well! \o/


- u



Bug#971571: transition: libgit2

2020-12-04 Thread Utkarsh Gupta
Hi Sebastian,

On Fri, Dec 4, 2020 at 10:54 PM Sebastian Ramacher  wrote:
> Please go ahead with the upload to unstable.

Great, thanks, I did an upload just now! :)


- u



Bug#972161: buster-pu: package ruby2.5/2.5.5-3+deb10u3

2020-10-13 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP
server bundled with Ruby, had not checked the transfer-encoding header
value rigorously.

This has been fixed in Sid, Bullseye, and Stretch.
Here's the debdiff for buster-pu:

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog
--- ruby2.5-2.5.5/debian/changelog2020-07-04 00:07:58.0 +0530
+++ ruby2.5-2.5.5/debian/changelog2020-10-13 18:32:32.0 +0530
@@ -1,3 +1,10 @@
+ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high
+
+  * Add patch to fix a potential HTTP request smuggling
+vulnerability in WEBrick. (Fixes: CVE-2020-25613)
+
+ -- Utkarsh Gupta   Tue, 13 Oct 2020 18:32:32 +0530
+
 ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high

   * Non-maintainer upload by the Security Team.
diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
--- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch1970-01-01
05:30:00.0 +0530
+++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch2020-10-13
18:31:51.0 +0530
@@ -0,0 +1,30 @@
+From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh 
+Date: Tue, 29 Sep 2020 13:15:58 +0900
+Subject: [PATCH] Make it more strict to interpret some headers
+
+Some regexps were too tolerant.
+
+--- a/lib/webrick/httprequest.rb
 b/lib/webrick/httprequest.rb
+@@ -226,9 +226,9 @@
+ raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+   end
+
+-  if /close/io =~ self["connection"]
++  if /\Aclose\z/io =~ self["connection"]
+ @keep_alive = false
+-  elsif /keep-alive/io =~ self["connection"]
++  elsif /\Akeep-alive\z/io =~ self["connection"]
+ @keep_alive = true
+   elsif @http_version < "1.1"
+ @keep_alive = false
+@@ -475,7 +475,7 @@
+   return unless socket
+   if tc = self['transfer-encoding']
+ case tc
+-when /chunked/io then read_chunked(socket, block)
++when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+ end
+   elsif self['content-length'] || @remaining_size
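Review bot: the embedded patch's file header is malformed as shown: the line after `+--- a/lib/webrick/httprequest.rb` reads ` b/lib/webrick/httprequest.rb` with no `++++` prefix, so confirm with `quilt push` that the patch in the series applies before uploading. On the substance, anchoring with `\A...\z` means a `Transfer-Encoding` value that is a list (for example `gzip, chunked`) now raises `NotImplemented` instead of being read as chunked; that is the intended strictness, since a substring match let WEBrick and a front-end proxy disagree on how the body is framed, but it is a visible behaviour change worth a line in the changelog.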
diff -Nru ruby2.5-2.5.5/debian/patches/series
ruby2.5-2.5.5/debian/patches/series
--- ruby2.5-2.5.5/debian/patches/series2020-07-04 00:06:34.0 +0530
+++ ruby2.5-2.5.5/debian/patches/series2020-10-13 18:32:04.0 +0530
@@ -15,3 +15,4 @@
 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch
 CVE-2020-10933.patch
 CVE-2020-10663.patch
+CVE-2020-25613.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

- u
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#962264: stretch-pu: package ruby2.3/2.3.3-1+deb9u8

2020-06-05 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby2.3 was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for stretch-pu:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby2.3-2.3.3/debian/changelog ruby2.3-2.3.3/debian/changelog
--- ruby2.3-2.3.3/debian/changelog2019-12-15 21:58:25.0 +0530
+++ ruby2.3-2.3.3/debian/changelog2020-06-05 14:25:50.0 +0530
@@ -1,3 +1,11 @@
+ruby2.3 (2.3.3-1+deb9u8) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Add patch to fix unsafe object creation vulnerability.
+(Fixes: CVE-2020-10663)
+
+ -- Utkarsh Gupta   Fri, 05 Jun 2020 14:25:50 +0530
+
 ruby2.3 (2.3.3-1+deb9u7) stretch-security; urgency=high

   * Non-maintainer upload by the Security Team.
diff -Nru ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch
ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch
--- ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch1970-01-01
05:30:00.0 +0530
+++ ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch2020-06-05
14:25:21.0 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa 
+Date: Mon, 30 Mar 2020 22:22:10 +
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+ securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta 
+
+--- a/ext/json/parser/parser.c
 b/ext/json/parser/parser.c
+@@ -1739,7 +1739,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+--- a/ext/json/parser/parser.rl
 b/ext/json/parser/parser.rl
+@@ -723,7 +723,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
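Review bot: both `ext/json/parser/parser.c` and `ext/json/parser/parser.rl` are changed the same way, which is needed because `parser.c` is generated from the Ragel source; check whether the package build regenerates `parser.c` from `parser.rl` (if it does, only the `.rl` hunk takes effect; if not, only the `.c` hunk does), so the two must stay in sync in any later refresh. As a style point, consider grouping the `Author:` line with the other header fields (`From:`, `Date:`) rather than after the `git-svn-id` trailers.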
diff -Nru ruby2.3-2.3.3/debian/patches/series
ruby2.3-2.3.3/debian/patches/series
--- ruby2.3-2.3.3/debian/patches/series2019-12-15 21:58:25.0 +0530
+++ ruby2.3-2.3.3/debian/patches/series2020-06-05 14:25:01.0 +0530
@@ -4,3 +4,4 @@
 Loop-with-String-scan-without-creating-substrings.patch
 WEBrick-prevent-response-splitting-and-header-inject.patch
 lib-shell-command-processor.rb-Shell-prevent-unknown.patch
+CVE-2020-10663.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#962256: stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1

2020-06-05 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for stretch-pu:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby-json-2.0.1+dfsg/debian/changelog
ruby-json-2.0.1+dfsg/debian/changelog
--- ruby-json-2.0.1+dfsg/debian/changelog2016-12-06 05:03:24.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/changelog2020-06-05 12:33:14.0 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+(Fixes: CVE-2020-10663
+
+ -- Utkarsh Gupta   Fri, 05 Jun 2020 12:33:14 +0530
+
 ruby-json (2.0.1+dfsg-3) unstable; urgency=medium

   * Add Conflicts: ruby-json-pure (Closes: #847141)
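Review bot: the changelog entry has an unbalanced parenthesis: `(Fixes: CVE-2020-10663` is missing its closing `)`. Fix it before upload so the entry matches the buster one and tools that scan changelogs for CVE references see the intended text.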
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:32:48.0 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa 
+Date: Mon, 30 Mar 2020 22:22:10 +
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+ securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta 
+
+--- a/ext/json/ext/parser/parser.c
 b/ext/json/ext/parser/parser.c
+@@ -1791,7 +1791,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+--- a/ext/json/ext/parser/parser.rl
 b/ext/json/ext/parser/parser.rl
+@@ -686,7 +686,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
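Review bot: the hunk flips the default `create_additions` from 1 to 0 in the no-options branch of both `parser.c` and `parser.rl` but adds no test exercising it; since the hunk headers (`@@ -1791` and `@@ -686`) differ from the ruby2.3 copy, the patch was rebased by hand, so run or add a test that `JSON.parse` on a document carrying a `json_class` key returns a plain Hash to verify the backport against this gem's tree.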
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/series
ruby-json-2.0.1+dfsg/debian/patches/series
--- ruby-json-2.0.1+dfsg/debian/patches/series2016-12-06
05:03:24.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/series2020-06-05
12:32:29.0 +0530
@@ -1,3 +1,4 @@
 02-fix-fuzz.rb-shebang.patch
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
+CVE-2020-10663.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#962255: buster-pu: package ruby-json/2.1.0+dfsg-2+deb10u1

2020-06-05 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for buster-pu:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby-json-2.1.0+dfsg/debian/changelog
ruby-json-2.1.0+dfsg/debian/changelog
--- ruby-json-2.1.0+dfsg/debian/changelog2018-02-25 23:03:06.0 +0530
+++ ruby-json-2.1.0+dfsg/debian/changelog2020-06-05 12:13:54.0 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.1.0+dfsg-2+deb10u1) buster; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+(Fixes: CVE-2020-10663)
+
+ -- Utkarsh Gupta   Fri, 05 Jun 2020 12:13:54 +0530
+
 ruby-json (2.1.0+dfsg-2) unstable; urgency=medium

   * Team upload.
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.0 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:12:56.0 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa 
+Date: Mon, 30 Mar 2020 22:22:10 +
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+ securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta 
+
+--- a/ext/json/ext/parser/parser.c
 b/ext/json/ext/parser/parser.c
+@@ -1815,7 +1815,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+--- a/ext/json/ext/parser/parser.rl
 b/ext/json/ext/parser/parser.rl
+@@ -710,7 +710,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
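Review bot: the commit-message trailers (`git-svn-id: ... ruby_2_6@67856` and `ruby_2_5@67869`) describe the Ruby core tree, not the standalone json gem this patch is applied to; consider adding a DEP-3 `Origin:` line pointing at the upstream commit named in the message (`80b5a0ff2a7709367178f29d4ebe1c54122b1c27`) so the provenance is clear for the gem.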
diff -Nru ruby-json-2.1.0+dfsg/debian/patches/series
ruby-json-2.1.0+dfsg/debian/patches/series
--- ruby-json-2.1.0+dfsg/debian/patches/series2018-02-25
23:03:06.0 +0530
+++ ruby-json-2.1.0+dfsg/debian/patches/series2020-06-05
12:09:39.0 +0530
@@ -2,3 +2,4 @@
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
 0006-Disable-git-usage-during-build-time.patch
+CVE-2020-10663.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
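The three CVE-2020-10663 requests above (ruby2.3, ruby-json for stretch and for buster) all flip the `create_additions` default from 1 to 0. The following is an added example, not code from those bug reports or from the json gem, showing what that default controls and how a defender parses untrusted JSON regardless of the gem's default; the helper names `parse_with_additions`, `parse_untrusted`, `json_class_hooks` and the constructed `UNTRUSTED_DOC` are mine, and the stdlib `json/add/range` serializer stands in for any `json_creatable` class.

```ruby
require 'json'
require 'json/add/range' # stdlib: defines Range.json_create / Range#to_json

# Constructed input: a document carrying the json gem's "json_class" hook.
# It names a harmless stdlib class; the point is that the parser, not the
# caller, decides whether this data becomes an object.
UNTRUSTED_DOC = '{"json_class":"Range","a":[1,2,false]}'

# The old default: with create_additions enabled, the parser looks up the
# class named in "json_class" and calls its json_create hook, so plain JSON
# from the network turns into whatever json_creatable object it names.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# The patched default: create_additions is off, so the same document is a
# Hash and "json_class" is ordinary data. Passing the option explicitly
# keeps that behaviour even on an unpatched json gem.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# Post-parse check for logging: report the JSONPath-style location of every
# object that carries the create_id hook, so object-creation attempts are
# visible in logs even though they are now inert.
def json_class_hooks(obj, path = "$", acc = [])
  case obj
  when Hash
    acc << path if obj.key?(JSON.create_id)
    obj.each { |k, v| json_class_hooks(v, "#{path}.#{k}", acc) }
  when Array
    obj.each_with_index { |v, i| json_class_hooks(v, "#{path}[#{i}]", acc) }
  end
  acc
end

if __FILE__ == $PROGRAM_NAME
  puts parse_with_additions(UNTRUSTED_DOC).class      # Range
  puts parse_untrusted(UNTRUSTED_DOC).class           # Hash
  p json_class_hooks(parse_untrusted(UNTRUSTED_DOC))  # ["$"]
end
```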



Bug#944228:

2020-03-29 Thread Utkarsh Gupta
Hi all,

On Sat, Mar 28, 2020 at 6:56 PM William Desportes  wrote:
> Done

Thank you! :)

> Done, thank you for the suggestion

Thank you! :)

> I uploaded the file to
> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u1.dsc

Thank you, this has been uploaded from my side :)


Best,
Utkarsh



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-03-28 Thread Utkarsh Gupta
Hi Adam,

On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt"
 wrote:
> Control: tags -1 + confirmed
> Thanks. Please go ahead.

For some reason, this upload never happened.
However, now, the maintainer, William (CCed here) has prepared these
CVE fixes + some new CVEs on top of this, too.
All of these CVE(s) have been fixed in unstable (and in Jessie, too).

Please let me know if we have an ack from your side to upload the fix
for all the CVEs in Stretch.

Attaching the debdiff.


Best,
Utkarsh


debdiff
Description: Binary data


Bug#954714: buster-pu: package rails/2:5.2.2.1+dfsg-1+deb10u1

2020-03-22 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hiya,

rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rails-5.2.2.1+dfsg/debian/changelog
rails-5.2.2.1+dfsg/debian/changelog
--- rails-5.2.2.1+dfsg/debian/changelog2019-03-17 17:44:07.0 +0530
+++ rails-5.2.2.1+dfsg/debian/changelog2020-03-22 18:47:31.0 +0530
@@ -1,3 +1,11 @@
+rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
+
+  * Team upload.
+  * Add patch to fix possible XSS vector in JS escape helper.
+(Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta   Sun, 22 Mar 2020 18:47:31 +0530
+
 rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium

   * Team upload
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
1970-01-01 05:30:00.0 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
2020-03-22 18:47:04.0 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson 
+Author: Utkarsh Gupta 
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
 b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -12,7 +12,9 @@
+ "\n"=> '\n',
+ "\r"=> '\n',
+ '"' => '\\"',
+-"'" => "\\'"
++"'" => "\\'",
++"`" => "\\`",
++"$" => "\\$"
+   }
+
+   
JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!]
= ""
+@@ -26,7 +28,7 @@
+   #   $('some_element').replaceWith('<%= j render
'some/element_template' %>');
+   def escape_javascript(javascript)
+ if javascript
+-  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {
|match| JS_ESCAPE_MAP[match] }
++  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+   javascript.html_safe? ? result.html_safe : result
+ else
+   ""
+--- a/actionview/test/template/javascript_helper_test.rb
 b/actionview/test/template/javascript_helper_test.rb
+@@ -32,6 +32,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont  tags))
+   end
+
++  def test_escape_backtick
++assert_equal "\\`", escape_javascript("`")
++  end
++
++  def test_escape_dollar_sign
++assert_equal "\\$", escape_javascript("$")
++  end
++
+   def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n )
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
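Review bot: the new tests only check the single characters `` ` `` and `$` in isolation; add a case that escapes a template-literal expression such as `${x}` inside backticks so the two new map entries and the rewritten `gsub(..., JS_ESCAPE_MAP)` call are exercised together. The switch from the block form to passing the Hash to `gsub` is behaviour-preserving (both replace a match with `JS_ESCAPE_MAP[match]`), so no further change is needed there.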
diff -Nru rails-5.2.2.1+dfsg/debian/patches/series
rails-5.2.2.1+dfsg/debian/patches/series
--- rails-5.2.2.1+dfsg/debian/patches/series2019-03-17
17:44:07.0 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/series2020-03-22
18:46:39.0 +0530
@@ -1,2 +1,3 @@
 0001-Be-careful-with-that-bundler.patch
 0002-disable-uglify-in-activestorage-rollup-config-js.patch
+CVE-2020-5267.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#954664: stretch-pu: package rails/2:4.2.7.1-1+deb9u2

2020-03-22 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog2019-04-18 20:21:20.0 +0530
+++ rails-4.2.7.1/debian/changelog2020-03-22 18:05:32.0 +0530
@@ -1,3 +1,11 @@
+rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
+
+  * Team upload.
+  * Add patch to fix possible XSS vector in JS escape helper.
+(Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta   Sun, 22 Mar 2020 18:05:32 +0530
+
 rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium

   * CVE-2018-16476 (Closes: #914847)
diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
--- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch1970-01-01
05:30:00.0 +0530
+++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch2020-03-22
18:05:00.0 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson 
+Author: Utkarsh Gupta 
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
 b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -10,7 +10,9 @@
+ "\n"=> '\n',
+ "\r"=> '\n',
+ '"' => '\\"',
+-"'" => "\\'"
++"'" => "\\'",
++"`" => "\\`",
++"$" => "\\$"
+   }
+
+   JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!]
= ''
+@@ -24,7 +26,7 @@
+   #   $('some_element').replaceWith('<%=j render
'some/element_template' %>');
+   def escape_javascript(javascript)
+ if javascript
+-  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u)
{|match| JS_ESCAPE_MAP[match] }
++  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+   javascript.html_safe? ? result.html_safe : result
+ else
+   ''
+--- a/actionview/test/template/javascript_helper_test.rb
 b/actionview/test/template/javascript_helper_test.rb
+@@ -33,6 +33,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont  tags))
+   end
+
++  def test_escape_backtick
++assert_equal "\\`", escape_javascript("`")
++  end
++
++  def test_escape_dollar_sign
++assert_equal "\\$", escape_javascript("$")
++  end
++
+   def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n )
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
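Review bot: the hunk headers (`@@ -10,7 +10,9 @@`, `@@ -24,7 +26,7 @@`, `@@ -33,6 +33,14 @@`) differ from the 5.2 patch, so this was rebased against 4.2.7.1 while `Origin:` and `Last-Update:` were copied unchanged; verify with `quilt push` that it applies without fuzz, and as in the buster patch consider a test covering `${x}` inside backticks rather than only the two single characters.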
diff -Nru rails-4.2.7.1/debian/patches/series
rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series2019-04-18 20:18:04.0 +0530
+++ rails-4.2.7.1/debian/patches/series2020-03-22 18:04:25.0 +0530
@@ -4,3 +4,4 @@
 0005-relax-json.patch
 006-CVE-2018-16476.patch
 007-CVE-2019-5418_CVE-2019-5419.patch
+CVE-2020-5267.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#953124: buster-pu: package rake/12.3.1-3+deb10u1

2020-03-04 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog
--- rake-12.3.1/debian/changelog2018-05-02 19:16:41.0 +0530
+++ rake-12.3.1/debian/changelog2020-02-29 20:40:36.0 +0530
@@ -1,3 +1,10 @@
+rake (12.3.1-3+deb10u1) buster; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta   Sat, 29 Feb 2020 20:40:36 +0530
+
 rake (12.3.1-3) unstable; urgency=medium

   * Revert the drop of the ruby dependency. See Debian bug #897279 for related
diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch
rake-12.3.1/debian/patches/CVE-2020-8130.patch
--- rake-12.3.1/debian/patches/CVE-2020-8130.patch1970-01-01
05:30:00.0 +0530
+++ rake-12.3.1/debian/patches/CVE-2020-8130.patch2020-02-29
20:34:19.0 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA 
+Author: Utkarsh Gupta 
+Origin: 
https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
 b/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@
+   matched = 0
+   each do |fn|
+ begin
+-  open(fn, "r", *options) do |inf|
++  File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+   count += 1
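Review bot: the `Description:` should say why `File.open` is needed: `Kernel#open` treats a filename beginning with `|` as a command to spawn, so `FileList#egrep` handling a crafted file name could run it, whereas `File.open` has no such special case. Recording that in the DEP-3 header helps the next person auditing this one-line change.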
diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series
--- rake-12.3.1/debian/patches/series2018-05-02 19:16:41.0 +0530
+++ rake-12.3.1/debian/patches/series2020-02-29 20:31:31.0 +0530
@@ -1,3 +1,4 @@
 0001-test-helper-adapt-to-test-installed-package.patch
 0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch
 0003-gemspec-drop-git-usage.patch
+CVE-2020-8130.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#953123: stretch-pu: package rake/10.5.0-2+deb9u1

2020-03-04 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelog2016-03-01 23:45:05.0 +0530
+++ rake-10.5.0/debian/changelog2020-02-29 20:57:18.0 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta   Sat, 29 Feb 2020 20:57:18 +0530
+
 rake (10.5.0-2) unstable; urgency=medium

   * Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch1970-01-01
05:30:00.0 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch2020-02-29
20:54:24.0 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA 
+Author: Utkarsh Gupta 
+Origin: 
https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
 b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+   matched = 0
+   each do |fn|
+ begin
+-  open(fn, "r", *options) do |inf|
++  File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+   count += 1
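Review bot: `Bug-Debian:` in a DEP-3 header is meant for a bugs.debian.org report, and the value here is a security-tracker URL; keep the link but move it out of `Bug-Debian:` (for example into the free-text part of the header), with `Bug-Debian:` pointing at the BTS report if one exists. Otherwise the hunk matches the buster patch apart from the `@@ -290,7` offset for 10.5.0.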
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series2016-03-01 23:45:05.0 +0530
+++ rake-10.5.0/debian/patches/series2020-02-29 20:54:08.0 +0530
@@ -2,3 +2,4 @@
 skip_permission_test.patch
 autopkgtest.patch
 skip-rake-libdir.patch
+CVE-2020-8130.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#951130: RM: reel/0.6.1-4

2020-02-11 Thread Utkarsh Gupta
reassign 951130 ftp.debian.org
user pkg-ruby-extras-maintain...@lists.alioth.debian.org
usertags 951130 + ruby2.7-transition
thanks

On Tue, Feb 11, 2020 at 9:39 AM Adam D. Barratt 
wrote:

> This sounds like you want the package removing from unstable?
>

Ah, yes. Fixed.
Thanks!


Best,
Utkarsh


Bug#951129: RM: ruby-websocket-parser/1.0.0-1

2020-02-11 Thread Utkarsh Gupta
reassign 951129 ftp.debian.org
User pkg-ruby-extras-maintain...@lists.alioth.debian.org
Usertags: ruby2.7-transition
thanks

On Tue, Feb 11, 2020 at 9:39 AM Adam D. Barratt 
wrote:

> This sounds like you want the package removing from unstable?
>

Ah, yes. Reassigned to ftp.d.o.
Shall fix the other bugs as well.


Best,
Utkarsh


Bug#951133: RM: berkshelf/4.3.5-2

2020-02-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1057 days and also fails to build
against Ruby 2.7. It has also had an RC bug for a long time.

Each of its reverse dependencies is being filed for removal as well.
This was discussed at the Ruby sprints and finally in the Ruby list, too.

I hereby request the removal of the same.


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#951132: RM: ruby-berkshelf-api-client/2.0.2-1

2020-02-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1402 days and also fails to build
against Ruby 2.7. It has also had an RC bug for a long time.

Each of its reverse dependencies is being filed for removal as well.
This was discussed at the Ruby sprints and finally in the Ruby list, too.

I hereby request the removal of the same.


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#951131: RM: berkshelf-api/2.2.0-1

2020-02-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1242 days and also fails to build
against Ruby 2.7. It has also had an RC bug for a long time.

Each of its reverse dependencies is being filed for removal as well.
This was discussed at the Ruby sprints and finally in the Ruby list, too.

I hereby request the removal of the same.


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#951130: RM: reel/0.6.1-4

2020-02-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1124 days and also fails to build
against Ruby 2.7. It has also had an RC bug for a long time.

Each of its reverse dependencies is being filed for removal as well.
This was discussed at the Ruby sprints and finally in the Ruby list, too.

I hereby request the removal of the same.


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#951129: RM: ruby-websocket-parser/1.0.0-1

2020-02-11 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1578 days and was last uploaded
on 13th October, 2015. It fails to build against Ruby 2.7 and has also had
an RC bug for a long time.

Each of its reverse dependencies are being filed for removal as well.
This was discussed at the Ruby sprints and finally in the Ruby list, too.

I hereby request the removal of the same.


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#929331: unblock: ruby-devise/4.5.0-3

2019-05-21 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-devise.

The latest upload contains a fix for CVE-2019-5421 (and #926348).
Thus requesting you to:
unblock ruby-devise/4.5.0-3


Best,
Utkarsh
---

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Re: Proposal: Repository for fast-paced package backports

2019-05-19 Thread Utkarsh Gupta
Hi Dominik,

On 26/12/18 2:16 am, Dominik George wrote:
> Hi, everyone,
>
> as announced in the recent thread about maintaining, I hereby propose a
> repository that allows making “backports” of packages available to users
> of the stable distribution, if those packages cannot be maintained in
> testing and backported in the usual way. If you are interested in what
> lead up to that, please see bug #915050. I will give a short summary of
> it here.
>
>
> Reasons for having a special place for some packages
> 
>
> (You may want to skip this part if you are familiar with the situation.)
>
> As all developers know (but passers-by may not), for software to enter
> the Debian archive, it is always uploaded to the unstable distribution,
> then migrates to testing (hopefully ;)), which is at some point snapshot
> and made the new stable release. From there on, maintainers have two
> obligations: Firstly, keep the package in stable good and secure, e.g.
> by uploading security fixes for it once they become available upstream,
> or even backport fixes themselves. Secondly, provide the package in
> unstable with updates and ensure its migration, to keep it ready for the
> next stable release.
>
> Now, for some software packages, this process is problematic, because
> upstream may have another idea about software lifecycles. Concerning the
> GitLab example, upstream provides security fixes for three months for
> their stable releases. Backporting fixes from newer versions is very
> hard or impossible because of the massive amounts of changes to the
> software in every new version. This is something that also affects
> other packages, like Mozilla Firefox, which has a firefox package in
> unstable, and a separate firefox-esr package, with the ESR version of
> Firefox. Only the latter migrates to testing.
>
> Users of Debian honour it for its stability, but as an agile software
> lifecycle is adopted by more and more very popular software packages,
> not being able to install these packages in the trusted, well-known
> fashion through the official apt repositories is becoming more and more
> of a drawback.
>
> It can easily be assumed that the normal release and maintenance cycle
> of Debian stable will not change, which is very good, so we should find
> a way to still provide such software as described above to users.
>
>
> Why backports is not enough
> ===
>
> This also is well-known, but for completeness: Formal backports in
> stable-backports are required to be direct backports from testing, and
> are a stepping stone within the upgrade from stable to stable+1. Thus, a
> version of a package that is not in testing can never be in
> stable-backports.
>
> 
>
> Implications for the situation at hand (gitlab)
> ===
>
> As there were quite a few concerns raised (some of which I share, and
> some I don’t): Of course, if a software intended for volatile has a ton
> of dependencies (intended to go into backports), all backports rules and
> powers of the ftp-masters apply. Repeating myself: volatile is not meant
> to ease the life of maintainers.

Did you get a chance to work on it?
This is mostly in reference to #915050. Since GitLab is in good shape
now (people have their own perception of good, though), we'd like to
fast track this and take this forward. 

Let us know about the same :)


Best,
Utkarsh




Bug#928868: unblock: ruby-globalid/0.4.2+REALLY.0.3.6-1

2019-05-12 Thread Utkarsh Gupta
Hey,

On Mon 13 May, 2019, 12:42 AM Paul Gevers wrote:

> Hi Utkarsh,
>
> On 12-05-2019 11:44, Utkarsh Gupta wrote:
> > Hence, requesting you to:
> > unblock ruby-globalid/0.4.2+REALLY.0.3.6-1
>
> It would have been easier if you would have left the old patches in
> place, but anyways. Thanks for following up and reverting the new
> upstream version in unstable.
>

Ah.

unblocked.
>

Thank you :)


Best,
Utkarsh


Bug#928868: unblock: ruby-globalid/0.4.2+REALLY.0.3.6-1

2019-05-12 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-globalid.

The latest upload fixes the FTBFS and thus the bug #925178.
It has no test failures now and builds fine with rails, too.

Hence, requesting you to:
unblock ruby-globalid/0.4.2+REALLY.0.3.6-1


Best,
Utkarsh
---

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#926639: unblock: ruby-hangouts-chat/0.0.5-2

2019-04-08 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-hangouts-chat.

This was affected by #926247, which was an RC bug.
However, in the latest upload, this has been fixed and is good to go.
The bug was reported 2nd April and was fixed on 6th April.

Thus requesting you to:
unblock ruby-hangouts-chat/0.0.5-2


Best,
Utkarsh

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#925604: unblock: ruby-doorkeeper-openid-connect/1.5.5-1

2019-04-03 Thread Utkarsh Gupta
Hey,

On Sat, Mar 30, 2019 at 9:41 PM Ivo De Decker wrote:

> Control: tags -1 moreinfo
>
> Hi,
>
> On Wed, Mar 27, 2019 at 07:11:57PM +0530, Utkarsh Gupta wrote:
> > Please unblock package ruby-doorkeeper-openid-connect.
> >
> > There was a CVE bug (#924747) reported against the package with severity:
> > grave.
> > It was reported on 16th March and was resolved in the latest upload,
> which was
> > on 24th March.
> > Thus, requesting you to please unblock the same and let it be a part of
> Buster,
> > as was going to :)
>
> This upload seems to include a number of changes other than the fix for the
> security issue. This doesn't seem to comply with the freeze policy. Perhaps
> you can clarify the changes. Otherwise, please revert the upload and
> upload a
> targeted fix for this issue.
>

I do understand your point, but there are only minor changes done except
for the bug fixing :(
I was hoping for it to get unblocked (that is why I didn't do a minor
update but just a patch update).
Also, since gitlab is its only reverse dependency, it'll not be a problem
to unblock, I guess?
If not possible, I'd perhaps be targeting buster-backports, but was
wishing to be unblocked to avoid other workarounds.

> Thanks,
>
> Ivo
>

Best,
Utkarsh


Bug#925602: unblock: ruby-globalid/0.4.2-1

2019-03-28 Thread Utkarsh Gupta
Hey,

On Thu, Mar 28, 2019 at 2:16 AM Paul Gevers wrote:

> Control: tags -1 moreinfo
>
> Hi Utkarsh,
>
> On 27-03-2019 14:30, Utkarsh Gupta wrote:
> > Please unblock package ruby-globalid.
> >
> > Recently, there was a bug (#925178) reported against the package with
> > severity: important.
>
> Did you see my last note in that bug?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925178#21


Apologies. I didn't see it earlier :(
Answering below.

> Care to answer it here?
> '''
> On 24-03-2019 07:21, Debian Bug Tracking System wrote:
> >  ruby-globalid (0.4.2-1) unstable; urgency=medium
> >  .
> >* Team upload
> >* New upstream version 0.4.2
> >* Add patch to fix regression (Closes: #925178)
> >* Drop patches that are merged in upstream
> >* Bump debhelper compatibility level to 11
> >* Bump Standards-Version to 4.3.0 (no changes needed)
> >* Fix insecure URL
>
> Thanks for the quick fix for this issue. However, due to the new
> upstream version and the debhelper compatibility bump this version is
> not eligible [1] for an unblock for buster.
>
> Did rails 2:5.2.2.1+dfsg-1 break ruby-globalid or did it only break the
> autopkgtest of it? I'm asking because this version of rails is fixing a
> CVE's which we want in buster, but the autopkgtest failure (and the
> freeze) is blocking it.
>

It was breaking just the autopkgtest, thus the regression.
Everything else was fine.

> Paul
>
> [1] https://release.debian.org/buster/freeze_policy.html
> '''
>
> > The package was in testing and the bug was reported on 20th March and
> > was resolved in the latest upload, which was on 24th March.
> > This also causes regression in the migration of rails' latest update.
> >
> > Hence, request you to:
> >
> > unblock ruby-globalid/0.4.2-1
>
> Not likely in the current state.
>

ruby-activejob from rails is the only reverse dependency of ruby-globalid.
Since the package is in good shape now, perhaps could be given an exception?
And it won't be risky either since ruby-activejob is the only rev-dep :)
Also, it was an RC bug at the last moment (though I understand the scenario
here) :(

> Paul
>


Best,
Utkarsh


Bug#925609: unblock: rails/2:5.2.2.1+dfsg-1

2019-03-27 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package rails.

There were 2 bugs (#924520 and #924521) reported against the package with
severity: grave and severity: important, respectively.
Both the bugs were reported on 13th March and were resolved in the latest
upload, which was on 19th March.
The package had previously migrated to testing until the two bugs were
reported against it.
Hence, requesting you to please unblock the same and let it be a part of
Buster, which it was going to :)

Note: This should be unblocked after/in/with reference to the unblock
request for ruby-globalid (#925602).


Best,
Utkarsh

unblock rails/2:5.2.2.1+dfsg-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#925607: unblock: ruby-chromedriver-helper/2.1.0-7

2019-03-27 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-chromedriver-helper.

There was a bug (#924125) reported against the package with severity:
serious.
The bug was reported on 9th March and was resolved in the latest upload,
which was on 24th March.
The package had previously migrated to testing on 26th February 2019, until
an RC bug was reported against it.
Hence, requesting you to please unblock the same and let it be a part of
Buster, which it was going to :)


Best,
Utkarsh

unblock ruby-chromedriver-helper/2.1.0-7

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#925605: unblock: ruby-carrierwave/1.3.1-2

2019-03-27 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-carrierwave.

There was a bug (#924830) reported against the package with severity:
serious.
The bug was reported on 17th March and was resolved in the latest upload,
which was on 24th March.
It had previously migrated to testing on 31st January 2019, until an RC bug
was reported against it.
Thus, requesting you to please unblock the same and let it be a part of
Buster, which it was going to :)


Best,
Utkarsh

unblock ruby-carrierwave/1.3.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#925604: unblock: ruby-doorkeeper-openid-connect/1.5.5-1

2019-03-27 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-doorkeeper-openid-connect.

There was a CVE bug (#924747) reported against the package with severity:
grave.
It was reported on 16th March and was resolved in the latest upload, which
was on 24th March.
Thus, requesting you to please unblock the same and let it be a part of
Buster, as it was going to :)


Best,
Utkarsh

unblock ruby-doorkeeper-openid-connect/1.5.5-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#925602: unblock: ruby-globalid/0.4.2-1

2019-03-27 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-globalid.

Recently, there was a bug (#925178) reported against the package with
severity: important.
The package was in testing and the bug was reported on 20th March and was
resolved in the latest upload, which was on 24th March.
This also causes regression in the migration of rails' latest update.

Hence, request you to:

unblock ruby-globalid/0.4.2-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#922316: unblock: ruby-leaflet-rails/1.3.1+dfsg-1

2019-02-14 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-leaflet-rails

I am writing this on behalf of the Ruby team, requesting you to unblock
ruby-leaflet-rails[1] by the soft freeze.
The autopkgtest regression in testing was due to ruby-capybara[2], which
was not in testing, which was blocked by an RC bug in puma[3]. Since they
migrated on the last day before the soft freeze, there was no time to run
autopkgtest for ruby-leaflet-rails and thus got blocked because of the same.

Hence requesting you to

unblock ruby-leaflet-rails/1.3.1+dfsg-1


[1]: https://tracker.debian.org/pkg/ruby-leaflet-rails
[2]: https://tracker.debian.org/pkg/ruby-capybara
[3]: https://tracker.debian.org/pkg/puma


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Best,
Utkarsh


Bug#922310: unblock: ruby-jquery-ui-rails/6.0.1+dfsg-3

2019-02-14 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-jquery-ui-rails

I am writing this on behalf of the Ruby team, requesting you to unblock
ruby-jquery-ui-rails[1] by the soft freeze.
The autopkgtest regression in testing was due to ruby-capybara[2], which
was not in testing, which was blocked by an RC bug in puma[3]. Since they
migrated on the last day before the soft freeze, there was no time to run
autopkgtest for ruby-jquery-ui-rails and thus got blocked because of the
same.

Hence requesting you to

unblock ruby-jquery-ui-rails/6.0.1+dfsg-3


[1]: https://tracker.debian.org/pkg/ruby-jquery-ui-rails
[2]: https://tracker.debian.org/pkg/ruby-capybara
[3]: https://tracker.debian.org/pkg/puma


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Best,
Utkarsh