Bug#1028468: bullseye-pu: package tomcat9/9.0.43-2~deb11u5
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: bullseye
Severity: normal

Hello,

src:tomcat9 has been affected by debbug #1020948 which was fixed in sid and thus I would want to backport the fix to bullseye in the next point release.

It was noticed that the tomcat-locate-java.sh script which seems to be in charge of identifying the Java version to use doesn't have version 17 listed. This is a trivial (and thus a low regression) fix.

Debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: tomcat9_bullseye.debdiff (binary data)
Bug#1024055: Upload MariaDB 1:10.3.37-0+deb10u1 ?
Hi Otto,

On Mon, Dec 5, 2022 at 5:33 AM Otto Kekäläinen wrote:
> I didn't get a reply to this, so asking again.

I could take care of the upload but if you'd like to do that, please feel free to do so and I can take care of the paperwork.

One quick thing I spotted in the target in d/ch is "buster". Could you please change that to "buster-security" instead?

Let me know if you'd like to upload yourself or want me to take care of it.

Thanks.

- u
Re: Update of debian-archive-keyring in stretch?
Hi Jonathan,

On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta wrote:
> On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire wrote:
> > You will need (but may not want) the commit removing jessie's keys as well.
> > Basically all intermediate commits which touch keyrings - a removal is
> > really a move from the main keyring to the archive keyring, so it will
> > change the makeup of the keyring and fail the validation.
> >
> > If you actually need the jessie keys kept, as I suspect you do, I can
> > prepare a stretch branch with new signatures on it in a few days.
>
> That'd be really helpful, yes. Though I am still unsure what I am missing.
> When you prep a branch for stretch, please let me know and as I said,
> that'd be really helpful. Thank you so much!

Friendly ping on this. Any status update on this, please? :)
Do you think you can take a look at this sooner? Let me/us know.

> > I intend to simplify the whole thing significantly in bookworm; this whole
> > jetring and gpg validation thing makes for a lot of maintenance pain.
>
> Perfect, that'll indeed help a lot. :)

- u
Re: Update of debian-archive-keyring in stretch?
Hi Jonathan,

On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire wrote:
> You will need (but may not want) the commit removing jessie's keys as well.
> Basically all intermediate commits which touch keyrings - a removal is
> really a move from the main keyring to the archive keyring, so it will
> change the makeup of the keyring and fail the validation.
>
> If you actually need the jessie keys kept, as I suspect you do, I can
> prepare a stretch branch with new signatures on it in a few days.

That'd be really helpful, yes. Though I am still unsure what I am missing. When you prep a branch for stretch, please let me know and as I said, that'd be really helpful. Thank you so much!

> I intend to simplify the whole thing significantly in bookworm; this whole
> jetring and gpg validation thing makes for a lot of maintenance pain.

Perfect, that'll indeed help a lot. :)

- u
Re: Update of debian-archive-keyring in stretch?
On Sat, Oct 2, 2021 at 9:35 PM Utkarsh Gupta wrote:
> With these 3 commits, I tried to build the package and it failed
> with the following error:
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
> gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
> --keyring keyrings/team-members.gpg \
> --verify active-keys/index.gpg active-keys/index
> gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
> gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
> gpg: ./trustdb.gpg: trustdb created
> gpg: BAD signature from "Jonathan Wiltshire " [expired]
> Makefile:9: recipe for target 'verify-indices' failed
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
>
> I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
> that is, updating your key. But it still failed with the same
> error. I am not sure what's up? Do you have an idea what's
> happening? TIA!

I've pushed the changes to my namespace so that it's easy to see what I am doing. The repository/commits could be found here:
https://salsa.debian.org/utkarsh/debian-archive-keyring/-/commits/master

Please let me know what I am missing. Thank you!

- u
Re: Update of debian-archive-keyring in stretch?
Hi Jonathan,

On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog wrote:
> it would be nice if we could get an update of debian-archive-keyring
> in stretch to add the bullseye key just like it has been done in buster a
> while ago:
> https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

Whilst prepping an update for stretch, I cherry-picked the following commits from the salsa repository w/ cross-checking the update as proposed via #985371:

464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic signing keys for bullseye.
379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian Stable Release Key (11/bullseye).
74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh signatures over keyrings/debian-archive-keyring.gpg (and not keyrings/debian-archive-removed-keys.gpg since I'm not removing any keys in this update).

With these 3 commits, I tried to build the package and it failed with the following error:

8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
--keyring keyrings/team-members.gpg \
--verify active-keys/index.gpg active-keys/index
gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
gpg: ./trustdb.gpg: trustdb created
gpg: BAD signature from "Jonathan Wiltshire " [expired]
Makefile:9: recipe for target 'verify-indices' failed
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<

I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b, that is, updating your key. But it still failed with the same error. I am not sure what's up? Do you have an idea what's happening? TIA!

- u
Re: Update of debian-archive-keyring in stretch?
Hello all,

On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta wrote:
> > The missing key creates problems for example with simple-cdd:
> > https://bugs.debian.org/992966
>
> Okay, I'll be happy to do the update. Though I wonder if it'd rather
> be helpful in just doing a rebuild of buster to stretch instead of
> backporting the changes each time?

Slight ping on this. I'm inclined towards rebuilding the same package for stretch. Does anybody have an opinion or opposition on this? :)

I intend to do this in the next couple of days, so let me know what you think.

- u
Re: Update of debian-archive-keyring in stretch?
Hi Raphael,

On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog wrote:
> it would be nice if we could get an update of debian-archive-keyring
> in stretch to add the bullseye key just like it has been done in buster a
> while ago:
> [...]
>
> The missing key creates problems for example with simple-cdd:
> https://bugs.debian.org/992966

Okay, I'll be happy to do the update. Though I wonder if it'd rather be helpful in just doing a rebuild of buster to stretch instead of backporting the changes each time?

- u
Bug#991886: buster-pu: package libpam-tacplus/1.3.8-2+deb10u1
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hello,

src:libpam-tacplus has been affected by CVE-2020-13881 which is fixed in sid & stretch. Thus this -pu update for buster.

This update also helps in fixing the versioning problem because as of now, the version in stretch is greater than that in stable. So this update will help fix things for buster.

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: libpam-tacplus_buster.debdiff (binary data)
Bug#991843: unblock: libjdom2-java/2.0.6-1.1
Hi Sebastian,

On Tue, Aug 3, 2021 at 10:35 PM Sebastian Ramacher wrote:
> Unstable and bullseye contain the same version of libjdom2-java. Are you
> sure that the upload reached unstable?

There was a bit of a fiasco and processing delay from dak (see my mail at -devel for more information) but the new version of libjdom2-java should now be available in sid.

$ rmadison libjdom2-java
libjdom2-java | 2.0.6-1   | oldoldstable    | source, all
libjdom2-java | 2.0.6-1   | oldstable       | source, all
libjdom2-java | 2.0.6-1   | stable          | source, all
libjdom2-java | 2.0.6-1.1 | unstable        | source
libjdom2-java | 2.0.6-2   | testing         | source, all
libjdom2-java | 2.0.6-2   | unstable        | source, all
libjdom2-java | 2.0.6-2.1 | buildd-unstable | source, all
libjdom2-java | 2.0.6-2.1 | unstable        | source, all

Please let me know if you need any more information. Thank you!

- u
Bug#991844: unblock: libpam-tacplus/1.3.8-2.1
Hi Paul,

On Tue, Aug 3, 2021 at 9:46 PM Paul Gevers wrote:
> On 03-08-2021 10:46, Utkarsh Gupta wrote:
> > src:libpam-tacplus
>
> ... is not in testing.
>
> closing this bug as there's nothing to do (no, we're not going to let it
> in now).

Ugh, my bad for not checking that. Thanks and of course not letting it go to bullseye absolutely makes sense!

Thank you and sorry for the noise!

- u
Bug#991844: unblock: libpam-tacplus/1.3.8-2.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libpam-tacplus has been affected by CVE-2020-13881 which is fixed in sid & stretch. -pu update for buster is also being filed.

This update also helps in fixing the versioning problem because as of now, the version in stretch is greater than that in stable and sid. So this update will help fix things for sid and bullseye, at least.

Since this is just a CVE fix, I'd request you to unblock this and let it go to bullseye, please? (I am sorry for doing this on the eleventh hour :/)

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: libpam-tacplus_sid.debdiff (binary data)
Bug#991843: unblock: libjdom2-java/2.0.6-1.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libjdom2-java has been affected by CVE-2021-33813 which is fixed in sid & stretch. -pu update for buster is also being filed.

Since this is just a CVE fix, I'd request you to unblock this and let it go to bullseye, please? (I am sorry for doing this on the eleventh hour :/)

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: libjdom2-java_sid.debdiff (binary data)
Bug#991842: unblock: libjdom1-java/1.1.3-2.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:libjdom1-java has been affected by CVE-2021-33813 which is fixed in sid & stretch. -pu update for buster is also being filed.

Since this is just a CVE fix, I'd request you to unblock this and let it go to bullseye, please? (I am sorry for doing this on the eleventh hour :/)

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: libjdom1-java_sid.debdiff (binary data)
Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Hi Paul,

[CC'ed team@s.d.o]

On Sat, Jul 10, 2021 at 1:34 AM Paul Gevers wrote:
> Unblocked the latest version in unstable.

Awesome, thank you so much!

Just as a heads up, I'll be also filing unblock requests for ruby2.7 (already uploaded) and libjdom1-java & libjdom2-java (yet to upload). All three are CVE fixes and hopefully should be trivial for the release team to evaluate.

Let me know if you've any questions, thank you!

- u
Bug#989703: unblock: eterm/0.9.6-6.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid & stretch. -pu update for buster has also been filed.

Since this is just a CVE fix, I'd request you to unblock this and let it go to bullseye. :)

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: eterm_sid.debdiff (binary data)
Bug#989702: buster-pu: package eterm/0.9.6-5+deb10u1
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hello,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid & stretch. Since the version in stretch & buster is the same, I'd like to get this update into -pu in the next release so as to avoid upgrade problems.

The debdiff is duly attached. Let me know if you need any more information.

TIA! \o/

- u

Attachment: eterm_buster.debdiff (binary data)
Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Hi Paul,

On Fri, Jun 4, 2021 at 1:38 AM Paul Gevers wrote:
> > You haven't answered my question: "does rails still work with the old
> > version of ruby-marcel and can the version bump be reverted"
>
> Ping. Without a proper answer, I can't decide.

Thanks, I'm yet to figure that out and hopefully do this on weekend.

If it were to work with the older ruby-marcel, can I then just push the newer rails to bullseye directly? Now that marcel's at v1.0 in unstable, I don't want to downgrade again.

- u
Bug#989037: unblock: rails/2:6.0.3.7+dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

Rails was recently affected by 3 CVEs (CVE-2021-2290{2,4} and CVE-2021-22885). I'm attaching a filtered diff for your review; the diff is really small and minimal which should be clear by looking at it.

The only caveat is that it needs ruby-marcel, which has an unblock request (#989036) opened a few minutes ago.

rails has been in unstable for around 9 days now[1]; I've done some testing and it all works OK w/ Bullseye, so it should be good to go.

[1]: https://tracker.debian.org/pkg/rails

The command used to filter the debdiff is as follows:

filterdiff --exclude='*/Gemfile.lock' --exclude='*/CHANGELOG.md' --exclude='*/gem_version.rb' --exclude='*/package.json' --exclude='*/test/*' ../rails.debdiff

Let me know if you need any other information from my end. Thanks!

- u

Attachment: rails_filtered.debdiff (binary data)
Bug#989036: unblock: ruby-marcel/1.0.1+dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

We had to bump ruby-marcel to a newer version because the mimemagic dependency - which relies on GPL-licensed mime type data from freedesktop.org’s shared-mime-info project - is removed. Marcel now directly uses mime type data adapted from the Apache Tika project, distributed under the Apache License. This is the only major change here + some other bug fixes to get everything working.

ruby-marcel has been in unstable for around 9 days now[1]; I've done some testing and it all works OK w/ Bullseye, so it should be good to go.

[1]: https://tracker.debian.org/pkg/ruby-marcel

Since this is licensing + bug fix, I believe it'd be a good idea to have this included in Bullseye; this is also needed for rails to be unblocked (another separate request).

Attaching a filtered debdiff for your review. The command used to filter the debdiff is as follows:

filterdiff --exclude='*/APACHE-LICENSE' --exclude='*/.*' --exclude='*/data/*' --exclude='*/script/*' --exclude='*/test/*' --exclude='*/Gemfile.lock' --exclude='*/README.md' ../ruby-marcel.debdiff

Let me know if you need any other information from my end. Thanks!

- u

Attachment: ruby-marcel_filtered.debdiff (binary data)
Bug#987531: buster-pu: package opendmarc/1.3.2-6+deb10u2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
User: debian-release@lists.debian.org
Usertags: bsp-2021-04-at-salzburg
X-Debbugs-Cc: t...@security.debian.org
Tags: buster
Severity: normal

Hello,

src:opendmarc has been affected by CVE-2020-12460, which is fixed in sid, bullseye, and stretch. Therefore, I'd like for it to be fixed in buster as well. And hence this pu update.

The debdiff is duly attached. Let me know if you need any more information.

TIA!

- u

Attachment: opendmarc-buster.debdiff (binary data)
Bug#987501: unblock ruby-librarian/0.6.4-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock bsp-2021-04-AT-Salzburg

Hello,

This upload fixes #987113 and is actually a one-liner change:

```
- project_path = Pathname.new(__FILE__).expand_path
+ project_path = Pathname.pwd.expand_path
```

A more formal debdiff is attached. Requesting you to please unblock this.

Should you need any more details, please let me know.

TIA!

- u

Attachment: ruby-librarian-sid.debdiff (binary data)
Bug#987494: buster-pu: package fluidsynth/1.1.11-1+deb10u1
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:fluidsynth has been affected by CVE-2021-28421 which is fixed in sid and unblocked for bullseye. Since this affects buster as well, I'm hereby opening a pu update bug for tracking.

Thanks to Reiner Herrmann for preparing and testing the update. I've reviewed and it looks good; the debdiff is duly attached.

Let me know if you need any more information.

TIA!

- u

Attachment: fluidsynth-buster.debdiff (binary data)
Bug#987489: buster-pu: package jackson-databind/2.9.8-3+deb10u3
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:jackson-databind has been affected by 18 CVEs which are fixed in unstable and bullseye (and also jessie). Therefore, I'd like them to be fixed in buster as well. And hence this pu update.

The debdiff is duly attached. Let me know if you need any more information.

TIA!

- u

Attachment: jackson-databind-buster.debdiff (binary data)
Bug#987471:
user debian-release@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
thank you
Bug#986742: unblock: ruby2.7/2.7.3-1
Hi Sebastian,

On Sat, Apr 17, 2021 at 3:08 PM Sebastian Ramacher wrote:
> Thanks, please go ahead and remove the moreinfo tag once the version is
> available in unstable.

Uploaded to unstable, thanks. And removed the tag as well.

- u
Bug#986146: unblock: rabbitmq-server/3.8.9-2
Hello,

Awesome, thanks for this upload, Thomas. I can confirm that this is a pure bug-fix release only and indeed fixes the problems raised, thereby making this package even better for bullseye.

A huge +1 for unblocking.

- u
Bug#983113: buster-pu: package ruby-mechanize/2.7.6-1+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org X-Debbugs-Cc: debian-r...@lists.debian.org Usertags: pu Tags: buster Severity: normal Hello, ruby-mechanize was affected by CVE-2021-21289, where the package was vulnerable to command injection vulnerability. This has been fixed in sid, bullseye, and stretch. Here's the debdiff for buster-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby-mechanize-2.7.6/debian/changelog ruby-mechanize-2.7.6/debian/changelog --- ruby-mechanize-2.7.6/debian/changelog2019-01-04 16:57:45.0 +0530 +++ ruby-mechanize-2.7.6/debian/changelog2021-02-19 22:47:27.0 +0530 @@ -1,3 +1,10 @@ +ruby-mechanize (2.7.6-1+deb10u1) buster; urgency=medium + + * Team upload for buster-pu. + * Add patch to prevent OS command injection. (Fixes: CVE-2021-21289) + + -- Utkarsh Gupta Fri, 19 Feb 2021 22:47:27 +0530 + ruby-mechanize (2.7.6-1) unstable; urgency=medium * Team upload diff -Nru ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch --- ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch 1970-01-01 05:30:00.0 +0530 +++ ruby-mechanize-2.7.6/debian/patches/CVE-2021-21289.patch 2021-02-19 22:46:52.0 +0530 
@@ -0,0 +1,260 @@ +From aae0b13514a1a0caf93b1cf233733c50e679069a Mon Sep 17 00:00:00 2001 +From: Katsuhiko YOSHIDA +Date: Sat, 20 Jul 2019 11:03:40 +0900 +Subject: [PATCH 1/7] fix(security): prevent command injection in CookieJar + +Related to https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g +--- + lib/mechanize/cookie_jar.rb | 4 ++-- + test/test_mechanize_cookie_jar.rb | 30 ++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +--- a/lib/mechanize/cookie_jar.rb b/lib/mechanize/cookie_jar.rb +@@ -65,7 +65,7 @@ + class CookieJar < ::HTTP::CookieJar + def save(output, *options) + output.respond_to?(:write) or +-return open(output, 'w') { |io| save(io, *options) } ++return ::File.open(output, 'w') { |io| save(io, *options) } + + opthash = { + :format => :yaml, +@@ -119,7 +119,7 @@ + + def load(input, *options) + input.respond_to?(:write) or +-return open(input, 'r') { |io| load(io, *options) } ++return ::File.open(input, 'r') { |io| load(io, *options) } + + opthash = { + :format => :yaml, +--- a/test/test_mechanize_cookie_jar.rb b/test/test_mechanize_cookie_jar.rb +@@ -1,4 +1,5 @@ + require 'mechanize/test_case' ++require 'fileutils' + + class TestMechanizeCookieJar < Mechanize::TestCase + +@@ -500,6 +501,35 @@ + assert_equal(0, @jar.cookies(url).length) + end + ++ def test_prevent_command_injection_when_saving ++url = URI 'http://rubygems.org/' ++path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'' ++ ++@jar.add(url, Mechanize::Cookie.new(cookie_values)) ++ ++in_tmpdir do ++ @jar.save_as(path, :cookiestxt) ++ assert_equal(false, File.exist?('vul.txt')) ++end ++ end ++ ++ def test_prevent_command_injection_when_loading ++url = URI 'http://rubygems.org/' ++path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'' ++ ++@jar.add(url, Mechanize::Cookie.new(cookie_values)) ++ ++in_tmpdir do ++ @jar.save_as("cookies.txt", :cookiestxt) ++ @jar.clear! 
++ ++ assert_raises Errno::ENOENT do ++@jar.load(path, :cookiestxt) ++ end ++ assert_equal(false, File.exist?('vul.txt')) ++end ++ end ++ + def test_save_and_read_expired_cookies + url = URI 'http://rubyforge.org/' + +--- a/lib/mechanize.rb b/lib/mechanize.rb +@@ -396,7 +396,7 @@ + io = if io_or_filename.respond_to? :write then +io_or_filename + else +- open io_or_filename, 'wb' ++ ::File.open(io_or_filename, 'wb') + end + + case page +--- a/test/test_mechanize.rb b/test/test_mechanize.rb +@@ -345,6 +345,14 @@ + end + end + ++ def test_download_does_not_allow_command_injection ++in_tmpdir do ++ @mech.download('http://example', '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'') ++ ++ refute_operator(File, :exist?, "vul.txt") ++end ++ end ++ + def test_get + uri = URI 'http://localhost' + +--- a/lib/mechanize/download.rb b/lib/mechanize/download.rb +@@ -71,7 +71,7 @@ + dirname = File.dirname filename + FileUtils.mkdir_p dirname + +-open filename, 'wb' do |io| ++::File.open(filename, 'wb')do |io| + until @body_io.eof? do + io.write @body_io.read 16384 + end +--- a/test/test_mechanize_download.rb b/test/test_mechanize_download.rb +@@ -46,6 +46,18 @@ + end + end + ++ def test_save_bang_does_not_allow_command_injection ++uri = URI.parse 'http://example/
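Review bot: in the lib/mechanize/download.rb hunk the replacement line `::File.open(filename, 'wb')do |io|` is missing the space before `do`; it parses, but it is the only line in the patch that departs from the upstream formatting of the surrounding `open ... do |io|` block, so it reads as a transcription slip. Suggest `::File.open(filename, 'wb') do |io|`.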
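Review bot: the lib/mechanize/cookie_jar.rb `load` hunk keeps the pre-existing guard `input.respond_to?(:write) or return ::File.open(input, 'r')`, i.e. a read path is gated on the object responding to `write`. The switch from `Kernel#open` to `::File.open` is the CVE fix and is correct as written; the guard is untouched upstream code and fine to carry in a CVE-only backport, but a `respond_to?(:read)` check would express the intent of `load` if this is ever revisited.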
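Review bot: the final hunk, for test/test_mechanize_download.rb, breaks off after `uri = URI.parse 'http://example/`, and the file header `@@ -0,0 +1,260 @@` says the patch is 260 lines long, so this copy of the debdiff is truncated; the rest of that test and the debian/patches/series entry that would apply CVE-2021-21289.patch are not visible here and need checking against the attached file.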
Re: Re: source-only uploads for future point releases (Re: Bug
Henrique de Moraes Holschuh wrote:
> But just in case, what about Jessie ELTS non-free ?

A source-only upload should work and the builders would pick it from there. However, uploading to jessie now is not straightforward. There's a different repository altogether, so only those who have their keys added can upload (cf: the ELTS team).

Should you have more questions, let me know. Either way, I'll wait for buster-pu and stretch update of intel-microcode and then work on this? (cf: our other thread :)).

- u
Bug#981271: buster-pu: package python-bottle/0.12.15-2+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello, python-bottle was affected by CVE-2020-28473, where the package was vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. This has been fixed in Sid, Bullseye, and Stretch (& Jessie). Here's the debdiff for buster-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru python-bottle-0.12.15/debian/changelog python-bottle-0.12.15/debian/changelog --- python-bottle-0.12.15/debian/changelog2019-03-27 05:13:08.0 +0530 +++ python-bottle-0.12.15/debian/changelog2021-01-28 20:22:22.0 +0530 @@ -1,3 +1,10 @@ +python-bottle (0.12.15-2+deb10u1) buster; urgency=high + + * Non-maintainer upload by the Security team. + * Do not split query strings on `;` anymore. (Fixes: CVE-2020-28473) + + -- Utkarsh Gupta Thu, 28 Jan 2021 20:22:22 +0530 + python-bottle (0.12.15-2) unstable; urgency=medium * Update tox dependency (Closes: #924836) diff -Nru python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch --- python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch 1970-01-01 05:30:00.0 +0530 +++ python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch 2021-01-28 20:21:24.0 +0530 
@@ -0,0 +1,25 @@ +From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Wed, 11 Nov 2020 19:24:29 +0100 +Subject: [PATCH] Do not split query strings on `;` anymore. + +Using `;` as a separator instead of `&` was allowed a long time ago, +but is now obsolete and actually invalid according to the 2014 W3C +recommendations. Even if this change is technically backwards-incompatible, +no real-world application should depend on broken behavior. If you REALLY +need this functionality, monkey-patch the _parse_qsl() function. +--- + bottle.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/bottle.py b/bottle.py +@@ -2577,7 +2577,7 @@ + + def _parse_qsl(qs): + r = [] +-for pair in qs.replace(';','&').split('&'): ++for pair in qs.split('&'): + if not pair: continue + nv = pair.split('=', 1) + if len(nv) != 2: nv.append('') diff -Nru python-bottle-0.12.15/debian/patches/series python-bottle-0.12.15/debian/patches/series --- python-bottle-0.12.15/debian/patches/series2019-03-27 05:13:08.0 +0530 +++ python-bottle-0.12.15/debian/patches/series2021-01-28 20:21:33.0 +0530 @@ -1,2 +1,3 @@ 0001-Remove-bottle.py-from-scripts.patch 0002-Add-CLI-manpage.patch +CVE-2020-28473.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< - u --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
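Review bot: the debian/changelog hunk targets `buster` (the point-release path this bug is for) yet describes the upload as "Non-maintainer upload by the Security team." with `urgency=high`; for a pu upload the wording used elsewhere in this series, "Team upload for buster-pu." with the usual `urgency=medium`, states the upload path more accurately and avoids suggesting a DSA went out.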
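Review bot: the bottle.py `_parse_qsl` hunk is the entire fix and matches upstream: dropping `qs.replace(';','&')` means `a=1;b=2` now yields the single pair `('a', '1;b=2')` instead of two parameters, which is what keeps the application's view of the query in line with an `&`-only cache key. The debdiff adds no test pinning that result; a small regression test in the Debian packaging would make the backport self-checking, as the ruby-mechanize debdiff in this series does.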
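The "parameter cloaking" that the report above names is, at bottom, the cache and the application disagreeing about where one query parameter ends. The following Python script is an added illustration, not code from the bug report or from bottle: it re-implements the two `_parse_qsl` variants visible in the debdiff and runs them beside a constructed cache-key function that, like most HTTP caches, splits only on `&` and leaves a tracking parameter out of the key. The parameter names (`callback`, `utm_content`), the cache's unkeyed list and the query string are all made up for the example.

```python
"""Why the query-string separator must match between cache and app (constructed example)."""
from urllib.parse import unquote_plus


def _split_pairs(qs, also_split_on_semicolon):
    # Shared loop mirroring the structure of bottle's _parse_qsl.
    pairs = []
    if also_split_on_semicolon:
        qs = qs.replace(';', '&')
    for pair in qs.split('&'):
        if not pair:
            continue
        nv = pair.split('=', 1)
        if len(nv) != 2:
            nv.append('')
        pairs.append((unquote_plus(nv[0]), unquote_plus(nv[1])))
    return pairs


def parse_qsl_legacy(qs):
    """Pre-fix behaviour: ';' is treated as a second pair separator."""
    return _split_pairs(qs, True)


def parse_qsl_fixed(qs):
    """Post-fix behaviour (CVE-2020-28473): only '&' separates pairs."""
    return _split_pairs(qs, False)


# Parameters a cache leaves out of its key (constructed; real caches differ).
UNKEYED = frozenset({"utm_content"})


def cache_key(qs):
    """The cache's view: '&'-only splitting, unkeyed parameters dropped."""
    return tuple(sorted((k, v) for k, v in parse_qsl_fixed(qs) if k not in UNKEYED))


def app_response(params):
    """The application's view: last value wins, and it is echoed in the body."""
    last = {}
    for k, v in params:
        last[k] = v
    return "callback=" + last.get("callback", "")


def simulate(qs, parser):
    """Return (cache key, body the cache would store under that key)."""
    return cache_key(qs), app_response(parser(qs))


# Constructed request: a second 'callback' rides inside the unkeyed parameter.
CLOAKED = "callback=safeFn&utm_content=x;callback=otherFn"

if __name__ == "__main__":
    for name, parser in (("legacy", parse_qsl_legacy), ("fixed", parse_qsl_fixed)):
        key, body = simulate(CLOAKED, parser)
        print(f"{name:6s} key={key} stored_body={body!r}")
```

With the legacy parser the application answers for `otherFn` while the cache files that body under the key for `safeFn`, so every later visitor asking for `safeFn` is served the wrong body; with the fixed parser both sides see one `callback` and agree. That is why the fix is a one-line change to the separator in the application rather than anything in the cache.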
Bug#971571: transition: libgit2
Hey,

On Wed, Dec 9, 2020 at 3:13 PM Utkarsh Gupta wrote:
> I'll take a look at python-pygit2 today as well. So leaves us with
> ruby-rugged. I'll come to that in next few days if no one beats me to
> it.

FWIW, I've uploaded both, thereby completing all the blockers. Hopefully this transition should complete soon :)

Thanks to everybody who was involved here, especially Ximin and Sebastian! \o/

- u
Bug#971571: transition: libgit2
Hello,

On Wed, Dec 9, 2020 at 2:23 AM Sebastian Ramacher wrote:
> > So I conclude that it's probably fine to upload libgit2 1.1.0 to unstable
> > now?
>
> Okay, then let's do this now. Please go ahead.

Awesome, uploaded! I'll take a look at python-pygit2 today as well. So that leaves us with ruby-rugged. I'll come to that in the next few days if no one beats me to it.

- u
Bug#971571: transition: libgit2
Hi Sebastian,

On Tue, Dec 8, 2020 at 3:30 PM Sebastian Ramacher wrote:
> v30 was accepted. Please perform a source-only upload for the arch: all
> packages.

That should be done now! \o/

> > The only reverse-{,build-}dependency is gitaly, it seems. So I'm CCing
> > Praveen so he gets a heads up.
>
> Filed #976820 against gitaly.
>
> In any case, I'll remove golang-gopkg-libgit2-git2go.v28 and
> gitaly from testing to unblock this transition. gitaly is blocked by
> ruby-faraday which is currently causing a bunch of autopkgtest
> regressions.

Great, thanks for this!

I do have another (stupid) question :)
libgit2 upstream has released 1.1.0 after 1.0.1 (which is the transition we're pursuing). However, libgit2 1.1.0 is backwards compatible *but* still a transition is needed for it. I've already worked on updating the same in experimental and it is now accepted as well. Do you think we can do a 1.1.0 transition along with this as well?

Whilst I didn't build all the reverse-{build-}dependencies, I believe there shouldn't be much of a problem.

- u
Bug#971571: transition: libgit2
Hi Peter,

On Sun, Dec 6, 2020 at 11:06 AM peter green wrote:
> In addition to the packages mentioned here, it seems there is another
> package involved: golang-gopkg-libgit2-git2go.v28 . It only builds
> arch-all packages and does not directly depend on the library, but it
> FTBFS and it's autopkgtest fails with the new version.
>
> The FTBFS was picked up in a rebuild test by Lucas and a bug report
> was filed https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976522

Yes, because v28 is only compatible with libgit2 v0.28. For libgit2 v1.0, we need v30 for git2go. So I've uploaded golang-gopkg-libgit2-git2go.v30 to NEW and once accepted, I'll file an RM for v28.

The only reverse-{,build-}dependency is gitaly, it seems. So I'm CCing Praveen so he gets a heads up.
Bug#971571: transition: libgit2
Hi,

On Sat, Dec 5, 2020 at 1:41 AM Sebastian Ramacher wrote:
> Scheduled the binNMUs except for horizon-eda (involved in python3.9-defaults).

Great, thank you! I've, meanwhile, uploaded python-pygit2 and libgit-raw-perl! Will hopefully get on to ruby-rugged, as well! \o/

- u
Bug#971571: transition: libgit2
Hi Sebastian,

On Fri, Dec 4, 2020 at 10:54 PM Sebastian Ramacher wrote:
> Please go ahead with the upload to unstable.

Great, thanks, I did an upload just now! :)

- u
Bug#972161: buster-pu: package ruby2.5/2.5.5-3+deb10u3
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster X-Debbugs-CC: debian-r...@lists.debian.org Severity: normal Hello, ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. This has been fixed in Sid, Bullseye, and Stretch. Here's the debdiff for buster-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog --- ruby2.5-2.5.5/debian/changelog2020-07-04 00:07:58.0 +0530 +++ ruby2.5-2.5.5/debian/changelog2020-10-13 18:32:32.0 +0530 @@ -1,3 +1,10 @@ +ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high + + * Add patch to fix a potential HTTP request smuggling +vulnerability in WEBrick. (Fixes: CVE-2020-25613) + + -- Utkarsh Gupta Tue, 13 Oct 2020 18:32:32 +0530 + ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch --- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch1970-01-01 05:30:00.0 +0530 +++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch2020-10-13 18:31:51.0 +0530 
@@ -0,0 +1,30 @@ +From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Tue, 29 Sep 2020 13:15:58 +0900 +Subject: [PATCH] Make it more strict to interpret some headers + +Some regexps were too tolerant. + +--- a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb +@@ -226,9 +226,9 @@ + raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." + end + +- if /close/io =~ self["connection"] ++ if /\Aclose\z/io =~ self["connection"] + @keep_alive = false +- elsif /keep-alive/io =~ self["connection"] ++ elsif /\Akeep-alive\z/io =~ self["connection"] + @keep_alive = true + elsif @http_version < "1.1" + @keep_alive = false +@@ -475,7 +475,7 @@ + return unless socket + if tc = self['transfer-encoding'] + case tc +-when /chunked/io then read_chunked(socket, block) ++when /\Achunked\z/io then read_chunked(socket, block) + else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." + end + elsif self['content-length'] || @remaining_size diff -Nru ruby2.5-2.5.5/debian/patches/series ruby2.5-2.5.5/debian/patches/series --- ruby2.5-2.5.5/debian/patches/series2020-07-04 00:06:34.0 +0530 +++ ruby2.5-2.5.5/debian/patches/series2020-10-13 18:32:04.0 +0530 @@ -15,3 +15,4 @@ 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch CVE-2020-10933.patch CVE-2020-10663.patch +CVE-2020-25613.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< - u --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
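Review bot: in the lib/webrick/httprequest.rb hunk at line 226, anchoring to `/\Aclose\z/io` and `/\Akeep-alive\z/io` means a Connection header carrying more than one token (e.g. `keep-alive, Upgrade`) now matches neither branch and falls through to the `@http_version < "1.1"` default. That is a behaviour change beyond the request-smuggling fix that neither the changelog entry nor the patch header ("Some regexps were too tolerant.") calls out; a sentence in the changelog would save the next person from bisecting keep-alive regressions back to this upload.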
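Review bot: the hunk at line 475 is the actual CVE-2020-25613 fix: with `/\Achunked\z/io`, any Transfer-Encoding value other than exactly `chunked` now reaches the `else raise HTTPStatus::NotImplemented` branch instead of being routed into `read_chunked` whenever the string merely contained "chunked". That is the intended strictness, but because `\A`/`\z` leave no room for surrounding whitespace, it is worth confirming that WEBrick strips the header value before this point so a legitimate `Transfer-Encoding: chunked ` with a trailing space does not become a 501.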
Bug#962264: stretch-pu: package ruby2.3/2.3.3-1+deb9u8
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch X-Debbugs-CC: debian-r...@lists.debian.org Severity: normal Hello, ruby2.3 was affected by CVE-2020-10663, which was an unsafe object creation vulnerability. This has been fixed in Sid, Bullseye, and Jessie already. Here's the debdiff for stretch-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby2.3-2.3.3/debian/changelog ruby2.3-2.3.3/debian/changelog --- ruby2.3-2.3.3/debian/changelog2019-12-15 21:58:25.0 +0530 +++ ruby2.3-2.3.3/debian/changelog2020-06-05 14:25:50.0 +0530 @@ -1,3 +1,11 @@ +ruby2.3 (2.3.3-1+deb9u8) stretch; urgency=high + + * Non-maintainer upload. + * Add patch to fix unsafe object creation vulnerability. +(Fixes: CVE-2020-10663) + + -- Utkarsh Gupta Fri, 05 Jun 2020 14:25:50 +0530 + ruby2.3 (2.3.3-1+deb9u7) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch --- ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch1970-01-01 05:30:00.0 +0530 +++ ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch2020-06-05 14:25:21.0 +0530 
@@ -0,0 +1,36 @@ +From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001 +From: usa +Date: Mon, 30 Mar 2020 22:22:10 + +Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: + [Backport #16698] + +backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a + securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +Author: Utkarsh Gupta + +--- a/ext/json/parser/parser.c b/ext/json/parser/parser.c +@@ -1739,7 +1739,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; +--- a/ext/json/parser/parser.rl b/ext/json/parser/parser.rl +@@ -723,7 +723,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; diff -Nru ruby2.3-2.3.3/debian/patches/series ruby2.3-2.3.3/debian/patches/series --- ruby2.3-2.3.3/debian/patches/series2019-12-15 21:58:25.0 +0530 +++ ruby2.3-2.3.3/debian/patches/series2020-06-05 14:25:01.0 +0530 
@@ -4,3 +4,4 @@ Loop-with-String-scan-without-creating-substrings.patch WEBrick-prevent-response-splitting-and-header-inject.patch lib-shell-command-processor.rb-Shell-prevent-unknown.patch +CVE-2020-10663.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
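Review bot: both parser.rl and the generated parser.c are patched, so the change holds whether or not the build regenerates parser.c from the Ragel source; good. The hunks only flip `create_additions` in the defaults branch (the one taken when no options hash is supplied), so callers passing an explicit hash are not touched by this upload. The description says the upstream commit was backported "partially" without saying what was dropped (presumably the tests); spelling that out, fixing `securify` to `security`, and moving the trailing `Author: Utkarsh Gupta` up with the other header fields would make the DEP-3 header complete.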
Bug#962256: stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch X-Debbugs-CC: debian-r...@lists.debian.org Severity: normal Hello, ruby-json was affected by CVE-2020-10663, which was an unsafe object creation vulnerability. This has been fixed in Sid, Bullseye, and Jessie already. Here's the debdiff for stretch-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby-json-2.0.1+dfsg/debian/changelog ruby-json-2.0.1+dfsg/debian/changelog --- ruby-json-2.0.1+dfsg/debian/changelog2016-12-06 05:03:24.0 +0530 +++ ruby-json-2.0.1+dfsg/debian/changelog2020-06-05 12:33:14.0 +0530 @@ -1,3 +1,10 @@ +ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high + + * Add patch to fix unsafe object creation vulnerability. +(Fixes: CVE-2020-10663 + + -- Utkarsh Gupta Fri, 05 Jun 2020 12:33:14 +0530 + ruby-json (2.0.1+dfsg-3) unstable; urgency=medium * Add Conflicts: ruby-json-pure (Closes: #847141) diff -Nru ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch --- ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch 1970-01-01 05:30:00.0 +0530 +++ ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch 2020-06-05 12:32:48.0 +0530 
@@ -0,0 +1,36 @@ +From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001 +From: usa +Date: Mon, 30 Mar 2020 22:22:10 + +Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: + [Backport #16698] + +backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a + securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +Author: Utkarsh Gupta + +--- a/ext/json/ext/parser/parser.c b/ext/json/ext/parser/parser.c +@@ -1791,7 +1791,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; +--- a/ext/json/ext/parser/parser.rl b/ext/json/ext/parser/parser.rl +@@ -686,7 +686,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; diff -Nru ruby-json-2.0.1+dfsg/debian/patches/series ruby-json-2.0.1+dfsg/debian/patches/series --- ruby-json-2.0.1+dfsg/debian/patches/series2016-12-06 05:03:24.0 +0530 +++ ruby-json-2.0.1+dfsg/debian/patches/series2020-06-05 12:32:29.0 +0530 
@@ -1,3 +1,4 @@ 02-fix-fuzz.rb-shebang.patch 04-fix-tests-path.patch 0003-Remove-additional-gemspec-files.patch +CVE-2020-10663.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
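Review bot: the changelog entry is missing the closing parenthesis after `(Fixes: CVE-2020-10663`; worth fixing before upload, since tooling that scans changelogs for CVE ids reads that line.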
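Review bot: the patch header is the ruby-core git-svn message (ruby_2_5/ruby_2_6 branch ids) while this is the standalone gem at `ext/json/ext/parser/`; a one-line `Description:` saying it is the same `create_additions` default change re-targeted at json 2.0.1 would save the next uploader from checking whether the interpreter and gem patches diverged.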
Bug#962255: buster-pu: package ruby-json/2.1.0+dfsg-2+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster X-Debbugs-CC: debian-r...@lists.debian.org Severity: normal Hello, ruby-json was affected by CVE-2020-10663, which was an unsafe object creation vulnerability. This has been fixed in Sid, Bullseye, and Jessie already. Here's the debdiff for buster-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby-json-2.1.0+dfsg/debian/changelog ruby-json-2.1.0+dfsg/debian/changelog --- ruby-json-2.1.0+dfsg/debian/changelog2018-02-25 23:03:06.0 +0530 +++ ruby-json-2.1.0+dfsg/debian/changelog2020-06-05 12:13:54.0 +0530 @@ -1,3 +1,10 @@ +ruby-json (2.1.0+dfsg-2+deb10u1) buster; urgency=high + + * Add patch to fix unsafe object creation vulnerability. +(Fixes: CVE-2020-10663) + + -- Utkarsh Gupta Fri, 05 Jun 2020 12:13:54 +0530 + ruby-json (2.1.0+dfsg-2) unstable; urgency=medium * Team upload. diff -Nru ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch --- ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch 1970-01-01 05:30:00.0 +0530 +++ ruby-json-2.1.0+dfsg/debian/patches/CVE-2020-10663.patch 2020-06-05 12:12:56.0 +0530 
@@ -0,0 +1,36 @@ +From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001 +From: usa +Date: Mon, 30 Mar 2020 22:22:10 + +Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: + [Backport #16698] + +backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a + securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +Author: Utkarsh Gupta + +--- a/ext/json/ext/parser/parser.c b/ext/json/ext/parser/parser.c +@@ -1815,7 +1815,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; +--- a/ext/json/ext/parser/parser.rl b/ext/json/ext/parser/parser.rl +@@ -710,7 +710,7 @@ + } else { + json->max_nesting = 100; + json->allow_nan = 0; +-json->create_additions = 1; ++json->create_additions = 0; + json->create_id = rb_funcall(mJSON, i_create_id, 0); + json->object_class = Qnil; + json->array_class = Qnil; diff -Nru ruby-json-2.1.0+dfsg/debian/patches/series ruby-json-2.1.0+dfsg/debian/patches/series --- ruby-json-2.1.0+dfsg/debian/patches/series2018-02-25 23:03:06.0 +0530 +++ ruby-json-2.1.0+dfsg/debian/patches/series2020-06-05 12:09:39.0 +0530 
@@ -2,3 +2,4 @@ 04-fix-tests-path.patch 0003-Remove-additional-gemspec-files.patch 0006-Disable-git-usage-during-build-time.patch +CVE-2020-10663.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
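Review bot: same two-line change as the stretch upload with adjusted offsets (@@ -1815 / @@ -710). Neither upload adds a regression test; a check in the package's autopkgtest that a document carrying a `json_class` key still parses to a plain Hash when no options are passed would pin the new default for future point releases.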
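As an added example serving the three CVE-2020-10663 requests above (ruby2.3, and ruby-json for stretch and for buster), and not code from the json gem or from these uploads: what the `create_additions` default actually governs. `DOC` is a constructed document; `json/add/range` is loaded only so that a harmless class (`Range`) has a `json_create` hook for the parser to call. It assumes a json gem in which the fixed default (no additions unless asked for) already applies.

```ruby
require "json"
require "json/add/range"   # gives Range a json_create hook; constructed demo target

# Constructed attacker-controlled document naming a class to instantiate.
DOC = '{"json_class":"Range","a":[1,2,false]}'

# With additions enabled the parser looks up the class named by
# "json_class" and calls its json_create hook: an object, not a Hash.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Plain defaults: the document is data only.
def parse_default(doc)
  JSON.parse(doc)
end

# The no-options path whose default the patches flip from 1 to 0; on a
# fixed json gem this returns a Hash too.
def parse_nil_opts(doc)
  JSON.parse(doc, nil)
end

# Belt and braces for code that may run on an unpatched gem: never rely
# on the default, always pass create_additions: false explicitly.
def safe_parse(doc, opts = nil)
  JSON.parse(doc, (opts || {}).merge(create_additions: false))
end
```

`safe_parse` is the pattern worth keeping in application code regardless of the gem version: it makes the "data only" intent explicit, so a caller that later starts forwarding user-supplied option hashes cannot accidentally re-enable object creation.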
Bug#944228:
Hi all,

On Sat, Mar 28, 2020 at 6:56 PM William Desportes wrote:
> Done

Thank you! :)

> Done, thank you for the suggestion

Thank you! :)

> I uploaded the file to
> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u1.dsc

Thank you, this has been uploaded from my side :)

Best,
Utkarsh
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Hi Adam,

On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt" wrote:
> Control: tags -1 + confirmed
> Thanks. Please go ahead.

For some reason, this upload never happened. However, the maintainer, William (CCed here), has now prepared these CVE fixes plus fixes for some new CVEs on top of them. All of these CVEs have been fixed in unstable (and in Jessie, too). Please let me know if we have an ack from your side to upload the fix for all the CVEs in Stretch.

Attaching the debdiff.

Best,
Utkarsh

debdiff
Description: Binary data
Bug#954714: buster-pu: package rails/2:5.2.2.1+dfsg-1+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hiya, rails seemed to be affected by CVE-2020-5267. This has been fixed in Sid and Jessie already. Here's the debdiff: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- diff -Nru rails-5.2.2.1+dfsg/debian/changelog rails-5.2.2.1+dfsg/debian/changelog --- rails-5.2.2.1+dfsg/debian/changelog2019-03-17 17:44:07.0 +0530 +++ rails-5.2.2.1+dfsg/debian/changelog2020-03-22 18:47:31.0 +0530 @@ -1,3 +1,11 @@ +rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high + + * Team upload. + * Add patch to fix possible XSS vector in JS escape helper. +(Fixes: CVE-2020-5267) (Closes: #954304) + + -- Utkarsh Gupta Sun, 22 Mar 2020 18:47:31 +0530 + rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium * Team upload diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch --- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 1970-01-01 05:30:00.0 +0530 +++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 2020-03-22 18:47:04.0 +0530 
@@ -0,0 +1,48 @@ +Description: Fix possible XSS vector in JS escape helper + This commit escapes dollar signs and backticks to prevent + JS XSS issues when using the `j` or `javascript_escape` helper +Author: Aaron Patterson +Author: Utkarsh Gupta +Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1 +Bug-Debian: https://bugs.debian.org/954304 +Last-Update: 2020-03-19 + +--- a/actionview/lib/action_view/helpers/javascript_helper.rb b/actionview/lib/action_view/helpers/javascript_helper.rb +@@ -12,7 +12,9 @@ + "\n"=> '\n', + "\r"=> '\n', + '"' => '\\"', +-"'" => "\\'" ++"'" => "\\'", ++"`" => "\\`", ++"$" => "\\$" + } + + JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "" +@@ -26,7 +28,7 @@ + # $('some_element').replaceWith('<%= j render 'some/element_template' %>'); + def escape_javascript(javascript) + if javascript +- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] } ++ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) + javascript.html_safe? ? result.html_safe : result + else + "" +--- a/actionview/test/template/javascript_helper_test.rb b/actionview/test/template/javascript_helper_test.rb +@@ -32,6 +32,14 @@ + assert_equal %(dont <\\/close> tags), j(%(dont tags)) + end + ++ def test_escape_backtick ++assert_equal "\\`", escape_javascript("`") ++ end ++ ++ def test_escape_dollar_sign ++assert_equal "\\$", escape_javascript("$") ++ end ++ + def test_escape_javascript_with_safebuffer + given = %('quoted' "double-quoted" new-line:\n ) + expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>) diff -Nru rails-5.2.2.1+dfsg/debian/patches/series rails-5.2.2.1+dfsg/debian/patches/series --- rails-5.2.2.1+dfsg/debian/patches/series2019-03-17 17:44:07.0 +0530 +++ rails-5.2.2.1+dfsg/debian/patches/series2020-03-22 18:46:39.0 +0530 
@@ -1,2 +1,3 @@ 0001-Be-careful-with-that-bundler.patch 0002-disable-uglify-in-activestorage-rollup-config-js.patch +CVE-2020-5267.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
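Review bot: adding backtick and `$` to JS_ESCAPE_MAP closes the template-literal case (`${...}` is evaluated when the escaped string lands inside backticks), which the description mentions only as "JS XSS issues" and deserves naming. The new alternation `[\n\r"']|[`]|[$]` could be written as one class `[\n\r"'`$]` with identical matches. Switching `gsub` from the block form to the hash argument is behaviour-preserving only if every alternative in the regex has a key in JS_ESCAPE_MAP; that holds for the visible entries and is assumed for `\\`, `</` and `\r\n`, which sit above the hunk.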
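Review bot: the two new tests cover a lone backtick and a lone `$`; a case such as `escape_javascript("${x}")` expecting `\\${x}` would exercise the template-literal sequence the change is meant to neutralise, rather than only the individual characters.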
Bug#954664: stretch-pu: package rails/2:4.2.7.1-1+deb9u2
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch Severity: normal Hiya, rails seemed to be affected by CVE-2020-5267. This has been fixed in Sid and Jessie already. Here's the debdiff: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog --- rails-4.2.7.1/debian/changelog2019-04-18 20:21:20.0 +0530 +++ rails-4.2.7.1/debian/changelog2020-03-22 18:05:32.0 +0530 @@ -1,3 +1,11 @@ +rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high + + * Team upload. + * Add patch to fix possible XSS vector in JS escape helper. +(Fixes: CVE-2020-5267) (Closes: #954304) + + -- Utkarsh Gupta Sun, 22 Mar 2020 18:05:32 +0530 + rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium * CVE-2018-16476 (Closes: #914847) diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch rails-4.2.7.1/debian/patches/CVE-2020-5267.patch --- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch1970-01-01 05:30:00.0 +0530 +++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch2020-03-22 18:05:00.0 +0530 
@@ -0,0 +1,48 @@ +Description: Fix possible XSS vector in JS escape helper + This commit escapes dollar signs and backticks to prevent + JS XSS issues when using the `j` or `javascript_escape` helper +Author: Aaron Patterson +Author: Utkarsh Gupta +Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1 +Bug-Debian: https://bugs.debian.org/954304 +Last-Update: 2020-03-19 + +--- a/actionview/lib/action_view/helpers/javascript_helper.rb b/actionview/lib/action_view/helpers/javascript_helper.rb +@@ -10,7 +10,9 @@ + "\n"=> '\n', + "\r"=> '\n', + '"' => '\\"', +-"'" => "\\'" ++"'" => "\\'", ++"`" => "\\`", ++"$" => "\\$" + } + + JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '' +@@ -24,7 +26,7 @@ + # $('some_element').replaceWith('<%=j render 'some/element_template' %>'); + def escape_javascript(javascript) + if javascript +- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] } ++ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) + javascript.html_safe? ? result.html_safe : result + else + '' +--- a/actionview/test/template/javascript_helper_test.rb b/actionview/test/template/javascript_helper_test.rb +@@ -33,6 +33,14 @@ + assert_equal %(dont <\\/close> tags), j(%(dont tags)) + end + ++ def test_escape_backtick ++assert_equal "\\`", escape_javascript("`") ++ end ++ ++ def test_escape_dollar_sign ++assert_equal "\\$", escape_javascript("$") ++ end ++ + def test_escape_javascript_with_safebuffer + given = %('quoted' "double-quoted" new-line:\n ) + expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>) diff -Nru rails-4.2.7.1/debian/patches/series rails-4.2.7.1/debian/patches/series --- rails-4.2.7.1/debian/patches/series2019-04-18 20:18:04.0 +0530 +++ rails-4.2.7.1/debian/patches/series2020-03-22 18:04:25.0 +0530 
@@ -4,3 +4,4 @@ 0005-relax-json.patch 006-CVE-2018-16476.patch 007-CVE-2019-5418_CVE-2019-5419.patch +CVE-2020-5267.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
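Review bot: the 4.2 hunk was hand-adapted (offsets @@ -10 / @@ -24, `''` string literals, no `.dup` on the U+2028 key) rather than applied verbatim from the 5.2 patch, but the header still points `Origin:` at the oss-security post alone; recording in `Description:` that it was rebased onto 4.2.7.1 keeps provenance clear for the next stable update.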
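As an added example for both rails requests above (#954714 for buster and #954664 for stretch), and not Action View's code or part of either upload: a stand-alone reimplementation of the escape map before and after the CVE-2020-5267 change, run over a constructed payload that is meant to land inside a JavaScript template literal, the context the patch's new backtick and `$` entries address. The map entries, the payload and the `template_injectable?` check are this example's own.

```ruby
# Added example, not Action View's code. Maps and payload are constructed.

# Escape map as it stood before the fix.
BASE_MAP = {
  "\\"   => "\\\\",
  "</"   => '<\/',
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\\"',
  "'"    => "\\'",
}.freeze

# Same map plus the two entries the patch adds.
PATCHED_MAP = BASE_MAP.merge("`" => "\\`", "$" => "\\$").freeze

# Pre-fix helper: backtick and "$" pass through untouched.
def escape_js_before(str)
  str.gsub(/(\\|<\/|\r\n|[\n\r"'])/u) { |m| BASE_MAP[m] }
end

# Post-fix helper: hash form of gsub, every alternative has a map entry.
def escape_js_after(str)
  str.gsub(/(\\|<\/|\r\n|[\n\r"'`$])/u, PATCHED_MAP)
end

# Constructed attacker input destined for:  const s = `<%= j input %>`;
PAYLOAD = "x${alert(document.domain)}y"

# A template literal evaluates any "${" that is not escaped; this is the
# property the escaper has to guarantee for that context.
def template_injectable?(escaped)
  escaped.match?(/(?<!\\)\$\{/)
end
```

The pre-fix helper was correct for single- and double-quoted JS strings but had no notion of template literals; once templates became a common way to build strings, an unescaped `${` or a closing backtick was enough to break out.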
Bug#953124: buster-pu: package rake/12.3.1-3+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hiya, rake seemed to be affected by CVE-2020-8130. This has been fixed in Sid, Bullseye, and Jessie already. I got an ack to upload from the Security Team. Here's the debdiff: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog --- rake-12.3.1/debian/changelog2018-05-02 19:16:41.0 +0530 +++ rake-12.3.1/debian/changelog2020-02-29 20:40:36.0 +0530 @@ -1,3 +1,10 @@ +rake (12.3.1-3+deb10u1) buster; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta Sat, 29 Feb 2020 20:40:36 +0530 + rake (12.3.1-3) unstable; urgency=medium * Revert the drop of the ruby dependency. See Debian bug #897279 for related diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch rake-12.3.1/debian/patches/CVE-2020-8130.patch --- rake-12.3.1/debian/patches/CVE-2020-8130.patch1970-01-01 05:30:00.0 +0530 +++ rake-12.3.1/debian/patches/CVE-2020-8130.patch2020-02-29 20:34:19.0 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA +Author: Utkarsh Gupta +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb b/lib/rake/file_list.rb +@@ -294,7 +294,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series --- rake-12.3.1/debian/patches/series2018-05-02 19:16:41.0 +0530 +++ rake-12.3.1/debian/patches/series2020-02-29 20:31:31.0 +0530 
@@ -1,3 +1,4 @@ 0001-test-helper-adapt-to-test-installed-package.patch 0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch 0003-gemspec-drop-git-usage.patch +CVE-2020-8130.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
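Review bot: the one-line change matters because `Kernel#open` treats a name beginning with `|` as a command to spawn, whereas `File.open` only ever opens a file, so a crafted filename reaching this `each do |fn|` loop no longer executes anything; the `Description:` field says only "Use File.open explicitly" and should state that, since it is the whole security rationale for the update.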
Bug#953123: stretch-pu: package rake/10.5.0-2+deb9u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch Severity: normal Hiya, rake seemed to be affected by CVE-2020-8130. This has been fixed in Sid, Bullseye, and Jessie already. I got an ack to upload from the Security Team. Here's the debdiff: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog --- rake-10.5.0/debian/changelog2016-03-01 23:45:05.0 +0530 +++ rake-10.5.0/debian/changelog2020-02-29 20:57:18.0 +0530 @@ -1,3 +1,10 @@ +rake (10.5.0-2+deb9u1) stretch; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta Sat, 29 Feb 2020 20:57:18 +0530 + rake (10.5.0-2) unstable; urgency=medium * Team upload. diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch rake-10.5.0/debian/patches/CVE-2020-8130.patch --- rake-10.5.0/debian/patches/CVE-2020-8130.patch1970-01-01 05:30:00.0 +0530 +++ rake-10.5.0/debian/patches/CVE-2020-8130.patch2020-02-29 20:54:24.0 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA +Author: Utkarsh Gupta +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb b/lib/rake/file_list.rb +@@ -290,7 +290,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series --- rake-10.5.0/debian/patches/series2016-03-01 23:45:05.0 +0530 +++ rake-10.5.0/debian/patches/series2020-02-29 20:54:08.0 +0530 
@@ -2,3 +2,4 @@ skip_permission_test.patch autopkgtest.patch skip-rake-libdir.patch +CVE-2020-8130.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
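Review bot: identical change to the buster upload at offset @@ -290. Before uploading it is worth grepping lib/rake for any other bare `open(` on a path taken from a FileList, since the same `|` behaviour applies wherever `Kernel#open` is used on a user-controlled name. The changelog's `* Team upload` line also lacks its trailing period (the buster entry has the same nit).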
Bug#951130: RM: reel/0.6.1-4
reassign 951130 ftp.debian.org
user pkg-ruby-extras-maintain...@lists.alioth.debian.org
usertags 951130 + ruby2.7-transition
thanks

On Tue, Feb 11, 2020 at 9:39 AM Adam D. Barratt wrote:
> This sounds like you want the package removing from unstable?

Ah, yes. Fixed. Thanks!

Best,
Utkarsh
Bug#951129: RM: ruby-websocket-parser/1.0.0-1
reassign 951129 ftp.debian.org
User pkg-ruby-extras-maintain...@lists.alioth.debian.org
Usertags: ruby2.7-transition
thanks

On Tue, Feb 11, 2020 at 9:39 AM Adam D. Barratt wrote:
> This sounds like you want the package removing from unstable?

Ah, yes. Reassigned to ftp.d.o. Shall fix the other bugs as well.

Best,
Utkarsh
Bug#951133: RM: berkshelf/4.3.5-2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1057 days and also fails to build against Ruby 2.7. It has also had an RC bug for a long time. Each of its reverse dependencies is being filed for removal as well. This was discussed at the Ruby sprints and finally on the Ruby list, too.

I hereby request the removal of the same.

Best,
Utkarsh

---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#951132: RM: ruby-berkshelf-api-client/2.0.2-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1402 days and also fails to build against Ruby 2.7. It has also had an RC bug for a long time. Each of its reverse dependencies is being filed for removal as well. This was discussed at the Ruby sprints and finally on the Ruby list, too.

I hereby request the removal of the same.

Best,
Utkarsh

---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#951131: RM: berkshelf-api/2.2.0-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1242 days and also fails to build against Ruby 2.7. It has also had an RC bug for a long time. Each of its reverse dependencies is being filed for removal as well. This was discussed at the Ruby sprints and finally on the Ruby list, too.

I hereby request the removal of the same.

Best,
Utkarsh

---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#951130: RM: reel/0.6.1-4
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1124 days and also fails to build against Ruby 2.7. It has also had an RC bug for a long time. Each of its reverse dependencies is being filed for removal as well. This was discussed at the Ruby sprints and finally on the Ruby list, too.

I hereby request the removal of the same.

Best,
Utkarsh

---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#951129: RM: ruby-websocket-parser/1.0.0-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: rm
Severity: normal

Hi,

This package hasn't been in testing for 1578 days and was last uploaded on 13 October 2015. It fails to build against Ruby 2.7 and has also had an RC bug for a long time. Each of its reverse dependencies is being filed for removal as well. This was discussed at the Ruby sprints and finally on the Ruby list, too.

I hereby request the removal of the same.

Best,
Utkarsh

---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#929331: unblock: ruby-devise/4.5.0-3
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-devise. The latest upload contains a fix for CVE-2019-5421 (#926348). Thus requesting you to:

unblock ruby-devise/4.5.0-3

Best,
Utkarsh

---
-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Re: Proposal: Repository for fast-paced package backports
Hi Dominik,

On 26/12/18 2:16 am, Dominik George wrote:
> Hi everyone,
>
> as announced in the recent thread about maintaining, I hereby propose a
> repository that allows making “backports” of packages available to users
> of the stable distribution, if those packages cannot be maintained in
> testing and backported in the usual way. If you are interested in what
> led up to that, please see bug #915050. I will give a short summary of
> it here.
>
> Reasons for having a special place for some packages
>
> (You may want to skip this part if you are familiar with the situation.)
>
> As all developers know (but passers-by may not), for software to enter
> the Debian archive, it is always uploaded to the unstable distribution,
> then migrates to testing (hopefully ;)), which is at some point snapshot
> and made the new stable release. From there on, maintainers have two
> obligations: Firstly, keep the package in stable good and secure, e.g.
> by uploading security fixes for it once they become available upstream,
> or even backport fixes themselves. Secondly, provide the package in
> unstable with updates and ensure its migration, to keep it ready for the
> next stable release.
>
> Now, for some software packages, this process is problematic, because
> upstream may have another idea about software lifecycles. Concerning the
> GitLab example, upstream provides security fixes for three months for
> their stable releases. Backporting fixes from newer versions is very
> hard or impossible because of the massive amounts of changes to the
> software in every new version. This is something that also affects
> other packages, like Mozilla Firefox, which has a firefox package in
> unstable, and a separate firefox-esr package, with the ESR version of
> Firefox. Only the latter migrates to testing.
>
> Users of Debian honour it for its stability, but as an agile software
> lifecycle is adopted by more and more very popular software packages,
> not being able to install these packages in the trusted, well-known
> fashion through the official apt repositories is becoming more and more
> of a drawback.
>
> It can easily be assumed that the normal release and maintenance cycle
> of Debian stable will not change, which is very good, so we should find
> a way to still provide such software as described above to users.
>
> Why backports is not enough
>
> This also is well-known, but for completeness: Formal backports in
> stable-backports are required to be direct backports from testing, and
> are a stepping stone within the upgrade from stable to stable+1. Thus, a
> version of a package that is not in testing can never be in
> stable-backports.
>
> Implications for the situation at hand (gitlab)
>
> As there were quite a few concerns raised (some of which I share, and
> some I don’t): Of course, if a software intended for volatile has a ton
> of dependencies (intended to go into backports), all backports rules and
> powers of the ftp-masters apply. Repeating myself: volatile is not meant
> to ease the life of maintainers.

Did you get a chance to work on it? This is mostly in reference to #915050. Since GitLab is in good shape now (people have their own perception of good, though), we'd like to fast-track this and take it forward.

Let us know about the same :)

Best,
Utkarsh

signature.asc
Description: OpenPGP digital signature
Bug#928868: unblock: ruby-globalid/0.4.2+REALLY.0.3.6-1
Hey,

On Mon 13 May, 2019, 12:42 AM Paul Gevers, wrote:
> Hi Utkarsh,
>
> On 12-05-2019 11:44, Utkarsh Gupta wrote:
> > Hence, requesting you to:
> > unblock ruby-globalid/0.4.2+REALLY.0.3.6-1
>
> It would have been easier if you would have left the old patches in
> place, but anyways. Thanks for following up and reverting the new
> upstream version in unstable.
>

Ah.

> unblocked.
>

Thank you :)

Best,
Utkarsh
Bug#928868: unblock: ruby-globalid/0.4.2+REALLY.0.3.6-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-globalid.
The latest upload fixes the FTBFS and thus the bug #925178.
It has no test failures now and builds fine with rails, too.

Hence, requesting you to:

unblock ruby-globalid/0.4.2+REALLY.0.3.6-1

Best,
Utkarsh

---

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#926639: unblock: ruby-hangouts-chat/0.0.5-2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-hangouts-chat.
This was affected by #926247, which was an RC bug. However, in the latest upload, this has been fixed and is good to go.
The bug was reported 2nd April and was fixed on 6th April.

Thus requesting you to:

unblock ruby-hangouts-chat/0.0.5-2

Best,
Utkarsh

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#925604: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
Hey,

On Sat, Mar 30, 2019 at 9:41 PM Ivo De Decker wrote:
> Control: tags -1 moreinfo
>
> Hi,
>
> On Wed, Mar 27, 2019 at 07:11:57PM +0530, Utkarsh Gupta wrote:
> > Please unblock package ruby-doorkeeper-openid-connect.
> >
> > There was a CVE bug (#924747) reported against the package with severity:
> > grave.
> > It was reported on 16th March and was resolved in the latest upload, which was
> > on 24th March.
> > Thus, requesting you to please unblock the same and let it be a part of Buster,
> > as it was going to :)
>
> This upload seems to include a number of changes other than the fix for the
> security issue. This doesn't seem to comply with the freeze policy. Perhaps
> you can clarify the changes. Otherwise, please revert the upload and upload a
> targeted fix for this issue.
>

I do understand your point but there are only minor changes done except for the bug fixing :(
I was hoping for it to get unblocked (that is why I didn't do a minor update but just a patch update).
Also, since gitlab is its only reverse dependency, it'll not be a problem to unblock I guess?
If not possible, I'd perhaps be targeting buster-backports, but was wishing to be unblocked to avoid other workarounds.

Thanks,

>
> Ivo
>

Best,
Utkarsh
Bug#925602: unblock: ruby-globalid/0.4.2-1
Hey,

On Thu, Mar 28, 2019 at 2:16 AM Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Utkarsh,
>
> On 27-03-2019 14:30, Utkarsh Gupta wrote:
> > Please unblock package ruby-globalid.
> >
> > Recently, there was a bug (#925178) reported against the package with
> > severity: important.
>
> Did you see my last note in that bug?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925178#21

Apologies. I didn't see it earlier :(
Answering below.

> Care to answer it here?
> '''
> On 24-03-2019 07:21, Debian Bug Tracking System wrote:
> > ruby-globalid (0.4.2-1) unstable; urgency=medium
> > .
> >   * Team upload
> >   * New upstream version 0.4.2
> >   * Add patch to fix regression (Closes: #925178)
> >   * Drop patches that are merged in upstream
> >   * Bump debhelper compatibility level to 11
> >   * Bump Standards-Version to 4.3.0 (no changes needed)
> >   * Fix insecure URL
>
> Thanks for the quick fix for this issue. However, due to the new
> upstream version and the debhelper compatibility bump this version is
> not eligible [1] for an unblock for buster.
>
> Did rails 2:5.2.2.1+dfsg-1 break ruby-globalid or did it only break the
> autopkgtest of it? I'm asking because this version of rails is fixing a
> CVE's which we want in buster, but the autopkgtest failure (and the
> freeze) is blocking it.
>

It was breaking just the autopkgtest, thus the regression. Everything else was fine.

> Paul
>
> [1] https://release.debian.org/buster/freeze_policy.html
> '''
>
> > The package was in testing and the bug was reported on 20th March and
> > was resolved in the latest upload, which was on 24th March.
> > This also causes regression in the migration of rails' latest update.
> >
> > Hence, request you to:
> >
> > unblock ruby-globalid/0.4.2-1
>
> Not likely in the current state.
>

ruby-activejob from rails is the only reverse dependency of ruby-globalid. Since the package is in good shape now, perhaps it could be given an exception?
And it won't be risky either since ruby-activejob is the only rev-dep :)
Also, it was an RC bug at the last moment (though I understand the scenario here) :(

> Paul
>

Best,
Utkarsh
Bug#925609: unblock: rails/2:5.2.2.1+dfsg-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package rails.

There were 2 bugs (#924520 and #924521) reported against the package with severity: grave and severity: important, respectively.
Both the bugs were reported on 13th March and were resolved in the latest upload, which was on 19th March.
The package had previously migrated to testing until the two bugs were reported against it.
Hence, requesting you to please unblock the same and let it be a part of Buster, which it was going to :)

Note: This should be unblocked after/in/with reference to the unblock request for ruby-globalid (#925602).

Best,
Utkarsh

unblock rails/2:5.2.2.1+dfsg-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#925607: unblock: ruby-chromedriver-helper/2.1.0-7
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-chromedriver-helper.

There was a bug (#924125) reported against the package with severity: serious.
The bug was reported on 9th March and was resolved in the latest upload, which was on 24th March.
The package had previously migrated to testing on 26th February 2019, until an RC bug was reported against it.
Hence, requesting you to please unblock the same and let it be a part of Buster, which it was going to :)

Best,
Utkarsh

unblock ruby-chromedriver-helper/2.1.0-7

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#925605: unblock: ruby-carrierwave/1.3.1-2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-carrierwave.

There was a bug (#924830) reported against the package with severity: serious.
The bug was reported on 17th March and was resolved in the latest upload, which was on 24th March.
It had previously migrated to testing on 31st January 2019, until an RC bug was reported against it.
Thus, requesting you to please unblock the same and let it be a part of Buster, which it was going to :)

Best,
Utkarsh

unblock ruby-carrierwave/1.3.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#925604: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-doorkeeper-openid-connect.

There was a CVE bug (#924747) reported against the package with severity: grave.
It was reported on 16th March and was resolved in the latest upload, which was on 24th March.
Thus, requesting you to please unblock the same and let it be a part of Buster, as it was going to :)

Best,
Utkarsh

unblock ruby-doorkeeper-openid-connect/1.5.5-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#925602: unblock: ruby-globalid/0.4.2-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-globalid.

Recently, there was a bug (#925178) reported against the package with severity: important.
The package was in testing and the bug was reported on 20th March and was resolved in the latest upload, which was on 24th March.
This also causes regression in the migration of rails' latest update.

Hence, request you to:

unblock ruby-globalid/0.4.2-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#922316: unblock: ruby-leaflet-rails/1.3.1+dfsg-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-leaflet-rails.

I am writing this on behalf of the Ruby team, requesting you to unblock ruby-leaflet-rails[1] by the soft freeze.
The autopkgtest regression in testing was due to ruby-capybara[2], which was not in testing, which was blocked by an RC bug in puma[3].
Since they migrated on the last day before the soft freeze, there was no time to run autopkgtest for ruby-leaflet-rails and thus got blocked because of the same.

Hence requesting you to:

unblock ruby-leaflet-rails/1.3.1+dfsg-1

[1]: https://tracker.debian.org/pkg/ruby-leaflet-rails
[2]: https://tracker.debian.org/pkg/ruby-capybara
[3]: https://tracker.debian.org/pkg/puma

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Best,
Utkarsh
Bug#922310: unblock: ruby-jquery-ui-rails/6.0.1+dfsg-3
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-jquery-ui-rails.

I am writing this on behalf of the Ruby team, requesting you to unblock ruby-jquery-ui-rails[1] by the soft freeze.
The autopkgtest regression in testing was due to ruby-capybara[2], which was not in testing, which was blocked by an RC bug in puma[3].
Since they migrated on the last day before the soft freeze, there was no time to run autopkgtest for ruby-jquery-ui-rails and thus got blocked because of the same.

Hence requesting you to:

unblock ruby-jquery-ui-rails/6.0.1+dfsg-3

[1]: https://tracker.debian.org/pkg/ruby-jquery-ui-rails
[2]: https://tracker.debian.org/pkg/ruby-capybara
[3]: https://tracker.debian.org/pkg/puma

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Best,
Utkarsh