[yui-compressor] tag debian/2.4.8-1 created (now 232b334)

2018-02-10 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script.

mgilbert pushed a change to tag debian/2.4.8-1
in repository yui-compressor.

at  232b334   (commit)
No new revisions were added by this update.

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/yui-compressor.git

___
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits


[yui-compressor] 01/01: updates to support upstream version 2.4.8

2018-02-10 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script.

mgilbert pushed a commit to branch master
in repository yui-compressor.

commit 232b3349e1d25f989a83a3897977a7fc91587624
Author: Michael Gilbert <mgilb...@debian.org>
Date:   Sat Feb 10 22:18:27 2018 +

updates to support upstream version 2.4.8
---
 debian/changelog  |  9 ++---
 debian/fetch-upstream | 24 
 debian/patches/decompiler.patch   |  6 +++---
 debian/patches/fix_testsuite.diff |  4 ++--
 debian/patches/use-system-libraries.patch | 12 ++--
 debian/rules  |  6 ++
 6 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 5ff1c01..334502c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
-yui-compressor (2.4.7-4) UNRELEASED; urgency=medium
+yui-compressor (2.4.8-1) unstable; urgency=medium
 
-  * Team upload.
+  [ Michael Gilbert ]
+  * New upstream release (closes: #775750).
+
+  [ tony mancill ]
   * Moved the package to Git
 
- -- tony mancill <tmanc...@debian.org>  Wed, 05 Jul 2017 21:42:38 -0700
+ -- Michael Gilbert <mgilb...@debian.org>  Mon, 27 Nov 2017 02:59:22 +
 
 yui-compressor (2.4.7-3) unstable; urgency=medium
 
diff --git a/debian/fetch-upstream b/debian/fetch-upstream
old mode 100644
new mode 100755
index ac033e1..5516a1e
--- a/debian/fetch-upstream
+++ b/debian/fetch-upstream
@@ -1,7 +1,7 @@
 #!/bin/sh
+
 set -e
 
-echo $#
 if test "$#" != "3" ; then
 echo "usage: $0   
"
 exit 1
@@ -12,10 +12,11 @@ rhino_version="$3"
 curdir="$PWD"
 
 # download
-cd /tmp
-wget -N http://yui.zenfs.com/releases/yuicompressor/yuicompressor-$version.zip
-unzip -xq yuicompressor-$version.zip
-rm yuicompressor-$version.zip
+cd $(mktemp -d)
+echo Working in: $(pwd)
+wget -N https://github.com/yui/yuicompressor/archive/v$version.zip
+unzip -xq v$version.zip
+rm v$version.zip
 
 # cleanup
 rm -rf yuicompressor-$version/build
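Review bot: the archive fetched by the new `wget` line is unzipped and later repacked into the orig tarball with no integrity check, so whatever the server returns becomes the package source even though the URL is now HTTPS. Compare the download against a recorded SHA-256 before the `unzip` step. Also quote the substitution, `cd "$(mktemp -d)"`, and remove the temporary directory on exit, since none of the visible lines delete it.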
@@ -24,15 +25,14 @@ rm -rf yuicompressor-$version/src/org/mozilla/javascript/*
 
 # download rhino source
 debsnap --verbose rhino $rhino_version
-rhino_tar_version="$(echo $rhino_version | cut -d - -f 1)"
-rhino_dir_version="$(echo $rhino_tar_version | sed "s/\./_/")"
-(cd source-rhino/; tar xvzf rhino_$rhino_tar_version.orig.tar.gz)
-cp -r source-rhino/rhino$rhino_dir_version/src/org/mozilla/* 
yuicompressor-$version/src/org/mozilla/
+(cd source-rhino/; tar xf rhino*.tar.gz)
+rm source-rhino/*.gz source-rhino/*.dsc
+cp -r source-rhino/*/src/org/mozilla/* yuicompressor-$version/src/org/mozilla/
 
 # repack
 mv yuicompressor-$version yui-compressor-$version
-tar czf yui-compressor_$orig_tarball_version.orig.tar.gz 
yui-compressor-$version
+tar cJf yui-compressor_$orig_tarball_version.orig.tar.xz 
yui-compressor-$version
 rm -rf yui-compressor-$version
 rm -rf source-rhino
-mv yui-compressor_$orig_tarball_version.orig.tar.gz $curdir
-echo "Done: successfully created yui-compressor_$version.orig.tar.gz."
+mv yui-compressor_$orig_tarball_version.orig.tar.xz $curdir
+echo "Done: successfully created yui-compressor_$version.orig.tar.xz."
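Review bot: the globs `rhino*.tar.gz` and `source-rhino/*/src/org/mozilla/*` assume debsnap left exactly one matching tarball and one unpacked directory in `source-rhino/`; with more than one match, `tar xf` treats the extra names as archive members to extract and `cp -r` merges several trees. Fail explicitly unless there is a single match. The final `echo` also reports `yui-compressor_$version.orig.tar.xz`, while the file created and moved is named with `$orig_tarball_version`.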
diff --git a/debian/patches/decompiler.patch b/debian/patches/decompiler.patch
index 858e7c0..149477e 100644
--- a/debian/patches/decompiler.patch
+++ b/debian/patches/decompiler.patch
@@ -1,8 +1,8 @@
 YUI patch for the Rhino library's Decompiler.java
 ===
 a/src/org/mozilla/javascript/Decompiler.java.orig  2008-11-14 
10:13:36.0 -0500
-+++ b/src/org/mozilla/javascript/Decompiler.java   2008-11-14 
10:13:36.0 -0500
-@@ -166,6 +166,18 @@
+--- a/src/org/mozilla/javascript/Decompiler.java
 b/src/org/mozilla/javascript/Decompiler.java
+@@ -133,6 +133,18 @@ public class Decompiler
  appendString('/' + regexp + '/' + flags);
  }
  
diff --git a/debian/patches/fix_testsuite.diff 
b/debian/patches/fix_testsuite.diff
index d5eeca0..c7da736 100644
--- a/debian/patches/fix_testsuite.diff
+++ b/debian/patches/fix_testsuite.diff
@@ -4,11 +4,11 @@ Last-Update: 2011-06-12
 Forwarded: not-needed
 --- a/tests/suite.sh
 +++ b/tests/suite.sh
-@@ -18,7 +18,7 @@
+@@ -18,7 +18,7 @@ runtest () {

if [ "$2" == "cssminjs" ]; then 
actual="$(
--  java -jar ../lib/rhino-1.6R7.jar suite.rhino $testfile
+-  java -jar ../lib/rhino-1.7R2.jar suite.rhino $testfile
 +  java -jar /usr/share/java/js.jar suite.rhino $testfile
)"
   
diff --git a/debian/patches/use-system-libraries.patch 
b/debian/patches/use-system-libraries.patch
index 0934517..9f915b3 100644
--- a/debian/patches/use-system-libraries.patch
+++ b/debian/patches/use-system-libraries.patch
@@ -6,28 +6,28 @@ 

[yui-compressor] branch master updated (97d4a4c -> 232b334)

2018-02-10 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script.

mgilbert pushed a change to branch master
in repository yui-compressor.

  from  97d4a4c   interim changelog
   new  232b334   updates to support upstream version 2.4.8

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 debian/changelog  |  9 ++---
 debian/fetch-upstream | 24 
 debian/patches/decompiler.patch   |  6 +++---
 debian/patches/fix_testsuite.diff |  4 ++--
 debian/patches/use-system-libraries.patch | 12 ++--
 debian/rules  |  6 ++
 6 files changed, 31 insertions(+), 30 deletions(-)
 mode change 100644 => 100755 debian/fetch-upstream

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/yui-compressor.git



Bug#814167: lwjgl: (Build-)Depends on OpenJDK 7

2016-03-12 Thread Michael Gilbert
On Wed, Mar 9, 2016 at 10:20 AM, Markus Koschany wrote:
> https://github.com/JetBrains/kotlin
>
> This one seems to be the blocker because kotlin build-depends on
> components of IntelliJ IDEA and all in all that's a lot of stuff for a
> mere library.

This is the huge dependency stack that I was referring to.

> But perhaps I am missing something and it is much simpler...

Possibly, I only did a quick look at it a while ago, so I don't know
if it's the only approach.

Best wishes,
Mike

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#814167: lwjgl: (Build-)Depends on OpenJDK 7

2016-03-08 Thread Michael Gilbert
> I have switched the build-dependency to default-jdk and changed
> JAVA_HOME in debian/rules accordingly. However the package FTBFS with
> OpenJDK 8. I guess packaging the latest upstream release would be the
> best option.

2.9.3 is supposed to support building without ant.  I looked at it a
while ago, and it isn't quite that simple.

lwjgl3 is also available, but it has a huge dependency stack with
almost none of it in Debian yet.

I have less interest in lwjgl now than I used to, and I may not be
able to find the time to work on it.

Best wishes,
Mike



Bug#648624: updates about liblwjgl-java please.

2015-09-05 Thread Michael Gilbert
On Sat, Sep 5, 2015 at 10:55 AM, shirish wrote:
> Might spur somebody into action.

In debian, things get done by those willing to scratch an itch.  If
you have this itch, please go scratch it.

Best wishes,
Mike



Bug#657281: fop non-free file

2014-11-01 Thread Michael Gilbert
control: tag -1 patch, pending

Hi, I've uploaded an nmu repacking the tarball without the non-free
file to delayed/5.  See attached.  Please let me know if I should
delay longer.

Best wishes,
Mike
diff -Nru fop-1.1.dfsg/debian/changelog fop-1.1.dfsg2/debian/changelog
--- fop-1.1.dfsg/debian/changelog	2013-05-16 08:49:59.0 +
+++ fop-1.1.dfsg2/debian/changelog	2014-11-01 22:14:22.0 +
@@ -1,3 +1,10 @@
+fop (1:1.1.dfsg2-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove non-free files from the upstream tarball (closes: 657281).
+
+ -- Michael Gilbert mgilb...@debian.org  Sat, 01 Nov 2014 22:10:15 +
+
 fop (1:1.1.dfsg-2) unstable; urgency=low
 
   * Upload to sid
diff -Nru fop-1.1.dfsg/debian/orig-tar.sh fop-1.1.dfsg2/debian/orig-tar.sh
--- fop-1.1.dfsg/debian/orig-tar.sh	2011-08-19 14:11:11.0 +
+++ fop-1.1.dfsg2/debian/orig-tar.sh	2014-11-01 22:08:50.0 +
@@ -6,7 +6,7 @@
 
 # clean up the upstream tarball
 tar -zxvf $3
-tar -czf $TAR --exclude '*/lib/*' $DIR
+tar -czf $TAR --exclude '*/lib/*' --exclude '*/sRGB*.icm*' $DIR
 rm -rf $DIR $3
 
 # move to directory 'tarballs'
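Review bot: nothing in this debdiff accounts for code that loads the profile removed by the new `--exclude '*/sRGB*.icm*'` on the repack line; only `debian/changelog` and `debian/orig-tar.sh` change. Confirm that the build and the code under `src/java/org/apache/fop/pdf/` that refers to `sRGB Color Space Profile.icm` still work when the file is absent, or patch that reference out in the same upload.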
Binary files /tmp/aLFMmtF_YF/fop-1.1.dfsg/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm and /tmp/qf9O_teixn/fop-1.1.dfsg2/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm differ
diff -Nru /tmp/aLFMmtF_YF/fop-1.1.dfsg/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm.LICENSE.txt /tmp/qf9O_teixn/fop-1.1.dfsg2/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm.LICENSE.txt
--- /tmp/aLFMmtF_YF/fop-1.1.dfsg/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm.LICENSE.txt	2012-10-16 15:47:36.0 +
+++ /tmp/qf9O_teixn/fop-1.1.dfsg2/src/java/org/apache/fop/pdf/sRGB Color Space Profile.icm.LICENSE.txt	1970-01-01 00:00:00.0 +
@@ -1,14 +0,0 @@
-Obtained from: http://www.srgb.com/usingsrgb.html
-
-The file sRGB Color Space Profile.icm is:
-Copyright (c) 1998 Hewlett-Packard Company
-
-To anyone who acknowledges that the file sRGB Color Space Profile.icm 
-is provided AS IS WITH NO EXPRESS OR IMPLIED WARRANTY:
-permission to use, copy and distribute this file for any purpose is hereby 
-granted without fee, provided that the file is not changed including the HP 
-copyright notice tag, and that the name of Hewlett-Packard Company not be 
-used in advertising or publicity pertaining to distribution of the software 
-without specific, written prior permission.  Hewlett-Packard Company makes 
-no representations about the suitability of this software for any purpose.
-

Bug#657281: fop non-free file

2014-11-01 Thread Michael Gilbert
On Sat, Nov 1, 2014 at 6:51 PM, Emmanuel Bourg wrote:
> On 01/11/2014 23:29, Michael Gilbert wrote:
>
>> Hi, I've uploaded an nmu repacking the tarball without the non-free
>> file to delayed/5.  See attached.  Please let me know if I should
>> delay longer.
>
> Isn't including the free equivalent profile from the openicc project a
> better solution? This would not degrade the features of the fop package,
> but maybe this has no substantial impact on other packages anyway.

gnewsense did away with it almost two years ago, and there haven't
been any consequences they've, so it looks like it really isn't
needed.

Best wishes,
Mike


Bug#759947: nmu for jruby

2014-11-01 Thread Michael Gilbert
control: tag -1 patch, pending

Hi I've uploaded an nmu to delayed/5 fixing this issue.  Please let me
know if I should delay longer.

Best wishes,
Mike
diff -Nru jruby-1.5.6/debian/changelog jruby-1.5.6/debian/changelog
--- jruby-1.5.6/debian/changelog	2014-10-28 02:28:33.0 -0400
+++ jruby-1.5.6/debian/changelog	2014-11-01 21:08:49.0 -0400
@@ -1,3 +1,10 @@
+jruby (1.5.6-8.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Build-depend openjdk = 7u71-2.5.3 (closes: #759947).
+
+ -- Michael Gilbert mgilb...@debian.org  Sun, 02 Nov 2014 01:02:24 +
+
 jruby (1.5.6-8) unstable; urgency=medium
 
   [ tony mancill ]
diff -Nru jruby-1.5.6/debian/control jruby-1.5.6/debian/control
--- jruby-1.5.6/debian/control	2014-10-28 02:28:33.0 -0400
+++ jruby-1.5.6/debian/control	2014-11-01 21:07:37.0 -0400
@@ -4,7 +4,7 @@
 Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
 Uploaders: Sebastien Delafond s...@debian.org,
  Torsten Werner twer...@debian.org
-Build-Depends: debhelper (= 9~), default-jdk, ant-optional,
+Build-Depends: debhelper (= 9~), openjdk-7-jdk (= 7u71-2.5.3), ant-optional,
  libasm3-java, libcommons-logging-java, libjarjar-java, libjoda-time-java,
  junit4, libbsf-java, libjline-java, bnd, libconstantine-java,
  netbase, libjgrapht0.8-java, libjcodings-java, libbytelist-java, libjffi-java,
diff -Nru jruby-1.5.6/debian/rules jruby-1.5.6/debian/rules
--- jruby-1.5.6/debian/rules	2014-10-28 02:28:33.0 -0400
+++ jruby-1.5.6/debian/rules	2014-11-01 21:08:02.0 -0400
@@ -3,7 +3,7 @@
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/class/ant.mk
 
-JAVA_HOME:= /usr/lib/jvm/default-java
+JAVA_HOME:= /usr/lib/jvm/java-7-openjdk-$(DEB_BUILD_ARCH)
 DEB_ANT_CLEAN_TARGET := clean-all
 DEB_ANT_BUILD_TARGET := -Ddev.gems=false -DdocsNotNeeded=true \
 -Dshared.lib.dir=/usr/share/java test dist-bin
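Review bot: the new `JAVA_HOME` line hard-codes the OpenJDK 7 path in place of `default-java` with no comment saying why. Add a comment above it that points at #759947, so the pin is revisited when the default JDK changes instead of being carried forward silently.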

Bug#767051: libjinput-java: uninstallable on kfreebsd

2014-10-27 Thread Michael Gilbert
package: libjinput-java
severity: serious
version: 20100502+dfsg-7

This package currently depends on libjinput-jni, which is currently
not built on the kfreebsds (#657771), so the libjinput-java is
uninstallable on those architectures.

Best wishes,
Mike



Bug#761269: FTBFS: requires 'apt' annotation processing tool from JDK = 6

2014-10-12 Thread Michael Gilbert
On Fri, Oct 10, 2014 at 9:06 AM, Emmanuel Bourg wrote:
> Restoring the apt binary in the openjdk-7-jdk package should fix this
> issue. It was removed in openjdk-7/7u65-2.5.1-5 but it's still available
> upstream.
>
> This issue will come back with the Java 8 transition.

I looked at what it will take to get this working without java apt.
There is a newer lwjgl3, which doesn't use java apt, so that looks
deceivingly promising, but it requires the kotlin compiler, which isn't
in debian.

kotlin itself doesn't look too bad, but it depends (or seems to
depend) on IDEA, which is a huge development environment and a bunch
of other unpackaged dependencies.

So, basically a lot of work is going to need to go into bootstrapping
the dependencies.  So someone should start thinking about that early
in the jessie+1 cycle.  I'm not hugely interested in this package any
more, so I'm not planning to work on that.

In the meantime, for jessie, I think the only solution is getting java
apt back for lwjgl2.

Best wishes,
Mike



Bug#648624: lwjgl: upstream = 2.8 needs libasm4-java

2014-01-15 Thread Michael Gilbert
On Wed, Jan 15, 2014 at 3:31 PM, David Prévot wrote:
> Control: retitle -1 Please upgrade lwjgl to a more recent version
>
> Hi Michael,
>
> On Sun, Nov 13, 2011 at 10:55:38AM -0500, Michael Gilbert wrote:
>
>> i worked on packaging the upstream version 2.8.1 today
>
> It looks like you forgot to push your work in progress to the package
> repository, can you please do so if you still have it handy?

That was a long time ago, and I think I erased the work a while ago.

>> but it has a new dependency on asm4 that doesn't exist in debian yet.
>
> That statement isn’t true anymore, are you still interested into
> upgrading lwjgl?

Definitely.

> I may be interested to use a more recent version of liblwjgl-java as a
> build-dependency for processing in the near future, and am thus ready to
> help upgrading lwjgl via a team upload if that’s OK with you.

If you're interested, please feel free to update as you see fit :)

Best wishes,
Mike


Bug#701991: CVE-2013-0253

2013-03-21 Thread Michael Gilbert
Hi,

I've uploaded an nmu fixing this issue.  Please see attached patch.

Best wishes,
Mike


wagon2.patch
Description: Binary data

Bug#700090: ERROR: Trying to attach top of widget - Segmentation fault

2013-02-19 Thread Michael Gilbert
control: severity -1 normal

You have a mix of deb-multimedia packages, which often leads to
problems.  Please try to reproduce this on a clean installation.

Best wishes,
Mike



Bug#700090: ERROR: Trying to attach top of widget - Segmentation fault

2013-02-19 Thread Michael Gilbert
> Debian Release: 7.0
>   500 unstable www.deb-multimedia.org
>   500 testing www.deb-multimedia.org
>
> So which one should I remove? Unstable?

You should remove all packages that you've installed from either.

Best wishes,
Mike



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Michael Gilbert
> Hi Andreas
>
> I've uploaded both packages to mentors.
>
> commons-httpclient - bug #692442 CVE-2012-5783
> axis - bug #692650 CVE-2012-5784
>
> Since axis uses commons-httpclient, we need fix and upload both
> packages.
>
> Upstream has ignored axis patch, and rejected commons-httpclient patch.
> Basically, they say commons-httpclient is EOL and they don't want to
> spend time on it. They maybe would apply the patch to the SVN, but
> without revision and without releasing.

According to redhat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to
> upload.

Please coordinate the axis patch with redhat since they don't have a
solution in their bug tracker yet either.  They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Michael Gilbert
> I've backported the routine to validate certificate name, and I've made
> a patch (attached).
>
> I'm not sure  it's a good idea apply the patch, it can break programs
> that connect with bad hostnames (ips, host in /etc/hostname, etc)

Would you mind getting your patches for these issues reviewed and
applied by the appropriate upstreams?

Thanks,
Mike



Bug#692439: closing

2012-11-18 Thread Michael Gilbert
version: 6.0.35-5+nmu1



Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439

2012-11-17 Thread Michael Gilbert
Hi, I've uploaded an nmu fixing this issue.  Please see attached patch.

Best wishes,
Mike


tomcat7.patch
Description: Binary data

Bug#648624: lwjgl: upstream = 2.8 needs libasm4-java

2011-11-13 Thread Michael Gilbert
package: src:lwjgl
version: 2.7.1+dfsg-1
severity: normal

i worked on packaging the upstream version 2.8.1 today, but it has a
new dependency on asm4 that doesn't exist in debian yet.  it currently
has an RFP bug.





Bug#648624: (lwjgl: upstream = 2.8 needs libasm4-java

2011-11-13 Thread Michael Gilbert
affects 623950 lwjgl
thanks

bug # 623950 is the asm4 rfp.





[SCM] lwjgl - Lightweight Java Game Library branch, master, updated. upstream/2.5+dfsg-40-gf792bb8

2011-11-13 Thread Michael Gilbert
The following commit has been merged in the master branch:
commit 7532f52eff099d649668c84bb28534b35fefa184
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sun Nov 13 09:36:40 2011 -0500

fix clean rule

diff --git a/debian/changelog b/debian/changelog
index c4f3579..76aa619 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,14 @@
 lwjgl (2.7.1+dfsg-2) UNRELEASED; urgency=low
 
+  [ Miguel Landaeta ]
   * Team upload.
   * Switch to default-jdk. (Closes: #643537).
   * Make copyright file DEP-5 compliant.
 
- -- Miguel Landaeta mig...@miguel.cc  Sun, 23 Oct 2011 12:51:29 -0430
+  [ Michael Gilbert ]
+  * Fix clean rule.
+
+ -- Michael Gilbert michael.s.gilb...@gmail.com  Sun, 13 Nov 2011 09:36:00 
-0500
 
 lwjgl (2.7.1+dfsg-1) unstable; urgency=low
 
diff --git a/debian/rules b/debian/rules
index dd76869..1ab77a5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -25,9 +25,7 @@ override_dh_auto_install:
 
 override_dh_auto_clean:
find src/native/ -name '*org_lwjgl_*.h' -delete
-   rm -rf src/native/generated/* src/generated/*
-   rm -rf doc/javadoc bin temp
-   rm -f libs/*.jar libs/linux/*
+   rm -rf src/native/generated src/generated doc bin libs dist res temp
jh_clean
 
 get-orig-source:
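Review bot: the replacement `rm -rf` line now deletes `doc`, `libs`, `res` and `dist` wholesale, where the old rules removed only `doc/javadoc`, `libs/*.jar` and `libs/linux/*`. If the orig tarball ships anything in those directories, `clean` will delete upstream files and the tree will no longer match the source package after a build. Keep the narrower paths, or confirm that every directory listed is produced by the build.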

-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library branch, master, updated. upstream/2.5+dfsg-40-gf792bb8

2011-11-13 Thread Michael Gilbert
The following commit has been merged in the master branch:
commit 4f4fe2ba044cf0131ee790061aeb4d64049b936d
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sun Nov 13 09:37:23 2011 -0500

fix vcs-git field

diff --git a/debian/changelog b/debian/changelog
index 76aa619..d5a9732 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ lwjgl (2.7.1+dfsg-2) UNRELEASED; urgency=low
 
   [ Michael Gilbert ]
   * Fix clean rule.
+  * Fix Vcs-Git field.
 
  -- Michael Gilbert michael.s.gilb...@gmail.com  Sun, 13 Nov 2011 09:36:00 
-0500
 
diff --git a/debian/control b/debian/control
index bb4b5e5..9f365c4 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends:
  libxt-dev
 Build-Depends-Indep: default-jdk-doc
 Standards-Version: 3.9.2
-Vcs-Git: git://git.debian.org/pkg-java/lwjgl.git
+Vcs-Git: git://git.debian.org/git/pkg-java/lwjgl.git
 Vcs-Browser: http://git.debian.org/?p=pkg-java/lwjgl.git
 Homepage: http://lwjgl.org/
 DM-Upload-Allowed: yes
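Review bot: the corrected `Vcs-Git` value still uses `git://`, which gives a cloning client no encryption and no way to authenticate the server, and the `Vcs-Browser` field below it is plain `http://`. If the host offers the repository over HTTPS, point both fields there.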

-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library branch, master, updated. upstream/2.5+dfsg-40-gf792bb8

2011-11-13 Thread Michael Gilbert
The following commit has been merged in the master branch:
commit 8ef0715b33ae1f8c40d730d33dccd5faf7193f60
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sun Nov 13 09:48:12 2011 -0500

update copyright file

diff --git a/debian/changelog b/debian/changelog
index d5a9732..11a5e06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ lwjgl (2.7.1+dfsg-2) UNRELEASED; urgency=low
   [ Michael Gilbert ]
   * Fix clean rule.
   * Fix Vcs-Git field.
+  * Update copyright file.
 
  -- Michael Gilbert michael.s.gilb...@gmail.com  Sun, 13 Nov 2011 09:36:00 
-0500
 
diff --git a/debian/copyright b/debian/copyright
index 15f28bc..afed6b1 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,8 +1,9 @@
-Format: http://dep.debian.net/deps/dep5/
+Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=202 
 Upstream-Name: lwjgl - Lightweight Java Game Library
 Upstream-Contact: LWJGL developers i...@lwjgl.org
 Source: http://java-game-lib.svn.sourceforge.net/viewvc/java-game-lib/
 
+Files: *
 Copyright: 2002-2010, Lightweight Java Game Library Project
 License: BSD
  Redistribution and use in source and binary forms, with or without

-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library tag, debian/2.7.1+dfsg-2, created. upstream/2.5+dfsg-40-gf792bb8

2011-11-13 Thread Michael Gilbert
The tag, debian/2.7.1+dfsg-2 has been created
at  f792bb87936270129dd3fb31e0af8d11d8bab9be (commit)

- Shortlog 
commit f792bb87936270129dd3fb31e0af8d11d8bab9be
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sun Nov 13 11:00:17 2011 -0500

release 2.7.1+dfsg-2
---

-- 
lwjgl - Lightweight Java Game Library



Bug#626002: jinput: jinput.jar needs jutils in its Class-Path

2011-05-07 Thread Michael Gilbert
package: jinput
version: 20100502+dfsg-4
severity: normal

jinput.jar should have /usr/share/java/jutils.jar in its Class-Path in
the manifest file. without this, dependencies need to include jutils
explicitly in their Class-Paths (even though there isn't a direct
depends, which is a bit odd and undesirable).

thanks,
mike





[SCM] lwjgl - Lightweight Java Game Library branch, master, updated. upstream/2.5+dfsg-33-g8e15984

2011-05-07 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project lwjgl - Lightweight Java Game Library.

The branch, master has been updated
   via  8e15984941d592bbfe790520801a18f19f542094 (commit)
   via  a783cd473d6b368291976bc97653f560c1a3f3ab (commit)
   via  b94afb25310589f105e577af5ab9ba278cd734a5 (commit)
   via  c0830f9108a60ef204aabbb555ef98f4b7ac9af1 (commit)
  from  e6d766cd130c572d07a1359a4a0fb956b0e43fad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit 8e15984941d592bbfe790520801a18f19f542094
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sat May 7 14:04:19 2011 -0400

automatically unapply patches after build

commit a783cd473d6b368291976bc97653f560c1a3f3ab
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sat May 7 13:59:06 2011 -0400

drop depends on jutils

commit b94afb25310589f105e577af5ab9ba278cd734a5
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sat May 7 13:45:18 2011 -0400

use jh_clean

commit c0830f9108a60ef204aabbb555ef98f4b7ac9af1
Author: Michael Gilbert michael.s.gilb...@gmail.com
Date:   Sat May 7 13:41:06 2011 -0400

restore javahelper build-dep

---

Summary of changes:
 debian/changelog|4 ++--
 debian/control  |2 +-
 debian/rules|5 -
 debian/source/local-options |1 +
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index fca7eb9..0e4e939 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,8 @@ lwjgl (2.7.1+dfsg-1) UNRELEASED; urgency=low
   * new upstream release:
 - refresh debian patches.
   * add myself as an uploader.
-  * build-depend on jutils
-  * don't build-depend on javahelper or sun-java-6
+  * don't build-depend on sun-java-6
+  * use jh_clean
 
  -- Michael Gilbert michael.s.gilb...@gmail.com  Sun, 03 Apr 2011 16:50:25 
-0400
 
diff --git a/debian/control b/debian/control
index 1d83ca8..9c924c8 100644
--- a/debian/control
+++ b/debian/control
@@ -5,11 +5,11 @@ Maintainer: Debian Java Maintainers 
pkg-java-maintain...@lists.alioth.debian.or
 Uploaders: Gabriele Giacone 1o5g4...@gmail.com, Michael Gilbert 
michael.s.gilb...@gmail.com
 Build-Depends:
  debhelper (= 8),
+ javahelper,
  ant,
  ant-optional,
  openjdk-6-jdk,
  libjinput-java,
- libjutils-java,
  libxrandr-dev,
  libxxf86vm-dev,
  libxcursor-dev,
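Review bot: `libjutils-java` is removed from Build-Depends here while `debian/rules` in the same push keeps `/usr/share/java/jutils.jar` on `CLASSPATH`, so the build relies on `libjinput-java` pulling jutils in. The comment added in `debian/rules` explains the reason, but the build will break without warning if that transitive dependency goes away; keeping the explicit build-dependency until #626002 is fixed is safer.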
diff --git a/debian/rules b/debian/rules
index 0d539d4..0ab0f14 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,9 @@ TAR := ../$(NAME)_$(VERSION).orig.tar.gz
 TARDFSG := ../$(NAME)_$(VERSION)+dfsg.orig.tar.gz
 
 export JAVA_HOME=/usr/lib/jvm/java-6-openjdk
+
+# NOTE: jutils is explicitly included here (without a depends in our control
+# file) because jinput.jar lacks jutils in its own Class-Path (bug #626002)
 export CLASSPATH=/usr/share/java/jinput.jar:/usr/share/java/jutils.jar
 
 %:
@@ -25,7 +28,7 @@ override_dh_auto_clean:
rm -rf src/native/generated/* src/generated/*
rm -rf doc/javadoc bin temp
rm -f libs/*.jar libs/linux/*
-   rm -f debian/liblwjgl-java-doc.doc-base.javadoc
+   jh_clean
 
 get-orig-source:
rm -f $(TAR)
diff --git a/debian/source/local-options b/debian/source/local-options
new file mode 100644
index 000..4aceb10
--- /dev/null
+++ b/debian/source/local-options
@@ -0,0 +1 @@
+unapply-patches


hooks/post-receive
-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library branch, pristine-tar, updated. 7439548c46692cf26d2c402c878ddb05e842c4d0

2011-04-03 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project lwjgl - Lightweight Java Game Library.

The branch, pristine-tar has been updated
   via  7439548c46692cf26d2c402c878ddb05e842c4d0 (commit)
  from  e5582e8475c12982ecbecbeebccca85499d7feed (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit 7439548c46692cf26d2c402c878ddb05e842c4d0
Author: Michael Gilbert <michael.s.gilb...@gmail.com>
Date:   Sun Apr 3 16:46:09 2011 -0400

pristine-tar for 2.7.1+dfsg

---

Summary of changes:
 lwjgl_2.7.1+dfsg.orig.tar.gz.delta |  Bin 0 -> 31799 bytes
 lwjgl_2.7.1+dfsg.orig.tar.gz.id    |    1 +
 2 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/lwjgl_2.7.1+dfsg.orig.tar.gz.delta 
b/lwjgl_2.7.1+dfsg.orig.tar.gz.delta
new file mode 100644
index 000..0b782dc
Binary files /dev/null and b/lwjgl_2.7.1+dfsg.orig.tar.gz.delta differ
diff --git a/lwjgl_2.7.1+dfsg.orig.tar.gz.id b/lwjgl_2.7.1+dfsg.orig.tar.gz.id
new file mode 100644
index 000..7b8ed29
--- /dev/null
+++ b/lwjgl_2.7.1+dfsg.orig.tar.gz.id
@@ -0,0 +1 @@
+09bd29f33e456dfa8ed08d4ecf6caaa361e780d7


hooks/post-receive
-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library tag, upstream/2.7.1+dfsg, created. upstream/2.5+dfsg-1-g09bd29f

2011-04-03 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project lwjgl - Lightweight Java Game Library.

The tag, upstream/2.7.1+dfsg has been created
at  09bd29f33e456dfa8ed08d4ecf6caaa361e780d7 (commit)

- Log -
commit 09bd29f33e456dfa8ed08d4ecf6caaa361e780d7
Author: Michael Gilbert <michael.s.gilb...@gmail.com>
Date:   Sun Apr 3 16:42:33 2011 -0400

import upstream 2.7.1+dfsg
---


hooks/post-receive
-- 
lwjgl - Lightweight Java Game Library



[SCM] lwjgl - Lightweight Java Game Library tag, upstream/2.7.1+dfsg, updated. upstream/2.5+dfsg-2-gcb1276c

2011-04-03 Thread Michael Gilbert
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project lwjgl - Lightweight Java Game Library.

The tag, upstream/2.7.1+dfsg has been updated
to  cb1276cd76e26cb78a6a681349ab5af7b034d31f (commit)
  from  09bd29f33e456dfa8ed08d4ecf6caaa361e780d7

- Log -
commit cb1276cd76e26cb78a6a681349ab5af7b034d31f
Author: Michael Gilbert <michael.s.gilb...@gmail.com>
Date:   Sun Apr 3 18:06:11 2011 -0400

drop files deleted upstream
---


hooks/post-receive
-- 
lwjgl - Lightweight Java Game Library



RFS: yui-builder

2011-03-26 Thread Michael Gilbert
Hi,

I've packaged yui-builder to help solve bug #512915 in yui.  Would
anyone be so kind as to review and sponsor the upload?
http://mentors.debian.net/debian/pool/main/y/yui-builder

Thanks,
Mike


__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#592182: ant-contrib: missing for task

2010-08-07 Thread Michael Gilbert
package: ant-contrib
severity: normal
tags: patch

antcontrib.properties is missing an entry for the 'for' task.  see
attached patch that fixes the problem.

best wishes,
mike


ant-contrib.debdiff
Description: Binary data


[pkg-java] r11322 - in trunk/yuicompressor/debian: . bin patches

2009-12-30 Thread Michael Gilbert
Author: gilbert-guest
Date: 2009-12-30 23:11:14 + (Wed, 30 Dec 2009)
New Revision: 11322

Added:
   trunk/yuicompressor/debian/README.source
   trunk/yuicompressor/debian/bin/
   trunk/yuicompressor/debian/bin/yui-compressor
   trunk/yuicompressor/debian/fetch-upstream
   trunk/yuicompressor/debian/patches/
   trunk/yuicompressor/debian/patches/decompiler.patch
   trunk/yuicompressor/debian/patches/parser.patch
   trunk/yuicompressor/debian/patches/series
   trunk/yuicompressor/debian/patches/token.patch
   trunk/yuicompressor/debian/patches/tokenstream.patch
   trunk/yuicompressor/debian/patches/use-system-libraries.patch
   trunk/yuicompressor/debian/yui-compressor.1.xml
   trunk/yuicompressor/debian/yui-compressor.install
Removed:
   trunk/yuicompressor/debian/orig-tar.exclude
   trunk/yuicompressor/debian/orig-tar.sh
Modified:
   trunk/yuicompressor/debian/changelog
   trunk/yuicompressor/debian/control
   trunk/yuicompressor/debian/rules
Log:
updates to yui-compressor (should now be ready for upload to unstable)

Added: trunk/yuicompressor/debian/README.source
===
--- trunk/yuicompressor/debian/README.source(rev 0)
+++ trunk/yuicompressor/debian/README.source2009-12-30 23:11:14 UTC (rev 
11322)
@@ -0,0 +1,2 @@
+this package uses quilt for its patch system, see:
+/usr/share/doc/quilt/README.source

Added: trunk/yuicompressor/debian/bin/yui-compressor
===
--- trunk/yuicompressor/debian/bin/yui-compressor   
(rev 0)
+++ trunk/yuicompressor/debian/bin/yui-compressor   2009-12-30 23:11:14 UTC 
(rev 11322)
@@ -0,0 +1,2 @@
+#!/bin/sh
+java -jar /usr/share/yui-compressor/yui-compressor.jar $@
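Review bot: the launcher passes $@ unquoted on the java line, so any argument containing whitespace or glob characters (a file name with a space, for example) is split or expanded by the shell before yui-compressor sees it. Quote it as "$@", and consider prefixing the command with exec so the wrapper does not stay around as an extra process and the exit status of java is what the caller receives.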

Modified: trunk/yuicompressor/debian/changelog
===
--- trunk/yuicompressor/debian/changelog2009-12-30 22:21:50 UTC (rev 
11321)
+++ trunk/yuicompressor/debian/changelog2009-12-30 23:11:14 UTC (rev 
11322)
@@ -1,4 +1,4 @@
-yuicompressor (2.4.2-1) UNRELEASED; urgency=low
+yui-compressor (2.4.2-1) UNRELEASED; urgency=low
 
   [ Dominik Smatana ]
   * Initial release (closes: #519938)
@@ -11,4 +11,13 @@
   [ Release jar needs a rule set to minimize classpath conflicts
 when used in a build environment that has Rhino ]
 
+  [ Michael Gilbert ]
+  * Download the required rhino source files in the orig tarball
+fetching script.
+  * Add patches for build file to use system rhino and jargs libraries.
+  * Apply yui-compressor patches to the included rhino source.
+  * Add a README.source to describe the patch system.
+  * Add a launcher shell script.
+  * Add a manpage for the shell script.
+
  -- Damien Raude-Morvan draz...@debian.org  Mon, 09 Nov 2009 23:36:47 +0100
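Review bot: the first changelog hunk renames the source package from yuicompressor to yui-compressor, but none of the entries added under [ Michael Gilbert ] records that rename, and the trailer is still signed by Damien Raude-Morvan with the 09 Nov 2009 date. Add an entry for the rename and refresh the trailer before this entry leaves UNRELEASED.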

Modified: trunk/yuicompressor/debian/control
===
--- trunk/yuicompressor/debian/control  2009-12-30 22:21:50 UTC (rev 11321)
+++ trunk/yuicompressor/debian/control  2009-12-30 23:11:14 UTC (rev 11322)
@@ -1,18 +1,18 @@
-Source: yuicompressor
+Source: yui-compressor
 Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers 
pkg-java-maintainers@lists.alioth.debian.org
-Uploaders: Dominik Smatana dominik.smat...@gmail.com, Damien Raude-Morvan 
draz...@debian.org
-Build-Depends: cdbs, debhelper (= 7), default-jdk, ant
-Build-Depends-Indep: libjargs-java
+Uploaders: Dominik Smatana dominik.smat...@gmail.com , Damien Raude-Morvan 
draz...@debian.org , Michael Gilbert michael.s.gilb...@gmail.com
+Build-Depends: cdbs , debhelper (= 7) , default-jdk , ant , quilt , docbook2x
+Build-Depends-Indep: libjargs-java , rhino (= 1.7R2) , rhino ( 1.7R3)
 Homepage: http://developer.yahoo.com/yui/compressor/
 Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/yuicompressor/
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/yuicompressor/
 Standards-Version: 3.8.3
 
-Package: yuicompressor
+Package: yui-compressor
 Architecture: all
-Depends: default-jre-headless, libjargs-java
+Depends: ${misc:Depends}
 Description: YUI Compressor is JavaScript/CSS minifier
  The YUI Compressor is a JavaScript compressor which, in addition to removing
  comments and white-spaces, obfuscates local variables using the smallest
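Review bot: the Depends line is reduced to ${misc:Depends}, which drops default-jre-headless and libjargs-java, while the same commit adds a launcher that runs java -jar and a changelog entry saying the build now uses the system rhino and jargs libraries. Unless something else generates those relationships, the installed package has no guaranteed JRE, jargs or rhino at run time; list them explicitly in Depends.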
@@ -22,4 +22,3 @@
  .
  The YUI Compressor is also able to safely compress CSS files. The decision
  on which compressor is being used is made on the file extension (js or css).
-

Added: trunk/yuicompressor/debian/fetch-upstream
===
--- trunk/yuicompressor/debian/fetch-upstream   (rev 0)
+++ trunk/yuicompressor/debian/fetch-upstream   2009-12-30 23:11:14 UTC (rev 
11322)
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+echo $#
+if test $# != 2 ; then
+echo usage: $0 upstream version number rhino library version number
+exit
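Review bot: the argument check prints the usage text and then calls a bare exit, which returns the status of the preceding echo, so a wrong invocation ends with status 0 and a caller cannot detect the failure. Use exit 1, send the usage text to stderr, and drop the leading echo $# line, which looks like leftover debugging output.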

Bug#559765: jetty: CVE-2007-6672 info disclosure

2009-12-08 Thread Michael Gilbert
On Tue, 08 Dec 2009 09:26:54 +0100, Torsten Werner wrote:
> Michael Gilbert wrote:
> > it is much more straightforward to simply check that the
> > existing fix is applied. since you should have a relationship with
> > upstream, it should be relatively straightforward to get a response
> > from them.
>
> Upstream states that the package is fixed in version 6.1.7 at
> http://jira.codehaus.org/browse/JETTY-386#action_117699 and this page
> is linked from
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672. The
> oldest version from the jetty6 code base we ever had in Debian is 6.1.18.

you've mentioned this before, and i had seen that before submitting the
bug.  if changelog entries were considered sufficient, i would have
had no reason to submit the bug in the first place.

> > also, this package is your responsibility, so you can't
> > expect others to do your job for you.
>
> You have reported a bug that is more than 2.5 years old. How much
> history should the maintainer check in your opinion before he ever
> uploads to Debian? 2 years, 5 years, 10 years, 20 years...?

for security-related issues, yes, the entire lifetime of the program.

> > if you think this request is overburdensome/unjustified, you can send an
> > email to secur...@debian.org.  be aware that they expect this level of
> > thoroughness at a minimum.
>
> I do accept bug reports with false positives from the security team when
> time constraints do not allow proper checking because getting the
> information fast is more important in such cases than verifying the
> information. But that is a different story. You are reporting a bug that
> has been fixed some years ago and you could have verified it yourself.

like i said, i did do the verification that you mentioned, but again
this is not sufficient.  triaging this issue has been a todo for the
security team for the past 2.5 years, and i am trying to close it off.
please help me out.  thank you.

mike



___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers


Bug#559765: jetty: CVE-2007-6672 info disclosure

2009-12-08 Thread Michael Gilbert
this reference may be informative:
http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html

mike





Bug#559765: jetty: CVE-2007-6672 info disclosure

2009-12-07 Thread Michael Gilbert
reopen 559765
thanks

On Mon, 07 Dec 2009 10:38:07 +0100, Niels Thykier wrote:
> I found the upstream bug report[1] where upstream say they have fixed it
> in 6.1.7 (and provide a fix for earlier versions as well) - I saw no
> reason to doubt this.

changelog notes are not sufficient justification to close a security
issue. the source needs to be checked against a patch, so please find a
way to track that down.  the easiest way is probably to just ask
upstream. thanks.

mike





Bug#559765: jetty: CVE-2007-6672 info disclosure

2009-12-07 Thread Michael Gilbert
On Mon, 7 Dec 2009 21:21:14 +0100, Torsten Werner wrote:
> tags 559765 + wontfix
> thanks
>
> On Mon, Dec 7, 2009 at 5:10 PM, Michael Gilbert
> <michael.s.gilb...@gmail.com> wrote:
> > changelog notes are not sufficient justification to close a security
> > issue. the source needs to be checked against a patch, so please find a
> > way to track that down.  the easiest way is probably to just ask
> > upstream. thanks.
>
> No, I think it is your duty as the bug reporter to prove that the
> package is still vulnerable.

because the consequences of security issues can be dire (although in
this case the problem is fairly minor), it is much better to err on the
side of caution when dealing with them.  i can of course spend the time
to study this problem and try to reproduce it, but since there are
already claims that it is fixed, that seems like an unwise use of
time.  it is much more straightforward to simply check that the
existing fix is applied. since you should have a relationship with
upstream, it should be relatively straightforward to get a response
from them. also, this package is your responsibility, so you can't
expect others to do your job for you.

if you think this request is overburdensome/unjustified, you can send an
email to secur...@debian.org.  be aware that they expect this level of
thoroughness at a minimum.

best wishes,
mike





Bug#559765: jetty: CVE-2007-6672 info disclosure

2009-12-06 Thread Michael Gilbert
Package: jetty
Version: 6.1.21-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for jetty.

CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.

This may already be fixed.  Some of the messages that are linked from
the mitre page indicated that supposedly this was to be fixed in 6.1.7,
but I was unable to track down patches to verify. Please check.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
http://security-tracker.debian.org/tracker/CVE-2007-6672





Bug#559788: libgnucrypto-java: embeds classpath

2009-12-06 Thread Michael Gilbert
package: libgnucrypto-java
version: 2.1.0-4
severity: important
tags: security

hi,

libgnucrypto-java embeds classpath, which is very outdated.  this also
makes security updates very troublesome.  please update the package to
use the libraries provided by classpath.  thanks.

mike





Bug#559789: libgnucrypto-java: CVE-2008-5659 predictable random number generator

2009-12-06 Thread Michael Gilbert
Package: libgnucrypto-java
Version: 2.1.0-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath.  libgnucrypto-java embeds classpath, so it is
also affected.

CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.org/tracker/CVE-2008-5659





Bug#555226: lucene2: embeds prototype.js

2009-11-08 Thread Michael Gilbert
package: lucene2
version: 2.9.0+ds1-3
severity: important
tags: security

Hi,

Your package embeds prototype.js, which makes security updates very
cumbersome, difficult, and potentially error-prone. Please update your
package to make use of the system prototype.js provided by the
libjs-prototype binary package.

This is a mass-filing, and the only checking done so far is a version
comparison.  If your package for some reason is not affected or already
uses the system prototype.js, please close this bug with a message
indicating that that is the case.

Thank you very much for your attention on this matter.

Mike





Bug#555225: lucene2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: lucene2
version: 2.3.1+ds1-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0_pre4
  lenny: 1.4.0_pre4
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
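
The version comparison that this report and the Bug#555226 mass-filing rely on, as an added Python example that is not part of the original mails or of any Debian tooling. The fixed-in versions come from the report above; the way a prototype.js copy declares its version, the function names and the sample file contents are assumptions made for illustration.

```python
import re

# Fixed-in versions exactly as stated in the bug report above.
FIXED_IN = {"CVE-2007-2383": "1.5.1", "CVE-2008-7220": "1.6.0.2"}

# Assumption: an embedded copy declares its version either in the header
# comment ("framework, version X") or as the Prototype.Version property.
VERSION_RE = re.compile(
    r"""framework,\s+version\s+([0-9][\w.]*)|Version:\s*['"]([0-9][\w.]*)['"]""",
    re.IGNORECASE)


def embedded_version(js_text):
    """Return the version string a prototype.js copy declares, or None."""
    m = VERSION_RE.search(js_text)
    return (m.group(1) or m.group(2)).rstrip(".") if m else None


def version_key(version):
    """Sortable key; a suffix such as _pre4 or _rc1 sorts before the release."""
    m = re.match(r"(\d+(?:\.\d+)*)[_-]?(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))            # pad so 1.5.1 equals 1.5.1.0
    suffix = m.group(2)
    if not suffix:
        return (tuple(nums), 1, 0)           # plain release
    serial = re.search(r"(\d+)$", suffix)
    return (tuple(nums), 0, int(serial.group(1)) if serial else 0)


def affected_by(version):
    """CVE ids whose fixed-in version is newer than the embedded copy."""
    key = version_key(version)
    return sorted(c for c, fixed in FIXED_IN.items() if key < version_key(fixed))


def triage(files):
    """Map path -> (declared version, candidate CVE ids).

    `files` maps a path to file contents. A version of None means the copy
    declares nothing recognisable and has to be inspected by hand.
    """
    report = {}
    for path, text in files.items():
        version = embedded_version(text)
        report[path] = (version, affected_by(version) if version else [])
    return report


# Constructed sample contents (not taken from any real package).
SAMPLE_TREE = {
    "contrib/web/js/prototype.js":
        "/*  Prototype JavaScript framework, version 1.4.0_pre4\n */\n"
        "var Prototype = {\n  Version: '1.4.0_pre4',\n};\n",
    "docs/js/prototype.js": "var Prototype = {\n  Version: '1.5.1',\n};\n",
    "vendor/prototype.js": 'var Prototype = { Version: "1.6.0.2" };\n',
    "vendor/minified.js": "var a=1;",
}

if __name__ == "__main__":
    for path, (version, cves) in sorted(triage(SAMPLE_TREE).items()):
        print(f"{path}: {version} -> {', '.join(cves) or 'no match by version'}")
```

A match only marks the copy as a candidate: as the report says, the package still has to be checked, because an embedded file can be patched without its version string changing.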


