Processing of commons-math3_3.6.1-2_amd64.changes

[Debian FTP Masters]

commons-math3_3.6.1-2_amd64.changes uploaded successfully to localhost
along with the files:
  commons-math3_3.6.1-2.dsc
  commons-math3_3.6.1-2.debian.tar.xz
  commons-math3_3.6.1-2_amd64.buildinfo
  libcommons-math3-java-doc_3.6.1-2_all.deb
  libcommons-math3-java_3.6.1-2_all.deb

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

commons-math3_3.6.1-2_amd64.changes ACCEPTED into unstable

[Debian FTP Masters]

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2017 10:14:20 -0800
Source: commons-math3
Binary: libcommons-math3-java libcommons-math3-java-doc
Architecture: source all
Version: 3.6.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: tony mancill 
Description:
 libcommons-math3-java - Java lightweight mathematics and statistics components
 libcommons-math3-java-doc - Java lightweight mathematics and statistics 
components - document
Closes: 852880
Changes:
 commons-math3 (3.6.1-2) unstable; urgency=medium
 .
   * Team upload.
   * Update 03_libjs-mathjax.patch to add --allow-script-in-comments to
 maven-javadoc-plugin invocation to address FTBFS. (Closes: #852880)
Checksums-Sha1:
 9bd2613a7096dd67d1dfbbddaca1c542b8132262 2161 commons-math3_3.6.1-2.dsc
 b89ccbf8288816f63da02f09ed246a1e6734f883 8104 
commons-math3_3.6.1-2.debian.tar.xz
 763d4a97abeabc63712270197d0a4797680eddcc 13292 
commons-math3_3.6.1-2_amd64.buildinfo
 d51906864e426e5705f79abe48d5ee7c1e9a5bac 1565174 
libcommons-math3-java-doc_3.6.1-2_all.deb
 8fbd8a0a2b1e288bdf4c567c7edae46be2b24262 1940848 
libcommons-math3-java_3.6.1-2_all.deb
Checksums-Sha256:
 5905e1b97832c02eca799819683c3b44578ec5c555f9440d4e95e09b3008ed4f 2161 
commons-math3_3.6.1-2.dsc
 3304bf16bb2bbbee9c764ad5cf466eb8139ddcfb5a0553d4fcb9d511b97ff595 8104 
commons-math3_3.6.1-2.debian.tar.xz
 17e2e54280a9688c606522a335ad0532ec3de5e420d39c9ff3fbd28283e61992 13292 
commons-math3_3.6.1-2_amd64.buildinfo
 4b18fe6d14c9f0731c520e2054dda0848fad408f11bf0524dec79dcc24c88eac 1565174 
libcommons-math3-java-doc_3.6.1-2_all.deb
 948cf02963ced5dbfe0ac0fd1b1d7c8bf0b96f22dd836554676d912d2be6e4a7 1940848 
libcommons-math3-java_3.6.1-2_all.deb
Files:
 a21aa1e7bf20321e09b8cfeb32229e6d 2161 java optional commons-math3_3.6.1-2.dsc
 a9f2164fb653d2c5f01671df83583ae0 8104 java optional 
commons-math3_3.6.1-2.debian.tar.xz
 1d39f7156807d860c0c87d30622706ca 13292 java optional 
commons-math3_3.6.1-2_amd64.buildinfo
 82c3d9283bb32df4f97de5bb91ddd3d1 1565174 doc optional 
libcommons-math3-java-doc_3.6.1-2_all.deb
 e7b1349eda559741fd6604edc033348b 1940848 java optional 
libcommons-math3-java_3.6.1-2_all.deb

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAliU7oMACgkQIdIFiZdL
PpZx3A//WeBySPJ+vy8A72uOhZiCah/6Ot0Wt+wYmLJGdRaBI1GIsNkc7Y3fXsf3
UAG4RHtDZVedGjsmwgZ9rrO9BKnAyOstlKSvOz6YB71RYPSY9XsJVomei8yDoav/
53+gmnBrzBQsMiYBcev1/cehnuABIPq0dscNTcFv1T6cD2qAlbl+nUDX3uHtv/XO
DGzxMrGaFzmGEWD/iZW5LHvNEgUvuLhmcQs+8GzcGmCfhNWtIRCEvNoulD0/aNzu
EmrEYG/uR36nW8VmIwhTG+lsRKKR18iYiAnr1Y3WMXXerLJQ+4dfgVpRcOv0Sf9Y
JjPJUJgrZzsJ9yLSK+tp1FWVWKrhIxKYh/B7l7OSZcugXChfo1mbac4vMz/ynfFa
jH8beK7vLvgEzGdHobdDdGu7DWiwVvfcr+WldkkGS22utsjyMmUW2/trg7xb5thV
4+yHIbCnej+ldKY4veoJIvOJ29dPMY582/XDHZZusPtf3EjSQniuTRoHTcXonci6
TBj41P6Me7zwt1dujQ8Cg1ohLEDYDmBjM+Z9PCrBGt8Oy1MPpC65f8CbYEqD/QB2
6ohQEv3lLtARN/IFaXeOHRrUBT1q/WzWCsy/W3r7Q2GqLTfpfP9Z8yrMBSjbZKNO
eUMP6OAudbYCwy+6HgsjVjSf4pGVORt2FS/9OvGKQA28R+CF8UA=
=RNrV
-END PGP SIGNATURE-


Thank you for your contribution to Debian.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#852880: marked as done (commons-math3: FTBFS: find: '/usr/share/maven-repo/org/codehaus/plexus/plexus-containers/*/*.jar': No such file or directory)

[Debian Bug Tracking System]

Your message dated Fri, 03 Feb 2017 21:18:35 +
with message-id 
and subject line Bug#852880: fixed in commons-math3 3.6.1-2
has caused the Debian Bug report #852880,
regarding commons-math3: FTBFS: find: 
'/usr/share/maven-repo/org/codehaus/plexus/plexus-containers/*/*.jar': No such 
file or directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
852880: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: commons-math3
Version: 3.6.1-1
Severity: serious
Tags: stretch sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20170128 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):
>  debian/rules build
> dh build --buildsystem=maven
>dh_testdir -O--buildsystem=maven
>dh_update_autotools_config -O--buildsystem=maven
>dh_auto_configure -O--buildsystem=maven
> find: '/usr/share/maven-repo/org/codehaus/plexus/plexus-compiler/*/*.jar': No 
> such file or directory
> find: '/usr/share/maven-repo/org/codehaus/plexus/plexus-compilers/*/*.jar': 
> No such file or directory
> find: '/usr/share/maven-repo/org/codehaus/plexus/plexus-containers/*/*.jar': 
> No such file or directory
>   mh_patchpoms -plibcommons-math3-java --debian-build --keep-pom-version 
> --maven-repo=/<>/debian/maven-repo
>dh_auto_build -O--buildsystem=maven
>   /usr/lib/jvm/default-java/bin/java -noverify -cp 
> /usr/share/maven/boot/plexus-classworlds-2.x.jar:/usr/lib/jvm/default-java/lib/tools.jar
>  -Dmaven.home=/usr/share/maven 
> -Dmaven.multiModuleProjectDirectory=/<> 
> -Dclassworlds.conf=/etc/maven/m2-debian.conf 
> -Dproperties.file.manual=/<>/debian/maven.properties 
> org.codehaus.plexus.classworlds.launcher.Launcher 
> -s/etc/maven/settings-debian.xml -Ddebian.dir=/<>/debian 
> -Dmaven.repo.local=/<>/debian/maven-repo package javadoc:jar 
> javadoc:aggregate -DskipTests -Dnotimestamp=true -Dlocale=en_US
> [INFO] Scanning for projects...
> [INFO]
>  
> [INFO] 
> 
> [INFO] Building Apache Commons Math 3.6.1
> [INFO] 
> 
> [INFO] 
> [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ 
> commons-math3 ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 2 resources
> [INFO] 
> [INFO] --- maven-compiler-plugin:3.2:compile (default-compile) @ 
> commons-math3 ---
> [INFO] Changes detected - recompiling the module!
> [INFO] Compiling 990 source files to /<>/target/classes
> [INFO] 
> /<>/src/main/java/org/apache/commons/math3/optim/BaseOptimizer.java:
>  Some input files use or override a deprecated API.
> [INFO] 
> /<>/src/main/java/org/apache/commons/math3/optim/BaseOptimizer.java:
>  Recompile with -Xlint:deprecation for details.
> [INFO] 
> [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ 
> commons-math3 ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 38 resources
> [INFO] 
> [INFO] --- maven-compiler-plugin:3.2:testCompile (default-testCompile) @ 
> commons-math3 ---
> [INFO] Changes detected - recompiling the module!
> [INFO] Compiling 611 source files to /<>/target/test-classes
> [INFO] 
> /<>/src/test/java/org/apache/commons/math3/optimization/univariate/BrentOptimizerTest.java:
>  Some input files use or override a deprecated API.
> [INFO] 
> /<>/src/test/java/org/apache/commons/math3/optimization/univariate/BrentOptimizerTest.java:
>  Recompile with -Xlint:deprecation for details.
> [INFO] 
> [INFO] --- maven-surefire-plugin:2.17:test (default-test) @ commons-math3 ---
> [INFO] Tests are skipped.
> [INFO] 
> [INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ commons-math3 ---
> [INFO] Building jar: /<>/target/commons-math3-3.6.1.jar
> [INFO] 
> [INFO] --- maven-javadoc-plugin:2.10.4:jar (default-cli) @ commons-math3 ---
> [INFO] 
> Loading source files for package org.apache.commons.math3.dfp...
> Loading source files for package 
> org.apache.commons.math3.geometry.partitioning...
> Loading source files for package 
> org.apache.commons.math3.geometry.partitioning.utilities...
> Loading source files for package org.apache.commons.math3.geometry...
> Loading source files for package 
> org.apache.commons.math3.geometry.spherical.twod...
> Loading source files for 

logback 1:1.1.9-1 MIGRATED to testing

[Debian testing watch]

FYI: The status of the logback source package
in Debian's testing distribution has changed.

  Previous version: 1:1.1.8-1
  Current version:  1:1.1.9-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

openjpa 2.4.0-4 MIGRATED to testing

[Debian testing watch]

FYI: The status of the openjpa source package
in Debian's testing distribution has changed.

  Previous version: 2.4.0-3
  Current version:  2.4.0-4

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#854030: sweethome3d: Consider adding '-Dsun.java2d.opengl=true' startup option

[Markus Koschany]

On Fri, 03 Feb 2017 10:16:33 +0100 Alessio Gaeta  wrote:
> Package: sweethome3d
> Version: 5.3+dfsg-2
> Severity: wishlist
> 
> Dear Maintainer,
> 
> SH3D 2D interface is very slow and lagging, at least on my machine (an 8 cores
> Intel i7, not exaclty a low-end one). Adding '-Dsun.java2d.opengl=true' to
> startup options (in /usr/share/sweethome3d/sweethome3d.sh) made it usable.
> 
> I know that OpenGL acceleration is always problematic, and I don't know hot 
> its
> support is in OpenJDK (I'm using the Oracle JDK), but OpenGL is already used
> for the 3d view, after all, and in a CAD is a must (drawing a wall with the
> mouse pointer jumping back and forth is a real pain...).

Hello,

thanks for the report. I haven't noticed any performance issues with
Sweethome3d and OpenJDK in the past and I use a rather poor video card
for nowadays standards (Radeon HD 6450 using the Gallium OpenGL
renderer). I haven't tested the Oracle JDK though. We can test your
proposed setting when Stretch is released. I will add it to JAVA_ARGS in
/usr/bin/sweethome3d which seems to be the appropriate place for this
package.

Regards,

Markus





signature.asc
Description: OpenPGP digital signature
__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#854030: sweethome3d: Consider adding '-Dsun.java2d.opengl=true' startup option

[Markus Koschany]

On Fri, 03 Feb 2017 10:16:33 +0100 Alessio Gaeta  wrote:
> Package: sweethome3d
> Version: 5.3+dfsg-2
> Severity: wishlist
> 
> Dear Maintainer,
> 
> SH3D 2D interface is very slow and lagging, at least on my machine (an 8 cores
> Intel i7, not exaclty a low-end one). Adding '-Dsun.java2d.opengl=true' to
> startup options (in /usr/share/sweethome3d/sweethome3d.sh) made it usable.
> 
> I know that OpenGL acceleration is always problematic, and I don't know hot 
> its
> support is in OpenJDK (I'm using the Oracle JDK), but OpenGL is already used
> for the 3d view, after all, and in a CAD is a must (drawing a wall with the
> mouse pointer jumping back and forth is a real pain...).

Hello,

thanks for the report. I haven't noticed any performance issues with
Sweethome3d and OpenJDK in the past and I use a rather poor video card
for nowadays standards (Radeon HD 6450 using the Gallium OpenGL
renderer). I haven't tested the Oracle JDK though. We can test your
proposed setting when Stretch is released. I will add it to JAVA_ARGS in
/usr/bin/sweethome3d which seems to be the appropriate place for this
package.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature
__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

xmlbeans 2.6.0+dfsg-1 MIGRATED to testing

[Debian testing watch]

FYI: The status of the xmlbeans source package
in Debian's testing distribution has changed.

  Previous version: 2.6.0-4
  Current version:  2.6.0+dfsg-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

netty 1:4.1.7-2 MIGRATED to testing

[Debian testing watch]

FYI: The status of the netty source package
in Debian's testing distribution has changed.

  Previous version: 1:4.0.42-1
  Current version:  1:4.1.7-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: found 853134 in svgsalamander/0~svn95-1

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 853134 svgsalamander/0~svn95-1
Bug #853134 {Done: Bas Couwenberg } [src:svgsalamander] 
svgsalamander: CVE-2017-5617
Marked as found in versions svgsalamander/0~svn95-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Pending fixes for bugs in the svgsalamander package

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tag 853134 + pending
Bug #853134 {Done: Bas Couwenberg } [src:svgsalamander] 
svgsalamander: CVE-2017-5617
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#853134: Pending fixes for bugs in the svgsalamander package

[pkg-java-maintainers]

tag 853134 + pending
thanks

Some bugs in the svgsalamander package are closed in revision
975eaafa1bc3696ecf70b417de6109cf94094645 in branch '  wheezy' by Bas
Couwenberg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/svgsalamander.git/commit/?id=975eaaf

Commit message:

Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

(closes: #853134)

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#853134: Pending fixes for bugs in the svgsalamander package

[pkg-java-maintainers]

tag 853134 + pending
thanks

Some bugs in the svgsalamander package are closed in revision
c78ebe2de2e70bc6b69600f1c5878951013f4ba1 in branch '  jessie' by Bas
Couwenberg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/svgsalamander.git/commit/?id=c78ebe2

Commit message:

Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

(closes: #853134)

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Pending fixes for bugs in the svgsalamander package

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tag 853134 + pending
Bug #853134 [src:svgsalamander] svgsalamander: CVE-2017-5617
Ignoring request to alter tags of bug #853134 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#853134: Pending fixes for bugs in the svgsalamander package

[pkg-java-maintainers]

tag 853134 + pending
thanks

Some bugs in the svgsalamander package are closed in revision
0463aaee3bee4c864869832a1cbac9986e1bb16b in branch '  wheezy' by Bas
Couwenberg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/svgsalamander.git/commit/?id=0463aae

Commit message:

Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

(closes: #853134)

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Pending fixes for bugs in the svgsalamander package

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tag 853134 + pending
Bug #853134 [src:svgsalamander] svgsalamander: CVE-2017-5617
Ignoring request to alter tags of bug #853134 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#853134: marked as done (svgsalamander: CVE-2017-5617)

[Debian Bug Tracking System]

Your message dated Fri, 03 Feb 2017 08:49:27 +
with message-id 
and subject line Bug#853134: fixed in svgsalamander 1.1.1+dfsg-2
has caused the Debian Bug report #853134,
regarding svgsalamander: CVE-2017-5617
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: svgsalamander
Version: 1.1.1+dfsg-1
Severity: important
Tags: upstream security
Forwarded: https://github.com/blackears/svgSalamander/issues/11

Hi,

the following vulnerability was published for svgsalamander.

CVE-2017-5617[0]:
SSRF issue

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5617
[1] https://github.com/blackears/svgSalamander/issues/11

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: svgsalamander
Source-Version: 1.1.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
svgsalamander, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 853...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg  (supplier of updated svgsalamander package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2017 08:39:45 +0100
Source: svgsalamander
Binary: libsvgsalamander-java libsvgsalamander-java-doc
Architecture: source all
Version: 1.1.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Bas Couwenberg 
Description:
 libsvgsalamander-java - SVG engine for Java
 libsvgsalamander-java-doc - SVG engine for Java (documentation)
Closes: 853134
Changes:
 svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
 (closes: #853134)
Checksums-Sha1:
 3770cbe76b0b2ed4d8b216dcd2837ee7ff1d811f 2196 svgsalamander_1.1.1+dfsg-2.dsc
 2111eb84ec68cf057b61071c450dfcee7e87bd33 8100 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 6880a1a8cfa19288d8f604aabaa490876f55b503 175524 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 3f00ad19a70a87a6dda71b69bc5a6b202976d412 276870 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 7c6eb9fa627a4004811c624e7f8c4ae7e9337935 10382 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 f964b53ec7ca5d727effd4918909b2c4cd5c151041c3405806fdb5b1636a90a0 2196 
svgsalamander_1.1.1+dfsg-2.dsc
 2becf22e5b1dbc85febf7db7a77f75689841e0bdf97edf68aedb04401b661c4d 8100 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 a8c8246bffe346dca56d2c132e36f0b512fb70d6ee113a0c9e89994b10625e52 175524 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 f58ade8578a7a462743f9903fc26dcb5cc0efb9690dd394f07800c16782d7996 276870 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 0698de1251aecb2860f78c858a507aa21a2bed515f93af577359146cc03840ca 10382 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo
Files:
 dd6e331f299d3a709ae870d1ad14784b 2196 java extra svgsalamander_1.1.1+dfsg-2.dsc
 2f1e170e8ea7f7585806f9f9f5f09969 8100 java extra 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 0c967507a7b81885f1502562e753d8ba 175524 doc extra 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 30bf685e9413bfd49cd77ef9113dc7ca 276870 java extra 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 1c99c1e4089232a64dfe45ec41850055 10382 java extra 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJYlDW9AAoJEGdQ8QrojUrxhWMQAI9u6ubXBi8iLWot+R0QRSZ1
RIaoI14iT3rpe8QqoRAn7tgnqcEzogtHWxcB8i4vMc+WfWxdWrVfz9l8n/0WT/3n
ZZ7bIA8eFxXrCXJ1CF4sf5LT9Ugbib4QMscYkAksex/pNb+TYecKYba+gtyfXkCa
kooWfwaRbLSLiwK1i79mirSAEAs6l6Axiq4YPqDrUeVvSoQjDB1DSVMHSHVVq7Pw
EUzrJjcGV5RiC8qO1zvMduN5aYxeHTaPagxAlhmSzbo1ApUwduc3qDI4Dt1EUFTG
dOuvrFJKzdrd9CZ28Nac/3FSIFlHgB2KGgmOErVbx3Yu8w8eVRjwKZa7NsqqBpTk

Bug#854030: sweethome3d: Consider adding '-Dsun.java2d.opengl=true' startup option

[Alessio Gaeta]

Package: sweethome3d
Version: 5.3+dfsg-2
Severity: wishlist

Dear Maintainer,

SH3D 2D interface is very slow and lagging, at least on my machine (an 8 cores
Intel i7, not exaclty a low-end one). Adding '-Dsun.java2d.opengl=true' to
startup options (in /usr/share/sweethome3d/sweethome3d.sh) made it usable.

I know that OpenGL acceleration is always problematic, and I don't know hot its
support is in OpenJDK (I'm using the Oracle JDK), but OpenGL is already used
for the 3d view, after all, and in a CAD is a must (drawing a wall with the
mouse pointer jumping back and forth is a real pain...).

Thanks you. Regards
--
Alessio Gaeta



-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sweethome3d depends on:
ii  default-jre [java6-runtime] 2:1.8-58
ii  icedtea-netx-common 1.6.2-3.1
ii  java-wrappers   0.1.28
ii  libbatik-java   1.8-4
ii  libfreehep-graphicsio-svg-java  2.1.1-4
ii  libitext-java   2.1.7-11
ii  libjava3d-java  1.5.2+dfsg-11
ii  libsunflow-java 0.07.2.svn396+dfsg-14
ii  openjdk-8-jre [java6-runtime]   8u121-b13-2
ii  oracle-java6-installer [java6-runtime]  6u45-0~webupd8~8
ii  oracle-java7-installer [java6-runtime]  7u80+7u60arm-0~webupd8~1
ii  oracle-java8-installer [java6-runtime]  8u121-1~webupd8~0

Versions of packages sweethome3d recommends:
ii  sweethome3d-furniture  1.6.2-1

sweethome3d suggests no packages.

-- no debconf information

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#854028: unblock: svgsalamander/1.1.1+dfsg-2

[Bas Couwenberg]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package svgsalamander

It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).

unblock svgsalamander/1.1.1+dfsg-2

Kind Regards,

Bas
diff -Nru svgsalamander-1.1.1+dfsg/debian/changelog 
svgsalamander-1.1.1+dfsg/debian/changelog
--- svgsalamander-1.1.1+dfsg/debian/changelog   2016-08-22 08:31:39.0 
+0200
+++ svgsalamander-1.1.1+dfsg/debian/changelog   2017-02-03 08:39:45.0 
+0100
@@ -1,3 +1,11 @@
+svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+(closes: #853134)
+
+ -- Bas Couwenberg   Fri, 03 Feb 2017 08:39:45 +0100
+
 svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
--- 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
 1970-01-01 01:00:00.0 +0100
+++ 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
 2017-02-02 07:34:34.0 +0100
@@ -0,0 +1,109 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request 
Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
 b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable
+ if (getPres(sty.setName("xlink:href")))
+ {
+ URI src = sty.getURIValue(getXMLBase());
++// CVE-2017-5617: Allow only data scheme
+ if ("data".equals(src.getScheme()))
+ {
+ imageSrc = new URL(null, src.toASCIIString(), new 
Handler());
+-} else
+-{
+-try
+-{
+-imageSrc = src.toURL();
+-} catch (Exception e)
+-{
+-
Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
+-"Could not parse xlink:href " + src, e);
+-//e.printStackTrace();
+-imageSrc = null;
+-}
+ }
+ }
+ } catch (Exception e)
+@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable
+ throw new SVGException(e);
+ }
+ 
+-diagram.getUniverse().registerImage(imageSrc);
+-
+-//Set widths if not set
+-BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+-if (img == null)
++if (imageSrc != null)
+ {
+-xform = new AffineTransform();
+-bounds = new Rectangle2D.Float();
+-return;
+-}
++diagram.getUniverse().registerImage(imageSrc);
+ 
+-if (width == 0)
+-{
+-width = img.getWidth();
+-}
+-if (height == 0)
+-{
+-height = img.getHeight();
+-}
++//Set widths if not set
++BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++if (img == null)
++{
++xform = new AffineTransform();
++bounds = new Rectangle2D.Float();
++return;
++}
+ 
+-//Determine image xform
+-xform = new AffineTransform();
+-//xform.setToScale(this.width / img.getWidth(), this.height / 
img.getHeight());
+-//xform.translate(this.x, this.y);
+-xform.translate(this.x, this.y);
+-xform.scale(this.width / img.getWidth(), this.height / 
img.getHeight());
++if (width == 0)
++{
++width = img.getWidth();
++}
++if (height == 0)
++{
++height = img.getHeight();
++}
++
++//Determine image xform
++xform = new AffineTransform();
++xform.translate(this.x, this.y);
++xform.scale(this.width / img.getWidth(), this.height / 
img.getHeight());
++}
+ 
+ bounds = new Rectangle2D.Float(this.x, this.y, this.width, 
this.height);
+ }
+@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
+ {
+ URI src = sty.getURIValue(getXMLBase());
+ 
+-URL newVal;
++URL newVal = null;
++// CVE-2017-5617: Allow only data scheme
+ if ("data".equals(src.getScheme()))
+ 

Bug#853134: CVE-2017-5617: svgSalamander

[Sebastiaan Couwenberg]

On 02/02/2017 07:09 PM, Sebastiaan Couwenberg wrote:
> On 02/02/2017 07:44 AM, Sebastiaan Couwenberg wrote:
>> On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
>>> On 2017-02-01 09:35, Bas Couwenberg wrote:
 Including the JOSM developers (josm-...@openstreetmap.org) is also a
 good idea, they (and Vincent Privat in particular) have contributed
 patches to svgSalamander recently.

 I'll report the issue in the JOSM Trac since it also affects the
 embedded copy in their upstream SVN repo.
>>>
>>> JOSM issue: https://josm.openstreetmap.de/ticket/14319
>>
>> Vicent Privat has fixed the issue for JOSM, and I've added a patch to
>> the svgsalamander Debian package with his changes.
>>
>> We may want to include the regression test too, but I'm not sure how
>> that works in svgsalamander.
>>
>> If we can't do that easily, we should just keep the patch as-is without
>> the regression tests that are included for JOSM.
> 
> I want the fixed package uploaded ASAP, preferably today because
> tomorrow I leave for FOSDEM and aren't likely to be able to do an upload.

I've uploaded the fixed svgsalamander to unstable, and also ported the
patch to the package in jessie & wheezy.

I'll coordinate with the security & LTS teams before uploading to
package for jessie & wheezy.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

svgsalamander_1.1.1+dfsg-2_amd64.changes ACCEPTED into unstable

[Debian FTP Masters]

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2017 08:39:45 +0100
Source: svgsalamander
Binary: libsvgsalamander-java libsvgsalamander-java-doc
Architecture: source all
Version: 1.1.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Bas Couwenberg 
Description:
 libsvgsalamander-java - SVG engine for Java
 libsvgsalamander-java-doc - SVG engine for Java (documentation)
Closes: 853134
Changes:
 svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
 (closes: #853134)
Checksums-Sha1:
 3770cbe76b0b2ed4d8b216dcd2837ee7ff1d811f 2196 svgsalamander_1.1.1+dfsg-2.dsc
 2111eb84ec68cf057b61071c450dfcee7e87bd33 8100 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 6880a1a8cfa19288d8f604aabaa490876f55b503 175524 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 3f00ad19a70a87a6dda71b69bc5a6b202976d412 276870 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 7c6eb9fa627a4004811c624e7f8c4ae7e9337935 10382 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 f964b53ec7ca5d727effd4918909b2c4cd5c151041c3405806fdb5b1636a90a0 2196 
svgsalamander_1.1.1+dfsg-2.dsc
 2becf22e5b1dbc85febf7db7a77f75689841e0bdf97edf68aedb04401b661c4d 8100 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 a8c8246bffe346dca56d2c132e36f0b512fb70d6ee113a0c9e89994b10625e52 175524 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 f58ade8578a7a462743f9903fc26dcb5cc0efb9690dd394f07800c16782d7996 276870 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 0698de1251aecb2860f78c858a507aa21a2bed515f93af577359146cc03840ca 10382 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo
Files:
 dd6e331f299d3a709ae870d1ad14784b 2196 java extra svgsalamander_1.1.1+dfsg-2.dsc
 2f1e170e8ea7f7585806f9f9f5f09969 8100 java extra 
svgsalamander_1.1.1+dfsg-2.debian.tar.xz
 0c967507a7b81885f1502562e753d8ba 175524 doc extra 
libsvgsalamander-java-doc_1.1.1+dfsg-2_all.deb
 30bf685e9413bfd49cd77ef9113dc7ca 276870 java extra 
libsvgsalamander-java_1.1.1+dfsg-2_all.deb
 1c99c1e4089232a64dfe45ec41850055 10382 java extra 
svgsalamander_1.1.1+dfsg-2_amd64.buildinfo

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJYlDW9AAoJEGdQ8QrojUrxhWMQAI9u6ubXBi8iLWot+R0QRSZ1
RIaoI14iT3rpe8QqoRAn7tgnqcEzogtHWxcB8i4vMc+WfWxdWrVfz9l8n/0WT/3n
ZZ7bIA8eFxXrCXJ1CF4sf5LT9Ugbib4QMscYkAksex/pNb+TYecKYba+gtyfXkCa
kooWfwaRbLSLiwK1i79mirSAEAs6l6Axiq4YPqDrUeVvSoQjDB1DSVMHSHVVq7Pw
EUzrJjcGV5RiC8qO1zvMduN5aYxeHTaPagxAlhmSzbo1ApUwduc3qDI4Dt1EUFTG
dOuvrFJKzdrd9CZ28Nac/3FSIFlHgB2KGgmOErVbx3Yu8w8eVRjwKZa7NsqqBpTk
qRwypgufVaFXp9J3+T2GOi/zX5XmYWkS+SB3STQUb/CNS/vUSZJb+IsY8MyJu72F
WnoCkB7ciC6mibcyMQnwZRU6xvO2hpFraqmtbSrBjlzeORXtCLqJBjvBkSaiSdV4
Ag3c4JO/cfjXQOwmhwzjClLFHaNwG9ru3udkPvZZGUE723GxbMZt4oPgbZH3a2hM
iSIoI+oZMemIIEWiOm/mxGk/lIeBk7WTfX8CpsdOfywaqphqj8I4NV/YODL1mQC2
x2YwBXDWGPVd9TPxLWf8zTQqeGrPkG+zwRmPzQutHLF0jHA9HDseGvI41xW1WGJN
pg5niHnEbZKXlIS3WyB0
=VIpb
-END PGP SIGNATURE-


Thank you for your contribution to Debian.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#853998: marked as done (CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / CVE-2016-5519)

[Debian Bug Tracking System]

Your message dated Fri, 3 Feb 2017 17:25:57 +0100
with message-id <20170203162557.nqyxbmc6lqdebwjm@pisco.westfalen.local>
and subject line Re: Bug#853998: CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 
/ CVE-2016-5528 / CVE-2016-5519
has caused the Debian Bug report #853998,
regarding CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / 
CVE-2016-5519
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
853998: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853998
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glassfish
Severity: grave
Tags: security

So Oracle has these lovely, unspecified vulnerabilities reported against 
Glassfish,
but it's my understanding that the Debian package only provides a minor subset
what usually constitutes Java, so could you have a look, which of 

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

might possibly affect the Debian package?

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
On Fri, Feb 03, 2017 at 12:16:07AM +0100, Emmanuel Bourg wrote:
> Le 2/02/2017 à 23:08, Moritz Muehlenhoff a écrit :
> 
> > So Oracle has these lovely, unspecified vulnerabilities reported against 
> > Glassfish,
> > but it's my understanding that the Debian package only provides a minor 
> > subset
> > what usually constitutes Java, so could you have a look, which of 
> > 
> > http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
> > 
> > might possibly affect the Debian package?
> 
> I think this is unlikely to affect our packages. We only have two
> specification packages (glassfish-javaee and glassfish-jmac-api) and an
> Object/Relational mapper (glassfish-toplink-essentials) that is never
> used at runtime.

OK, I've marked these as not-affected in the security tracker, then.

Cheers,
Moritz--- End Message ---
__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

jsemver 0.9.0-2 MIGRATED to testing

[Debian testing watch]

FYI: The status of the jsemver source package
in Debian's testing distribution has changed.

  Previous version: 0.9.0-1
  Current version:  0.9.0-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

netty-tcnative 1.1.33.Fork26-1 MIGRATED to testing

[Debian testing watch]

FYI: The status of the netty-tcnative source package
in Debian's testing distribution has changed.

  Previous version: 1.1.33.Fork25-1
  Current version:  1.1.33.Fork26-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.