Re: [Pkg-javascript-devel] Bug#863481: Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

2017-05-28 Thread Ross Gammon
Hi Bastien,

On 05/27/2017 09:47 PM, roucaries bastien wrote:
> I can do it but I do not know what is best:
> - let 1.6 go to unstable
> - patch old version
>
> Could you ask the release team?
>
> The debdiff between the two versions is so small that I have doubts
>

I had almost finished the email to the release team, when I did some
final checks. And whilst I agree the unrelated changes upstream are very
small, I unfortunately enabled the testsuite in 1.6 (in experimental)
now that node-tape is available in unstable. As node-tape is not
available in testing (stretch), I would have to disable the tests when
moving to unstable.

All in all, I think it will be easier to create a stretch branch in git
& add a patch which will also make the unblocking process easier.

I will work on that today. But if I run out of time, please feel free to
take it forward.

Regards,

Ross

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Processing of node-readable-stream_2.2.9-1_amd64.changes

2017-05-28 Thread Debian FTP Masters
node-readable-stream_2.2.9-1_amd64.changes uploaded successfully to localhost
along with the files:
  node-readable-stream_2.2.9-1.dsc
  node-readable-stream_2.2.9.orig.tar.gz
  node-readable-stream_2.2.9-1.debian.tar.xz
  node-readable-stream_2.2.9-1_all.deb
  node-readable-stream_2.2.9-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Pkg-javascript-devel] node-create-hmac_1.1.4-2_source.changes REJECTED

2017-05-28 Thread Debian FTP Masters


node-create-hmac_1.1.4-2.dsc: Invalid size hash for 
node-create-hmac_1.1.4.orig.tar.gz:
According to the control file the size hash should be 1990,
but node-create-hmac_1.1.4.orig.tar.gz has 1978.

If you did not include node-create-hmac_1.1.4.orig.tar.gz in your upload, a 
different version
might already be known to the archive software.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.




[Pkg-javascript-devel] node-readable-stream_2.2.9-1_amd64.changes is NEW

2017-05-28 Thread Debian FTP Masters
binary:node-readable-stream is NEW.
binary:node-readable-stream is NEW.
source:node-readable-stream is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
 or https://ftp-master.debian.org/backports-new.html for *-backports



[Pkg-javascript-devel] Processing of node-create-hmac_1.1.4-2_source.changes

2017-05-28 Thread Debian FTP Masters
node-create-hmac_1.1.4-2_source.changes uploaded successfully to localhost
along with the files:
  node-create-hmac_1.1.4-2.dsc
  node-create-hmac_1.1.4-2.debian.tar.xz
  node-create-hmac_1.1.4-2_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Pkg-javascript-devel] Processing of node-create-hmac_1.1.4-2_source.changes

2017-05-28 Thread Debian FTP Masters
node-create-hmac_1.1.4-2_source.changes uploaded successfully to localhost
along with the files:
  node-create-hmac_1.1.4-2.dsc
  node-create-hmac_1.1.4-2.debian.tar.xz
  node-create-hmac_1.1.4-2_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Pkg-javascript-devel] RFS: node-raw-loader -- raw loader module for webpack

2017-05-28 Thread Daniel Ring
Hello,

I've finished packaging node-raw-loader (a dependency of webpack; ITP #863466),
and I'm currently looking for a sponsor for it. If anyone is interested, please
let me know!

Alioth SCM:
https://anonscm.debian.org/cgit/pkg-javascript/node-raw-loader.git/

Package DSC (mentors.debian.net):
https://mentors.debian.net/debian/pool/main/n/node-raw-loader/node-raw-loader_0.5.1-1.dsc

Sincerely,
Daniel Ring



[Pkg-javascript-devel] Bug#863575: unblock: node-concat-stream/1.5.1-2

2017-05-28 Thread Ross Gammon
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-concat-stream

Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no=863481. This was fixed
upstream, and a version of the fixing commit is included in this version as a
patch. The patch has been tested with the upstream testsuite, which unfortunately
has to be disabled as the testing framework (node-tape) does not exist in testing.

More information can be found in the attached debdiff (between testing &
unstable), in the patch description.

unblock node-concat-stream/1.5.1-2

-- System Information:
Debian Release: stretch/sid
  APT prefers yakkety-updates
  APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/changelog	2017-05-28 16:19:49.0 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+  * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+(Closes: #863481)
+  * Use stretch git branch
+  * Use Ubuntu email address
+
+ -- Ross Gammon   Sun, 28 May 2017 16:19:49 +0200
+
 node-concat-stream (1.5.1-1) unstable; urgency=low
 
   * Initial release (Closes: #796351)
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/control	2017-05-28 16:19:49.0 +0200
@@ -2,13 +2,13 @@
 Section: web
 Priority: optional
 Maintainer: Debian Javascript Maintainers 
-Uploaders: Ross Gammon 
+Uploaders: Ross Gammon 
 Build-Depends: debhelper (>= 9),
dh-buildinfo,
nodejs
 Standards-Version: 3.9.6
 Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
 
 Package: node-concat-stream
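
Review bot: The new Vcs-Git line still uses the unauthenticated git:// transport, while the Vcs-Browser line directly below it is already https://. Since this line is being edited anyway to add "-b stretch", point it at an https:// clone URL so that anyone fetching the stretch packaging branch for this security fix gets transport integrity. The Uploaders and Vcs-Git changes are also unrelated to the CWE-201 fix, so it is worth saying so in the unblock request to keep the release team's review focused on the patch.
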
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf	2017-05-28 16:19:49.0 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series	2015-11-08 17:03:58.0 +0100
+++ node-concat-stream-1.5.1/debian/patches/series	2017-05-28 16:19:49.0 +0200
@@ -1 +1,2 @@
 readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	1970-01-01 01:00:00.0 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	2017-05-28 16:19:49.0 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
 node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+   return 

[Pkg-javascript-devel] Bug#863481: marked as done ([node-concat-stream] Uninitialized Memory Exposure)

2017-05-28 Thread Debian Bug Tracking System
Your message dated Sun, 28 May 2017 18:18:33 +
with message-id 
and subject line Bug#863481: fixed in node-concat-stream 1.5.1-2
has caused the Debian Bug report #863481,
regarding [node-concat-stream] Uninitialized Memory Exposure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

Overview

concat-stream is a writable stream that concatenates strings or binary data and 
calls a callback with the result. Affected versions of the package are 
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number 
is provided to the stringConcat() method and results in concatenation of 
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure 
default constructor increases the odds of memory leakage.

--- End Message ---
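
The pattern described in the report above, as an added example (not concat-stream's code and not part of the original message): a simplified model of the unchecked Buffer constructor call next to a hardened variant. `legacyBuffer`, `collectVulnerable` and `collectHardened` are hypothetical names; `legacyBuffer` is an assumption that stands in for the old `Buffer(number)` behaviour via `Buffer.allocUnsafe`, because newer Node versions zero-fill the legacy constructor.

```javascript
// Stand-in for the old `Buffer(arg)` constructor (assumption for this demo):
// a number meant "allocate that many bytes without zero-filling them".
function legacyBuffer (arg) {
  return typeof arg === 'number' ? Buffer.allocUnsafe(arg) : Buffer.from(arg)
}

// Simplified model of the vulnerable pattern: any chunk that is neither a
// string nor a Buffer is handed to the Buffer constructor unchecked.
function collectVulnerable (parts) {
  return Buffer.concat(parts.map(function (p) {
    if (Buffer.isBuffer(p)) return p
    if (typeof p === 'string') return Buffer.from(p)
    return legacyBuffer(p) // number -> p bytes of uninitialized memory
  }))
}

// Hardened form: only real byte containers are copied; everything else
// (numbers included) is converted to its string form first.
function collectHardened (parts) {
  return Buffer.concat(parts.map(function (p) {
    if (Buffer.isBuffer(p)) return p
    if (typeof p === 'string') return Buffer.from(p)
    if (Array.isArray(p) || p instanceof Uint8Array) return Buffer.from(p)
    return Buffer.from(String(p))
  }))
}

// Constructed input: a number arrives where a string was expected, e.g. a
// JSON field such as {"name": 64} forwarded into the stream.
var parts = ['id=', 64]
var bad = collectVulnerable(parts)
var good = collectHardened(parts)
console.log('vulnerable: %d bytes, %d of them never written by the caller',
  bad.length, bad.length - 3)
console.log('hardened:   %d bytes -> %j', good.length, good.toString('utf8'))
```
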
--- Begin Message ---
Source: node-concat-stream
Source-Version: 1.5.1-2

We believe that the bug you reported is fixed in the latest version of
node-concat-stream, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ross Gammon  (supplier of updated node-concat-stream package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 28 May 2017 16:19:49 +0200
Source: node-concat-stream
Binary: node-concat-stream
Architecture: source
Version: 1.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers 

Changed-By: Ross Gammon 
Description:
 node-concat-stream - writable stream that concatenates strings
Closes: 863481
Changes:
 node-concat-stream (1.5.1-2) unstable; urgency=high
 .
   * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
 (Closes: #863481)
   * Use stretch git branch
   * Use Ubuntu email address
--- End Message ---

[Pkg-javascript-devel] Processing of node-concat-stream_1.5.1-2_source.changes

2017-05-28 Thread Debian FTP Masters
node-concat-stream_1.5.1-2_source.changes uploaded successfully to localhost
along with the files:
  node-concat-stream_1.5.1-2.dsc
  node-concat-stream_1.5.1-2.debian.tar.xz
  node-concat-stream_1.5.1-2_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Pkg-javascript-devel] node-concat-stream_1.5.1-2_source.changes ACCEPTED into unstable

2017-05-28 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 28 May 2017 16:19:49 +0200
Source: node-concat-stream
Binary: node-concat-stream
Architecture: source
Version: 1.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers 

Changed-By: Ross Gammon 
Description:
 node-concat-stream - writable stream that concatenates strings
Closes: 863481
Changes:
 node-concat-stream (1.5.1-2) unstable; urgency=high
 .
   * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
 (Closes: #863481)
   * Use stretch git branch
   * Use Ubuntu email address


Thank you for your contribution to Debian.



[Pkg-javascript-devel] Processed: limit package to libjs-jquery-tablesorter, found 731095 in 11-3

2017-05-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> limit package libjs-jquery-tablesorter
Limiting to bugs with field 'package' containing at least one of 
'libjs-jquery-tablesorter'
Limit currently set to 'package':'libjs-jquery-tablesorter'

> # The version of this package in Debian fails for me because 
> jquery.tablesorter.pager.js in Debian's tablesorter is not compatible with 
> Debian's jquery (3.1.1-2)
> found 731095 11-3
Bug #731095 [libjs-jquery-tablesorter] Please consider switching tablesorter to 
alternate upstream
Marked as found in versions jquery-goodies/11-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
731095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
