Control: severity -1 normal
Control: tag -1 + pending
Hello,
odoo-16 is the official and latest version available in Debian ("saas"
are not meant to be deployed locally) right now; 17 and 18 will be
packaged soon.
Upgrading from one major version to the next is not directly supported
in Debian:
In case someone out there is stuck real bad with this bug in bookworm,
here's a very nasty workaround for which I of course decline all
responsibility:
$ mkdir /usr/share/fonts/type1/gsfonts
$ ln -sf /usr/share/fonts/X11/Type1/C059-Roman.pfb /usr/share/fonts/type1/gsfonts/n021003l.pfb
Control: fixed 1059326 4.0.8-1
The earliest fixed version is most likely between 4.0.4-7 and 4.0.4-11.
Cheers,
--
Seb
On Thu, Mar 02 2023, Glenn wrote:
> I think this bug could be more serious than wishlist, as the server
> doesn't start, for me at least.
>
> When trying to start it with the same line from its init file, it
> concludes with the error; No module named 'PyPDF2.utils'
Hi Glenn,
the bug you're
On Mon, Jan 30 2023, Roland Mas wrote:
> golang-github-cavaliergopher-grab has been accepted into
> unstable. Shall I proceed with the aptly upload or would one of you
> guys prefer doing it?
You can go ahead.
Cheers,
--
Seb
On 02/01 15:04, Roland Mas wrote:
> I took the liberty of packaging the cavaliergopher/grab library
Thanks for uploading that to NEW and closing the associated RFP.
> I also updated the packaging for aptly 1.5.0, which I committed and
> pushed to salsa, but I'd rather you had a look before
On 22/11 11:01, Kyle Edwards wrote:
> Package: aptly
> Version: 1.4.0+ds1-7
>
> Aptly 1.4.0 does not support the zstd compression found in Ubuntu 22.04
> packages. Please upgrade Aptly to 1.5.0 to support the new zstd compression.
This was fixed in 1.4.0+ds1-7, as per #1010465[fn:1]. Are you
On 15/11 14:51, Louis-Philippe Véronneau wrote:
> I'm CC-ing Sebastien Delafond explicitly, as he seems to be the
> maintainer of all the packages in the archive that depend or
> build-depend on blist (python-raccoon, python-panwid, elastalert).
>
> In a perfect world, those packages should
On 03/06 03:21, Bastian Germann wrote:
> Source: aptly
> Version: 1.4.0+ds1-7
>
> Now that aptly can publish zstd packages can you please upload the
> current version to bullseye-backports? That would be very helpful,
> e.g., to mirror Ubuntu jammy.
>
> I can also upload it myself if you agree.
Hi Enrico,
see the comment from upstream here:
https://github.com/aptly-dev/aptly/issues/1031#issuecomment-1046299497
I'm tempted to mark this as minor+wontfix, leaving it open to serve as a
reference for other users. What do you think?
Cheers,
--
Seb
Hi Sam,
upstream apparently cannot reproduce the issue anymore[0]. Do you still
see this on your end?
Cheers,
--
Seb
[0] https://github.com/aptly-dev/aptly/issues/403#issuecomment-1024176943
On 06/01 06:10, Salvatore Bonaccorso wrote:
> CVE-2021-46144 has been assigned for the roundcube issue.
Thanks for taking care of this Salvatore. I'll review the debdiffs once
Guilhem sends them, and will take care of the DSA afterwards.
Cheers,
--
Seb
As far as OVAL is concerned, all the relevant MRs are merged in, and the
OVAL files are now being generated on www-master[0] using python3:
[...]
/usr/bin/python3 generate.py -q -d .. -j DebianSecTracker.json -r bullseye >oval-definitions-bullseye.xml
Cheers,
--
Seb
[0]
With https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/737
now merged, python3 support is in
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/740. I'll
open an RT ticket to get
https://salsa.debian.org/seb/debian.org/-/commit/72fbf295abfd042835ce786344a13bcf8a81148b
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/752
On 07/11 10:22, Noah Meyerhans wrote:
> [...] These two OVAL definitions list essentially identical criteria,
> yet their actual status in bullseye is quite different:
>
> CVE-2020-28200 is still present in bullseye and is a legitimate
> finding by any scanner based on these definitions:
>
See https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/737.
On 08/09 16:54, Adrian Bunk wrote:
> I've prepared an NMU for centreon-connectors (versioned as
> 19.10.0-1.1) and uploaded it to DELAYED/14. Please feel free to tell
> me if I should cancel it.
Hi Adrian,
thanks a lot for taking care of this, it's really appreciated.
Cheers,
--
Seb
For the Security Team, unblocking 5.7.1 is the preferred option as it
will make supporting WP for the entire bullseye lifecycle much
easier. If the Release Team thinks it's too late at this point for such
an unblock, we'd favor going with 5.6.3 instead.
Cheers,
--
Seb
On 19/02 13:53, Bastian Germann wrote:
> * Package name: mupdf
> Version : 1.14.0+ds1-4+deb10u3
> [...]
> * Avoid a use-after-free in fz_drop_band_writer (CVE-2020-16600)
Hi Bastian,
thanks for your work on this. We think this update should go via
stable-proposed-updates:
On 19/02 09:25, Chris Lamb wrote:
> > Django is vulnerable because it embeds parse_qsl:
> >
> > https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
>
> Security team, let me know if you would like an update for stable.
Hi Chris,
we think this should rather go via s-p-u.
On 12/02 16:07, Thomas Goirand wrote:
> Please find the attached debdiff for the upload to security-master.
Hi Thomas,
this looks good, please upload to security-master.
Cheers,
--
Seb
On 21/01 12:46, Utkarsh Gupta wrote:
> I can create an issue in the original fork. However, just know that
> this library is *not* being maintained at all. So there won't be much
> help from anywhere.
I'm not expecting upstream to fix it either, but it'd feel more
comfortable to close this bug on
On 21/01 12:31, Utkarsh Gupta wrote:
> Aah, okay. So I ran sbuild + autopkgtest 10 times, all passed for me.
> But when I ran these tests locally with rake, it failed for me exactly
> like the report just for the first time. And then passed all 9 times
> afterward.
I haven't been able to
Hi Utkarsh,
since you took care of the last upload, do you also plan to fix this
FTBFS? If not, please let me know and I'll look into it.
Cheers,
--
Seb
Here's upstream's take on the problematic items in this list:
> use libjs-jquery-form
The version in Debian is too old right now, and won't work properly.
> libjs-underscore
The version in Debian is more recent, and needs to be validated.
> libjs-cropper
Different upstreams:
Odoo: 1.5.5
On 11/12 18:59, Sylvain Beucler wrote:
> I did more tests during the past few hours (checking that
> XERCES_DISABLE_DTD does address the memory leak and using a couple
> reverse dependencies) and just uploaded the buster update to security
> master.
I've just rejected this upload, so you can
On 09/12 17:46, Sylvain Beucler wrote:
> Here's a debdiff against buster.
>
> The testsuite passes, provided we modify MemHandlerTest1 to take the
> leak into account.
Hi Sylvain,
thanks for the debdiff, it looks good and the trade-off makes sense. You
can upload to security-master and I'll
On 02/11 08:01, Craig Small wrote:
> Wordpress versions less than 5.5.2 have the following security
> vulnerabilities:
>
> CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
> CVE-2020-28035: XML-RPC privilege escalation.
> CVE-2020-28036: XML-RPC privilege escalation.
>
On 27/10 16:20, Baptiste Beauplat wrote:
> I've just been given out the access on salsa. Ready to welcome
> testinfra :)
Done:
https://salsa.debian.org/python-team/packages/testinfra
Cheers,
--
Seb
On 23/10 17:11, Baptiste Beauplat wrote:
> Sure. I initially suggested debian because I'm not in the python
> team. I guess that will be the opportunity to join in :)
All right; can you let me know once you've joined, and then we can see
about transferring it there?
Cheers,
--
Seb
On 15/10 09:30, Baptiste Beauplat wrote:
> From what I can see on the package tracker, testinfra hasn't been very
> active packaging wise. No source uploads have been done and the package
> hasn't migrated to testing, since 2019.
>
> I do believe that having testinfra in a Debian stable release
tag 947187 + wontfix
close 947187
thanks
This is now unmaintained upstream:
Note: As of June 2020 I do not have time to maintain this repository
anymore and I've thus made it read-only.
FTR, here's where I was with the packaging (the package itself could be
built, but dh_test failed):
On 02/09 09:23, Gianfranco Costamagna wrote:
> source only uploads for non-free are a sad story...
Ah, forgot about that again.
> I'll try to upload the binary shortly!
Do you want me to do that today?
Cheers,
--
Seb
Upstream uses hdf5plugin, but it can be patched out in 2 lines once
https://salsa.debian.org/alteholz/bitshuffle/-/merge_requests/1 is
merged.
I plan on testing whether relaxing the constraint plus including 902ef59
is enough to get the current version of mitmproxy running with tornado6.
If that doesn't work, I'll look into packaging 5.1.1.
Cheers,
--
Seb
On 15/06 10:49, Chris Lamb wrote:
> > The full debdiffs are attached. Can you especially check the
> > versioning scheme and distribution fields for me? I often get this
> > wrong and end up confusing myself. Really appreciated.
>
> They are now attached.
They look fine, please upload to
On 06/06 10:15, Chris Lamb wrote:
> > python-django: CVE-2020-13254 CVE-2020-13596
>
> Security team, would you like an update for stretch and/or buster to
> address these issues? It's fixed in sid, experimental as well as
> jessie LTS. Bullseye is just pending migration time AFAICT.
Hi Chris,
Hi Alexandre,
I noticed opendht 2.1 is now in sid. Is there anything I can do to help
with the next steps, however you see fit?
Cheers,
--
Seb
On 04/05 10:31, Sébastien Delafond wrote:
> > I add a basic d/salsa-ci.yml, that should tell us what's going on.
>
> All the unit tests are passing in salsa:
>
> https://salsa.debian.org/debian/restinio/-/jobs/717236#L1500
Hi Alexandre,
in the current state, do you thi
On 04/05 09:18, Sébastien Delafond wrote:
> I re-ran the build this morning from the repository you created, and it
> passes here in sbuild; TTBOMK it's only binding its test router to
> 127.0.0.1, and not trying to reach anything outside, but I may be
> missing something.
>
>
On 03/05 19:40, Alexandre Viau wrote:
> Also, I notice that the package's Changelog already has two entries,
> but was it even uploaded once? Should it say UNRELEASED instead, until
> it is uploaded, or should I understand that it was uploaded?
This was my mistake, it should have said UNRELEASED
Control: tag -1 fixed-upstream
Fixed by https://github.com/CCExtractor/ccextractor/pull/1226, merged on
master.
Cheers,
--
Seb
On 27/04 13:13, Felix Salfelder wrote:
> I hope it is more clear now, how I prefer to use the small tarball
> over running the tests, as a matter of principle
It was perfectly clear the first time, and this is where we can agree to
disagree. Starting on this project I had a couple of goals, and
On 27/04 11:02, Felix Salfelder wrote:
> > - salsa-ci
> >
> > - open an issue upstream to integrate my two cmake patches for the
> > scenario "build a release without shipping binaries, yet
> > insist on running the tests during our build"
>
> I will see what I can do about these.
I've pushed my version of restinio's packaging to
https://salsa.debian.org/seb/restinio's master branch. I started from
Felix's initial effort, but a lot of things were missing:
- d/copyright severely lacking
- missing build-deps (most notably on cmake) initially prevented
building as-is
On 21/04 20:23, Thomas Koch wrote:
> I just uploaded persist-el. Thank you and sorry for the delay.
As I had announced in my previous email, I already did that; see msg=19
of #954050, and
https://ftp-master.debian.org/new/persist-el_0.4+dfsg-1.html.
I'll most definitely be out of your way for
On 07/04 14:06, Alexandre Viau wrote:
> - https://bugs.debian.org/950198
Hi Alexandre,
I will look into Felix's packaging of restinio soon.
Cheers,
--
Seb
On 11/04 06:31, Nicholas D Steeves wrote:
> #947017 "ITP: org-drill" is blocked by this RFS (#954050) for a
> required dependency (persist-el). Please sponsor at your earliest
> convenience so we can resume progress on getting org-drill back into
> Debian.
Hello,
I have very little bandwidth
block 954614 by 954572
thanks
This is due to #954572: since ruby-method-source got bumped to 1.0.0,
the requirements for ruby-pry-byebug are not satisfiable anymore. Since
puppet-beaker depends on that, it also fails to run its tests. Ultimately
the solution is to fix #955340.
Cheers,
--
Seb
retitle -1 ITP: pyhst2 -- Python High Speed Tomographic reconstruction
tag -1 + pending
owner -1 s...@debian.org
thanks
retitle 723017 ITP: xrayutilities -- Python x-ray data reduction and analysis
owner 723017 s...@debian.org
tag 723017 + pending
thanks
Hi Axel,
for the record, the Security Team doesn't think this warrants a DSA.
Cheers,
--
Seb
On 09/01 14:24, Pascal Vibet - ADACIS wrote:
> I have a seg-fault in centengine process
> [...]
Hi Pascal,
thanks for opening this; could you report it upstream at
https://github.com/centreon/centreon-engine/issues/ ?
Cheers,
--
Seb
On 08/01 09:56, tho...@koch.ro wrote:
> I intend to start using org-drill again once it is in Debian.
> I've never sponsored yet, but I'm a DD now and should learn how to do it.
> So I can upload.
Perfect: it's a much better solution than me uploading it.
Cheers,
--
Seb
On 07/01 15:07, Nicholas D Steeves wrote:
> Since you're the elpa-org-mode maintainer, would you like to package
> org-drill, which was broken out into its own project for org-mode 9.3
> (possibly earlier)?
>
> Failing that, could I add you as an uploader? I'm happy to do the
> work to package
On 24/12 00:19, Thorsten Glaser wrote:
> While the package is patched to return the system location,
> it still ships /usr/lib/python3/dist-packages/certifi/cacert.pem
> which causes the .deb to be larger than it must.
>
> Furthermore it might lead people to believe using that bundle
> is
Hi Antonio,
the solution currently implemented does indeed test the installed
package: it will install it using
/etc/apt/sources.list.d/autopkgtest.list, and run the entire upstream
test suite against that. You are right that all of this happens in a
docker container.
This is because that all
On 02/10 09:43, Salvatore Bonaccorso wrote:
> Whilst I'm not yet sure if we should really release a further DSA for
> jackson-databind (we will come back to you on that), a possible idea
> for bullseye (might be better cloned/filled as new bug, but want to
> mention it here already):
Let's do a
Hello,
just a quick follow-up to let you know that this bug is still preventing
ceph-iscsi from being uploaded to sid. As such, I'm again offering my
help if you think the version bump itself is OK, but you don't have
enough time to take care of it.
Cheers,
--
Seb
Upstream indicates that:
We are working actively on that subject. So the next release of
centreon-broker won't need qt4 nor qt5. Qt will be completely removed
from it. We hope this change to be finished for the next release of
Centreon.
This is targeted for 19.10, to be released in
I've tried a bunch of things, essentially reusing my older
pbuilder-based build setup (as opposed to the newer sbuild-based one),
to no avail: I keep getting those extra upper-bound versioned
dependencies in the resulting package.
At this point I see two options:
- build a +deb9u2 that uses
On 26/08 17:42, Adam D. Barratt wrote:
> Our tooling has highlighted a dependency issue. I've not had chance to
> check if it already existed in the earlier package, but:
>
> unsat-dependency: python-cryptography (< 1.6)
>
> stretch has python-cryptography 1.7.1
This is a regression
On 08/08 11:02, Chris Lamb wrote:
> +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high
> [...]
> +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high
Thanks, these both look good; please upload to security-master.
Cheers,
--
Seb
On 06/08 10:20, Chris Lamb wrote:
> Security team (added to CC), would you be interested in uploads for
> buster (currently 1:1.11.22-1~deb10u1) and stretch (currently
> 1:1.10.7-2+deb9u5)?
Hi Chris,
yes, thank you. Can you email us debdiffs ? I'll then take care of the
review and DSAs.
Cheers,
Hello,
upstream doesn't ship one, and I unfortunately do not have the time to
write it myself. If someone does, and also commits to keeping it
synchronized with upstream releases, I'll include it in the package.
Cheers,
--
Seb
On 15/04 21:31, Alessandro -oggei- Ogier wrote:
> I'd like to point out that package in fact depends on file(1)
> and when that package isn't installed py3status fails with an error.
>
> Since on a freshly installed Debian system file package is not an
> essential, this dependency should be
On 27/03 09:26, Michal Politowski wrote:
> Actually I think there is no need to compile x11idle. As the footnote
> https://orgmode.org/manual/Resolving-idle-time.html#DOCF82 says,
> Debian already provides xprintidle, which seems to work for me.
>
> Maybe elpa-org could just suggest that package
On Feb/09, Nicolas Braud-Santoni wrote:
> Ah, I was bitten in the arse by #884428 again.
> The upload to security-master should now be fine :)
>
> Sorry for accidentally duplicating your work, I didn't realise you had
> prepared a backported fix for stable before the issue went public :)
Thanks
On Feb/08, Nicolas Braud-Santoni wrote:
> I backported the fix and prepared an upload.
> The debdiff is attached, and the commands used to produce it are documented
> below.
>
> May I proceed with an upload to security-master?
It looks OK to me, so if it passes testing on your end please
Package: libu2f-host
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libu2f-host.
CVE-2018-20340[0]:
Unchecked buffer in libu2f-host before 1.1.7 ...
If you fix the vulnerability please also make sure to include the
CVE
On Jan/31, Jonas Smedegaard wrote:
> The underlying issue is that the "js" in python-jsbeautifier stands
> for JavaScript, and python-jsbeautifier fails to properly expose the
> JavaScript part of the project as a shared library!
>
> The straightforward solution is for python-jsbeautifier to also
To me the straightforward solution here is not dpkg-alternative, but
what Ivo recommended, since it only involves modifying *one* package.
Cheers,
--
Seb
https://salsa.debian.org/qt-kde-team/qt/pyside2/merge_requests/2
Here is the corresponding MR:
https://salsa.debian.org/python-team/modules/python-twilio/merge_requests/1
Cheers,
--
Seb
Here is the corresponding MR:
https://salsa.debian.org/python-team/modules/pystaticconfiguration/merge_requests/1
Cheers,
--
Seb
Control: forwarded -1
Control: tag -1 + upstream
Let's wait a bit for upstream's take on this issue, that was triggered
when pytest 3.10 entered unstable last month. If need be, we could
disable TestConfigurationWatcher::* when building the python2 package.
Cheers,
--
Seb
Hi fellows,
I've got a 1.9.10 nagvis package ready in salsa[0], that fixes four of
the currently open bugs including this one. I've also manually included
1:1.7.10+dfsg1-3.2, which wasn't present in the salsa repository.
Would you like an actual MR ? I'm also attaching a debdiff of debian/*
to
Control: tag -1 + upstream
Control: forwarded -1 https://github.com/NagVis/nagvis/issues/79
This has apparently been closed in "recent releases", although upstream
doesn't mention when that happened exactly. Scouring through git log, it
appears to be in this commit:
commit
Hi,
I just uploaded ruby-gitlab 4.5.0-2 to DELAYED/10. Don't hesitate to
cancel or reschedule it if you need to.
Cheers,
--Seb
Python3 package, plus upstream bump to 0.3.7, available at:
https://github.com/sdelafond/python-jenkinsapi
Would you be willing to share or hand over maintenance of this package,
ideally on salsa ?
Cheers,
--
Seb
https://salsa.debian.org/ruby-team/ruby-gitlab/merge_requests/1
The test_auth_aws_region test tries to make an actual HTTP request, it
should be disabled in debian/rules.
Cheers,
--
Seb
I'm OK with ruby-gitlab shipping /usr/bin/ruby-gitlab and
/usr/share/man/man1/ruby-gitlab.1.gz, so unless someone disagrees I will
do that this week.
Cheers,
--
Seb
On Oct/02, Mattia Rizzolo wrote:
> Could you please provide a stretch-backports of python-pyperclip?
>
> If you wish, I'm happy to build such backport myself.
Yes, that will be fine: please do !
Cheers,
--Seb
Sure, shipping this as a separate binary package makes sense. A patch
would be most welcome.
Cheers,
--Seb
On Aug/23, Nicholas D Steeves wrote:
> Is that wrong info page bug still valid? It just occurred to me that
> it should be possible to add a few lines to the elpa-org-mode that
> rebinds infopath to put org-mode-doc ahead of emacs' built-in when
> elpa-org-mode is loaded.
>
> If the non emacs
Control: retitle -1 FTBFS in buster
Control: tags -1 - sid + buster
thanks
In sid it builds fine during the 1st run, as shown here:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/mitmproxy.html
The 2nd reproducible run fails because of the "date in the future"
thing:
On Aug/21, Chris Lamb wrote:
> a) You will take the lead on stable/DSA.
> b) I'll carry on with LTS, etc.
Yes.
--Seb
On Aug/19, Chris Lamb wrote:
> Would the security team be interested in one for stretch? If so, I can
> return with a proposed debdiff.
Sorry, missed your email about this. I'm actually done with the patch on
my end.
Cheers,
--Seb
On Jun/23, Chris Lamb wrote:
> I've prepared an upload to fix the following:
>
> php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
>
> * CVE-2017-9773: [...]
>
> * CVE-2017-9774: [...]
>
> * CVE-2017-14650: [...]
>
> The full debdiff is attached. Please let me know if
Hi,
I have just uploaded blinker 1.4+dfsg1-0.2, fixing this FTBFS, to
DELAYED/10. Don't hesitate to cancel or reschedule it if you need to.
Cheers,
--Seb
On Jul/19, Bastien wrote:
> > For reference, upstream change is:
> > https://code.orgmode.org/bzg/org-mode/commit/b186d1d7236c0dc397eadeb004c9a17eaffd3aab
>
> I've received this email with no context -- can you tell me more about
> this issue at stake?
Hi Bastien,
this was Debian bug #887332 :
On Jun/25, Nicholas D Steeves wrote:
> I looked up this bug as soon as I remembered that I'd been neglecting
> it for some time--thankfully I hadn't set myself as owner.
Hi Nicholas,
a quick test in unstable shows that:
* with emacs25 installed but not emacs25-common-non-dfsg, both info(1)
On Jun/25, Andreas Beckmann wrote:
> On Fri, 30 Mar 2018 08:41:38 +0200 Sebastien Delafond
> wrote:
> > mlbviewer no longer works, starting in 2018[0]. A new implementation
> > is in the works[1], with corresponding instructions[2]. It will be
> > packaged later, but in the meantime I've filed
On Jun/21, Alexandre Viau wrote:
> I would like to add that I am willing to provide a patch that
> implements this.
That'd be most welcome !
> However, I would only start working on it after aptly is moved to
> dh-golang to avoid merging issues. See bug #902038 for that.
I've just merged your
Actually, that won't be possible: dam rm shows libspring-java among
other rdeps. We'll just stick with the EOL in debian-security-support.
Cheers,
--Seb
On May/03, Adam D. Barratt wrote:
> There's a few r-deps. Walking the tree gives us:
>
> - redmine-plugin-pretend
> - redmine-plugin-recaptcha
> - redmine-recaptcha
>
> I assume the intent is that those also be removed.
That is correct, sorry for not mentioning the r-deps initially.
Cheers,
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy. It should be ok.
Let's leave it
On Mar/22, Chris Lamb wrote:
> > Can I get an ACK from you to upload those to *-security?
>
> Gentle ping on this? :)
Salvatore is mostly away till the end of the week, but he marked those
no-dsa on the 21st, so I guess that would go toward s-p-u instead.
Cheers,
--Seb