Bug#1071015: RFS: color-picker/1.0.3-3 -- Powerful screen color picker based on Qt

2024-05-12 Thread Hugo Torres de Lima
ast upload: color-picker (1.0.3-3) unstable; urgency=medium . * debian/control: bumped Standards-Version to 4.7.0. * debian/copyright: Updated dates. * debian/patches/01-segfaults.patch: - Created. Thanks to Sudip Mukherjee (Closes: #1060003) Regards, -- Hugo Torres de Lima

Bug#1055605: fstack-clash-protection hardening change breaks building packages with clang on arm64

2023-11-08 Thread Hugo Melder
Package: dpkg-dev Version: 1.22.0 Severity: important Hi, The recent change (https://git.dpkg.org/cgit/dpkg/dpkg.git/diff/?id=11efff1bf) breaks building Debian packages with clang on arm64. LLVM does not have -fstack-clash-protection enabled on aarch64 (https://reviews.llvm.org/D96007). Here

Bug#1053280: RFS: gsimplecal/2.5.1-1 -- lightweight GUI calendar application

2023-09-30 Thread Hugo Torres
gsimplecal (2.5.1-1) unstable; urgency=medium . * New upstream version 2.5.1 Regards, -- Hugo Torres de Lima

Bug#1051730: RFS: viewnior/1.8-2 [QA] -- simple, fast and elegant image viewer

2023-09-11 Thread Hugo Torres
- Using a secure URI in Format field. * debian/upstream/metadata: Created. * debian/rules: - Added hardening. - Removed --parallel argument. Regards, -- Hugo Torres de Lima

Bug#1051183: RFS: gsimplecal/2.5-1 -- lightweight GUI calendar application

2023-09-05 Thread Hugo Torres
Control: tags 1051183 - moreinfo Hi Jeroen, Thanks for your help. I fixed the package and uploaded it to the mentors. On 9/5/23 09:07, Jeroen Ploemen wrote: Control: tags -1 moreinfo On Mon, 04 Sep 2023 00:44:08 -0300 Hugo Torres wrote: I am looking for a sponsor for my package gsimplecal

Bug#1051183: RFS: gsimplecal/2.5-1 -- lightweight GUI calendar application

2023-09-03 Thread Hugo Torres
cal (2.5-1) unstable; urgency=medium . * New upstream version 2.5 * debian/control: bumped Standards-Version to 4.6.2 * debian/copyright: Updated upstream copyright year. Regards, -- Hugo Torres de Lima

Bug#1050115: RFS: mp3info/0.8.5a+dfsg-1 -- MP3 technical info viewer and ID3 1.x tag editor

2023-08-20 Thread Hugo Torres
-gtk.files: Removed. - debian/mp3info-gtk.menu: Removed. - debian/patches/04_removing_gtk2_interface.patch: Created. * debian/control: Bumped Standards-Version to 4.6.2. * debian/copyright: Updated. Regards, -- Hugo Torres de Lima

Bug#1032352: RFS: cldump/0.11~dfsg-6 [QA] -- Clarion database files extractor

2023-03-04 Thread Hugo Torres
an/control: Updated Standards-Version for 4.6.2. * debian/copyright: Updated. * debian/patches: Created 01-hardening.patch. Regards, -- Hugo Torres de Lima

Bug#1006991: closed by Aurélien COUDERC (Re: Bug#1006991: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing)

2022-03-10 Thread Hugo Peek
Thanks a lot for your quick response Aurélien! I'm happy to hear that. Last time I ignored the warning, and sabotaged mariadb.. Greets, Hugo On Thu, Mar 10, 2022, 14:21 Debian Bug Tracking System < ow...@bugs.debian.org> wrote: > This is an automatic notification regarding your B

Bug#1006991: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing

2022-03-09 Thread Hugo Peek
Package: libkwin4-effect-builtins1 Version: 4:5.23.5-1 Severity: normal X-Debbugs-Cc: hugop...@gmail.com Dear Maintainer, Apt upgrade is holding all KDE updates back: The following packages have been kept back: breeze breeze-cursor-theme kde-cli-tools kde-cli-tools-data kde-config-gtk-style

Bug#1006688: reportbug: Debian 11 KDE (Mirror download not working on Google Chrome Version 99.0.4844.51)

2022-03-02 Thread Hugo B
? * What outcome did you expect instead? *** End of the template - remove these template lines *** -- Package-specific info: ** Environment settings: INTERFACE="text" ** /root/.reportbugrc: reportbug_version "7.10.3+deb11u1" mode novice ui text realname "Hugo B" e

Bug#945281: dwm: new upstream release

2021-12-12 Thread Hugo Lefeuvre
Hi Bastian, Thank you very much for this. I'm overwhelmed by work and couldn't find time and energy for Debian lately. I'm really sorry for the lack of responsivity! Best, Hugo On Sun, Dec 12, 2021 at 12:02:06PM +0100, Bastian Germann wrote: > I am sponsoring a NMU (DELAYE

Bug#995086: RFS: color-picker/1.0.2-2 -- Powerful screen color picker based on Qt

2021-09-25 Thread Hugo Torres
r (1.0.2-2) unstable; urgency=medium . * debian/control: Updated Vcs-* URLs. * debian/upstream/io.github.keshavbhatt.color_picker.metainfo.xml: - Added caption tag in images. - Added content_rating tag. Regards, -- Hugo Torres de Lima

Bug#994631: RFS: color-picker/1.0.2-1 -- Powerful screen color picker based on Qt

2021-09-18 Thread Hugo Torres
Necessary the creation of the Debian repository in Salsa. I created the repository in my account to make the migration: https://salsa.debian.org/f9kill/colorpicker -- Hugo Torres de Lima 0x365C8CEF4233E3D8 Sent with ProtonMail Secure Email. signature.asc Description: OpenPGP digital signature

Bug#994631: RFS: color-picker/1.0.2-1 -- Powerful screen color picker based on Qt

2021-09-18 Thread Hugo Torres de Lima
r (1.0.2-1) unstable; urgency=medium . * New upstream version 1.0.2 * Upload to unstable. * debian/control: Bumped Standards-Version to 4.6.0. Regards, -- Hugo Torres de Lima

Bug#993344: RFS: gsimplecal/2.2-3 -- lightweight GUI calendar application

2021-08-31 Thread Hugo Torres de Lima
ncy=medium . * Upload to unstable. * debian/copyright: Removed extra blank space. Regards, -- Hugo Torres de Lima

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2021-06-30 Thread Hugo Lefeuvre
Hi Sebastian, On Tue, Jun 29, 2021 at 09:57:57PM +0200, Sebastian Andrzej Siewior wrote: > On 2019-10-07 08:41:51 [+0200], Hugo Lefeuvre wrote: > > I have discovered this during my regression tests for the jessie update. My > > main worry was to have broken something, I'm glad it

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

2021-05-16 Thread Hugo Torres
debian/tests/control has been removed because it does not provide any useful tests, avoiding errors with autopkgtest. -- Hugo Torres de Lima GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8 Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Sunday, May 16, 2021 3:14

Bug#988431: RFS: open-invaders/0.3-6 [QA] -- Space Invaders clone

2021-05-16 Thread Hugo Torres
debian/tests/control has been removed because it does not provide any useful tests, avoiding errors with autopkgtest. -- Hugo Torres de Lima GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8 Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Sunday, May 16, 2021 10:46

Bug#988431: Additional information

2021-05-12 Thread Hugo Torres
Necessary the creation of the Debian repository in Salsa. I created the repository in my account to make the migration: https://salsa.debian.org/f9kill/open-invaders -- Hugo Torres de Lima GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8 Sent with ProtonMail Secure Email

Bug#988431: RFS: open-invaders/0.3-6 [QA] -- Space Invaders clone

2021-05-12 Thread Hugo Torres
version 4. - Updated the source address. Regards, -- Hugo Torres de Lima

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

2021-04-30 Thread Hugo Torres
Necessary the creation of the Debian repository in Salsa. I created the repository in my account to make the migration: https://salsa.debian.org/f9kill/colorpicker -- Hugo Torres de Lima GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8 Sent with ProtonMail Secure Email. signature.asc

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

2021-04-29 Thread Hugo Torres de Lima
r (1.0.1-1) experimental; urgency=medium . * Initial release (Closes: #987756) Regards, -- Hugo Torres de Lima

Bug#987756: ITP: color-picker -- Powerful screen color picker based on Qt

2021-04-29 Thread Hugo Torres de Lima
Package: wnpp Severity: wishlist Owner: Hugo Torres de Lima * Package name: color-picker Version : 1.0.1 Upstream Author : Keshav Bhatt * URL : https://github.com/keshavbhatt/ColorPicker * License : MIT Programming Lang: C++ Description : Powerful

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

2021-04-12 Thread Hugo Torres
Hi Giovani. Made the recommended changes. -- Hugo Torres de Lima GPG key: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8 Sent with ProtonMail Secure Email. signature.asc Description: OpenPGP digital signature

Bug#986777: RFS: ink/0.5.3-2 [QA] -- tool for checking the ink level of your local printer

2021-04-11 Thread Hugo Torres de Lima
CI testing. * debian/upstream/metadata: Created. * debian/watch: - Bumped to version 4. - Updated the source address. Regards, -- Hugo Torres de Lima

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

2021-04-06 Thread Hugo Torres
Thanks for the answer. - Links vcs- * Updated for salsa. - Version of software updated. Necessary for the creation of the Debian repository in Salsa. I created the repository in my account to make the migration: https://salsa.debian.org/f9kill/gsimplecal -- Hugo Torres de Lima GPG key

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

2021-04-02 Thread Hugo Torres de Lima
n/upstream/metadata: Created. * debian/watch: - Bumped to version 4. - Updated the source address. Regards, -- Hugo Torres de Lima

Bug#945317: xcftools NMU for CVE-2019-5086 and CVE-2019-5087

2021-02-16 Thread Hugo Lefeuvre
l at the moment. My intention is to send a patch to fix the open CVE > > in > > stable to you when we have addressed the remaining 32 bit issues. > > Yes that sounds fine. Admittedly it was for us in dsa-needed only > because Hugo initially aimed to address it across all suites top-dow

Bug#982162: msmtp: cannot read custom aliases file (Permission denied)

2021-02-06 Thread Hugo Villeneuve
Source: msmtp Version: 1.8.3 Severity: normal Dear Maintainer, when specifying a custom aliases file in /etc/msmtprc configuration file like this: aliases /etc/aliases.msmtp msmtp returns the following error: $> echo -e "foo" | msmtp -t postmaster msmtp: /etc/aliases.msmtp: Permission

Bug#964627: fractgen: diff for NMU version 2.1.5-1.1

2021-02-05 Thread Hugo Lefeuvre
o tell me if I should cancel it. Thank you very much for this NMU. I am completely overloaded with work currently and could not find time to handle this. Feel free to upload to unstable right away! Best Regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B

Bug#964627: fractgen: FTBFS: colorschemeinterface.cc

2020-07-17 Thread Hugo Lefeuvre
Hi Lucas, thanks a lot for this bug report. I will do my best to sort this out during the week-end. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Bug#948244: https://unsplash.com/photos/1lfI7wkGWZ4?utm_source=unsplash_medium=referral_content=creditShareLink

2020-05-14 Thread Victor Hugo Sánchez Gracida
https://drive.google.com/file/d/10LwSnTSEk4fe6OrS8cl3kpiyLeLSzQLQ/view?usp=drivesdk Sent from Outlook Mobile

Bug#958981: ITP: xreader -- A generic document reader

2020-04-27 Thread Hugo Ziviani
Package: wnpp Severity: wishlist Starting working on the packing for xreader. Available on: (https://github.com/linuxmint/xreader) hugoziviani

Bug#952769: isc-dhcp-client: Package "isc-dhcp-client" is not installable in the Debian SID PowerPC Port. Unmet dependencies: "libdns1107" and "libisc1104"

2020-02-28 Thread Hugo Melder
Package: isc-dhcp-client Version: 4.4.1-2.1 Severity: grave Tags: d-i a11y Justification: renders package unusable -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: PowerPC Kernel: Linux 5.4.0-4-amd64 (SMP w/16 CPU cores)

Bug#951453: RFS: pysolfc/2.6.4-3 -- collection of more than 1000 solitaire card games

2020-02-18 Thread Hugo Lefeuvre
Hi, thanks for your contribution, this should be in unstable by tonight. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description

Bug#907635: add .apk as file extension for jar and jarsigner #907635

2020-01-27 Thread Hugo Ziviani
Hello, I’m Hugo, and I would like to take this correction (#907635). I think this is not exactly a bug. Could anyone give me more information if I start upstream or I can start from here downstream. Thanks, Hugo

Bug#907635: add .apk as file extension for jar and jarsigner

2020-01-27 Thread Hugo Ziviani
Hello, I’m Hugo, and I would like to take this correction (#907635). I think this is not exactly a bug. Could anyone give me more information if I start upstream or I can start from here downstream. Thanks, Hugo ___ ERROR Related: Package: bash-completion Version: 1:2.8-1

Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

2020-01-25 Thread Hugo Lefeuvre
there. I have asked upstream regarding the licensing issue. For the rest, I think we should wait for followups, or possibly a better patch. Any comments/advice? cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DF

Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

2019-12-30 Thread Hugo Lefeuvre
r findings? > > Ah yes; well-spotted. :) Ack, same for stretch in the end. :) BTW, there is a confusion in the jessie update, the changelog says it fixes CVE-2019-17357 and the patch is called CVE-2019-17357.patch, but the actual CVE being fixed is CVE-2019-17358, not CVE-2019-17357. cheers, H

Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

2019-12-29 Thread Hugo Lefeuvre
t-affected in stretch in the tracker. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

2019-12-28 Thread Hugo Lefeuvre
Hi Sebastian, I see that your work migrated to testing, and wondered... are you still intending to prepare updates for stretch and buster? Is there anything I can do to help you? thanks for your work! cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B

Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

2019-12-28 Thread Hugo Lefeuvre
Hi, On Fri, Nov 08, 2019 at 09:56:53PM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Fri, 2019-10-18 at 13:23 +0200, Hugo Lefeuvre wrote: > > as discussed in #939553[0], no DSA will be issued by the security > > team for CVE-2018-21010 and this vulne

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-28 Thread Hugo Lefeuvre
a7 https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce backporting them is sufficient to fix the issue. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D3

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-27 Thread Hugo Lefeuvre
(the one used in stretch). This will be fixed in the next security update. cheers, Hugo [0] https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4 [1] https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266 --

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-27 Thread Hugo Lefeuvre
and 0227. I'll try to ship a patch for this along with the next jessie update. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
> thanks for your valuable work on this bug! > Yes, I can prepare update on 30-31st of December. that would be great, thanks! :-) cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B2

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
could handle this update in unstable? I'd love to help, but my Debian time is somewhat limited currently... cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
unstable: I have asked upstream about his plans to release 3.18.1 but did not receive any answer yet. I suppose that we should cherry pick the patch if we want a quick fix. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1E

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-11 Thread Hugo Lefeuvre
with the cherry picked patch. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

2019-11-24 Thread Hugo Lefeuvre
Dear clamav maintainers, are you planning to address this in stretch/buster via -updates? I can provide some help if needed (and make sure this gets backported to jessie-security). thanks! regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-11-23 Thread Hugo Lefeuvre
should also be able to handle stretch and buster. Anton, you know this package better than me, would you be available to test the update? thanks! regards, Hugo [0] https://sourceforge.net/p/freeimage/svn/1825/ -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3

Bug#942514: CVE-2019-16729 fixed in 1.0.4-1.1+deb8u1

2019-11-23 Thread Hugo Lefeuvre
tracker as well. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-11-03 Thread Hugo Lefeuvre
Hi Anton, > Thanks, Hugo, for analyzing the issue in details and proposing the fix. > > Do you want to add the patch into the corresponding forum-thread > in freeimage website? yes, I have just forwarded my message to the SF thread. Let's hope upstream will find some time to

Bug#940575: RFS: fortran-language-server/1.10.2-1 [ITP] -- Fortran Language Server for the Language Server Protocol

2019-11-02 Thread Hugo Lefeuvre
ftpmasters have accepted the package. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#936214: bleachbit: Python2 removal in sid/bullseye

2019-11-02 Thread Hugo Lefeuvre
Bleachbit would be a significant source of annoyance for many Debian users (popcon 2754 at the moment). May I add the py2keep flag, until the Bleachbit Py3 migration completes? regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8

Bug#885261: bleachbit: Depends on unmaintained pygtk

2019-10-27 Thread Hugo Lefeuvre
ut they seem to be working on > it). > > It would be super nice to have this new version packaged from a user's > perspective and, also, from an archive/distribution/removal perspective > also. thanks for the heads up. 3.0 will be in the archive asap, I'm working on it. cheers, Hug

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-10-26 Thread Hugo Lefeuvre
ages, unrelated to this patch. I will try to take a look at them in the future. I can provide additional explanations if there is anything unclear. I'd like to get this patch peer-reviewed/merged upstream before shipping it in a Debian release. regards, Hugo -- Hug

Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

2019-10-21 Thread Hugo Lefeuvre
rough 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with 'https://security-tracker.debian.org/tracker/CVE-2019-17626 regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F

Bug#942578: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

2019-10-18 Thread Hugo Lefeuvre
FTR: Dirk Lemstra confirmed that those four commits correspond to the fixes for CVE-2019-17540. -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc

Bug#942578: imagemagick: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

2019-10-18 Thread Hugo Lefeuvre
/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 this looks like what we are searching for; a buffer overflow WRITE of size 1 in ReadPSInfo. I will contact Dirk Lemstra and ask for more information. regards, Hugo [0] https://security-tracker.debian.org/tracker/CVE-2019-17540

Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

2019-10-18 Thread Hugo Lefeuvre
addresses this issue, along with CVE-2018-20847. This is almost the same debdiff as #942024[1] (for stretch-pu). thanks! cheers, Hugo [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553 [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024 -- Hugo Lefeuvre (hle

Bug#942514: pam-python: CVE-2019-16729: local root escalation

2019-10-17 Thread Hugo Lefeuvre
and can't assess the severity properly. Could you provide some more information related to this vulnerability? an isolated patch would be ideal. thanks! regards, Hugo [0] https://security-tracker.debian.org/tracker/CVE-2019-16729 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA

Bug#941036: cacti: CVE-2019-16723

2019-10-16 Thread Hugo Lefeuvre
ACCESS DENIED'; } - } + //} if (getenv('LANG') == '') { putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . '.UTF-8'); Try to reproduce: this is sufficient to "fix" the issue and appears to confirm previous analysis. Any comments? cheers, Hugo [0] https://github

Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

2019-10-14 Thread Hugo Lefeuvre
Hi, > I think that second occurrence of 2018-21010 might be incorrect. :-) right, same typo twice. I meant CVE-2016-9112 of course :) > Please go ahead. uploaded, thanks! -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A24

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

2019-10-14 Thread Hugo Lefeuvre
a bug report, I will take a look at it. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

2019-10-13 Thread Hugo Lefeuvre
loading. You can find (UNRELEASED) amd64 builds, signed by myself on my Debian webpage: https://people.debian.org/~hle/lts/clamav/ regards, Hugo [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824042 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

2019-10-12 Thread Hugo Lefeuvre
not seem to change anything on my system. My understanding is that /var/run/clamav/clamd.ctl is created by systemd, not by the daemon itself. Also, I don't think chown clamav /var/run/clamav should survive a restart. Filipe: did you also experience this bug? Thanks. regards, Hugo

Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

2019-10-09 Thread Hugo Lefeuvre
addresses this issue, along with CVE-2018-20847 and CVE-2018-21010. Patches for CVE-2018-20847 and CVE-2018-21010 are straight from upstream. Concerning CVE-2018-21010, I did a few changes to remove non-security related refactoring and improve readability. thanks! cheers, Hugo [0] https

Bug#939553: openjpeg2: CVE-2018-21010

2019-10-07 Thread Hugo Lefeuvre
upload 2.3.1 this week, so this should be just fine. > Pay attention to 2.3.0-3 in your dch that's all I care really. I'll > import in git after the upload since it is ready. ack, thanks! regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF2

Bug#939553: openjpeg2: CVE-2018-21010

2019-10-07 Thread Hugo Lefeuvre
that this vulnerability would allow significant heap write overflow. Hard to exploit, but this is enough for a DLA, in my opinion. Regarding stretch and buster, I don't think this is worth a DSA, but we could fix this via a point update later on. cheers, Hugo -- Hugo Lefeuvre (hle

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2019-10-07 Thread Hugo Lefeuvre
s for pointing that out, I forgot about the file size limit. > So far I don't see anything wrong. I have discovered this during my regression tests for the jessie update. My main worry was to have broken something, I'm glad it's not the case. Thanks for your time! regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2019-10-06 Thread Hugo Lefeuvre
.75 MB (ratio 0.00:1) Time: 66.032 sec (1 m 6 s) This is reproducible with 0.101.4 in unstable (not a VM), stretch and jessie (both VMs). cheers, Hugo [0] https://www.bamsoftware.com/hacks/zipbomb/ -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F

Bug#912224: since update 1.3.3.5-4+deb8u5 php ldap authentification failure

2019-09-08 Thread Hugo Lefeuvre
the latest 389-ds-base update. Did you notice anything wrong during your tests? Thanks! regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc

Bug#938316: qreator: Python2 removal in sid/bullseye [PATCH]

2019-08-30 Thread Hugo Lefeuvre
Hi, I have ported qreator to Python 3, you can find a debdiff in attachment. I did not test everything, so there might still be some issues around. I did not forward it to upstream, feel free to do it if you want. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com

Bug#936214: bleachbit: Python2 removal in sid/bullseye

2019-08-30 Thread Hugo Lefeuvre
. > > This is the preferred option. Upstream is currently working on the migration. As far as I am aware, we should not be too far from a final Python 3 release. I have just pinged them. Bleachbit has a fairly high popcon and is active upstream. Bleachbit's removal would

Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
Small update: I forgot to close the bug report (#932755) and did not mention CVE-2019-5058 in debian/changelog. You can find an updated debdiff in attachment. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD

Bug#930363: faad2: fix build with gcc-9 [patch]

2019-08-29 Thread Hugo Lefeuvre
Hi Fabian, > On Thursday, 29.08.2019, at 08:04 -0400, Hugo Lefeuvre wrote: > > Fabian (faad2 maintainer and upstream), do you want to handle this? > > Otherwise I can NMU a second time with this patch. > > please go ahead with a second NMU. I am a bit short on time cu

Bug#936056: buster-pu: package sdl-image1.2/1.2.12-10+deb10u1

2019-08-29 Thread Hugo Lefeuvre
at the same time, but for a number of reasons sdl-image1.2 was delayed) This is essentially the same update as 1.2.12-5+deb9u2, see #936051. thanks! cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_

Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
of reasons sdl-image1.2 was delayed) thanks! cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl

Bug#930363: faad2: fix build with gcc-9 [patch]

2019-08-29 Thread Hugo Lefeuvre
upstream > > https://sourceforge.net/p/faac/bugs/242/ > > patch: > > http://launchpadlibrarian.net/427773869/faad2_2.8.8-3_2.8.8-3ubuntu1.diff.gz > > Now this bug is RC, and preventing CVE fixes from Migration. > Hugo, can you please reupload with the Ubuntu patch? >

Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

2019-08-28 Thread Hugo Lefeuvre
Hi Fabian, > > Please let me know if you want me to change anything, otherwise I am > > waiting for your ack to upload. > > Please go ahead! OK, uploaded. > Is the list of closed CVEs complete? Yes, everything fixed in sid! cheers, Hugo --

Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

2019-08-27 Thread Hugo Lefeuvre
waiting for your ack to upload. regards, Hugo [0] https://github.com/knik0/faad2/pull/38 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C diff -Nru faad2-2.8.8/debian

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-22 Thread Hugo Lefeuvre
> > > > Thanks to David Fifield for reviewing the zip-bomb mitigation in > > 0.101.3 and reporting the issue. > > https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to backpor

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-12 Thread Hugo Lefeuvre
am > released as 0.101.3 (the latest one) and prepared an update for stable. > _After_ that, the bugtracker got updated claiming that the fix is not > perfect and other zip bomb was added to the backtracker. I'm sorry if this sounded insistent, it was not intended like that. th

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-10 Thread Hugo Lefeuvre
, the current patch is incomplete (see upstream bug report). Upstream is actively working on a more advanced patch. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F

Bug#931449: imagemagick: CVE-2019-13305/CVE-2019-13306

2019-08-09 Thread Hugo Lefeuvre
values. My exploitation skills are limited, but this could be an exploitable vulnerability. I think this should be fixed, at least via point release? regards, Hugo [0] https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d [1] https://github.com/ImageMagick

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
Hi Salvatore, > > Done! You can find an updated debdiff for buster in attachment. The new > > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in > > IMG_xcf.c. > > Is the attachment missing? Right, attachment is missing! Bett

Bug#931740: CVE-2019-12977 analysis

2019-08-08 Thread Hugo Lefeuvre
than what he can already do. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

2019-08-08 Thread Hugo Lefeuvre
Hi Felix, > > Concerning testing: can I upload the NMU? > > Sure, please go ahead! thanks! I have uploaded the NMU, with some very small changes: I have added a patch for CVE-2019-5058, which addresses issues in a previously uploaded patch for CVE-2018-3977 (via 1.2.12-10).

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
which addresses the remaining issue in IMG_xcf.c. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

2019-08-05 Thread Hugo Lefeuvre
the information. I will update the testing NMU to address these issues as well and perform some triage in the tracker (CVE-2019-5058 is the same as CVE-2018-3977 and CVE-2019-5057 looks familiar as well). regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-05 Thread Hugo Lefeuvre
oad this diff yet. I'll just provide an updated version asap. I will also update the testing NMU[2], which I fortunately did not upload yet. Thanks again! regards, Hugo [0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8 [1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 [2] https://bugs.debian.o

Bug#885681: gummi: Depends on unmaintained gtksourceview2

2019-08-04 Thread Hugo Lefeuvre
. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#933242: python-slugify: text-unicode still required dependency

2019-07-27 Thread Hugo Lefeuvre
, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

2019-07-27 Thread Hugo Lefeuvre
Dear SDL packages maintainers, I have uploaded the jessie LTS update. I will coordinate with the security team for stretch and buster fixes via point release. Concerning testing: can I upload the NMU? cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B

Bug#933218: stretch-pu: package libsdl2-image/2.0.1+dfsg-2+deb9u2

2019-07-27 Thread Hugo Lefeuvre
(IMG_pcx.c). (for more information, see #932754) Attached is a debdiff addressing all of them for stretch. All of these patches are from upstream, I have removed whitespace changes and non security related refactoring. This is the same patch as #933147. thanks! cheers, Hugo

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-07-26 Thread Hugo Lefeuvre
) Attached is a debdiff addressing all of them for buster. All of these patches are from upstream, I have removed whitespace changes and non security related refactoring. thanks! cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA

Bug#922466: whitelist not working on python3 (buster version)

2019-07-26 Thread Hugo Lefeuvre
Hi, Sorry for overlooking this issue. This should be fixed in the next pyzor upload, in the next few days. Thanks for reporting this. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25

Bug#932755: libsdl2-image security issues in testing

2019-07-24 Thread Hugo Lefeuvre
the debdiff for unstable (in attachment). I did very quick smoke tests. However it would be surprising that this patch would break anything since it was tested extensively in jessie and upstream versions are identical. (just in case, I smoke test using [0] with valgrind) cheers, Hugo [0] /usr/shar
