Bug#991293: pillow: CVE-2021-34552 - buffer overflow in Convert.c

On Tue, 20 Jul 2021 06:36:44 +0100 Neil Williams wrote: > This has been fixed upstream in version 8.3. The upstream fix can be > backported to 8.1 in unstable. > > This is a tracking bug to ease migration of pillow into bullseye. > > I have an upload ready for unstable. Attaching the debdiff

Bug#991293: pillow: CVE-2021-34552 - buffer overflow in Convert.c

Source: pillow Version: 8.1.2+dfsg-0.2 Severity: grave Tags: security Justification: user security hole https://security-tracker.debian.org/tracker/CVE-2021-34552 Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly

Bug#991291: developers-reference: replace atter

Source: developers-reference Version: 11.0.20 "Any atter suffix". I am guessing you meant to use the word "other", since "atter" is archaic or dialectal English according to my dictionary. https://salsa.debian.org/debian/developers-reference/-/commit/33fc4a914

Bug#991290: RFS: apt-listchanges/3.25 [ITA] -- package change history notification tool

Package: sponsorship-requests Severity: normal Dear mentors, I am looking for a sponsor for my package "apt-listchanges": * Package name: apt-listchanges Version : 3.25 * License : GPL-2+ * Vcs : https://salsa.debian.org/debian/apt-listchanges/ Section

Bug#990956: uploading lintian-brush to testing-proposed-updates

On Wed, Jul 14, 2021 at 10:25:29PM +0200, Paul Gevers wrote: > Hi, > > On 12-07-2021 01:20, Jelmer Vernooij wrote: > > On Sun, Jul 11, 2021 at 09:58:30PM +0200, Paul Gevers wrote: > >> On 11-07-2021 21:47, Jelmer Vernooij wrote: > >>> It's going to be tricky to get this resolved in time before

Bug#991110: python3.9: Please exclude test_concurrent_futures also on alpha

Control: retitle 991110 python3.9: Please exclude test_concurrent_futures also on armhf and alpha Control: severity 991110 serious Control: retitle 99 python3.10: Please exclude test_concurrent_futures also on armhf and alpha Control: severity 99 serious The same failure happened now on

Bug#950174: gvfs-udisks2-volume-monitor.service crashes: No GSettings schemas are installed on the system

Control: severity -1 normal On 2021-01-28 09:46:53 +, Simon McVittie wrote: > Control: retitle -1 gvfs-udisks2-volume-monitor.service crashes: No GSettings > schemas are installed on the system > Control: tags -1 + moreinfo unreproducible > > On Wed, 29 Jan 2020 at 23:22:01 +0100, Pipes

Bug#990990: unblock: libcgroup/2.0

On Mon, Jul 19, 2021 at 03:07:49PM +0200, Santiago Ruano Rincón wrote: > On Thu, 15 Jul 2021 12:27:35 +0200 Paul Gevers wrote: > > Hi, > > > > On 12-07-2021 18:45, Michael Biebl wrote: > > > This was already discussed in > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959022 > > > > > >

Bug#991289: /etc/ImageMagick-6/policy.xml: invalid XML due to broken comment

Package: imagemagick-6-common Version: 8:6.9.11.60+dfsg-1.3 Severity: normal File: /etc/ImageMagick-6/policy.xml Dear Maintainer, Line 77 of /etc/ImageMagick-6/policy.xml (for name="shared-secret") has a comment start marker () causing the start marker on the next line to occur within a comment,

Bug#991288: imagemagick: update Repository in debian/upstream/metadata

Source: imagemagick Version: 8:6.9.11.60+dfsg-1.3 Severity: minor Tags: patch Dear Maintainer, The [Repository in debian/upstream/metadata] responds with 404 Not Found. The [Install from Source] page on the ImageMagick website states: > The authoritative source code repository is

Bug#991282: RFS: runit/2.1.2-41exp1 -- system-wide service supervision

Package: sponsorship-requests Severity: normal X-Debbugs-Cc: plore...@disroot.org Dear mentors, I am looking for a sponsor for my package "runit": * Package name: runit Version : 2.1.2-41exp1 Upstream Author : Gerrit Pape * URL : http://smarden.org/runit/ *

Bug#911431: Bug#988329: ITA: usbredir/0.9.0-1 -- Simple USB host TCP server

retitle 911431 "ITA: usbredir/0.10.0 -- Simple USB host TCP server" tags 988329 - moreinfo thanks Hi Tobi and everyone else, > Please update the package, remove the moreinfo tag and ping me for an > follow up, and I will take a look again. Thanks again for your feedback. I think I fixed all the

Bug#991275: tar doesn't restore all directory timestamps from the extracted archive

On 2021-07-19 20:16:57 +0100, Janos LENART wrote: > I am going to forward this report upstream, but I find it extremely > unlikely they'd change this behavior as that would lead to > surprising results for others depending on the current default. Why would user want the current default? This

Bug#991122: unblock: varnish/6.5.2-1

Control: tags -1 + confirmed Hi Stig On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote: > Attached is the diff. Changes are the upstream bugfix, as well as two commits > in the packaging repository: Thanks. Please go ahead and upload to unstable, then remove the moreinfo tag once it

Bug#991287: unblock: containerd/1.4.5~ds1-2

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: z...@debian.org Please unblock package containerd [ Reason ] Backport patch for CVE-2021-32760:

Bug#991019: linux-image-5.10.0-7-armmp: a20 olinuxino-MICRO panic accessing sata disk after the boot.

Control: tag -1 moreinfo On Tue, 2021-07-13 at 04:28 +0200, Flavio Barbara wrote: > Package: src:linux > Version: 5.10.40-1 > Severity: normal > X-Debbugs-Cc: none, f...@maidaccordo.net > > Dear Maintainer, > > after upgrading to bullseye my SBC olimex a20 olinuxino-MICRO, the > system boots

Bug#991275: tar doesn't restore all directory timestamps from the extracted archive

severity 991275 wishlist tags 991275 + wontfix thanks Hi Vincent, I am going to forward this report upstream, but I find it extremely unlikely they'd change this behavior as that would lead to surprising results for others depending on the current default. Regards, On Mon, 19 Jul 2021 at

Bug#991286: unblock: netdiscover/0.7-4

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: eribe...@debian.org Dear Release Team, Please unblock package netdiscover. [ Reason ] The revision 0.7-4 has a patch (030) to add an important fix from the upstream[1].

Bug#901973: ITP: node-destroy -- Node.js stream destruction utility, with quirk handling

Hello, I will be packaging send-transform soon and this is a dependency. Any progress with this? If not, I'll package node-destroy. Kind regards, Shayan Doust On Wed, 20 Jun 2018 16:33:13 -0400 Zebulon McCorkle wrote: > Package: wnpp > Severity: wishlist > Owner: Zebulon McCorkle > > *

Bug#991285: unblock: strip-nondeterminism/1.12-0.1

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock x-debbugs-cc: reproducible-bui...@lists.alioth.debian.org Hi, I'm wondering whether it makes sense to unblock strip-nondeterminism 1.12.0-1, which has been uploaded on 2021-05-07 and which

Bug#991276: Boot existing Host Operating System or VM into Live Mode (grub-live)

Package: live-boot Severity: wishlist X-Debbugs-CC: whonix-de...@whonix.org This is a feature request to adopt / re-implement grub-live. It provides functionality to "Boot existing Host Operating System or VM into Live Mode". 1. install Debian normally. 2. install grub-live 3. choose in grub

Bug#991284: RM: deltachat-core -- ROM; Replaced by a rust rewrite and no longer maintained

Package: ftp.debian.org Severity: normal Hi, The upstream authors of deltachat-core have decided to re-implement the library in Rust, and this package is no longer relevant. Upstream is not continuing to maintain it, and it would just otherwise collect dust in the archive, so I'm requesting

Bug#989630: mke2fs with size limit and default discard will discard data after size limit

On Sun, Jul 18, 2021 at 01:15:05PM -0400, Theodore Y. Ts'o wrote: > tags 989630 +pending > thanks > > I finally had time to investigate this problem. It turns out the only > time this bug manifests is when creating an file system smaller than > (blocksize)**2 bytes (e.g., 16 megabytes when the

Bug#991283: unblock: mesa/20.3.5-1

Package: release.debian.org Severity: normal Tags: moreinfo User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: m...@packages.debian.org, Timo Aaltonen Should the mesa source package be unblocked for bullseye? It was uploaded to unstable several months ago. Please note

Bug#991274: Package libldap-2.4-2 was built without LDAP_CONNECTIONLESS

--On Monday, July 19, 2021 9:59 AM -0700 Ryan Tandy wrote: Why does the new version of sssd require this? Can it not remain optional on their side, if it was in the past? See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539421 for the previous request about LDAP_CONNECTIONLESS. As far as

Bug#991281: virtualbox-ext-pack: missing Depends: ca-certificates

Package: virtualbox-ext-pack Version: 6.1.22-1 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install. As per definition of the release team this makes the package too buggy for a release, thus the severity.

Bug#991280: firmware-microbit-micropython-dl: fails to install: checksum of downloaded file does not match

Package: firmware-microbit-micropython-dl Version: 1.2.4+dfsg-7 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install. As per definition of the release team this makes the package too buggy for a release,

Bug#991274: Package libldap-2.4-2 was built without LDAP_CONNECTIONLESS

Control: severity -1 wishlist Hi, I'm afraid this is too late for Debian 11 (bullseye). We could look at enabling it for Debian 12 (bookworm). On Mon, Jul 19, 2021 at 03:35:38PM +0200, Gerald Vincent wrote: Since 2.4.0, package sssd needs openldap library built with CONNECTIONLESS support

Bug#941199: Upstream has valid debian packaging

Hey guys, is there anything news or a ETA? 3 months later and still not a package available. Cheers, fossdd

Bug#990566: dovecot: CVE-2021-33515 CVE-2021-29157 CVE-2020-28200

On Sat, Jul 17, 2021 at 09:05:32PM +0200, Salvatore Bonaccorso wrote: > > CVE-2021-33515[0]: > > | The submission service in Dovecot before 2.3.15 allows STARTTLS > > | command injection in lib-smtp. Sensitive information can be redirected > > | to an attacker-controlled address. > > > >

Bug#991275: tar doesn't restore all directory timestamps from the extracted archive

I can see that the --delay-directory-restore option solves the issue. But IMHO, this option should be the default to avoid surprising results (the linux package doesn't ensure that the items are "correctly" ordered, if I understand its debian/rules.real file). -- Vincent Lefèvre - Web:

Bug#990832: Updates

Thanks for all of the work and the patching. The debug output that you're showing looks a lot like some of the necessary macros aren't enabled in the postfix config; can you compare what you have to what is listed in README.Debian? I'll try to take another look at the code that you have which

Bug#991279: unblock: jetty9/9.4.39-3

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: a...@debian.org Please unblock package jetty9 [ Reason ] jetty9 in Bullseye is vulnerable to CVE-2021-34429. https://bugs.debian.org/991188 [ Tests ] I have backported all

Bug#757356: Apple keyboard: Scan code event (EV_MSC) not generated when the EV_KEY event is generated by hid-apple.c

On 2021-06-02 17:24:38 +0200, Salvatore Bonaccorso wrote: > Can you, time permitting, starting from there (and needed refreshes) > try to confirm if the patch solves the issue on top of 5.10.40? First, the patch did not apply correctly on top of 5.10.46 (currently in unstable). So I've updated it

Bug#991275: tar doesn't restore all directory timestamps from the extracted archive

Note: I did not do the bug report from the machine for which I posted the results, but there are exactly the same results for this second machine (they are both Debian/unstable machines). -- Vincent Lefèvre - Web: 100% accessible validated (X)HTML - Blog:

Bug#991277: ITP: cutesv -- comprehensive discovery of structural variations of genomic sequences

Package: wnpp Severity: wishlist Subject: ITP: cutesv -- comprehensive discovery of structural variations of genomic sequences Package: wnpp Owner: Steffen Moeller Severity: wishlist * Package name: cutesv Version : 1.0.11 Upstream Author : JiangTao * URL :

Bug#991275: tar doesn't restore all directory timestamps from the extracted archive

Package: tar Version: 1.34+dfsg-1 Severity: important tar doesn't restore all directory timestamps from the extracted archive. Example with tar -xaf /usr/src/linux-source-5.10.tar.xz There are 4712 directories, but 118 of them have a recent timestamp. zira% find linux-source-5.10 -type d |

Bug#991274: Package libldap-2.4-2 was built without LDAP_CONNECTIONLESS

Package: libldap-2.4-2 Version: 2.4.57+dfsg-3 Hi, Since 2.4.0, package sssd needs openldap library built with CONNECTIONLESS support to use cldap:// requests. Without this feature enables, sssd is no longer working properly with Active Directory. We have this kind of error meessage: ``

Bug#991273: acng: for testing dist fails to download by-hash translations

Package: apt-cacher-ng Version: 3.3.1-2~bpo10+1 Severity: normal Dear Maintainer, I tried to install bullseye machine and it fails to download some translations and installation fails: Jul 19 10:29:53 in-target: E: Failed to fetch

Bug#988963: libgc1c2: please drop obsolete Conflicts/Replaces on libgc1 in buster, it interferes with upgrades to bullseye

On Wed, 30 Jun 2021 21:36:54 +0200 Paul Gevers wrote: Hi libgc maintainers, Can you please comment? We missed the 10.10 point release already and 10.11 may happen after we release bullseye, but at least we could improve the upgrade for people upgrading after 10.11. Do you agree with me doing

Bug#990990: unblock: libcgroup/2.0

On Thu, 15 Jul 2021 12:27:35 +0200 Paul Gevers wrote: > Hi, > > On 12-07-2021 18:45, Michael Biebl wrote: > > This was already discussed in > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959022 > > > > My takeaway from that discussion was, that rdeps of cgroup-tools, would > > itself

Bug#991272: unblock: bible-kjv/4.34

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package bible-kjv TL;DR: This fixes #991133 ("important"), a regression from buster. There are two parts to the fix, both small. unblock bible-kjv/4.34 Bug #991133 is that

Bug#991266: postinst: Can't exec systemctl: No such file or directory

Package: proftpd-core Version: 1.3.7b+dfsg-1 Severity: normal Tags: patch X-Debbugs-Cc: plore...@disroot.org Dear Maintainer, during the last upgrade of proftpd i got [...] Setting up proftpd-core (1.3.7b+dfsg-1) ... usermod: no changes Can't exec "systemctl": No such file or directory at

Bug#991271: fossil: Fix TLS hostname verification

Package: fossil Version: 1:2.8-1 Severity: normal Dear Maintainer, It seems fossil 2.8 is also affected by [1] and I think it should be updated as well. The following patch might work as a starting point, but I haven't tested anything beside it reporting an error when the host name doesn't

Bug#945315: pan: error sending posts

Dear Maintainer, is there a chance getting this fixed in Debian even if upstream doesn't seem to care much? Kind regards Thomas

Bug#991264: python2.7: tarfile.py does not catch encoding errors

Package: python2.7 Version: 2.7.16-2+deb10u1 Severity: important Dear Maintainer, /usr/lib/python2.7/tarfile.py does not catch encoding errors in tarfile filenames and throws an exception possibly crashing programs, like duplicity. The problem lies in def _proc_pax(self, tarfile): 1396

Bug#991270: unblock: suricata/6.0.1-3

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package suricata This minimal patch that I added fixes CVE-2021-35063 by backporting the corresponding fix commit from upstream [1]. By doing so it addresses #990835. I

Bug#991133: One other necessary fix

Hi, The other bug was that makeconc.pl tries to run "bible -f gen1:1-rev99:99" to generate the text it builds the raw concordance from; obviously this doesn't work on chroots / buildds. It's also unnecessary, since we have the rawtext file in the source tree, so use that instead. This now

Bug#989785: devscripts: wrap-and-sort ignores --trailing-comma on non-sorted fields/Uploaders

On Tue, Jun 15, 2021 at 01:47:11PM +0900, Norbert Preining wrote: > Hi Mattia, > > > Can you describe with an example or something more specific what you are > > observing? > > Ah, it only happens with *one* Uploader: > $ head -6 debian/control > Source: layer-shell-qt > Section: kde > Priority:

Bug#991268: [Aptitude-devel] Bug#991268: aptitude should provide an option to install packages from lower priority repos (backports, experimental) if the runtime dependency specify a version that can

On Mon, 19 Jul 2021 12:14:40 +0200 Julian Andres Klode wrote: > I'm a bit confused because this bug is about aptitude, and there, this > should work already. It might take a couple times of rejecting solver > choices, though. Did you want to report the bug against apt? I think > we already

Bug#991122: unblock: varnish/6.5.2-1

On Sun, Jul 18, 2021 at 10:14:46AM +0200, Graham Inggs wrote: > Control: tags -1 + moreinfo > > Hi Stig > > Please attach a filtered debdiff to this bug. Something like: > > filterdiff -x '*/build-aux/*' -x '*/doc/html/*' > varnish-6.5.1-1--6.5.2-1.debdiff >filtered.debdiff > > Please also

Bug#991268: [Aptitude-devel] Bug#991268: aptitude should provide an option to install packages from lower priority repos (backports, experimental) if the runtime dependency specify a version that can

On Mon, Jul 19, 2021 at 03:34:37PM +0530, Pirate Praveen wrote: > Package: aptitude > Severity: important > Version: 0.8.13-3 > > aptitude already provide such an option for choosing build dependencies when > building for backports or experimental, it would be great if there is an > option for

Bug#991269: guymager: "AvoidEncaseProblems" is set to off in config file

Package: guymager Version: 0.8.12-1 Severity: important Tags: patch X-Debbugs-Cc: z...@zack.idv.hk Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? I believe the root cause is the default config file

Bug#991268: aptitude should provide an option to install packages from lower priority repos (backports, experimental) if the runtime dependency specify a version that can be satisfied only with these

Package: aptitude Severity: important Version: 0.8.13-3 aptitude already provide such an option for choosing build dependencies when building for backports or experimental, it would be great if there is an option for runtime dependencies as well. Currently we have 3 options, 1. aptitude -t

Bug#991133: parallel building is the problem

tags 991133 +pending -help quit Hi, Right, the issue is that the Makefile isn't parallel-build safe (see e.g. the re-entrant calls of Make for building the concordance); Helmut's cross-building patch replaced $(MAKE) all (not parallel) with some dh_auto_build calls (parallel), and that's

Bug#991267: pg_config.h leaks internal macros

Package: libpq-dev Version: 14~beta2-1 pg_config.h is a public header and needed if an application wants to check the version number at compile time. However, in version 14, it leaks a lot of internal PostgreSQL macros, e.g. OPENSSL_API_COMPAT which breaks applications using OpenSSL directly:

Bug#991133: dh_strip seems to be to blame

On 19/07/2021 09:56, Matthew Vernon wrote: Hi, More on this; a nostrip build works. If I take the unstripped executible and strip it as I did in 4.31 (install -s), then the resulting stripped executible also works. So dh_strip (version in bullseye) is stripping too much out of the

Bug#989010: linux-image-5.10.0-7-amd64: No display (post, grub, boot messages and desktop) after the upgrade to 5.10.38

Source: linux Followup-For: Bug #989010 X-Debbugs-Cc: pitsior...@gmail.com One thing I noticed this weekend. Time it took for 5.10.38/40 to reach testing from unstable: 7 days, despite this awful bug here. Time it took for 5.10.46 to reach testing from unstable: 20+ days and still counting.

Bug#991133: bible-kjv: Search no longer works after upgrading to Bullseye

severity 991133 important tags 991133 +help quit bible(KJV) [Gen1:1]> ??hath Searching for 'hath'... not found. Huh. Thanks for reporting this. If I build 4.32 on my (old-)stable system, this works. Similarly, if I build 4.30 on my bullseye system, this works. 4.31 building on bullseye

Bug#991133: dh_strip seems to be to blame

Hi, More on this; a nostrip build works. If I take the unstripped executible and strip it as I did in 4.31 (install -s), then the resulting stripped executible also works. So dh_strip (version in bullseye) is stripping too much out of the executible and that's breaking the search. dh_strip

Bug#991259: b4: fails with dns.exception.Timeout

Hello, On 7/18/21 10:38 PM, Uwe Kleine-König wrote: I wiresharked the DNS traffic and found out that my provider's DNS server doesn't reply "big" queries without edns: $ dig +noedns fm3._domainkey.messagingengine.com TXT ;; Truncated, retrying in TCP mode. ;;

Bug#991263: libparted2: libparted assertion fails on resizing a certain sun partition table

Package: libparted2 Version: 3.4-1 Severity: normal X-Debbugs-Cc: rincebr...@gmail.com Like it says on the tin - I noticed my drive's partition table was smaller than the drive, tried to resizepart, and boom. I'm assuming I input a somehow invalid value, but an assertion failure was not the