Bug#1053548: check-patroni: does not work well with current Patroni

2024-04-14 Thread David Prévot
Hi Michael,

On Fri, Dec 15, 2023 at 02:31:23PM +0100, David Prevot wrote:
> On 2023-12-04 16:59, Michael Banck wrote:
[…]
> > So, what are your plans? I can offer to take over the packaging of
> > check-patroni as part of the Postgres team; I'd move the git to
> > salsa.debian.org/postgresql and merge in a few of the things I did
> > differently.
> 
> Sounds good to me, thanks!

FYI, I uploaded the latest version just because I noticed it, but still
agree with your plan of taking over under /postgresql whenever you wish.

Regards,

taffit


signature.asc
Description: PGP signature


Bug#1065057: bookworm-pu: package php-composer-xdebug-handler/3.0.3-2+deb12u1

2024-03-28 Thread David Prévot
Hi Adam,

On Mon, Mar 25, 2024 at 06:44:54PM +, Adam D. Barratt wrote:
> On Thu, 2024-02-29 at 11:18 +0100, David Prévot wrote:
> > This is a follow up from composer/DSA-5632-1.
[…]
> +  * Track debian/bookworm-security
> 
> Even though this update isn't going to the security archive?

Well, the debian/bookworm branch has already been published, and is
related to version 2 that was (once) the targeted version for Bookworm.
Version 3 was finally pushed to unstable before Bookworm got released
and this old debian/bookworm was forgotten until now. I decided to use
another branch name for this upload instead of messing with Git history
(after all, it’s just a branch name), but I agree it’s a bit of a mess.

Regards,

taffit




Bug#1065056: bookworm-pu: package php-composer-class-map-generator/1.0.0-2+deb12u1

2024-03-28 Thread David Prévot
Hi Adam,

On Mon, Mar 25, 2024 at 06:43:31PM +, Adam D. Barratt wrote:
> On Thu, 2024-02-29 at 11:10 +0100, David Prévot wrote:
> > [1/9 for bookworm]
> > 
> > This is a follow up from composer/DSA-5632-1.
[…]
> All 9 of them. :-/

Yay, sorry about that…

> Please go ahead.

Thanks! All related packages have been uploaded.

Regards,

taffit




Bug#1067655: RM: php-league-uri-interfaces -- ROM; Superseded by php-league-uri-src

2024-03-25 Thread David Prévot
Control: affects -1 + src:php-league-uri-interfaces

On Mon, Mar 25, 2024 at 09:15:11AM +0100, David Prévot wrote:
[…]
> Hi,
> 
> Please remove the 

php-league-uri-interfaces source package.

The php-league-uri-interfaces binary package is now built by
php-league-uri-src, so the php-league-uri-interfaces source package has
become useless.

Regards,

taffit




Bug#1067656: RM: php-league-uri -- ROM; Superseded by php-league-uri-src

2024-03-25 Thread David Prévot
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: php-league-...@packages.debian.org
Control: affects -1 + src:php-league-uri-src
Control: affects -1 + src:php-league-uri
User: ftp.debian@packages.debian.org
Usertags: remove

Hi,

The php-league-uri binary package is now built by php-league-uri-src, so
the php-league-uri source package has become useless.

Regards,

taffit




Bug#1067655: RM: php-league-uri-interfaces -- ROM; Superseded by php-league-uri-src

2024-03-25 Thread David Prévot
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: php-league-uri-...@packages.debian.org
Control: affects -1 + src:php-league-uri-src
User: ftp.debian@packages.debian.org
Usertags: remove

Hi,

Please remove the 




Bug#1065720: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-text-wiki
Version: 1.2.1-3.1
Severity: serious

php-text-wiki has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#1065719: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-net-dime
Version: 1.0.2-3.1
Severity: serious

php-net-dime has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#1065718: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-net-nntp
Version: 1.5.0-2.1
Severity: serious

php-net-nntp has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David





Bug#1065716: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-letodms-core
Version: 3.4.2-1.1
Severity: serious

php-letodms-core has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1065717: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-http-webdav-server
Version: 1.0.0RC8-1.1
Severity: serious

php-http-webdav-server has no reverse dependencies anymore. We should
probably not ship this package in Trixie (not sure if we actually want
to remove it from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1065712: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-net-whois
Version: 1.0.5-3.2
Severity: serious
X-Debbugs-Cc: Debian PHP PEAR Maintainers 

[ Filed as RC by a Debian PHP PEAR Maintainers team member to see this
  package auto-removed from testing. ]

php-net-whois has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm, Bullseye, etc.)

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David





Bug#1065710: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: debpear
Version: 0.5+nmu1
Severity: serious

[ Filed as RC by a team member to see this package auto-removed from
  testing. ]

debpear has no reverse dependencies, has not seen any development in the
last ten years, and has a decreasing popcon (probably linked to the
decreasing interest in PEAR as a way to distribute PHP packages compared
to Composer). We should probably not ship this package in Trixie (not
sure if it is worth removing from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1065708: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-validate
Version: 0.8.5-4.2
Severity: serious
X-Debbugs-Cc: Debian PHP PEAR Maintainers 

[ Filed as RC by a Debian PHP PEAR Maintainers team member to see this
  package auto-removed from testing. ]

php-validate has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm, Bullseye, etc.)

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1041477: php-net-ftp: PHP Fatal error with Bookworm PHP 8.2

2024-03-09 Thread David Prévot
control: tags -1 serious

Hi Benjamin,

Thank you for the report, and apologies nobody came back to you sooner.

On Wed, Jul 19, 2023 at 11:24:44AM +, Benjamin Renard wrote:
> Package: php-net-ftp
> Version: 1:1.4.0-2.1
[…]
> This package seems not compatible with the PHP 8.2 version included in
> Debian Bookworm.

Also, this package has no reverse dependencies. Given the amount of care
it brought in the last few years, I believe it should be removed from
the archive. Bumping the severity to see it removed from testing ASAP,
maybe it should also be removed from (at least) Bookworm.

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1065707: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: libphp-snoopy
Version: 2.0.0-3
Severity: serious


[ Filed as RC by a team member to see this package auto-removed from
  testing. ]

libphp-snoopy has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm and Bullseye).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1065705: Useless in Debian nowadays

2024-03-09 Thread David Prévot
Package: php-mdb2
Version: 2.5.0b5-2.1
Severity: serious

[ Filed as RC by a team member to see this package auto-removed from
  testing. ]

php-mdb2 has no reverse dependencies anymore (except for
php-mdb2-driver-pgsql and php-mdb2-driver-mysql that are also targeted
by this bug report). We should probably not ship these packages in
Trixie (not sure if we actually want to remove them from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David




Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

2024-03-09 Thread David Prévot
Hi,

On Wed, Feb 21, 2024 at 08:19:06AM +0100, David Prévot wrote:

> […] I wish to
> proceed with the transition during the next MiniDebCampHamburg happening
> early March (in less than two weeks).
> 
> https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg

And that’s done (in unstable)! It needed some last minute tweaking for
debci mostly, but the [excuses] page looks good now. I expect the only
blockers will be removal (or fix) of php-laravel-lumen-framework and
php-laravel-framework (autoremoval expected March 14 and April 7
respectively, sooner if the release team uses some magic).

excuses: https://qa.debian.org/excuses.php?package=symfony

Thanks to everyone involved!

I intend to follow up with some more major version bump on packages that
were waiting for Symfony (php-psr-link, php-psr-log, php-email-validator
and some packages from the Doctrine stack…). The next big transition in
PHP libraries before Trixie may be PHPUnit 11 if we manage to pull it
off.

Cheers,

taffit




Bug#1065497: Please allow php-psr-log 3

2024-03-06 Thread David Prévot
Hi Sunil,

On Tue, Mar 05, 2024 at 02:47:18PM -0800, Sunil Mohan Adapa wrote:
> On Tue, 5 Mar 2024 14:48:49 +0100 David Prévot wrote:
> > Package: php-klogger
> > Version: 1.2.2-2
> > Severity: important
[…]
> > Please, test your package with php-psr-log 3 and […]
> > […] upload to experimental a fix to make your packages work with
> > php-psr-log 3 (so we can easily upload it to unstable in sync with
> > php-psr-log 3).
> 
> I have a patch available for making php-klogger depend on php-psr-log >= 3.0.

Thanks for the quick follow up!

> However, it does not work with php-psr-log 1.x anymore. So I don't know how
> the two packages can be uploaded together.

That’s fine, the patched version of php-klogger can be uploaded to
experimental now (so we may detect eventual regressions), and once we’re
ready, we just have to upload php-psr-log 3 and the patched version of
php-klogger in sync.

Regards,

taffit




Bug#1065497: Please allow php-psr-log 3

2024-03-05 Thread David Prévot
Package: php-klogger
Version: 1.2.2-2
Severity: important

Hi James, Sunil,

AFAICT, php-klogger is the only blocker preventing php-psr-log 3 upload
to unstable. php-psr-log 3 is available in experimental since 2021, and
recent php-psr-log will be needed for the php-monolog 3 transition.

Please, test your package with php-psr-log 3 and relax the versioned
dependency if you manage to make your package work with any php-psr-log
version, or upload to experimental a fix to make your packages work with
php-psr-log 3 (so we can easily upload it to unstable in sync with
php-psr-log 3).

TIA.

Cheers,

taffit




Bug#1063721: spip: has stopped working, complains about PHP version being ‘too recent’

2024-03-04 Thread David Prévot
control: severity -1 serious
control: found -1 4.1.15+dfsg-1

Hi,

On Sun, Feb 11, 2024 at 07:30:39PM +0100, Axel wrote:
> Package: spip
> Version: 4.1.9+dfsg-1+deb12u4
> Severity: important
[…]
> after the upgrade, I could not log in to my site anymore. […] …/ecrire shows:
> 
> “This installation will probably fail, or damage your site. PHP version 8.2.7 
> too recent (maximum = 8.1.99)”

Ouch, thanks for the feedback, I was able to reproduce the issue on a new
install (it also breaks on new installation…), I assume changing
_PHP_MAX to 8.2.99 in /usr/share/spip/ecrire/inc_version.php should
allow one to work around this issue.

Regards,

taffit




Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot
On Sat, Mar 02, 2024 at 11:22:22AM +0100, David Prévot wrote:
[…]
>   [x] attach debdiff against the package in oldstable

Second try.

diff -Nru php-phpseclib-2.0.30/debian/changelog php-phpseclib-2.0.30/debian/changelog
--- php-phpseclib-2.0.30/debian/changelog	2023-12-31 15:36:22.0 +0100
+++ php-phpseclib-2.0.30/debian/changelog	2024-02-27 21:15:41.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.30-2+deb11u2) bullseye; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Tue, 27 Feb 2024 21:15:41 +0100
+
 php-phpseclib (2.0.30-2+deb11u1) bullseye-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9df0bf0..bbe7c86 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
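Review bot: `$a` is undefined in getLength(): the MATH_BIGINTEGER_MODE_INTERNAL branch evaluates `ceil(log($a->value[$max] + 1, 2))`, which emits a notice/warning, makes the top limb contribute 0 bits and so under-counts the length by up to MATH_BIGINTEGER_BASE bits; it should be `$this->value[$max]`. The changelog lists a separate "BigInteger: fix getLength()" backport; please check it corrects exactly this line, otherwise the 8196-bit guardrails in randomPrime() and isPrime() below are off for pure-PHP builds. Minor: ceil() returns a float, so `@return int` on both new methods is inaccurate.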
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
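Review bot: the size check in randomPrime() does not stop anything: user_error() raises an E_USER_NOTICE by default and execution continues, so an oversized range still goes through prime generation unless the application's error handler throws. Add `return false;` right after the user_error() call so the check actually bounds the work. The message is also missing its unit ("larger than 8196 bits").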
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
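Review bot: two problems in the isPrime() hunk. First, the same fall-through as in randomPrime(): user_error() does not abort, so the Miller-Rabin rounds still run on the oversized input and the DoS this CVE is about is only mitigated when an error handler throws; add `return false;` after the user_error() call. Second, the removed line measured `$length` in bytes (`strlen($this->toBytes())`) while the new one measures it in bits; if `$length` is what the HAC 4.49 round-count selection in the trailing context is keyed on, as the original byte-based assignment suggests, a 1024-bit number now reads as 1024 rather than 128 and gets fewer Miller-Rabin rounds than before. Keep the bit length in a separate variable for the guard and leave `$length` in bytes. The comment's arithmetic is also off: two 8196-bit primes give a 16392-bit modulus, while OpenSSL's 16384-bit limit corresponds to 8192-bit primes; whichever value is intended must match the constant used in randomPrime().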
diff -Nru php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,48 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream, https

Bug#1065268: bullseye-pu: package phpseclib/1.0.19-3+deb11u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065264 for bookworm.

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.19/debian/autoload.php.tpl phpseclib-1.0.19/debian/autoload.php.tpl
--- phpseclib-1.0.19/debian/autoload.php.tpl	2023-12-31 15:43:05.0 +0100
+++ phpseclib-1.0.19/debian/autoload.php.tpl	2024-02-27 21:27:58.0 +0100
@@ -1,7 +1,7 @@
   Tue, 27 Feb 2024 21:27:58 +0100
+
 phpseclib (1.0.19-3+deb11u1) bullseye-security; urgency=medium
 
   * Track bullseye
diff -Nru phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 35df7ad..1dd4729 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
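Review bot: `$a` is never defined in getLength(), so in internal mode `ceil(log($a->value[$max] + 1, 2))` emits a notice/warning and counts 0 bits for the top limb, under-counting the length by up to MATH_BIGINTEGER_BASE bits; it should be `$this->value[$max]`. Please verify that the "BigInteger: fix getLength()" patch listed in the changelog fixes this line, since the guardrails in randomPrime() and isPrime() rely on this value. Also, ceil() returns a float, so `@return int` is inaccurate on both new methods.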
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
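Review bot: user_error() only emits an E_USER_NOTICE under the default handler and execution continues, so this randomPrime() check never prevents generation of an oversized prime unless the caller's error handler throws; add `return false;` after the user_error() call. The message should also state the unit ("8196 bits").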
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
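Review bot: after user_error() the isPrime() test still proceeds on the oversized number, so the guard only helps when an error handler throws; add `return false;` after it. Separately, `$length` changes from bytes (`strlen($this->toBytes())`) to bits here, and if the HAC 4.49 round-count table in the following context is keyed on `$length` as the removed byte-based line suggests, the number of Miller-Rabin rounds selected for a given size changes; keep the bit length in its own variable for the guard. The comment's numbers do not add up either: two 8196-bit primes yield a 16392-bit modulus, and a 16384-bit OpenSSL limit corresponds to 8192-bit primes; the chosen constant must match the one in randomPrime().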
Binary files /tmp/q2874tUZtM/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch and /tmp/8dbXhTc93J/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch differ
diff -Nru phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch
--- phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,31 @@
+From: terrafrost 
+Date: Sat, 24 

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065263 for bookworm.

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit




Bug#1065264: bookworm-pu: package phpseclib/1.0.20-1+deb12u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.20/debian/changelog phpseclib-1.0.20/debian/changelog
--- phpseclib-1.0.20/debian/changelog	2023-12-31 11:37:21.0 +0100
+++ phpseclib-1.0.20/debian/changelog	2024-02-26 22:58:32.0 +0100
@@ -1,3 +1,13 @@
+phpseclib (1.0.20-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- ASN1: limit OID length [CVE-2024-27355]
+- BigInteger: fix getLength()
+  * Force system dependencies loading
+
+ -- David Prévot   Mon, 26 Feb 2024 22:58:32 +0100
+
 phpseclib (1.0.20-1+deb12u1) bookworm-security; urgency=medium
 
   * Track Bookworm
diff -Nru phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 22:58:32.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 961e6ca..5f6b8f3 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
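Review bot: `$a->value[$max]` in getLength() references an undefined `$a`; in MATH_BIGINTEGER_MODE_INTERNAL this emits a notice/warning and counts 0 bits for the top limb, so the result is short by up to MATH_BIGINTEGER_BASE bits. It should read `$this->value[$max]`. The changelog's "BigInteger: fix getLength()" entry presumably covers this; please confirm, because the 8196-bit checks in randomPrime() and isPrime() depend on it. Minor: ceil() yields a float, so `@return int` is wrong on both methods.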
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
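Review bot: this randomPrime() guard is advisory only: user_error() raises an E_USER_NOTICE by default and execution continues into prime generation for the oversized range. Add `return false;` directly after the user_error() call, and include the unit in the message ("8196 bits").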
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
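Review bot: the isPrime() guard falls through after user_error(), so the Miller-Rabin loop still runs on the oversized input unless an error handler throws; add `return false;` after the call. Also, `$length` was in bytes (`strlen($this->toBytes())`) and is now in bits; if the HAC 4.49 round-count selection in the context below keys on `$length`, as the original assignment suggests, the round count chosen for a given size changes, so keep the bit length in a separate variable for the guard. The comment is internally inconsistent as well: two 8196-bit primes give 16392 bits, not 16384; OpenSSL's 16384-bit limit implies 8192-bit primes. Whatever constant is kept must match randomPrime().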
Binary files /tmp/iyz_ted7Do/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch and /tmp/6XyXWtF89o/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch differ
diff -Nru phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patch phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patc

Bug#1065263: bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib-2.0.42/debian/changelog php-phpseclib-2.0.42/debian/changelog
--- php-phpseclib-2.0.42/debian/changelog	2023-12-31 11:49:50.0 +0100
+++ php-phpseclib-2.0.42/debian/changelog	2024-02-26 23:23:19.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.42-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Mon, 26 Feb 2024 23:23:19 +0100
+
 php-phpseclib (2.0.42-1+deb12u1) bookworm-security; urgency=medium
 
   * Track bookworm
diff -Nru php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 23:23:19.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 81b69ac..fd9cd57 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
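Review bot: getLength() uses `$a->value[$max]` but `$a` does not exist in this method; in internal mode that emits a notice/warning and the top limb counts as 0 bits, under-counting by up to MATH_BIGINTEGER_BASE bits. Replace with `$this->value[$max]`, and confirm that the "BigInteger: fix getLength()" backport in the changelog is what corrects this, since randomPrime() and isPrime() below rely on getLength() for their 8196-bit guardrails. Minor: both new methods return ceil() floats while documented as `@return int`.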
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
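Review bot: the user_error() call in randomPrime() does not abort under PHP's default error handling (E_USER_NOTICE), so generation of an oversized prime proceeds anyway; add `return false;` right after it so the guard actually limits the work. The message should also say "8196 bits".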
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
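Review bot: same problem as in randomPrime(): user_error() returns and the primality test below still runs on the oversized input, so this hunk on its own does not close the CVE-2024-27354 resource-exhaustion path; add `return false;` after the user_error() call. The comment's arithmetic is also off: the product of two 8196-bit primes is 16391 or 16392 bits, so the prime size matching "OpenSSL limits RSA keys to 16384 bits" is 8192, not 8196, and the check as written is four bits looser than its stated rationale.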
diff -Nru php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00

Bug#1065261: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/autoload.php.tpl php-phpseclib3-3.0.19/debian/autoload.php.tpl
--- php-phpseclib3-3.0.19/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/autoload.php.tpl	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,31 @@
+  Tue, 27 Feb 2024 21:58:00 +0100
+
 php-phpseclib3 (3.0.19-1+deb12u2) bookworm-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib3-3.0.19/debian/clean php-phpseclib3-3.0.19/debian/clean
--- php-phpseclib3-3.0.19/debian/clean	2023-12-31 12:13:49.0 +0100
+++ php-phpseclib3-3.0.19/debian/clean	2024-02-27 21:58:00.0 +0100
@@ -1,6 +1,7 @@
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+ParagonIE
 phpseclib/autoload.php
 phpseclib3
+random_compat
 tests/.phpunit.result.cache
 vendor/
diff -Nru php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,42 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:38:47 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0358eb163c55a9fd7b3848b9ecc83f6b9e49dbf5
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger/Engines/Engine.php | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/phpseclib/Math/BigInteger/Engines/Engine.php b/phpseclib/Math/BigInteger/Engines/Engine.php
+index 2b00bc3..3a735e7 100644
+--- a/phpseclib/Math/BigInteger/Engines/Engine.php
 b/phpseclib/Math/BigInteger/Engines/Engine.php
+@@ -781,6 +781,11 @@ abstract class Engine implements \JsonSerializable
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Generation of random prime numbers larger than 8196 has been disabled ($length)");
++}
++
+ $x = static::randomRange($min, $max);
+ 
+ return static::randomRangePrimeInner($x, $min, $max);
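Review bot: throwing here is the right shape for 3.x, since it actually aborts the call, but the message omits the unit: "larger than 8196" should read "larger than 8196 bits" to match the isPrime() message in the next hunk. It is also a behaviour change for callers that previously got a result for any bound size, so it deserves a mention in the changelog entry.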
+@@ -985,6 +990,15 @@ abstract class Engine implements \JsonSerializable
+  */
+ public function isPrime($t = false)
+ {
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++$length = $this->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Primality testing is not supported for numbers larger than 8196 bits ($length)");
++}
++
+ if (!$t) {
+ $t = $this->setupIsPrime();
+ }
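Review bot: the comment's arithmetic does not match the constant: two 8196-bit primes multiply to a 16391- or 16392-bit modulus, so the prime size corresponding to a 16384-bit OpenSSL RSA limit is 8192. With `> 8196` the guard is a few bits looser than the rationale says; either adjust the comment or use 8192. Placing the check before the `$t` setup is fine, as nothing below it is reached for rejected input.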
diff -Nru php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch
--- php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,46 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:42:27 -0600
+Subject: Tests: add unit test for EC pub key with excessively large integer
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/e17409a3e39baf7c8ed9635c04130802463b117b
+---
+ tests/Unit/File/X509/X509Test.php|  12 
+ tests/Unit/File/X509/mal-cert-01.der | Bin 0 -> 

Bug#1065079: bullseye-pu: package php-doctrine-annotations/1.11.2-1+deb11u1

2024-02-29 Thread David Prévot
Le Thu, Feb 29, 2024 at 03:06:35PM +0100, David Prévot a écrit :
>   [x] attach debdiff against the package in (old)stable

One more time…
diff -Nru php-doctrine-annotations-1.11.2/debian/autoload.php.tpl php-doctrine-annotations-1.11.2/debian/autoload.php.tpl
--- php-doctrine-annotations-1.11.2/debian/autoload.php.tpl	2020-11-26 19:54:10.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/autoload.php.tpl	2024-02-18 12:30:56.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 12:32:47 +0100
+
 php-doctrine-annotations (1.11.2-1) unstable; urgency=medium
 
   [ Grégoire Paris ]
diff -Nru php-doctrine-annotations-1.11.2/debian/clean php-doctrine-annotations-1.11.2/debian/clean
--- php-doctrine-annotations-1.11.2/debian/clean	2020-11-26 19:54:10.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/clean	2024-02-18 12:31:13.0 +0100
@@ -1,3 +1,7 @@
 .phpunit.result.cache
 lib/Doctrine/Common/Annotations/autoload.php
+lib/Doctrine/Common/Cache
+lib/Doctrine/Common/Lexer
+lib/Psr
+lib/Symfony
 vendor/
diff -Nru php-doctrine-annotations-1.11.2/debian/control php-doctrine-annotations-1.11.2/debian/control
--- php-doctrine-annotations-1.11.2/debian/control	2021-02-20 14:32:25.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/control	2024-02-18 12:29:35.0 +0100
@@ -10,7 +10,7 @@
phpab,
phpunit
 Standards-Version: 4.5.1
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-annotations
 Homepage: https://www.doctrine-project.org/projects/annotations.html
 Rules-Requires-Root: no
diff -Nru php-doctrine-annotations-1.11.2/debian/gbp.conf php-doctrine-annotations-1.11.2/debian/gbp.conf
--- php-doctrine-annotations-1.11.2/debian/gbp.conf	2021-02-20 14:25:27.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/gbp.conf	2024-02-18 12:29:42.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-doctrine-annotations-1.11.2/debian/rules php-doctrine-annotations-1.11.2/debian/rules
--- php-doctrine-annotations-1.11.2/debian/rules	2021-02-20 14:32:22.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/rules	2024-02-18 12:31:33.0 +0100
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	dh $@ -XCommon/Cache -XCommon/Lexer -Xlib/Psr -XSymfony
 
 override_dh_auto_build:
 	phpab \
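Review bot: `-X` on the dh sequencer is a substring match handed to every dh_* command that accepts it, so `-XSymfony` and `-XCommon/Cache` exclude any path containing those strings, not just the four symlinks created in override_dh_auto_build. That is safe here only as long as nothing under lib/Doctrine/Common/Annotations contains those substrings; more specific patterns such as `-Xlib/Doctrine/Common/Cache -Xlib/Symfony` would make the intent explicit and avoid surprises on future uploads.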
@@ -9,6 +9,10 @@
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Common/Annotations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Doctrine/Common/Cache lib/Doctrine/Common
+	ln -s /usr/share/php/Doctrine/Common/Lexer lib/Doctrine/Common
+	ln -s /usr/share/php/Psr lib
+	ln -s /usr/share/php/Symfony lib
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \
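Review bot: `ln -s` does not check that its target exists, so the four links under /usr/share/php only resolve if php-doctrine-cache, php-doctrine-lexer, the Psr packages and the Symfony components are installed in the build chroot. The control hunk in this debdiff only changes Vcs-Git, so this relies on them already being in Build-Depends for the test suite; worth confirming, because a dangling link would not fail this step, it would only surface later as unresolved classes when the tests run.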


signature.asc
Description: PGP signature


Bug#1065079: bullseye-pu: package php-doctrine-annotations/1.11.2-1+deb11u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-doctrine-annotati...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-doctrine-annotations
User: release.debian@packages.debian.org
Usertags: pu

[6/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065065 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Annotations/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  



Bug#1065077: bullseye-pu: package php-zend-code/4.0.0-2+deb11u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-zend-c...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-zend-code
User: release.debian@packages.debian.org
Usertags: pu

[5/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065062 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Laminas/Code/autoload.php
│ │ │ @@ -1,14 +1,12 @@
│ │ │  diff -Nru php-zend-code-4.0.0/debian/autoload.php.tpl php-zend-code-4.0.0/debian/autoload.php.tpl
--- php-zend-code-4.0.0/debian/autoload.php.tpl	2021-01-11 20:28:16.0 +0100
+++ php-zend-code-4.0.0/debian/autoload.php.tpl	2024-02-18 12:20:19.0 +0100
@@ -1,10 +1,8 @@
   Sun, 18 Feb 2024 12:21:22 +0100
+
 php-zend-code (4.0.0-2) unstable; urgency=medium
 
   * Upload to unstable in sync with (reverse-)dependencies
diff -Nru php-zend-code-4.0.0/debian/clean php-zend-code-4.0.0/debian/clean
--- php-zend-code-4.0.0/debian/clean	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/clean	2024-02-18 12:18:12.0 +0100
@@ -1,4 +1,5 @@
 .phpunit.result.cache
+Doctrine
 src/autoload.php
 vendor/
 Laminas/
diff -Nru php-zend-code-4.0.0/debian/control php-zend-code-4.0.0/debian/control
--- php-zend-code-4.0.0/debian/control	2021-01-03 18:08:00.0 +0100
+++ php-zend-code-4.0.0/debian/control	2024-02-18 12:13:21.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://docs.laminas.dev/laminas-code/
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-zend-code
 Rules-Requires-Root: no
 
diff -Nru php-zend-code-4.0.0/debian/gbp.conf php-zend-code-4.0.0/debian/gbp.conf
--- php-zend-code-4.0.0/debian/gbp.conf	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/gbp.conf	2024-02-18 12:13:27.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff -Nru php-zend-code-4.0.0/debian/rules php-zend-code-4.0.0/debian/rules
--- php-zend-code-4.0.0/debian/rules	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/rules	2024-02-18 12:21:22.0 +0100
@@ -7,7 +7,10 @@
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Laminas
-	ln -s ../src Laminas/Code
+	cp -r src Laminas/Code
+	ln -s /usr/share/php/Doctrine .
+	ln -s /usr/share/php/Laminas/EventManager Laminas
+	ln -s /usr/share/php/Laminas/Stdlib Laminas
 	phpab	--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \
 		test
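Review bot: `cp -r src Laminas/Code` replaces a symlink with a snapshot of src, which is fine because phpab has already written src/autoload.php in the lines above, but any file generated after this point would not appear in the copy. Note also that `cp -r` without `-T` nests into an existing Laminas/Code directory; that is only safe because `Laminas/` is already in debian/clean, so an unclean rebuild is the one case to watch.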




Bug#1065076: bullseye-pu: package php-proxy-manager/2.11.1+1.0.3-1+deb11u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-proxy-mana...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-proxy-manager
User: release.debian@packages.debian.org
Usertags: pu

[4/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065061 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/ProxyManager/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl
--- php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl	2024-02-18 12:10:10.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 12:10:39 +0100
+
 php-proxy-manager (2.11.1+1.0.3-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/clean php-proxy-manager-2.11.1+1.0.3/debian/clean
--- php-proxy-manager-2.11.1+1.0.3/debian/clean	2021-01-15 03:02:22.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/clean	2024-02-18 12:10:10.0 +0100
@@ -1,4 +1,6 @@
 .phpunit.result.cache
-ProxyManager
+Laminas
+ProxyManager/
 src/ProxyManager/autoload.php
+Symfony
 vendor/
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/control php-proxy-manager-2.11.1+1.0.3/debian/control
--- php-proxy-manager-2.11.1+1.0.3/debian/control	2021-01-27 21:03:45.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/control	2024-02-18 12:10:10.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://github.com/FriendsOfPHP/proxy-manager-lts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/lts
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-proxy-manager
 Rules-Requires-Root: no
 
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf
--- php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf	2024-02-18 12:10:10.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/lts
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 upstream-branch = upstream-lts
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch
--- php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2024-02-18 12:10:10.0 +0100
@@ -3,22 +3,23 @@
 Subject: Also skip system classes during tests
 
 ---
- tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 2 ++
- 1 file changed, 2 insertions(+)
+ tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-index 146eeb0..abded91 100644
+index 146eeb0..37cceb8 100644
 --- a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
 +++ b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-@@ -112,6 +112,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -112,6 +112,8 @@ final class FatalPreventionFunctionalTest extends TestCase
  realpath(__DIR__ . '/../../../src'),
  realpath(__DIR__ . '/../../../vendor'),
  realpath(__DIR__ . '/../../ProxyManagerTest'),
++realpath(__DIR__ . '/../../../ProxyManager'),
 +realpath('/usr/share/php'),
  ];
  
  return array_filter(
-@@ -138,6 +139,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -138,6 +140,7 @@ final class FatalPreventionFunctionalTest extends TestCase
  
  if (strpos($realPath, $skippedPath) === 0) {
  // skip classes defined within ProxyManager, vendor or the test suite
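Review bot: adding `realpath(__DIR__ . '/../../../ProxyManager')` to the skip list is needed because debian/rules now copies src/ProxyManager into the top level instead of symlinking it, so realpath() no longer maps those files back to `../../../src`. A one-line mention of that copy-versus-symlink reason in the patch description would stop a future uploader from dropping the entry as redundant.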
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/rules php-proxy-manager-2.11.1+1.0.3/debian/rules
--- php-proxy-manager-2.11.1+1.0.3/debian/rules	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/rules	2024-02-18 12:10:10.0 +0100
@@ -15,7 +15,9 @@
 		tests/ProxyManagerTest \
 		tests/ProxyManagerTestAsset \
 		tests/Stubbed/Laminas/Server
-	ln -s src/ProxyManager .
+	cp 

Bug#1065075: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u5

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: symf...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:symfony
User: release.debian@packages.debian.org
Usertags: pu

[3/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065059 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release. It also adds an upstream patch in order to fix the
testsuite, already referenced via #1061033 in Debian.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache.

│ │ ├── ./usr/share/php/Symfony/Component/Cache/autoload.php
│ │ │ @@ -1,14 +1,13 @@
│ │ │  diff -Nru symfony-4.4.19+dfsg/debian/autoload.php 
symfony-4.4.19+dfsg/debian/autoload.php
--- symfony-4.4.19+dfsg/debian/autoload.php 2023-11-11 19:09:20.0 
+0100
+++ symfony-4.4.19+dfsg/debian/autoload.php 2024-02-18 10:59:51.0 
+0100
@@ -1,76 +1,76 @@
   Sun, 18 Feb 2024 10:59:51 +0100
+
 symfony (4.4.19+dfsg-2+deb11u4) bullseye; urgency=medium
 
   * [Mime] regenerate test certificates (Closes: #1034854)
diff -Nru symfony-4.4.19+dfsg/debian/clean symfony-4.4.19+dfsg/debian/clean
--- symfony-4.4.19+dfsg/debian/clean2023-11-11 19:09:20.0 +0100
+++ symfony-4.4.19+dfsg/debian/clean2024-02-18 10:59:51.0 +0100
@@ -1,5 +1,6 @@
 .phpunit.result.cache
 CHANGELOG
+build/
 debian/autoloaders/
 debian/packages_to_build/
 vendor/
diff -Nru 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
--- 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
1970-01-01 01:00:00.0 +0100
+++ 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
2024-02-18 10:59:51.0 +0100
@@ -0,0 +1,35 @@
+From: Christian Flothmann 
+Date: Tue, 2 Jan 2024 08:56:56 +0100
+Subject: make sure that the submitted year is an accepted choice
+
+Origin: upstream, 
https://github.com/symfony/symfony/commit/64f675ced4c60a67f564608fb598dc27ea3de9f6
+Bug-Debian: https://bugs.debian.org/1061033
+---
+ .../Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php| 1 +
+ src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php| 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git 
a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php 
b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
+index 506ec11..3016069 100644
+--- a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
 b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
+@@ -701,6 +701,7 @@ class DateTimeTypeTest extends BaseTypeTest
+ $form = $this->factory->create(static::TESTED_TYPE, null, [
+ 'widget' => $widget,
+ 'empty_data' => $emptyData,
++'years' => range(2018, (int) date('Y')),
+ ]);
+ $form->submit(null);
+ 
+diff --git 
a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php 
b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
+index 5891cc0..893fac1 100644
+--- a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
 b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
+@@ -1021,6 +1021,7 @@ class DateTypeTest extends BaseTypeTest
+ $form = $this->factory->create(static::TESTED_TYPE, null, [
+ 'widget' => $widget,
+ 'empty_data' => $emptyData,
++'years' => range(2018, (int) date('Y')),
+ ]);
+ $form->submit(null);
+ 
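Review bot: both hunks adjust only the test fixture (DateType and DateTimeType themselves are untouched), which is consistent with #1061033 being a testsuite-only failure. Pinning `years` to `range(2018, (int) date('Y'))` keeps 2018 among the accepted choices whatever the build date, so this is a clock-independent fix rather than a skipped test.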
diff -Nru symfony-4.4.19+dfsg/debian/patches/series 
symfony-4.4.19+dfsg/debian/patches/series
--- symfony-4.4.19+dfsg/debian/patches/series   2023-11-11 19:09:20.0 
+0100
+++ symfony-4.4.19+dfsg/debian/patches/series   2024-02-18 10:59:51.0 
+0100
@@ -24,3 +24,4 @@
 Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch
 Mime-regenerate-test-certificates.patch
 TwigBridge-Ensure-CodeExtension-s-filters-properly-escape.patch
+make-sure-that-the-submitted-year-is-an-accepted-choice.patch
diff -Nru 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch
--- 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch   
2023-11-11 19:09:20.0 +0100
+++ 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch   
2024-02-18 10:59:51.0 +0100
@@ -4,11 +4,11 @@
 
 Forwarded: no
 ---
- src/Symfony/Component/VarDumper/Resources/bin/var-dump-server | 8 
- 1 file 

Bug#1065071: bullseye-pu: package php-symfony-contracts/1.1.10-2+deb11u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-symfony-contra...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-symfony-contracts
User: release.debian@packages.debian.org
Usertags: pu

[2/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065058 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache-contracts.

│ │ ├── ./usr/share/php/Symfony/Contracts/Cache/autoload.php
│ │ │ @@ -1,13 +1,11 @@
│ │ │  diff -Nru php-symfony-contracts-1.1.10/debian/changelog php-symfony-contracts-1.1.10/debian/changelog
--- php-symfony-contracts-1.1.10/debian/changelog	2020-09-15 22:17:37.0 +0200
+++ php-symfony-contracts-1.1.10/debian/changelog	2024-02-18 11:57:14.0 +0100
@@ -1,3 +1,9 @@
+php-symfony-contracts (1.1.10-2+deb11u1) bookworm; urgency=medium
+
+  * Force system dependencies loading
+
+ -- David Prévot   Sun, 18 Feb 2024 11:57:14 +0100
+
 php-symfony-contracts (1.1.10-2) unstable; urgency=medium
 
   * Revert "stop using deprecated PHPUnit APIs", fixing symfony FTBFS
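Review bot: the distribution in the new changelog stanza is `bookworm`, but this is the bullseye upload (version 1.1.10-2+deb11u1, Tags: bullseye in the bug). It should read `bullseye`, otherwise the generated .changes file targets the wrong suite.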
diff -Nru php-symfony-contracts-1.1.10/debian/rules php-symfony-contracts-1.1.10/debian/rules
--- php-symfony-contracts-1.1.10/debian/rules	2020-09-15 22:17:37.0 +0200
+++ php-symfony-contracts-1.1.10/debian/rules	2024-02-18 11:57:10.0 +0100
@@ -45,13 +45,13 @@
 	  fi; \
 	 done
 	cp debian/autoload.php .
-	mkdir --parents vendor Symfony
+	mkdir --parents vendor Symfony/Contracts
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \
 		Tests
 	# Mimic expected path for tests
-	cp -r autoload.php Cache Deprecation EventDispatcher HttpClient Service Translation Symfony/Contracts
+	cp -r autoload.php Cache EventDispatcher HttpClient Service Translation Symfony/Contracts
 	ln -s /usr/share/php/Symfony/Component Symfony
 	ln -s /usr/share/php/Psr .
 




Bug#1065070: bookworm-pu: package php-composer-xdebug-handler/1.4.5-1+deb11u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-xdebug-hand...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-composer-xdebug-handler
User: release.debian@packages.debian.org
Usertags: pu

[1/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065057 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/XdebugHandler/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  diff -Nru php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl
--- php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl	2024-02-18 09:01:17.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 09:02:41 +0100
+
 php-composer-xdebug-handler (1.4.5-1) unstable; urgency=medium
 
   [ Martin Matthaei ]
diff -Nru php-composer-xdebug-handler-1.4.5/debian/clean php-composer-xdebug-handler-1.4.5/debian/clean
--- php-composer-xdebug-handler-1.4.5/debian/clean	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/clean	2024-02-18 09:01:35.0 +0100
@@ -1,4 +1,5 @@
 Composer/
+Psr
 src/autoload.php
 vendor/
 .phpunit.result.cache
diff -Nru php-composer-xdebug-handler-1.4.5/debian/control php-composer-xdebug-handler-1.4.5/debian/control
--- php-composer-xdebug-handler-1.4.5/debian/control	2020-11-22 16:31:14.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/control	2024-02-18 08:59:53.0 +0100
@@ -11,7 +11,7 @@
 Standards-Version: 4.5.1
 Homepage: https://github.com/composer/xdebug-handler
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/bullseye
 Rules-Requires-Root: no
 
 Package: php-composer-xdebug-handler
diff -Nru php-composer-xdebug-handler-1.4.5/debian/gbp.conf php-composer-xdebug-handler-1.4.5/debian/gbp.conf
--- php-composer-xdebug-handler-1.4.5/debian/gbp.conf	2020-11-22 16:29:46.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/gbp.conf	2024-02-18 08:59:57.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff -Nru php-composer-xdebug-handler-1.4.5/debian/rules php-composer-xdebug-handler-1.4.5/debian/rules
--- php-composer-xdebug-handler-1.4.5/debian/rules	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/rules	2024-02-18 09:02:12.0 +0100
@@ -8,7 +8,8 @@
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/XdebugHandler
+	cp -r src Composer/XdebugHandler
+	ln -s /usr/share/php/Psr .
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \




Bug#1065068: bookworm-pu: package php-doctrine-deprecations/1.0.0-2+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-deprecati...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-doctrine-deprecations
User: release.debian@packages.debian.org
Usertags: pu

[9/9 for bookworm]

This is a follow up from composer/DSA-5632-1 (the last one for
Bookworm).

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Deprecations/autoload.php
│ │ │ @@ -1,13 +1,13 @@
│ │ │  diff -Nru php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl
--- php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl	2024-02-15 23:25:51.0 +0100
@@ -0,0 +1,29 @@
+  Thu, 15 Feb 2024 23:26:09 +0100
+
 php-doctrine-deprecations (1.0.0-2) unstable; urgency=medium
 
   * Be tolerant about line number pointer (PHP 8.2 related fix)
diff -Nru php-doctrine-deprecations-1.0.0/debian/clean php-doctrine-deprecations-1.0.0/debian/clean
--- php-doctrine-deprecations-1.0.0/debian/clean	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/clean	2024-02-15 23:25:51.0 +0100
@@ -1,5 +1,5 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 lib/Doctrine/Deprecations/autoload.php
+lib/Psr
 vendor/
diff -Nru php-doctrine-deprecations-1.0.0/debian/control php-doctrine-deprecations-1.0.0/debian/control
--- php-doctrine-deprecations-1.0.0/debian/control	2022-06-19 21:19:29.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/control	2024-02-15 23:23:24.0 +0100
@@ -10,7 +10,7 @@
phpunit,
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations
 Homepage: https://www.doctrine-project.org/
 Rules-Requires-Root: no
diff -Nru php-doctrine-deprecations-1.0.0/debian/gbp.conf php-doctrine-deprecations-1.0.0/debian/gbp.conf
--- php-doctrine-deprecations-1.0.0/debian/gbp.conf	2022-06-19 21:07:24.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/gbp.conf	2024-02-15 23:23:30.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru php-doctrine-deprecations-1.0.0/debian/install php-doctrine-deprecations-1.0.0/debian/install
--- php-doctrine-deprecations-1.0.0/debian/install	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/install	2024-02-15 23:25:51.0 +0100
@@ -1 +1 @@
-lib/*	usr/share/php
+lib/Doctrine	usr/share/php
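Review bot: narrowing `lib/*` to `lib/Doctrine` is what keeps the new lib/Psr build-time symlink out of the binary package; without it the package would ship a symlink pointing at /usr/share/php/Psr. The diffoscope output quoted in the bug, showing only autoload.php as changed, confirms this works as intended.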
diff -Nru php-doctrine-deprecations-1.0.0/debian/rules php-doctrine-deprecations-1.0.0/debian/rules
--- php-doctrine-deprecations-1.0.0/debian/rules	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/rules	2024-02-15 23:25:51.0 +0100
@@ -4,12 +4,12 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output lib/Doctrine/Deprecations/autoload.php \
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Deprecations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Psr lib/
 	phpabtpl \
 		--require doctrine/deprecations \
 		> debian/autoload.tests.php.tpl
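Review bot: removing the `phpabtpl composer.json > debian/autoload.php.tpl` step turns debian/autoload.php.tpl into a hand-maintained file (it is correspondingly dropped from debian/clean). It now has to be updated manually whenever composer.json's `require` section changes; a comment in debian/rules saying so would keep the next uploader from regenerating the template and losing this fix.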




Bug#1065067: bookworm-pu: package php-doctrine-lexer/2.1.0-2+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-le...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-doctrine-lexer
User: release.debian@packages.debian.org
Usertags: pu

[8/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Lexer/autoload.php
│ │ │ @@ -1,11 +1,11 @@
│ │ │  diff -Nru php-doctrine-lexer-2.1.0/debian/autoload.php.tpl php-doctrine-lexer-2.1.0/debian/autoload.php.tpl
--- php-doctrine-lexer-2.1.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/autoload.php.tpl	2024-02-15 23:22:05.0 +0100
@@ -0,0 +1,29 @@
+  Thu, 15 Feb 2024 23:22:10 +0100
+
 php-doctrine-lexer (2.1.0-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru php-doctrine-lexer-2.1.0/debian/clean php-doctrine-lexer-2.1.0/debian/clean
--- php-doctrine-lexer-2.1.0/debian/clean	2022-12-12 07:58:13.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/clean	2024-02-15 23:22:05.0 +0100
@@ -1,5 +1,4 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 Doctrine/
 src/autoload.php
diff -Nru php-doctrine-lexer-2.1.0/debian/control php-doctrine-lexer-2.1.0/debian/control
--- php-doctrine-lexer-2.1.0/debian/control	2023-01-01 10:10:48.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/control	2024-02-15 23:20:25.0 +0100
@@ -9,7 +9,7 @@
phpab,
phpunit
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-lexer.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-lexer.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-lexer
 Homepage: https://www.doctrine-project.org/projects/lexer.html
 Rules-Requires-Root: no
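
Review bot: Vcs-Git now points at `debian/bookworm-security` although this upload goes through the bookworm point release, not the security archive; the name will send the next uploader looking for a security upload that never happened. Since gbp.conf is switched in step it is at least self-consistent, but a one-line explanation of why `debian/bookworm` could not be reused belongs in the changelog or README.source.
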
diff -Nru php-doctrine-lexer-2.1.0/debian/gbp.conf php-doctrine-lexer-2.1.0/debian/gbp.conf
--- php-doctrine-lexer-2.1.0/debian/gbp.conf	2023-01-01 10:10:48.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/gbp.conf	2024-02-15 23:20:29.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream-2.x
diff -Nru php-doctrine-lexer-2.1.0/debian/rules php-doctrine-lexer-2.1.0/debian/rules
--- php-doctrine-lexer-2.1.0/debian/rules	2022-12-12 07:59:50.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/rules	2024-02-15 23:22:05.0 +0100
@@ -3,13 +3,13 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Doctrine/Common
-	ln -s ../../src Doctrine/Common/Lexer
+	cp -r src Doctrine/Common/Lexer
+	ln -s /usr/share/php/Doctrine/Deprecations Doctrine
 	phpabtpl \
 		--require doctrine/lexer \
 		> debian/autoload.tests.php.tpl
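
Review bot: `ln -s /usr/share/php/Doctrine/Deprecations Doctrine` turns php-doctrine-deprecations into a build-time input, so it has to be in Build-Depends; the control hunk in this debdiff only touches Vcs-Git, so check the existing list. Replacing `ln -s ../../src Doctrine/Common/Lexer` with `cp -r src Doctrine/Common/Lexer` leaves two copies of the classes in the tree, and the copy is taken after `src/autoload.php` was generated, so it carries the static-template autoloader too; the existing `Doctrine/` entry in debian/clean is what removes it, keep that in mind if the layout changes.
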




Bug#1065065: bookworm-pu: package php-doctrine-annotations/2.0.1-1+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-annotati...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-doctrine-annotations
User: release.debian@packages.debian.org
Usertags: pu

[7/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Annotations/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-doctrine-annotations-2.0.1/debian/autoload.php.tpl php-doctrine-annotations-2.0.1/debian/autoload.php.tpl
--- php-doctrine-annotations-2.0.1/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/autoload.php.tpl	2024-02-15 23:14:38.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 23:14:38 +0100
+
 php-doctrine-annotations (2.0.1-1) unstable; urgency=medium
 
   [ Alexander M. Turek ]
diff -Nru php-doctrine-annotations-2.0.1/debian/clean php-doctrine-annotations-2.0.1/debian/clean
--- php-doctrine-annotations-2.0.1/debian/clean	2021-05-23 19:31:29.0 +0200
+++ php-doctrine-annotations-2.0.1/debian/clean	2024-02-15 23:14:38.0 +0100
@@ -1,5 +1,8 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 lib/Doctrine/Common/Annotations/autoload.php
+lib/Doctrine/Common/Cache
+lib/Doctrine/Common/Lexer
+lib/Psr
+lib/Symfony
 vendor/
diff -Nru php-doctrine-annotations-2.0.1/debian/control php-doctrine-annotations-2.0.1/debian/control
--- php-doctrine-annotations-2.0.1/debian/control	2023-02-03 05:25:51.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/control	2024-02-15 23:14:38.0 +0100
@@ -13,7 +13,7 @@
phpunit,
pkg-php-tools
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-annotations
 Homepage: https://www.doctrine-project.org/projects/annotations.html
 Rules-Requires-Root: no
diff -Nru php-doctrine-annotations-2.0.1/debian/gbp.conf php-doctrine-annotations-2.0.1/debian/gbp.conf
--- php-doctrine-annotations-2.0.1/debian/gbp.conf	2021-02-20 14:25:27.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/gbp.conf	2024-02-15 23:14:38.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-doctrine-annotations-2.0.1/debian/rules php-doctrine-annotations-2.0.1/debian/rules
--- php-doctrine-annotations-2.0.1/debian/rules	2021-10-11 03:02:26.0 +0200
+++ php-doctrine-annotations-2.0.1/debian/rules	2024-02-15 23:14:38.0 +0100
@@ -1,15 +1,18 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	dh $@ -XCommon/Cache -XCommon/Lexer -Xlib/Psr -XSymfony
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output lib/Doctrine/Common/Annotations/autoload.php \
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Common/Annotations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Doctrine/Common/Cache lib/Doctrine/Common
+	ln -s /usr/share/php/Doctrine/Common/Lexer lib/Doctrine/Common
+	ln -s /usr/share/php/Psr lib
+	ln -s /usr/share/php/Symfony lib
 	phpabtpl \
 		--require doctrine/annotations \
 		--require doctrine/cache \




Bug#1065062: bookworm-pu: package php-zend-code/4.8.0-1+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-zend-c...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-zend-code
User: release.debian@packages.debian.org
Usertags: pu

[6/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Laminas/Code/autoload.php
│ │ │ @@ -1,14 +1,14 @@
│ │ │  diff -Nru php-zend-code-4.8.0/debian/autoload.php.tpl php-zend-code-4.8.0/debian/autoload.php.tpl
--- php-zend-code-4.8.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-zend-code-4.8.0/debian/autoload.php.tpl	2024-02-15 23:03:09.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 23:03:09 +0100
+
 php-zend-code (4.8.0-1) unstable; urgency=medium
 
   [ Marco Pivetta ]
diff -Nru php-zend-code-4.8.0/debian/clean php-zend-code-4.8.0/debian/clean
--- php-zend-code-4.8.0/debian/clean	2022-12-11 17:50:13.0 +0100
+++ php-zend-code-4.8.0/debian/clean	2024-02-15 23:03:09.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Doctrine
 src/autoload.php
 vendor/
 Laminas/
diff -Nru php-zend-code-4.8.0/debian/control php-zend-code-4.8.0/debian/control
--- php-zend-code-4.8.0/debian/control	2022-06-18 16:41:55.0 +0200
+++ php-zend-code-4.8.0/debian/control	2024-02-15 23:03:09.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
 Homepage: https://docs.laminas.dev/laminas-code/
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-zend-code
 Rules-Requires-Root: no
 
diff -Nru php-zend-code-4.8.0/debian/gbp.conf php-zend-code-4.8.0/debian/gbp.conf
--- php-zend-code-4.8.0/debian/gbp.conf	2021-04-09 03:16:02.0 +0200
+++ php-zend-code-4.8.0/debian/gbp.conf	2024-02-15 23:03:09.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-zend-code-4.8.0/debian/rules php-zend-code-4.8.0/debian/rules
--- php-zend-code-4.8.0/debian/rules	2022-12-11 17:50:13.0 +0100
+++ php-zend-code-4.8.0/debian/rules	2024-02-15 23:03:09.0 +0100
@@ -3,12 +3,13 @@
 	dh $@ -Xindex.md
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab	--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Laminas
-	ln -s ../src Laminas/Code
+	cp -r src Laminas/Code
+	ln -s /usr/share/php/Doctrine .
+	ln -s /usr/share/php/Laminas/Stdlib Laminas
 	phpabtpl \
 --require laminas/laminas-code \
 > debian/autoload.tests.php.tpl
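
Review bot: `ln -s /usr/share/php/Doctrine .` links the whole Doctrine namespace tree into the build directory, whereas `ln -s /usr/share/php/Laminas/Stdlib Laminas` on the next line, and the other packages in this series, link a single component; linking only the Doctrine component(s) laminas-code actually needs keeps the build from silently picking up whatever other php-doctrine-* packages happen to be installed on the buildd, and makes the required Build-Depends obvious from debian/rules alone. The new `Doctrine` entry in debian/clean covers the link either way.
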




Bug#1065061: bookworm-pu: package php-proxy-manager/2.11.1+1.0.14-1+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-proxy-mana...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-proxy-manager
User: release.debian@packages.debian.org
Usertags: pu

[5/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/ProxyManager/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl
--- php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl	2024-02-15 22:58:41.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 22:58:41 +0100
+
 php-proxy-manager (2.11.1+1.0.14-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/clean php-proxy-manager-2.11.1+1.0.14/debian/clean
--- php-proxy-manager-2.11.1+1.0.14/debian/clean	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/clean	2024-02-15 22:58:41.0 +0100
@@ -1,6 +1,7 @@
 .phpunit.result.cache
-ProxyManager
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Laminas
+ProxyManager/
 src/ProxyManager/autoload.php
+Symfony
 vendor/
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/control php-proxy-manager-2.11.1+1.0.14/debian/control
--- php-proxy-manager-2.11.1+1.0.14/debian/control	2023-01-30 13:41:38.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/control	2024-02-15 22:58:41.0 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Homepage: https://github.com/FriendsOfPHP/proxy-manager-lts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-proxy-manager
 Rules-Requires-Root: no
 
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf
--- php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf	2024-02-15 22:58:41.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/lts
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream-lts
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
--- php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2023-01-30 13:40:33.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2024-02-15 22:58:41.0 +0100
@@ -3,22 +3,23 @@
 Subject: Also skip system classes during tests
 
 ---
- tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 2 ++
- 1 file changed, 2 insertions(+)
+ tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-index 8e4f48d..9d65c6f 100644
+index 8e4f48d..eebd45a 100644
 --- a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
 +++ b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-@@ -109,6 +109,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -109,6 +109,8 @@ final class FatalPreventionFunctionalTest extends TestCase
  realpath(__DIR__ . '/../../../src'),
  realpath(__DIR__ . '/../../../vendor'),
  realpath(__DIR__ . '/../../ProxyManagerTest'),
++realpath(__DIR__ . '/../../../ProxyManager'),
 +realpath('/usr/share/php'),
  ];
  
  return array_filter(
-@@ -135,6 +136,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -135,6 +137,7 @@ final class FatalPreventionFunctionalTest extends TestCase
  
  if (strpos($realPath, $skippedPath) === 0) {
  // skip classes defined within ProxyManager, vendor or the test suite
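
Review bot: the refreshed patch adds `realpath(__DIR__ . '/../../../ProxyManager')` to the skip list next to `/usr/share/php`, which matches the `ProxyManager/` entry now in debian/clean: the source is copied there rather than symlinked, so classes under the copy have to be skipped by the fatal-prevention test exactly like those under src. The diffstat (`3 +++`) and the second hunk offset (`+137`) are updated consistently; the `index 8e4f48d..eebd45a` line is cosmetic for a quilt patch and harmless.
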
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/rules php-proxy-manager-2.11.1+1.0.14/debian/rules
--- php-proxy-manager-2.11.1+1.0.14/debian/rules	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/rules	2024-02-15 22:58:41.0 +0100
@@ -3,7 +3,6 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > 


Bug#1065059: bookworm-pu: package symfony/5.4.23+dfsg-1+deb12u2

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: symf...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:symfony
User: release.debian@packages.debian.org
Usertags: pu

[4/9 for bookworm]

This is a follow-up from composer/DSA-5632-1 and similar to #1065058.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release. It also adds an upstream patch in order to fix the
test suite, already referenced via #1061033 in Debian.

The only change (besides the changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache.

│ │ ├── ./usr/share/php/Symfony/Component/Cache/autoload.php
│ │ │ @@ -1,16 +1,16 @@
│ │ │  



Bug#1065058: bookworm-pu: package php-symfony-contracts/2.5.2-1+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-symfony-contra...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-symfony-contracts
User: release.debian@packages.debian.org
Usertags: pu

[3/9 for bookworm]

This is a follow-up from composer/DSA-5632-1, #1065056 and #1065057.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache-contracts.

│ │ ├── ./usr/share/php/Symfony/Contracts/Cache/autoload.php
│ │ │ @@ -1,14 +1,14 @@
│ │ │  diff -Nru php-symfony-contracts-2.5.2/debian/autoload.php php-symfony-contracts-2.5.2/debian/autoload.php
--- php-symfony-contracts-2.5.2/debian/autoload.php	2022-06-18 17:59:28.0 +0200
+++ php-symfony-contracts-2.5.2/debian/autoload.php	2024-02-15 22:48:06.0 +0100
@@ -3,12 +3,12 @@
 // require_once 'Psr/Container/autoload.php'; (already required by Service)
 // require_once 'Psr/EventDispatcher/autoload.php'; (already required by EventDispatcher)
 
-require_once 'Symfony/Contracts/Cache/autoload.php';
-require_once 'Symfony/Contracts/Deprecation/autoload.php';
-require_once 'Symfony/Contracts/EventDispatcher/autoload.php';
-require_once 'Symfony/Contracts/HttpClient/autoload.php';
-require_once 'Symfony/Contracts/Service/autoload.php';
-require_once 'Symfony/Contracts/Translation/autoload.php';
+require_once __DIR__ . '/Cache/autoload.php';
+require_once __DIR__ . '/Deprecation/autoload.php';
+require_once __DIR__ . '/EventDispatcher/autoload.php';
+require_once __DIR__ . '/HttpClient/autoload.php';
+require_once __DIR__ . '/Service/autoload.php';
+require_once __DIR__ . '/Translation/autoload.php';
 
 // if (stream_resolve_include_path('Symfony/Component/Cache/autoload.php')){ (already suggested by Cache)
 // include_once 'Symfony/Component/Cache/autoload.php';
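
Review bot: the switch from `require_once 'Symfony/Contracts/Cache/autoload.php';` to `require_once __DIR__ . '/Cache/autoload.php';` is the substantive fix in this upload and deserves a sentence in the changelog: a bare relative path is resolved through PHP's include_path, whose Debian default begins with `.`, so the directory the PHP process happens to run in is searched before /usr/share/php and a file with the same relative name there would shadow the packaged one; anchoring on `__DIR__` makes the lookup independent of both the working directory and include_path. The two commented-out `require_once 'Psr/...'` lines above are inert, but they still show the old include_path style; reword them so nobody reinstates it.
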
diff -Nru php-symfony-contracts-2.5.2/debian/changelog php-symfony-contracts-2.5.2/debian/changelog
--- php-symfony-contracts-2.5.2/debian/changelog	2022-07-01 07:08:46.0 +0200
+++ php-symfony-contracts-2.5.2/debian/changelog	2024-02-15 22:48:06.0 +0100
@@ -1,3 +1,10 @@
+php-symfony-contracts (2.5.2-1+deb12u1) bookworm; urgency=medium
+
+  * Track debian/bookworm-security
+  * Force system dependencies loading
+
+ -- David Prévot   Thu, 15 Feb 2024 22:48:06 +0100
+
 php-symfony-contracts (2.5.2-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
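
Review bot: the entry `Force system dependencies loading` does not say why the change is made; since this upload is tied to CVE-2024-24821 and DSA-5632-1, cite them in the changelog (for instance `(CVE-2024-24821)`) so the security tracker and the point-release announcement can link the change to its cause. `Track debian/bookworm-security` is a packaging-branch detail and reads as if the upload went through the security archive, which it does not.
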
diff -Nru php-symfony-contracts-2.5.2/debian/clean php-symfony-contracts-2.5.2/debian/clean
--- php-symfony-contracts-2.5.2/debian/clean	2022-06-18 17:59:28.0 +0200
+++ php-symfony-contracts-2.5.2/debian/clean	2024-02-15 22:48:06.0 +0100
@@ -1,14 +1,14 @@
 .phpunit.result.cache
+autoload.php
 Cache/autoload.php
+debian/autoloaders/
+debian/autoload.tests.php.tpl
+debian/packages_to_build/
 Deprecation/autoload.php
 EventDispatcher/autoload.php
 HttpClient/autoload.php
+Psr
 Service/autoload.php
-Tests/autoload.php
 Translation/autoload.php
-autoload.php
-debian/autoloaders/
-debian/packages_to_build/
-debian/*.tpl
 Symfony/
 vendor/
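
Review bot: replacing the `debian/*.tpl` glob with the explicit `debian/autoload.tests.php.tpl` is what keeps the new static `debian/php-symfony-*.autoload.php.tpl` templates (one is added further down in this debdiff) from being wiped by dh_clean, so this list and the set of tracked templates must be kept in sync: every template that is still generated needs its own entry here. `Tests/autoload.php` is dropped from the list; if the build still generates it, it will now be left behind after `dh clean` and show up in the next debdiff.
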
diff -Nru php-symfony-contracts-2.5.2/debian/control php-symfony-contracts-2.5.2/debian/control
--- php-symfony-contracts-2.5.2/debian/control	2022-06-18 18:24:38.0 +0200
+++ php-symfony-contracts-2.5.2/debian/control	2024-02-15 22:48:06.0 +0100
@@ -15,7 +15,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
 Homepage: https://symfony.com/components/Contracts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-symfony-contracts.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-symfony-contracts.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-symfony-contracts
 Rules-Requires-Root: no
 
diff -Nru php-symfony-contracts-2.5.2/debian/gbp.conf php-symfony-contracts-2.5.2/debian/gbp.conf
--- php-symfony-contracts-2.5.2/debian/gbp.conf	2022-06-18 18:24:38.0 +0200
+++ php-symfony-contracts-2.5.2/debian/gbp.conf	2024-02-15 22:48:06.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 pristine-tar = True
 upstream-branch = upstream-2
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl
--- php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl	2024-02-15 22:48:06.0 +0100
@@ -0,0 +1,30 @@
+> debian/packages_to_build/$$deb_pkg_name; \
 	   echo "pkg_path='$$pkg_path'" >> debian/packages_to_build/$$deb

Bug#1065057: bookworm-pu: package php-composer-xdebug-handler/3.0.3-2+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-xdebug-hand...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-composer-xdebug-handler
User: release.debian@packages.debian.org
Usertags: pu

[2/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/XdebugHandler/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl
--- php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl	2024-02-13 17:13:43.0 +0100
@@ -0,0 +1,30 @@
+  Tue, 13 Feb 2024 17:13:43 +0100
+
 php-composer-xdebug-handler (3.0.3-2) unstable; urgency=medium
 
   * Upload to unstable for composer 2.3
diff -Nru php-composer-xdebug-handler-3.0.3/debian/clean php-composer-xdebug-handler-3.0.3/debian/clean
--- php-composer-xdebug-handler-3.0.3/debian/clean	2022-01-05 14:42:04.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/clean	2024-02-13 17:13:43.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
 Composer/
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Psr
 src/autoload.php
 vendor/
diff -Nru php-composer-xdebug-handler-3.0.3/debian/control php-composer-xdebug-handler-3.0.3/debian/control
--- php-composer-xdebug-handler-3.0.3/debian/control	2022-06-17 19:03:15.0 +0200
+++ php-composer-xdebug-handler-3.0.3/debian/control	2024-02-13 17:13:43.0 +0100
@@ -12,7 +12,7 @@
 Standards-Version: 4.6.1
 Homepage: https://github.com/composer/xdebug-handler
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/bookworm-security
 Rules-Requires-Root: no
 
 Package: php-composer-xdebug-handler
diff -Nru php-composer-xdebug-handler-3.0.3/debian/gbp.conf php-composer-xdebug-handler-3.0.3/debian/gbp.conf
--- php-composer-xdebug-handler-3.0.3/debian/gbp.conf	2022-01-05 15:28:30.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/gbp.conf	2024-02-13 17:13:43.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-composer-xdebug-handler-3.0.3/debian/rules php-composer-xdebug-handler-3.0.3/debian/rules
--- php-composer-xdebug-handler-3.0.3/debian/rules	2022-01-05 14:42:04.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/rules	2024-02-13 17:13:43.0 +0100
@@ -3,13 +3,14 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/XdebugHandler
+	cp -r src Composer/XdebugHandler
+	ln -s /usr/share/php/Composer/Pcre Composer
+	ln -s /usr/share/php/Psr .
 	phpabtpl \
 		--require composer/xdebug-handler \
 		> debian/autoload.tests.php.tpl
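
Review bot: `ln -s /usr/share/php/Composer/Pcre Composer` and `ln -s /usr/share/php/Psr .` make php-composer-pcre and the php-psr-* package providing the psr/log interfaces build-time inputs, so both must be in Build-Depends; the control hunk above only changes Vcs-Git, so check the existing list. Cleanup is covered: `Psr` is added to debian/clean in this debdiff and `Composer/` was already there, which now also removes the `cp -r src Composer/XdebugHandler` copy that replaces the former relative symlink.
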




Bug#1065056: bookworm-pu: package php-composer-class-map-generator/1.0.0-2+deb12u1

2024-02-29 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-class-map-genera...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-composer-class-map-generator
User: release.debian@packages.debian.org
Usertags: pu

[1/9 for bookworm]

This is a follow-up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides the changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/ClassMapGenerator/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl
--- php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl	2024-02-13 17:00:47.0 +0100
@@ -0,0 +1,30 @@
+  Tue, 13 Feb 2024 17:00:52 +0100
+
 php-composer-class-map-generator (1.0.0-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru php-composer-class-map-generator-1.0.0/debian/clean php-composer-class-map-generator-1.0.0/debian/clean
--- php-composer-class-map-generator-1.0.0/debian/clean	2021-12-09 12:41:37.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/clean	2024-02-13 17:00:47.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
 Composer/
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 src/autoload.php
+Symfony
 vendor/
diff -Nru php-composer-class-map-generator-1.0.0/debian/control php-composer-class-map-generator-1.0.0/debian/control
--- php-composer-class-map-generator-1.0.0/debian/control	2022-07-26 11:03:24.0 +0200
+++ php-composer-class-map-generator-1.0.0/debian/control	2024-02-13 17:00:47.0 +0100
@@ -13,7 +13,7 @@
 Standards-Version: 4.6.1
 Homepage: https://github.com/composer/class-map-generator
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator.git -b debian/bookworm
 Rules-Requires-Root: no
 
 Package: php-composer-class-map-generator
diff -Nru php-composer-class-map-generator-1.0.0/debian/gbp.conf php-composer-class-map-generator-1.0.0/debian/gbp.conf
--- php-composer-class-map-generator-1.0.0/debian/gbp.conf	2021-12-09 12:43:32.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/gbp.conf	2024-02-13 17:00:47.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream/latest
diff -Nru php-composer-class-map-generator-1.0.0/debian/rules php-composer-class-map-generator-1.0.0/debian/rules
--- php-composer-class-map-generator-1.0.0/debian/rules	2022-07-26 08:11:20.0 +0200
+++ php-composer-class-map-generator-1.0.0/debian/rules	2024-02-13 17:00:47.0 +0100
@@ -3,13 +3,14 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/ClassMapGenerator
+	cp -r src Composer/ClassMapGenerator
+	ln -s /usr/share/php/Composer/Pcre Composer
+	ln -s /usr/share/php/Symfony .
 	phpabtpl \
 		--require composer/class-map-generator \
 		--require symfony/filesystem \
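Review bot: `cp -r src Composer/ClassMapGenerator` runs after `phpab` has already written src/autoload.php, so the generated autoloader is copied into Composer/ClassMapGenerator as well; harmless, but copying before the phpab step (or excluding autoload.php) keeps the copied tree identical to the upstream sources. The two `ln -s` calls are also not idempotent: `ln -s /usr/share/php/Symfony .` fails with "File exists" if `Symfony` survives from a previous build, which is why the matching debian/clean entry matters; `ln -sf` would make the target robust regardless. Finally, removing the `phpabtpl composer.json > debian/autoload.php.tpl` step means the template is now maintained by hand in the package and will not follow future composer.json changes automatically.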




Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

2024-02-28 Thread David Prévot
control: severity 1039731 serious
control: severity 1051989 serious
control: severity 1051985 serious
control: severity 1039733 serious

Le Wed, Feb 21, 2024 at 08:19:06AM +0100, David Prévot a écrit :
> Le Wed, Jan 03, 2024 at 07:04:12PM +0100, David Prévot a écrit :
> […]
> > I’m in favour of raising the severity of bugs blocking this transition
> > to RC level ASAP: Symfony 6 has been in experimental for a while now
> 
> I intend to do so early next week

And here we are.

Cheers,

taffit




Bug#1064641: Useless in Debian

2024-02-25 Thread David Prévot
Package: php-sql-formatter
Version: 1.2.17+dct1.1.3-1
Severity: serious
Tags: sid trixie

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged php-sql-formatter as used by php-doctrine-bundle, but
php-doctrine-bundle got removed a while ago from testing (cf. #996108)
and unstable (cf. #1036726). There is a priori little point in shipping
php-sql-formatter in the next (or current, TBH) stable Debian release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

2024-02-20 Thread David Prévot
Hi,

Le Wed, Jan 03, 2024 at 07:04:12PM +0100, David Prévot a écrit :
[…]
> I’m in favour of raising the severity of bugs blocking this transition
> to RC level ASAP: Symfony 6 has been in experimental for a while now

I intend to do so early next week: symfony 6 was introduced in
experimental during the latest Debian Reunion Hamburg, and I wish to
proceed with the transition during the next MiniDebCampHamburg happening
early March (in less than two weeks).

https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg

This transition should not interfere with any other one, and should not
even need any help from the Release Team (no binNMU since they’re all
arch:all packages), yet they were helpful last time to speed it up by
removing blocking packages from testing because we didn’t raise the
blocking bug severity early enough.

Regards,

taffit




Bug#979332: New upstream version

2024-02-12 Thread David Prévot
Control: severity -1 serious

Le Mon, Feb 12, 2024 at 06:15:27PM -0700, skizz...@skizzerz.net a écrit :
> Seems the current version is causing errors due to using syntax removed in
> PHP 8. I'm seeing the following error message:
> TypeError: implode(): Argument #2 ($array) must be of type ?array, string
> given /usr/share/php/simplepie/library/SimplePie/Parse/Date.php(544)
> 
> This was fixed upstream a while ago, so I'm bumping this bug in hopes that
> the package can be updated. The dokuwiki package depends on this one and
> is broken on the pages that make use of the library, causing some wiki pages
> to become inaccessible after an upgrade to bookworm.

Increasing the severity accordingly (it affects stable too I assume…).

Regards

David




Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4

2024-01-12 Thread David Prévot
Control: retitle -1 bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4

Le Sat, Dec 30, 2023 at 12:06:56PM +0100, Salvatore Bonaccorso a écrit :
> On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote:
[…]
> > This issue is similar to #1059289 for oldstable.
> > 
> > Another upstream release fixed a security (XSS) issue. The last two
> > updates of this kind didn’t warrant a DSA, so I guess this one will not
> > warrant one either (security team X-D-CCed in case I’m wrong).

And here we are again: another XSS was fixed (in a plugin not provided
by the version in oldstable). Second debdiff attached; thanks in advance
for considering.

Regards,

taffit
diff --git a/debian/changelog b/debian/changelog
index 333c4146c1..23a523a96a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.15
+- fix XSS in uploaded files using bigup
+
+ -- David Prévot   Fri, 12 Jan 2024 13:42:36 +0100
+
 spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium
 
   * Backport security fix from 4.1.13
diff --git a/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
new file mode 100644
index 00..7c72b8539d
--- /dev/null
+++ b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
@@ -0,0 +1,79 @@
+From: Matthieu Marcillaud 
+Date: Sun, 7 Jan 2024 22:07:19 +0100
+Subject: =?utf-8?q?fix=3A_=C3=89viter_de_possibles_XSS_avec_le_nom_des_fich?=
+ =?utf-8?q?iers_upload=C3=A9s_=28en_js=29?=
+
+(cherry picked from commit df7543f1dc9d04f068dd12c901b89a98db535961)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc
+---
+ plugins-dist/bigup/javascript/bigup.js   | 34 ++--
+ plugins-dist/bigup/javascript/bigup.utils.js | 12 +-
+ 2 files changed, 33 insertions(+), 13 deletions(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.js b/plugins-dist/bigup/javascript/bigup.js
+index bd84fc1..5b9b5be 100644
+--- a/plugins-dist/bigup/javascript/bigup.js
 b/plugins-dist/bigup/javascript/bigup.js
+@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
+ var extension = $.trouver_extension(file.name);
+ 
+ var template =
+-	'\n'
+-	+ '\n\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t\t' + file.name + ''
+-	+ '\n\t\t\t' + $.taille_en_octets(file.size) + ''
+-	+ '\n\t\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t\t' + _T("bigup:bouton_annuler") + ''
+-	+ '\n\t\t'
+-	+ '\n\t'
+-	+ '\n\n';
++	'\n' +
++	'\n\t' +
++	'\n\t\t' +
++	'\n\t\t' +
++	'\n\t\t\t' +
++	$.escapeHtml(file.name) +
++	'' +
++	'\n\t\t\t' +
++	$.taille_en_octets(file.size) +
++	'' +
++	'\n\t\t' +
++	'\n\t\t' +
++	'\n\t\t\t' +
++	_T('bigup:bouton_annuler') +
++	'' +
++	'\n\t\t' +
++	'\n\t' +
++	'\n\n';
+ 
+ return template;
+ 			}
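Review bot: wrapping `file.name` in `$.escapeHtml()` is the right fix, since the file name is the only attacker-controlled value interpolated in this template (`$.taille_en_octets(file.size)` is derived from a number and `_T('bigup:bouton_annuler')` is a translation string). The `extension` computed from `file.name` at the top of the hunk is still unescaped, though; if it ends up in the markup (for instance in a class attribute), it needs the same treatment. The hunk as shown here has lost its HTML tags, so the surrounding markup cannot be reviewed from this copy; compare against upstream commit ada821c076d67d1147a195178223d0b4a6d8cecc before applying.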
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 872123b..4a1bad9 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
 b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
+ 			break;
+ 	}
+ 	return mime;
+-};
+\ No newline at end of file
++};
++
++/** Escape HTML */
++$.escapeHtml = function(unsafe) {
++	return unsafe
++		.replaceAll('&', '')
++		.replaceAll('<', '')
++		.replaceAll('>', '')
++		.replaceAll('"', '')
++		.replaceAll("'", '');
++}
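Review bot: as shown, every `replaceAll()` maps the metacharacter to an empty string, which strips the characters instead of entity-encoding them (`&` to `&amp;`, `<` to `&lt;`, and so on); if the empty strings are only the mail archive dropping entity references, fine, but the patch actually applied must carry the entities, and the `&` replacement must stay first so that the entities produced by the later replacements are not re-encoded. Two smaller points: `String.prototype.replaceAll` is ES2021 and unavailable in older browsers, so `replace(/&/g, ...)` would be the conservative choice for a stable backport, and the function expression lacks its closing semicolon, which patch 0014 in this same debdiff adds.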
diff --git a/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
new file mode 100644
index 00..33e6a87c7e
--- /dev/null
+++ b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
@@ -0,0 +1,21 @@
+From: Glop 
+Date: Thu, 11 Jan 2024 17:16:45 +0100
+Subject: fix: Ajout d'un point-virgule manquant
+
+(cherry picked from commit ac51139245cea6e6dd44dba47b30122b69ff1f1c)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
+---
+ plugins-dist/bigup/javascript/bigup.utils.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 4a1bad9..a255f2f 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
 b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -181,4 +181,4 @@ $.escapeHtml = function(unsafe) {
+ 		.replaceAll('>', '')
+ 		.replaceAll('"', '')
+ 		.replaceAll("'", '');
+-}
++};
diff --git a/debian/patches/series b/debian/patches/series
index c0ceb74e71..38c2a1189b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 0010-security-Utiliser-auth_desensibiliser_se

Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

2024-01-03 Thread David Prévot
control: block -1 with 1051989
control: severity 1051989 important
control: severity 1051988 important

Le Sun, Sep 17, 2023 at 07:57:03PM +0530, David Prévot a écrit :
> […] roughly, the
> following end user packages (families) are not yet ready.
> 
> civicrm (#1051988)
> kanboard (#1051989 and php-pimple)
> Laravel (#1051985 and #1039731, and php-faker)
> shaarli (#1039733 and php-slim, php-pimple)
> 
> civicrm is not in stable […] Robin already explicitly
> agreed that Laravel can be removed again from testing until a new
> upstream version is packaged.
> 
> I don’t know if there are strong opinions about kanboard and shaarli,
> Joseph and James CCed.

kanboard has been removed from testing in the meantime (due to
#1051989).

> […] it may already be time to raise the severity of the
> blocking bugs.

I’m in favour of raising the severity of bugs blocking this transition
to RC level ASAP: Symfony 6 has been in experimental for a while now,
and it’s the targeted version for Trixie anyway (6.4 is likely to be the
latest LTS version available before the Freeze, while 5.4 will be EOL
soon after Trixie gets released).

https://symfony.com/releases#symfony-releases-calendar

> Athos may try to rebuild packages also depending on recent versions of
> php-symfony-contracts, php-psr-cache, php-psr-container and php-psr-log
> in order to figure out if more packages are affected by this transition.

That would still be very much welcome if time permits, but IMHO not a
blocker (we used to handle such transitions without involving the release
team or with as much build testing as has already been done for this
transition. Thanks to all people involved, the current state puts us in a
better position to move forward).

Regards,

taffit




Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-22 Thread David Prévot
Le Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot a écrit :
[…]
>   [x] attach debdiff against the package in oldstable

For real now (the usual running gag of the missing attachment)… Merry
Christmas.

Cheers.

taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-07-08 20:38:26.0 +0200
+++ spip-3.2.11/debian/changelog	2023-12-21 19:27:21.0 +0100
@@ -1,3 +1,10 @@
+spip (3.2.11-3+deb11u10) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.13
+- fix XSS when calling some templates
+
+ -- David Prévot   Thu, 21 Dec 2023 19:27:21 +0100
+
 spip (3.2.11-3+deb11u9) bullseye; urgency=medium
 
   * Backport security fix from 4.1.11
diff -Nru spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch
--- spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	2023-12-21 19:26:30.0 +0100
@@ -0,0 +1,68 @@
+From: Cerdic 
+Date: Thu, 9 Nov 2023 16:46:19 +0100
+Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?=
+ =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?=
+ =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?=
+ =?utf-8?q?es_par_l=27utilisateur?=
+
+(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb
+---
+ ecrire/public/assembler.php | 36 
+ 1 file changed, 36 insertions(+)
+
+diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php
+index 8fc3f7a..ba77e48 100644
+--- a/ecrire/public/assembler.php
 b/ecrire/public/assembler.php
+@@ -563,6 +563,20 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array(
+ 	$fond = 'modeles/' . $fond;
+ 	// Creer le contexte
+ 	$contexte = $env;
++	// securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé
++	foreach ($contexte as $k => &$v) {
++		if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) {
++			include_spip('inc/texte_mini');
++			if (is_scalar($v)) {
++$v = spip_securise_valeur_env_modele($v);
++			} else {
++array_walk_recursive($v, function (&$value, $index) {
++	$value = spip_securise_valeur_env_modele($value);
++});
++			}
++		}
++	}
++
+ 	$contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte
+ 
+ 	// Le numero du modele est mis dans l'environnement
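Review bot: the loop iterates by reference (`foreach ($contexte as $k => &$v)`) and the reference is never released; add `unset($v);` after the loop, otherwise `$v` stays bound to the last element of `$contexte` and any later write to `$v` in this function silently overwrites that entry. Also, `include_spip('inc/texte_mini')` is called inside the loop although nothing visible here needs it: `spip_securise_valeur_env_modele` is defined in this same file (next hunk), so the include can go, or at least move out of the loop.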
+@@ -616,6 +630,28 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array(
+ 		: $retour;
+ }
+ 
++/**
++ * Sanitizer une valeur venant de _request() et passée à un modèle :
++ * on laisse passer les null, bool et numeriques (id et pagination),
++ * les @+nombre (pagination indirecte)
++ * ou sinon le \w + espace et tirets uniquement, pour les tris/sens tri etc
++ * mais rien de compliqué suceptible d'être interprété
++ *
++ * @param $valeur
++ * @return array|float|int|mixed|string|string[]|null
++ */
++function spip_securise_valeur_env_modele($valeur) {
++	if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) {
++		return $valeur;
++	}
++	$valeur = (string)$valeur;
++	if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) {
++		return $valeur;
++	}
++	// on laisse passer que les \w, les espaces et les -, le reste est supprimé
++	return preg_replace(",[^\w\s-],", "", $valeur);
++}
++
+ // Un inclure_page qui marche aussi pour l'espace prive
+ // fonction interne a spip, ne pas appeler directement
+ // pour recuperer $page complet, utiliser:
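Review bot: `preg_replace(",[^\w\s-],", "", $valeur)` runs without the `u` modifier, so `\w` matches ASCII word characters only and every accented character in a value (common in French sort keys or template arguments) is silently removed; if that is intended as part of the allow-list, say so in the docblock, otherwise add `u`. The numeric bypass is slightly wider than the comment suggests: `is_numeric()` accepts exponent notation and leading whitespace, so `@1e3` or `@ 5` also pass through unchanged. Harmless for pagination, but consumers should still cast to int rather than trust the string.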
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-07-08 20:38:18.0 +0200
+++ spip-3.2.11/debian/patches/series	2023-12-21 19:26:30.0 +0100
@@ -56,3 +56,4 @@
 0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
 0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
 0058-fix-Inclusion-manquante-dans-5663.patch
+0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch




Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3

2023-12-22 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:spip

Hi,

This issue is similar to #1059289 for oldstable.

Another upstream release fixed a security (XSS) issue. The last two
updates of this kind didn’t warrant a DSA, so I guess this one will not
warrant one either (security team X-D-CCed in case I’m wrong).

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html

The 4.1 branch is mostly in maintenance mode, and the patch has been
cherry-picked directly from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit

diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-07-08 20:29:04.0 +0200
+++ spip-4.1.9+dfsg/debian/changelog	2023-12-21 19:24:13.0 +0100
@@ -1,3 +1,10 @@
+spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.13
+- fix XSS when calling some templates
+
+ -- David Prévot   Thu, 21 Dec 2023 19:24:13 +0100
+
 spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
 
   * Backport security fix from 4.1.11
diff -Nru spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch
--- spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	1970-01-01 01:00:00.0 +0100
+++ spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	2023-12-21 13:56:02.0 +0100
@@ -0,0 +1,68 @@
+From: Cerdic 
+Date: Thu, 9 Nov 2023 16:46:19 +0100
+Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?=
+ =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?=
+ =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?=
+ =?utf-8?q?es_par_l=27utilisateur?=
+
+(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb
+---
+ ecrire/public/assembler.php | 36 
+ 1 file changed, 36 insertions(+)
+
+diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php
+index a7e9a11..b44c2cb 100644
+--- a/ecrire/public/assembler.php
 b/ecrire/public/assembler.php
+@@ -643,6 +643,20 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env =
+ 	$fond = 'modeles/' . $fond;
+ 	// Creer le contexte
+ 	$contexte = $env;
++	// securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé
++	foreach ($contexte as $k => &$v) {
++		if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) {
++			include_spip('inc/texte_mini');
++			if (is_scalar($v)) {
++$v = spip_securise_valeur_env_modele($v);
++			} else {
++array_walk_recursive($v, function (&$value, $index) {
++	$value = spip_securise_valeur_env_modele($value);
++});
++			}
++		}
++	}
++
+ 	$contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte
+ 
+ 	// Le numero du modele est mis dans l'environnement
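Review bot: the condition `!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))` only sanitises a scalar context value when it is strictly identical to the raw request parameter; a value that was trimmed, cast or otherwise derived from request input before landing in `$env` is left untouched, so this is a narrow guard for the pass-through case rather than a general sanitiser, and callers of `inclure_modele()` should not assume more. Independently of that, the by-reference loop should be followed by `unset($v);` so the reference to the last element does not leak into the rest of the function.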
+@@ -703,6 +717,28 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env =
+ 		: $retour;
+ }
+ 
++/**
++ * Sanitizer une valeur venant de _request() et passée à un modèle :
++ * on laisse passer les null, bool et numeriques (id et pagination),
++ * les @+nombre (pagination indirecte)
++ * ou sinon le \w + espace et tirets uniquement, pour les tris/sens tri etc
++ * mais rien de compliqué suceptible d'être interprété
++ *
++ * @param $valeur
++ * @return array|float|int|mixed|string|string[]|null
++ */
++function spip_securise_valeur_env_modele($valeur) {
++	if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) {
++		return $valeur;
++	}
++	$valeur = (string)$valeur;
++	if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) {
++		return $valeur;
++	}
++	// on laisse passer que les \w, les espaces et les -, le reste est supprimé
++	return preg_replace(",[^\w\s-],", "", $valeur);
++}
++
+ // Un inclure_page qui marche aussi pour l'espace prive
+ // fonction interne a spip, ne pas appeler directement
+ // pour recuperer $page complet, utiliser:
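Review bot: the docblock's `@return array|float|int|mixed|string|string[]|null` does not match the function, which never returns an array (array values are walked element by element in the caller via `array_walk_recursive`); `bool|float|int|string|null` describes it. Behaviourally, the regex without the `u` modifier drops every non-ASCII character, and the `@`-prefix rule relies on `is_numeric()`, which also accepts exponent notation and leading whitespace; both are acceptable for a deny-by-default filter on sort keys and pagination, but worth stating in the comment so nobody later "fixes" the accented-character stripping as a bug.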
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series	2023-07-08 20:25:35.0 +0200

Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-22 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security (XSS) issue. The last two
updates of this kind didn’t warrant a DSA, so I guess this one will not
warrant one either (security team X-D-CCed in case I’m wrong).

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html

The 3.2 branch is not maintained upstream anymore, but the patch has
been cherry-picked directly from the 4.1 branch. Also, I’ve already
deployed the proposed package on a server providing over 30 SPIP
websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit




Bug#1058656: Please fix or ignore test deprecations

2023-12-13 Thread David Prévot
Source: libphp-swiftmailer
Version: 6.3.0-3
Severity: important
Control: affects -1 php-mockery

Hi,

The latest (1.6.7-1) php-mockery introduced some deprecations, displayed
during the testsuite of libphp-swiftmailer:

> 2x: shouldNotReceive(), never(), times(0) chaining additional invocation 
> count methods has been deprecated and will throw an exception in a future 
> version of Mockery
>   1x in 
> Swift_CharacterStream_ArrayCharacterStreamTest::testByteStreamCanBeImportingUsesValidator
>   1x in 
> Swift_CharacterStream_ArrayCharacterStreamTest::testImportingStreamProducesCorrectCharArray

These new deprecations are making the testsuite fail, including during
debci, and are thus blocking php-mockery migration.

Please consider using

SYMFONY_DEPRECATIONS_HELPER=weak /usr/bin/phpunit

instead of

phpunit

(or even better, get the testsuite fixed ;), in order to make the
testsuite compatible with the latest php-mockery version.

Cheers,




Bug#1057207: Please ship JetBrainsMono.woff2

2023-12-01 Thread David Prévot
Package: fonts-jetbrains-mono
Severity: wishlist
Control: affects -1 php-symfony-web-profiler-bundle
X-Debbugs-Cc: Debian PHP PEAR Maintainers 

Hi!

Since the recent symfony 6.4 version, the php-symfony-web-profiler-bundle
package ships JetBrainsMono.woff2. If it can be properly built from
source, it would be nice to have it shipped from this package (and
“just” symlinked from php-symfony-web-profiler-bundle).

Thanks in advance for considering.

Regards

taffit




Bug#1057038: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u1

2023-11-28 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3

Hi,

Please allow me to fix CVE-2023-49316 (#1057008) in the next point release.
I assume from the bug report wording that it isn’t worth a DSA (security
team X-Debbugs-Cced in case I misunderstood).

The changelog refers to a trivial change (gbp.conf and control) for the
build process, and the three line upstream patch (+comments +test) to
fix the issue.

  * Track bookworm
  * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
(Closes: #1057008)

It passes its (updated) testsuite, but I didn’t have time to test this
update thoroughly.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance for your consideration.

Regards,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/changelog php-phpseclib3-3.0.19/debian/changelog
--- php-phpseclib3-3.0.19/debian/changelog	2023-03-06 08:00:12.0 +0100
+++ php-phpseclib3-3.0.19/debian/changelog	2023-11-28 08:33:28.0 +0100
@@ -1,3 +1,11 @@
+php-phpseclib3 (3.0.19-1+deb12u1) bookworm; urgency=medium
+
+  * Track bookworm
+  * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
+(Closes: #1057008)
+
+ -- David Prévot   Tue, 28 Nov 2023 08:33:28 +0100
+
 php-phpseclib3 (3.0.19-1) unstable; urgency=medium
 
   [ Alexander Vlasov ]
diff -Nru php-phpseclib3-3.0.19/debian/control php-phpseclib3-3.0.19/debian/control
--- php-phpseclib3-3.0.19/debian/control	2023-03-06 08:00:12.0 +0100
+++ php-phpseclib3-3.0.19/debian/control	2023-11-28 08:32:24.0 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Homepage: https://phpseclib.sourceforge.net/
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib
 Rules-Requires-Root: no
 
diff -Nru php-phpseclib3-3.0.19/debian/gbp.conf php-phpseclib3-3.0.19/debian/gbp.conf
--- php-phpseclib3-3.0.19/debian/gbp.conf	2023-03-06 07:51:57.0 +0100
+++ php-phpseclib3-3.0.19/debian/gbp.conf	2023-11-28 08:32:24.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
 filter = [ '.gitattributes' ]
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch
--- php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch	2023-11-28 08:32:28.0 +0100
@@ -0,0 +1,56 @@
+From: terrafrost 
+Date: Tue, 21 Nov 2023 19:10:46 -0600
+Subject: Math/BinaryField: fix for excessively large degrees
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
+Bug-Debian: https://bugs.debian.org/1057008
+---
+ phpseclib/Math/BinaryField.php  |  9 +
+ tests/Unit/Crypt/EC/KeyTest.php | 16 
+ 2 files changed, 25 insertions(+)
+
+diff --git a/phpseclib/Math/BinaryField.php b/phpseclib/Math/BinaryField.php
+index 3e21a67..5da8c93 100644
+--- a/phpseclib/Math/BinaryField.php
 b/phpseclib/Math/BinaryField.php
+@@ -48,6 +48,15 @@ class BinaryField extends FiniteField
+ public function __construct(...$indices)
+ {
+ $m = array_shift($indices);
++if ($m > 571) {
++/* sect571r1 and sect571k1 are the largest binary curves that https://www.secg.org/sec2-v2.pdf defines
++   altho theoretically there may be legit reasons to use binary finite fields with larger degrees
++   imposing a limit on the maximum size is both reasonable and precedented. in particular,
++   http://tools.ietf.org/html/rfc4253#section-6.1 (The Secure Shell (SSH) Transport Layer Protocol) says
++   "implementations SHOULD check that the packet length is reasonable in order for the implementation to
++avoid denial of service and/or buffer overflow attacks" */
++throw new \OutOfBoundsException('Degrees larger than 571 are not supported');
++}
+ $val = str_repeat('0', $m) . '1';
+ foreach ($indices as $index) {
+ $val[$index] = '1';
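Review bot: the new upper bound on `$m` covers the oversized-degree case from the bug report, but the loop right after it still executes `$val[$index] = '1'` for every remaining entry of `$indices` without checking that `0 <= $index < $m`; an index larger than the degree extends the string (PHP pads string offsets beyond the end with spaces), which defeats the purpose of bounding `$m`, so validate the indices against `$m` in the same place. The comparison also runs before `$m` is confirmed to be an integer (`array_shift` on an empty argument list yields null), though that is pre-existing and outside this backport.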
+diff --git a/tests/Unit/Crypt/EC/KeyTest.php b/tests/Unit/Crypt/EC/KeyTest.php
+index f0069a3..f423845 100644
+--- a/tes

Bug#1057036: Lots of embedded copies, including many that are already packaged in Debian

2023-11-28 Thread David Prévot
Source: ldap-account-manager
Version: 8.5-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian PHP PEAR Maintainers 
, Debian Security Team 


Hi,

Just noticed via #1057008 and especially the [CVE-2023-49316] notes that
ldap-account-manager includes an insane amount of third-party packages in
(but not only) lib/3rdParty/composer. Many of those are already packaged
and maintained in Debian.

Please consider using (and, if needed, introducing) the proper
dependencies.

CVE-2023-49316: https://security-tracker.debian.org/tracker/CVE-2023-49316

Regards,

taffit




Bug#1055988: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u4

2023-11-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: symf...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:symfony

Hi,

As per #1055986 for Bookworm, I’d like to fix the following security
issue in the next point release, as advised by the security team (they
do not intend to issue a DSA for that).

[TwigBridge] Ensure CodeExtension's filters properly escape their input
[CVE-2023-46734] (Closes: #1055774)

It also fixes the testsuite using a patch prepared a while ago.

[Mime] regenerate test certificates (Closes: #1034854)

I didn’t test the packages thoroughly (and I’m not sure to have much
time for a while), but at least the testsuites pass.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance,

taffit
diff -Nru symfony-4.4.19+dfsg/debian/changelog symfony-4.4.19+dfsg/debian/changelog
--- symfony-4.4.19+dfsg/debian/changelog	2023-02-27 23:05:34.0 +0100
+++ symfony-4.4.19+dfsg/debian/changelog	2023-11-11 19:09:20.0 +0100
@@ -1,3 +1,12 @@
+symfony (4.4.19+dfsg-2+deb11u4) bullseye; urgency=medium
+
+  * [Mime] regenerate test certificates (Closes: #1034854)
+  * Backport security fix from Symfony 4.4.51
+- [TwigBridge] Ensure CodeExtension's filters properly escape their input
+  [CVE-2023-46734] (Closes: #1055774)
+
+ -- David Prévot   Sat, 11 Nov 2023 19:09:20 +0100
+
 symfony (4.4.19+dfsg-2+deb11u3) bullseye; urgency=medium
 
   * Drop dependency bump.
diff -Nru symfony-4.4.19+dfsg/debian/patches/Mime-regenerate-test-certificates.patch symfony-4.4.19+dfsg/debian/patches/Mime-regenerate-test-certificates.patch
--- symfony-4.4.19+dfsg/debian/patches/Mime-regenerate-test-certificates.patch	1970-01-01 01:00:00.0 +0100
+++ symfony-4.4.19+dfsg/debian/patches/Mime-regenerate-test-certificates.patch	2023-11-11 19:09:20.0 +0100
@@ -0,0 +1,801 @@
+From: Nicolas Grekas 
+Date: Wed, 19 Apr 2023 11:49:13 +0200
+Subject: [Mime] regenerate test certificates
+
+Origin: upstream, http://github.com/symfony/symfony/commit/0e5e8754fd793b71202ac8554916b55410d4d08f
+Bug-Debian: https://bugs.debian.org/1034854
+---
+ src/Symfony/Component/Mime/Tests/_data/ca.crt  | 36 +++--
+ src/Symfony/Component/Mime/Tests/_data/ca.key  | 55 ++--
+ .../Component/Mime/Tests/_data/create-cert.sh  | 14 ++---
+ src/Symfony/Component/Mime/Tests/_data/encrypt.crt | 34 ++--
+ src/Symfony/Component/Mime/Tests/_data/encrypt.key | 55 ++--
+ .../Component/Mime/Tests/_data/encrypt2.crt| 34 ++--
+ .../Component/Mime/Tests/_data/encrypt2.key| 55 ++--
+ .../Component/Mime/Tests/_data/intermediate.crt| 32 ++--
+ .../Component/Mime/Tests/_data/intermediate.key| 55 ++--
+ src/Symfony/Component/Mime/Tests/_data/sign.crt| 36 ++---
+ src/Symfony/Component/Mime/Tests/_data/sign.key| 55 ++--
+ src/Symfony/Component/Mime/Tests/_data/sign2.crt   | 32 ++--
+ src/Symfony/Component/Mime/Tests/_data/sign2.key   | 55 ++--
+ src/Symfony/Component/Mime/Tests/_data/sign3.crt   | 34 ++--
+ src/Symfony/Component/Mime/Tests/_data/sign3.key   | 60 +++---
+ 15 files changed, 325 insertions(+), 317 deletions(-)
+
+diff --git a/src/Symfony/Component/Mime/Tests/_data/ca.crt b/src/Symfony/Component/Mime/Tests/_data/ca.crt
+index bca02b3..0418947 100644
+--- a/src/Symfony/Component/Mime/Tests/_data/ca.crt
 b/src/Symfony/Component/Mime/Tests/_data/ca.crt
+@@ -1,19 +1,21 @@
+ -BEGIN CERTIFICATE-
+-MIIDFDCCAfwCCQDaMw8tuy1dgDANBgkqhkiG9w0BAQsFADBMMRcwFQYDVQQDDA5T
+-eW1mb255TWltZSBDQTEUMBIGA1UECgwLU3ltZm9ueU1pbWUxDjAMBgNVBAcMBVBh
+-cmlzMQswCQYDVQQGEwJGUjAeFw0xOTA0MTkxNDIwMTFaFw0yMzA0MTgxNDIwMTFa
+-MEwxFzAVBgNVBAMMDlN5bWZvbnlNaW1lIENBMRQwEgYDVQQKDAtTeW1mb255TWlt
+-ZTEOMAwGA1UEBwwFUGFyaXMxCzAJBgNVBAYTAkZSMIIBIjANBgkqhkiG9w0BAQEF
+-AAOCAQ8AMIIBCgKCAQEAnvxOWE8qOVkuYbTu6u4Oao2n91FPF6umrcF8mq0uD2G0
+-dtOJuFaR7FeElmJnHfWvqvesCigXyA7kpdVBFGhEo83SGYTbPSGzehWDc7Kvc321
+-UPvNb61T2Ekdo+5ufrpbzlOPtTTaVL98dFEZntYNM3CXnnSSdeKz38NlHHV3QsDZ
+-crQRMxHrYi2bgkhxVoAY03ZQRbb95rEE1cfyGZ0x6VSBrVC2nnEUT2vopwny/vy+
+-QSn3oga+ucMkxJdoD8MA13Zh5I4Uiozl82xoWH/zmVrqrrO2lNBv7WYOnwbv6MSr
+-5kCE3Kcqzs8qAGv62GYyS4exIMEZsbbPv3cvp9hgYQIDAQABMA0GCSqGSIb3DQEB
+-CwUAA4IBAQBuJtPqAX6ApOymDux9sRqxx5FMIIEX2TmanSSSLesP0AVVLv8Am8/p
+-Xs8N9e49KoQhnQ3FmdtwY6IV6f3yIMnZxmkXZoUi4zCkSZd/+2iap1c51zV1b6NC
+-4C5LZtdWzhons4jOmtmxaMSy08oPPYv1wXATjjfHvqqYa/7axLY1mqbxLYC437Fv
+-H5zkdzQM2qXpIgtCjlXfOd/L9Az5DTSH4UvWiiocRdmnxGP+nMEOuUUvLzokJSeq
+-Otw4gjxczF8NQ/g/io6iG3w4OfjgRrCpuMv/l3eYClC7vDXOX9S172CpzaD/qkHM
+-NFxckxTgT4ylmivmHZWym4xS1bkAAAsd
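Review bot: this hunk swaps the PEM body of ca.crt for a freshly generated certificate, but the new certificate carries a fixed NotAfter just like the old one, so the test suite is on a timer again; either document the expiry in the patch header (the patch also touches create-cert.sh, per the diffstat) or make the test setup call create-cert.sh so the fixtures never go stale. Only the first twenty or so of the 801 added lines survive in this archive, so the remaining key and certificate files cannot be reviewed here.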

Bug#1055986: bookworm-pu: package symfony/5.4.23+dfsg-1+deb12u1

2023-11-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: symf...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:symfony

Hi,

I’d like to fix the following two security issues in the next point
release, as advised by the security team (they do not intend to issue a
DSA for that).

[TwigBridge] Ensure CodeExtension's filters properly escape their input
[CVE-2023-46734] (Closes: #1055774)
[Security] Fix possible session fixation when only the *token* changes
[CVE-2023-46733] (Closes: #1055775)

I didn’t test the packages thoroughly (and I’m not sure I’ll have much
time for a while), but at least the test suites pass.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance,

taffit
diff -Nru symfony-5.4.23+dfsg/debian/changelog symfony-5.4.23+dfsg/debian/changelog
--- symfony-5.4.23+dfsg/debian/changelog	2023-04-29 18:41:44.0 +0200
+++ symfony-5.4.23+dfsg/debian/changelog	2023-11-11 18:59:39.0 +0100
@@ -1,3 +1,14 @@
+symfony (5.4.23+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * debian/gbp.conf: Track bookworm branch
+  * Backport security fixes from Symfony 5.4.31
+- [TwigBridge] Ensure CodeExtension's filters properly escape their input
+  [CVE-2023-46734] (Closes: #1055774)
+- [Security] Fix possible session fixation when only the *token* changes
+  [CVE-2023-46733] (Closes: #1055775)
+
+ -- David Prévot   Sat, 11 Nov 2023 18:59:39 +0100
+
 symfony (5.4.23+dfsg-1) unstable; urgency=medium
 
   [ Fabien Potencier ]
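Review bot: both security bullets cite the CVE and the Debian bug but not the upstream advisory (https://symfony.com/blog/cve-2023-46733-possible-session-fixation is already in the patch header below); adding the advisory link or the upstream fix version to the changelog lets the security tracker match the entry without opening the patches. As a style point, the gbp.conf branch change is packaging metadata and usually goes after the security items so that the fixes lead the entry.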
diff -Nru symfony-5.4.23+dfsg/debian/gbp.conf symfony-5.4.23+dfsg/debian/gbp.conf
--- symfony-5.4.23+dfsg/debian/gbp.conf	2023-02-28 19:54:32.0 +0100
+++ symfony-5.4.23+dfsg/debian/gbp.conf	2023-11-11 18:59:39.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
 filter = [ '.gitattributes' ]
 
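Review bot: debian-branch is switched to debian/bookworm, but debian/control is not part of this debdiff, so the Vcs-Git field keeps naming whatever branch it pointed at before; the spip bookworm update further down this page changes Vcs-Git together with gbp.conf, which keeps the two in step.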
diff -Nru symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch
--- symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch	1970-01-01 01:00:00.0 +0100
+++ symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch	2023-11-11 18:59:39.0 +0100
@@ -0,0 +1,65 @@
+From: Robert 
+Date: Fri, 3 Nov 2023 17:09:59 +0100
+Subject: [Security] Fix possible session fixation when only the *token*
+ changes
+
+Origin: upstream, https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
+Bug: https://symfony.com/blog/cve-2023-46733-possible-session-fixation
+Bug-Debian: https://bugs.debian.org/1055775
+---
+ .../Http/EventListener/SessionStrategyListener.php  |  2 +-
+ .../EventListener/SessionStrategyListenerTest.php   | 21 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php b/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
+index 311a52f..c6fcba8 100644
+--- a/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
 b/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
+@@ -48,7 +48,7 @@ class SessionStrategyListener implements EventSubscriberInterface
+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+ 
+-if ('' !== ($user ?? '') && $user === $previousUser) {
++if ('' !== ($user ?? '') && $user === $previousUser && \get_class($token) === \get_class($previousToken)) {
+ return;
+ }
+ }
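Review bot: the added `\get_class($token) === \get_class($previousToken)` comparison is what closes the hole: before it, any token carrying the same user identifier was treated as the same authentication, so a change of token type for the same user (a different authenticator succeeding) kept the existing session id and a fixated id survived. Two things to confirm: the exact class comparison is deliberate, so a subclass counts as a different token (the safe direction); and the early `return` still fires when the same user re-authenticates with the same token class, so a re-login through the same authenticator keeps its session id by upstream design, which is not something this backport should change.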
+diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php
+index 51b8dc1..29ef9b6 100644
+--- a/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php
 b/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php
+@@ -15,6 +15,7 @@ use PHPUnit\Framework\TestCase;
+ use Symfony\Component\HttpFoundation\Request;
+ use Symfony\Component\HttpFoundation\Session\SessionInterface;
+ use Symfony\Component\Security\Core\Authentication\Token\NullToken;
++use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+ use Symfony\Component\Security\Core\User\InMemoryUs

Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default

2023-11-15 Thread David Prévot
Hi,

On Thu, Oct 24, 2019 at 05:50:50PM +0200, Kurt Roeckx wrote:
> Package: apache2
> Version: 2.4.38-3
> 
> Hi,
> 
> I was expecting TLS 1.0 and 1.1 to be disabled

Same here. Four years later, RFC 8996 (Deprecating TLS 1.0 and TLS 1.1)
has been published and most clients have been updated, so could we
please review the default SSLProtocol before Trixie gets released? 

> Could you change the default to:
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Regards,

taffit


signature.asc
Description: PGP signature
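The directive Kurt asks for can be checked mechanically rather than by eye. The following is an added example, not code from the bug report or from the apache2 package: it parses `SSLProtocol` arguments with the documented mod_ssl semantics (tokens applied left to right, a bare name or `+name` enables a protocol, `-name` disables it, `all` stands for every protocol the build knows) and flags any directive that still permits SSLv3, TLSv1 or TLSv1.1. The protocol list behind `all` and the three configuration fragments are assumptions constructed for the example; disabling a protocol the build no longer knows (`-SSLv2`) is accepted as a no-op, as mod_ssl does for protocols the linked OpenSSL dropped.

```python
"""Audit Apache mod_ssl SSLProtocol directives for protocols deprecated by RFC 8996.

Added example; not part of the bug report or of apache2. The expansion of
`all` is an assumption (it depends on the OpenSSL httpd is linked against).
"""
import re

# Assumed expansion of `all` on a current mod_ssl/OpenSSL build.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
# SSLv3 (RFC 7568) plus TLS 1.0 and TLS 1.1 (RFC 8996).
DEPRECATED = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})


def parse_sslprotocol(value):
    """Return the set of protocols an SSLProtocol argument string enables.

    Tokens apply left to right: `all` / `+name` enable, `-name` disables.
    Disabling a protocol the build does not know (e.g. `-SSLv2`) is a no-op,
    enabling one is an error, mirroring mod_ssl's handling.
    """
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        key = name.lower()
        if key == "all":
            targets = set(ALL_PROTOCOLS)
        elif key in CANONICAL:
            targets = {CANONICAL[key]}
        elif sign == "-":
            continue
        else:
            raise ValueError(f"unsupported protocol in SSLProtocol: {token}")
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


DIRECTIVE = re.compile(r"^[ \t]*SSLProtocol[ \t]+(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)


def audit_config(text):
    """Return (directive argument, sorted weak protocols) for every
    SSLProtocol directive in `text` that still enables a deprecated one."""
    findings = []
    for match in DIRECTIVE.finditer(text):
        weak = parse_sslprotocol(match.group(1)) & DEPRECATED
        if weak:
            findings.append((match.group(1), sorted(weak)))
    return findings


# Constructed fragments for the example: a permissive setting of the kind the
# report is about, the line Kurt proposed, and an allow-list equivalent.
PERMISSIVE = "SSLProtocol all -SSLv3\n"
REQUESTED = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"
ALLOW_LIST = "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"

if __name__ == "__main__":
    for fragment in (PERMISSIVE, REQUESTED, ALLOW_LIST):
        print(fragment.strip(), "->", audit_config(fragment) or "ok")
```

The audit only reads directive text: a vhost-level `SSLProtocol` overrides the server-level one, so run it over every file Apache includes, and confirm the result on the live listener with `openssl s_client -connect host:443 -tls1_1`, which must fail the handshake once the change is in place.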


Bug#1038807: codeblocks: Depends on unmaintained gamin

2023-10-25 Thread David Prévot

Hi,

On 24/10/2023 at 19:55, Bastian Germann wrote:
I am uploading an NMU to DELAYED/10 in order to fix this. The changes are
in the git repo and attached as debdiff.


Thanks a lot! Feel free to reschedule your upload to DELAYED/0.

Regards

taffit



Bug#1053548: check-patroni: does not work well with current Patroni

2023-10-23 Thread David Prévot
Hi Michael,

First of all thanks a lot for your bug report!

On Fri, Oct 06, 2023 at 09:11:32AM +0200, Michael Banck wrote:
> Package: check-patroni
> Version: 1.0.0-1
> Severity: normal
> Tags: patch
> 
> Hi,
> 
> since version 3.0.4, Patroni displays "streaming" as state if a node is
> actually replicating from its leader. This is taken into account by
> check-patroni 1.0.0 (see https://github.com/dalibo/check_patroni/pull/30). 
[…]

I was hoping to answer your message sooner, and dig deeper into your
advice, but couldn’t find the time yet, and I’m afraid I won’t have
much time for at least a few weeks. So please consider this message as
an apology and an acknowledgement of the various issues and fixes you
pointed out.

> Actually, I did not realize you had uploaded check-patroni and
> independently packaged it for the pkg-postgres team here:
> https://salsa.debian.org/postgresql/check-patroni

Ha, I quickly prepared this package during DebConf and didn’t try to
reach out to the Python or PostgreSQL teams, so thanks for the heads up.
FWIW, I’d be happy to move the packaging under the PostgreSQL team
umbrella if it makes sense.

Regards,

taffit


signature.asc
Description: PGP signature


Bug#1052296: RM: php-psr-log-test -- ROM; Already packaged under another name

2023-09-19 Thread David Prévot
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-psr-log-t...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:php-psr-log-test

Hi,

Seems like I missed that Athos had already packaged php-fig-log-test when I
introduced this package… Please remove php-psr-log-test from the
archive, it’s already available (under another, slightly different but
probably better, name).

Regards,

David


signature.asc
Description: PGP signature


Bug#1052126: Please, drop me from uploaders (and copyright owners)

2023-09-17 Thread David Prévot
Source: sphinxcontrib-phpdomain
Version: 0.11.2-2
Severity: wishlist

Hi,

I introduced this package more than ten years ago, and got it removed a
few years after that, so I’m not in a position to actually maintain this
package (I don’t even have write access to the currently declared VCS).
Please drop me from the Uploaders, and also from the copyright
owners (none of the few lines I’ve actually edited that still remain
in debian/ is worth any copyright).

Regards,

taffit


signature.asc
Description: PGP signature


Bug#1041982: [pkg-php-pear] Upcoming transitions (Symfony, PHPUnit, etc.)

2023-09-17 Thread David Prévot
Hi,

> On 24/06/2023 at 01:29, William Desportes wrote:
[…]
> Great, #1041982 does not have much blockers anymore, maybe we can schedule
> the transition then.

FYI, we had a workshop during DebConf with Athos in order to try and
determine what other packages (and relevant blockers) need to be
uploaded from experimental to unstable in order to perform this
transition.

So far, only the four following versioned packages have been determined
as needed in sync with Symfony.

php-symfony-contracts (>= 3)
php-psr-cache (>= 3)
php-psr-container (>= 2)
php-psr-log (>= 3)

That led us to notice other packages will become uninstallable (due to
the version constraints), or simply broken. A few more bugs have been
opened in this regard (blocking this transition bug), but roughly, the
following end user packages (families) are not yet ready.

civicrm (#1051988)
kanboard (#1051989 and php-pimple)
Laravel (#1051985 and #1039731, and php-faker)
shaarli (#1039733 and php-slim, php-pimple)

civicrm is not in stable (it only recently migrated again to testing after
a php-log fix, Dmitry CCed anyway). Laravel was removed from testing
during the previous symfony 5 transition, and Robin already explicitly
agreed that Laravel can be removed again from testing until a new
upstream version is packaged.

I don’t know if there are strong opinions about kanboard and shaarli,
Joseph and James CCed.

Some bugs are still to be filed (e.g., php-faker, php-slim, and
php-pimple), but it may already be time to raise the severity of the
blocking bugs.

Regards,

taffit

P.-S.: Pad used to track issues during DebConf.

https://pad.dc23.debconf.org/p/symfony6

Athos may try to rebuild packages also depending on recent versions of
php-symfony-contracts, php-psr-cache, php-psr-container and php-psr-log
in order to figure out if more packages are affected by this transition.


signature.asc
Description: PGP signature


Bug#1051988: civicrm-common: Not compatible with symfony 6

2023-09-15 Thread David Prévot
Package: civicrm-common
Version: 5.53.0+dfsg1-1
Severity: normal
X-Debbugs-Cc: Debian PHP PEAR Maintainers 
User: pkg-php-p...@lists.alioth.debian.org
Usertags: symfony
Control: affects -1 + src:symfony
Control: blocks 1041982 by -1

Hi,

civicrm-common is declared to be compatible with Symfony 4 (only) in
its upstream composer.json file. It also depends on php-psr-container
version 1, while a more recent version of php-psr-container is needed for
Symfony 6, which should be released with trixie.

Regards

taffit


signature.asc
Description: PGP signature


Bug#1039731: php-laravel-lumen-framework: FTBFS with symfony 6: unsatisfiable build-dependencies

2023-09-15 Thread David Prévot
Control: clone -1 -2
Control: reassign -2 php-laravel-framework 8.83.26+dfsg-2
Control: retitle -2 Uninstallable with symfony 6: unsatisfiable dependencies

Hi Robin,

On Wed, Jun 28, 2023 at 03:41:28PM -0300, Athos Ribeiro wrote:
> Source: php-laravel-lumen-framework
[…]
> We are about to start the symfony 6 transition in unstable.

As for php-laravel-lumen-framework, php-laravel-framework is not yet
ready for the symfony 6 transition; documenting the issue in this bug
report. As for the symfony 5 transition during the last cycle, I assume
we should not block it on Laravel, and be ready to see
php-laravel-framework and php-laravel-lumen-framework removed from
testing if they are not yet ready (there is more than a year in the
release cycle to get them ready).

Cheers

taffit


signature.asc
Description: PGP signature


Bug#1041982: [pkg-php-pear] Upcoming transitions (Symfony, PHPUnit, etc.)

2023-09-04 Thread David Prévot

Hi,

On 24/06/2023 at 01:29, William Desportes wrote:

As far as I understand, there was no more change than the composer bump change 
needed for phpMyAdmin.

So I could introduce an OR to allow both versions.


That would be nice.


And tests pass you said.


Great, #1041982 does not have much blockers anymore, maybe we can 
schedule the transition then.


Regards,

taffit


Bug#1039731: php-laravel-lumen-framework: FTBFS with symfony 6: unsatisfiable build-dependencies

2023-09-04 Thread David Prévot
Hi,

On Wed, Jun 28, 2023 at 03:41:28PM -0300, Athos Ribeiro wrote:
> Source: php-laravel-lumen-framework
> Version: 8.3.4-1
[…]
> We are about to start the symfony 6 transition in unstable. During a test
> rebuild, php-laravel-lumen-framework was found to fail to build with symfony 
> 6.

Just documenting in the bug report that it’s a known issue, and that a
new major upstream version of Laravel is needed to use Symfony 6.

Regards

taffit


signature.asc
Description: PGP signature


Bug#1039733: php-oscarotero-gettext: FTBFS with symfony 6: make[1]: *** [debian/rules:18: override_dh_auto_test] Error 1

2023-09-04 Thread David Prévot
Hi James,

On Wed, Jun 28, 2023 at 03:42:21PM -0300, Athos Ribeiro wrote:
> Source: php-oscarotero-gettext
> Version: 4.8.7-1
[…]
> We are about to start the symfony 6 transition in unstable. During a test
> rebuild, php-oscarotero-gettext was found to fail to build with symfony 6.

Looking at the composer.json file, the dependency seems to be of the 2
era… ("symfony/yaml": "~2",).

Version 5 of php-oscarotero-gettext, published four years ago, doesn’t
depend (directly) on symfony/yaml anymore. Is it possible that the
reverse dependencies (shaarli?) can use the 5 branch?

Regards,

taffit


signature.asc
Description: PGP signature


Bug#1039732: php-monolog: FTBFS with symfony 6: make[1]: *** [debian/rules:25: override_dh_auto_test] Error 1

2023-09-04 Thread David Prévot
Hi,

On Wed, Jun 28, 2023 at 03:41:55PM -0300, Athos Ribeiro wrote:
[…]
> Relevant part (hopefully):
> > There were 2 failures:
> > 
> > 1) 
> > Monolog\Handler\StreamHandlerTest::testWriteNonExistingAndNotCreatablePath 
> > with data set "/foo/bar/…" ('/foo/bar/9033/4989')
> > Failed asserting that exception of type "UnexpectedValueException" is 
> > thrown.
> > 
> > 2) 
> > Monolog\Handler\StreamHandlerTest::testWriteNonExistingAndNotCreatablePath 
> > with data set "file:///foo/bar/…" ('file:///foo/bar/5691/6462')
> > Failed asserting that exception of type "UnexpectedValueException" is 
> > thrown.

It’s a false positive, probably triggered by the build environment (this
version is used/usable by Symfony 6; that would have been weird ;).

Regards

taffit


signature.asc
Description: PGP signature


Bug#1041982: transition: symfony 6

2023-07-25 Thread David Prévot
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: symf...@packages.debian.org, pkg-php-p...@lists.alioth.debian.org
Control: affects -1 + src:symfony
Control: block -1 by 1039731 1039732 1039733 1039734 1039735

Hi,

We’d like to prepare the symfony transition. It builds over a
hundred arch:all binary packages, which are (in)directly used by a few
hundred other arch:all packages. Given the increased number of related
packages, and because the last symfony 5 transition was not as smooth as
previous ones, we’re opening a bug even if no package builds need to be
handled by the Release Team (but maybe some removals may help at some
point).

The experimental pseudo-excuse page is unfortunately not very
informative about the amount of breakage we could expect, so Athos
rebuilt reverse build-dependencies with mass-rebuild. Yet this doesn’t
catch uninstallable packages, e.g., phpmyadmin and php-laravel-framework
in their current state, depending on php-symfony-$stuff (<< 6~~).

https://qa.debian.org/excuses.php?experimental=1=symfony
https://people.ubuntu.com/~athos-ribeiro/rebuilds/symfony6/index.html

Do you have a way to spot packages in Sid currently depending on
symfony (<< 6~) in order to file bugs and eventually provide patches?

I hope we can have soon enough a view of the amount of breakage in order
to hopefully kick this transition during DebCamp…

Regards

David


signature.asc
Description: PGP signature
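The question of how to spot packages that cap their symfony dependency below 6 can be answered offline from a Packages index. The following is an added example, not part of this bug report or of any Debian tool: it parses deb822 stanzas, splits each dependency clause into its alternatives, and reports every `php-symfony-*` dependency that no alternative can satisfy once those packages are at the target major. The three stanzas, their package names and their constraints are constructed for the example; the major-version comparison ignores epochs and revisions and treats a `<<` or `<=` bound whose major is not above the target as blocking, which simplifies dpkg's version ordering.

```python
"""Find packages whose dependencies would block a symfony 6 upload to unstable.

Added example, not part of the transition bug or of Debian's tooling. The
Packages text is constructed; point blocking_deps() at a real index such as
/var/lib/apt/lists/*_sid_main_binary-all_Packages for actual results.
"""
import re

# name[:arch] [(op version)] -- build profiles and architecture lists are ignored.
DEP_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?"
    r"[ \t]*(?:\((?P<op><<|<=|=|>=|>>)[ \t]*(?P<ver>[^)]+)\))?"
)


def parse_stanzas(text):
    """Yield one {field: value} dict per deb822 stanza, folding continuation lines."""
    stanza, field = {}, None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, field = {}, None
        elif line[0] in " \t" and field is not None:
            stanza[field] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            stanza[field] = value.strip()
    if stanza:
        yield stanza


def upstream_major(version):
    """Leading number of a Debian version after the epoch (simplified)."""
    match = re.match(r"(\d+)", version.split(":", 1)[-1])
    return int(match.group(1)) if match else None


def caps_below(dep, prefixes, major):
    """True if `dep` names a prefixed package pinned to another major, or
    capped with `<<`/`<=` at a version whose major is not above `major`."""
    match = DEP_RE.match(dep.strip())
    if not match or not match.group("name").startswith(prefixes) or not match.group("op"):
        return False
    bound = upstream_major(match.group("ver").strip())
    if bound is None:
        return False
    if match.group("op") in ("<<", "<="):
        return bound <= major
    if match.group("op") == "=":
        return bound != major
    return False


def blocking_deps(packages_text, prefixes=("php-symfony-",), major=6):
    """Map package name -> dependency clauses that no alternative can satisfy
    once every prefixed package is at `major`."""
    found = {}
    for stanza in parse_stanzas(packages_text):
        for field in ("Pre-Depends", "Depends", "Recommends"):
            for clause in stanza.get(field, "").split(","):
                clause = clause.strip()
                if not clause:
                    continue
                alternatives = clause.split("|")
                if all(caps_below(alt, prefixes, major) for alt in alternatives):
                    found.setdefault(stanza["Package"], []).append(clause)
    return found


# Constructed index excerpt: names and constraints invented for the example.
SAMPLE_PACKAGES = (
    "Package: php-example-admin\n"
    "Version: 4:5.2.1-1\n"
    "Depends: php-symfony-config (>= 5.4), php-symfony-config (<< 6~),\n"
    " php-twig (>= 3), php-example-sql-parser\n"
    "\n"
    "Package: php-example-framework\n"
    "Version: 8.83.26-2\n"
    "Depends: php-symfony-console (<< 6~~), php-symfony-console (>= 5.4)\n"
    "\n"
    "Package: php-example-ok\n"
    "Version: 1.0-1\n"
    "Depends: php-symfony-yaml (<< 7~) | php-example-yaml, php-psr-log (>= 1.0.1)\n"
)

if __name__ == "__main__":
    for pkg, clauses in sorted(blocking_deps(SAMPLE_PACKAGES).items()):
        print(f"{pkg}: {', '.join(clauses)}")
```

Running it over the Sources index with the same parser, using Build-Depends instead of Depends, gives the list of packages that will fail to build rather than fail to install, which is the other half of what a test rebuild catches.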


Bug#1039747: tagging 1039747 ...

2023-07-24 Thread David Prévot
Hi,

On Fri, Jul 14, 2023 at 08:56:36AM +0200, David Prévot wrote:
> tags 1039747 + patch
> forwarded 1039747 
> https://salsa.debian.org/php-team/pear/doctrine/-/merge_requests/1

AFAICT, this change (that I already had locally committed BTW) requires
PHPUnit 10 and breaks under PHPUnit 9, so it can’t actually be applied
until PHPUnit 10 makes it to unstable (but may be uploaded to
experimental).

Regards,

David


signature.asc
Description: PGP signature


Bug#1040758: bullseye-pu: package spip/3.2.11-3+deb11u9

2023-07-09 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

This issue is similar to #1040756 in bookworm.

Another upstream release fixed a security issue. It introduces some
refactoring that adds two more clean-ups of session data. We agreed with the
security team that this doesn’t warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 3.2 branch is not maintained upstream anymore, but the patches have
been cherry-picked directly from the 4.1 branch, except for the first
one that needed some slight editing. Also, I’ve already deployed the
proposed package on a server providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-06-11 15:47:39.0 +0200
+++ spip-3.2.11/debian/changelog	2023-07-08 20:38:26.0 +0200
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u9) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.11
+- use an auth_desensibiliser_session() function to centralize extended
+  authentification data filtering.
+
+ -- David Prévot   Sat, 08 Jul 2023 20:38:26 +0200
+
 spip (3.2.11-3+deb11u8) bullseye; urgency=medium
 
   * Backport security fixes from 4.1.10
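Review bot: "authentification" in the second bullet should read "authentication" (the bookworm entry on this page reuses the same wording). Since the changelog is what the security tracker reads, naming the upstream reference (spip-team/securite#4847, taken from the patch header) or the advisory post would make the fix findable without opening the patch.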
diff -Nru spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:38:18.0 +0200
@@ -0,0 +1,69 @@
+From: Cerdic 
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++-
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 12fc4ce..cb61446 100644
+--- a/ecrire/inc/auth.php
 b/ecrire/inc/auth.php
+@@ -249,11 +249,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
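Review bot: the sanitising call runs on the merged `$GLOBALS['visiteur_session']`, so the unfiltered `$row` (still carrying `pass`, `htpass`, both `alea_*` values and `ldap_password`) stays alive for the rest of auth_init_droits. Filtering `$row` first, with `$row = auth_desensibiliser_session($row);` ahead of the `array_merge`, as the auth_informer_login hunk below already does on `$row` directly, removes that window and keeps both call sites alike.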
+@@ -310,6 +306,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
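Review bot: the `isset()` guard is redundant, `unset()` on a missing key is a no-op in PHP, so the loop can shrink to a bare `unset($auteur[$cle]);` or the whole body to `return array_diff_key($auteur, array_flip($cles_sensibles));`. More to the point, this is a deny-list: `backup_cles` is the one entry the old code did not strip, which makes it the actual fix, and any future sensitive column in the auteur row is exported into the session by default until someone adds it here; a comment saying this list is the only place to extend is worth the line.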
+@@ -490,6 +502,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = array(
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
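Review bot: `$row` is filtered only after `unserialize($row['prefs'])`, which is fine for the sensitive keys, but `unserialize()` on a database column without `['allowed_classes' => false]` remains a PHP object-injection sink; out of scope for this backport, yet worth a follow-up since the bookworm version keeps the same call with only an `@` added. Also check that nothing between this line and the `$infos` array (built from named keys, so unaffected) forwards the whole `$row` elsewhere; the three lines of context do not show it.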
diff -Nru spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:38:18.0 +02

Bug#1040756: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2

2023-07-09 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security issue. It introduces some
refactoring that adds two more clean-ups of session data. We agreed with the
security team that this doesn’t warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 4.1 branch is mostly in maintenance mode, and the patches have been
cherry-picked directly from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-06-11 15:38:54.0 +0200
+++ spip-4.1.9+dfsg/debian/changelog	2023-07-08 20:29:04.0 +0200
@@ -1,3 +1,11 @@
+spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.11
+- use an auth_desensibiliser_session() function to centralize extended
+  authentification data filtering.
+
+ -- David Prévot   Sat, 08 Jul 2023 20:29:04 +0200
+
 spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
 
   [ David Prévot ]
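Review bot: same wording issue as the bullseye entry, "authentification" should read "authentication". The entry also does not separate the fix from the refactoring; a second line such as "also strips backup_cles from session data" would let stable users judge the impact without reading the patch.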
diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:25:35.0 +0200
@@ -0,0 +1,69 @@
+From: Cerdic 
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++-
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 85d5ab1..6185aff 100644
+--- a/ecrire/inc/auth.php
 b/ecrire/inc/auth.php
+@@ -250,11 +250,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
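Review bot: the five removed `unset()` lines are all covered by the new list, so the only behavioural change at this call site is that `backup_cles` is now stripped as well; that is the security-relevant part and belongs in the changelog. The comment "au cas ou : ne pas memoriser les champs sensibles" above the call is now the only hint here about what the function is for, so it should stay.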
+@@ -314,6 +310,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
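Review bot: `$cles_sensibles` is a local array, so a plugin that stores its own secret in the auteur row (the `ldap_password` entry shows the row already carries plugin-managed data) has no way to add its key to the filter; if SPIP's usual pipeline mechanism fits here, exposing the list through it would avoid a second copy of this function in plugins. The docblock should also state that the return value is what ends up serialised into the session, which is the reason the list exists.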
+@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = @unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = [
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
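Review bot: the `@` in `@unserialize($row['prefs'])` only silences the warning on a malformed value; it does not make `unserialize()` safe on data an attacker may influence. Since the filtering now sits right after it, this is the natural spot to pass `['allowed_classes' => false]` as second argument, independent of the session fix.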
diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:25:35.0 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud 
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28

Bug#1039743: phpunit 10 transition [Was: Bug#1039743: christianriesen-base32: FTBFS with phpunit 10: make[1]: *** [debian/rules:19: override_dh_auto_test] Error 2]

2023-06-28 Thread David Prévot

Hi,

On 29/06/2023 at 00:24, Athos Ribeiro wrote:

On Wed, Jun 28, 2023 at 10:31:53PM +0100, Adam D. Barratt wrote:

On Wed, 2023-06-28 at 17:57 -0300, Athos Ribeiro wrote:

[…]

Severity: serious
Justification: FTBFS
Tags: trixie sid ftbfs
User: pkg-php-p...@lists.alioth.debian.org
Usertags: phpunit

[…]

I've picked up an arbitrary bug from the set to reply to here.


Thank you for the follow up.


[…] Should I go ahead and re-set the severity for those bugs?


I doubt we’ll manage to handle this transition within a month. Having 
packages being autoremoved from testing before the transition is ready 
doesn’t help. So yes, please demote the severity to important. Given the 
proper usertags you set, it should be easy to handle them en masse.


[…]

I wonder if the processes you are describing here is documented
somewhere (severities, when to mass file bugs for transitions, and
transition timing expectations after those are filed) so I can avoid
generating any unnecessary noise in the future.


https://wiki.debian.org/Teams/ReleaseTeam/Transitions#How_transitions_work_in_general

Of course, our case is a bit specific (the RT can’t BinNMU arch:all 
packages), but this gives an idea. We’re around stage 5 according to 
this check list. Ideally, the recent bugs should have been set as 
blocking the (not yet existent) transition bug, but again, given the 
existing usertags, it should be easy to handle this en masse soon.


Regards

taffit



OpenPGP_signature
Description: OpenPGP digital signature


Bug#1038154: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u1

2023-06-16 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

[ Request similar to #1038153 for Bullseye ]

Hi,

Congrats to the team for the Bookworm release!

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

This version also ships a compatibility fix for PHP 8.1 in the
mutualisation plugin shipped in the Debian package, and some metadata
changes (d/{changelog,control,gbp.conf}).

As an alternative, a 4.1.10+dfsg-1~deb12u1 version could be proposed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-02-28 21:25:27.0 +0100
+++ spip-4.1.9+dfsg/debian/changelog	2023-06-11 15:38:54.0 +0200
@@ -1,3 +1,19 @@
+spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  [ David Prévot ]
+  * Add CVE to previous changelog entry
+  * Update documented branch
+  * Backport security fixes from 4.1.10
+- Limit recursion depth in protege_champ() function
+- Avoid unserialize use in security screen
+- Properly block hidden files in provided htaccess
+- Update security screen to 1.5.3
+
+  [ RealET ]
+  * mutualisation: PHP 8.1 compatibility fixes #2
+
+ -- David Prévot   Sun, 11 Jun 2023 15:38:54 +0200
+
 spip (4.1.9+dfsg-1) unstable; urgency=medium
 
   [ Cerdic ]
@@ -15,7 +31,7 @@
   * build: Version SPIP 4.1.8
 
   [ Cerdic ]
-  * Fix: Sanitizer toutes les valeurs passées aux formulaires
+  * Fix: Sanitizer toutes les valeurs passées aux formulaires [CVE-2023-27372]
   * fix: Sanitizer toutes les valeurs passées aux formulaires preventivement
 dans l'écran de sécurité
 
diff -Nru spip-4.1.9+dfsg/debian/control spip-4.1.9+dfsg/debian/control
--- spip-4.1.9+dfsg/debian/control	2023-02-28 19:47:19.0 +0100
+++ spip-4.1.9+dfsg/debian/control	2023-06-11 15:37:44.0 +0200
@@ -5,7 +5,7 @@
 Build-Depends: cssmin, debhelper-compat (= 13), dh-apache2, minify
 Homepage: https://www.spip.net/
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/debian/spip
 Rules-Requires-Root: no
 
diff -Nru spip-4.1.9+dfsg/debian/gbp.conf spip-4.1.9+dfsg/debian/gbp.conf
--- spip-4.1.9+dfsg/debian/gbp.conf	2023-02-28 19:47:26.0 +0100
+++ spip-4.1.9+dfsg/debian/gbp.conf	2023-06-11 15:37:44.0 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 pristine-tar = True
 upstream-branch = upstream-4.1
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php
--- spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php	2022-06-17 19:32:19.0 +0200
+++ spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php	2023-06-11 15:37:21.0 +0200
@@ -34,10 +34,6 @@
 	$url_admin_plugin = 'ecrire/?exec=admin_plugin';
 	$url_admin_vider = 'ecrire/?exec=admin_vider';
 
-	if (!file_exists(_DIR_IMG . 'mutualiser-128.png')) {
-		@copy(find_in_path('mutualiser-128.png'), _DIR_IMG . 'mutualiser-128.png');
-	}
-
 	$titre = _L(count($sites) . ' ' . 'sites mutualiss (' . _T('version') . ' ' . $GLOBALS['spip_version_base'] . ')');
 
 	//$page .= "" ;
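Review bot: dropping the `@copy(find_in_path('mutualiser-128.png'), _DIR_IMG . 'mutualiser-128.png')` block is a behaviour change (the icon is no longer copied into _DIR_IMG when the page is rendered), not a PHP 8.1 compatibility fix, yet the changelog files the whole file under "mutualisation: PHP 8.1 compatibility fixes #2"; a one-line note on why the copy goes away would save anyone bisecting a missing icon later.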
@@ -151,9 +147,9 @@
 			if ($compression == '') {
 $compression = _L('Activer');
 			}
+			$configsparticulieres = '';
 			if (isset($GLOBALS['mutualisation_afficher_config'])) {
 $configs = explode(",", $GLOBALS['mutualisation_afficher_config']);
-$configsparticulieres = '';
 foreach ($configs as $config) {
 
 	$configsparticulieres .= '' . $config . ': ' . lire_config_distante($config, $meta) . "\n";
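Review bot: moving `$configsparticulieres = '';` above the `isset($GLOBALS['mutualisation_afficher_config'])` test is the right fix, since the variable was previously only assigned inside that branch and was therefore undefined (a PHP warning) whenever the option was not set; `$compression` a few lines up already follows the same initialise-before-test pattern, so the hunk is consistent with its surroundings.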
@@ -226,17 +222,17 @@
 . "\n"
 . ''
 . "\n";
-			if ($_GET['tri'] AND isset($plnum[intval(count($c))])) {
+			if (!empty($_GET['tri']) AND isset($plnum[intval(count($c))])) {
 $plnum[intval(count($c))] .= $ligne;
 			} else {
-if ($_GET['tri']) {
+if (!empty($_GET['tri'])) {
 	$plnum[intval(count($c))] = $ligne;
 } else {
 

Bug#1038153: bullseye-pu: package spip/3.2.11-3+deb11u8

2023-06-16 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

Hi,

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

As usual, I’ve already deployed the proposed package on a server
providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Regards,

David
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-02-28 22:51:50.0 +0100
+++ spip-3.2.11/debian/changelog	2023-06-11 15:47:39.0 +0200
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u8) bullseye; urgency=medium
+
+  * Backport security fixes from 4.1.10
+- Limit recursion depth in protege_champ() function
+- Avoid unserialize use in security screen
+- Properly block hidden files in provided htaccess
+- Update security screen to 1.5.3
+
+ -- David Prévot   Sun, 11 Jun 2023 15:47:39 +0200
+
 spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
 
   * Backport security fixes from v3.2.18
diff -Nru spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,37 @@
+From: Cerdic 
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 34926cf..2b3639b 100644
+--- a/ecrire/balise/formulaire_.php
 b/ecrire/balise/formulaire_.php
+@@ -33,9 +33,19 @@ include_spip('inc/texte');
+  * @return string|array
+  * Saisie protégée
+  **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ 	if (is_array($texte)) {
+-		$texte = array_map('protege_champ', $texte);
++		// si on dépasse la prof max on tronque
++		if ($max_prof > 0) {
++			return array_map(
++function($v) use ($max_prof) {
++	return protege_champ($v, $max_prof-1);
++},
++$texte
++			);
++		}
++		// si on dépasse la prof max on tronque
++		return [];
+ 	} else {
+ 		if (is_null($texte)) {
+ 			return $texte;
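Review bot: the comment `// si on dépasse la prof max on tronque` appears twice, once above `if ($max_prof > 0)` where recursion continues and once above `return [];` where truncation actually happens; the first copy is misleading and should describe the descent (or be dropped). Also, at the limit the code returns an empty array for the whole sub-array rather than just its over-deep elements; if that is the intended bound (128 levels by default) it deserves a sentence in the patch description.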
diff -Nru spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,64 @@
+From: Cerdic 
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++--
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 57fc42f..4112e2e 100644
+--- a/config/ecran_securite.php
 b/config/ecran_securite.php
+@@ -557,17 +557,41 @@ if (
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+-		  and strpos($v, ':') !== false
+-		  and strpos($v, '"') !==false
+-		  and preg_match(',[bidsaO]:,', $v)
+-		  and @unserialize($v)) {
+-			$_REQUEST[$k] = htmlentities($v);
++		  and strpbrk($v, "&\"'<>") !== false
++		  and preg_match(',^[abis]:\d+[:;],', $v)
++		  and __ecran_test_if_serialized($v)
++		) {
+
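Review bot: `__ecran_test_if_serialized($v)` is called in the new condition but its definition is not among the lines visible in this excerpt; confirm the same patch defines it (the header counts 30 insertions, so it likely does) and that it does not itself call `unserialize()`, since avoiding that call is the whole point of the change. The prefix test also narrows from an unanchored `,[bidsaO]:,` to `,^[abis]:\d+[:;],` anchored at the start; make sure dropping the `O:` and `d:` prefixes from the screen is deliberate rather than a side effect.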

Bug#1036723: [pkg-php-pear] Bug#1036723: RM: php-finder-facade/experimental -- ROM; Useless in Debian

2023-05-24 Thread David Prévot

Le 24/05/2023 à 21:07, David Prévot a écrit :

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:php-finder-facade


[ Forgot to add the rationales, same as #1036724, sorry. ]

Hi,

As explained three years ago in #977801, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit



Bug#1036726: RM: php-doctrine-bundle -- ROM; Useless in Debian

2023-05-24 Thread David Prévot
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-doctrine-bun...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-doctrine-bundle

Hi,

As explained two years ago in #996108, this package is not used
anymore. Thanks in advance for removing it.

Regards,

taffit




Bug#1036725: RM: php-token-stream -- ROM; Useless in Debian

2023-05-24 Thread David Prévot
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-token-str...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:php-token-stream

Hi,

As explained three years ago in #977802, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit




Bug#1036723: RM: php-finder-facade/experimental -- ROM; Useless in Debian

2023-05-24 Thread David Prévot
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-finder-facade




Bug#1036724: RM: php-finder-facade -- ROM; Useless in Debian

2023-05-24 Thread David Prévot
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-finder-facade

Hi,

As explained three years ago in #977801, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit




Bug#1034854: [pkg-php-pear] Bug#1034854: symfony: autopkgtest regression: "error:10800075:PKCS7 routines::certificate verify error".

2023-04-25 Thread David Prévot


Hi Paul,

Thanks for the report.

Le 25/04/2023 à 21:43, Paul Gevers a écrit :

Source: symfony

[…]
Your package has an autopkgtest, great. However, it fails since April 
2023.


Meh, between 3 and 19 on Sid and between 11 and 21 on Bookworm.

[…]

Targeted fixes are still welcome.

[…]
7) 
Symfony\Component\Mime\Tests\Crypto\SMimeSignerTest::testSignedMessageExtraCerts
Verification of the message /tmp/phpe95PWJ failed. Internal error 
"error:10800075:PKCS7 routines::certificate verify error".

Failed asserting that false is true.

/tmp/autopkgtest-lxc.oubjjog1/downtmp/build.dE0/src/src/Symfony/Component/Mime/Tests/Crypto/SMimeSignerTest.php:160
/tmp/autopkgtest-lxc.oubjjog1/downtmp/build.dE0/src/src/Symfony/Component/Mime/Tests/Crypto/SMimeSignerTest.php:150


Thanks, hope to find time to look at it (this issue in the Symfony Mime 
Component testsuite) really soon.


Regards

taffit




Bug#1034714: [pkg-php-pear] Bug#1034714: bullseye-pu: package php-nyholm-psr7/1.3.2-2+deb11u1

2023-04-22 Thread David Prévot

Hi,

Le 22/04/2023 à 12:59, David Prévot a écrit :
[…]

   [x] attach debdiff against the package in stable


For real now.
diff --git a/debian/changelog b/debian/changelog
index bd0b1d7..a0c6ab8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-nyholm-psr7 (1.3.2-2+deb11u1) bullseye; urgency=medium
+
+  * Fix improper input validation [CVE-2023-29197] (Closes: #1034597)
+  * Use debian/bullseye branch
+
+ -- David Prévot   Sat, 22 Apr 2023 12:22:36 +0200
+
 php-nyholm-psr7 (1.3.2-2) unstable; urgency=medium
 
   * Fix d/clean
diff --git a/debian/control b/debian/control
index 263202a..79c9ad0 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13),
pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://github.com/Nyholm/psr7
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-nyholm-psr7
 Rules-Requires-Root: no
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
index eb7a2c8..bd2dada 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff --git a/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
new file mode 100644
index 000..85e246f
--- /dev/null
+++ b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
@@ -0,0 +1,131 @@
+From: Tobias Nyholm 
+Date: Mon, 17 Apr 2023 18:00:04 +0200
+Subject: Merge pull request from GHSA-wjfc-pgfp-pv9c
+
+Improper Input Validation in headers
+
+Origin: backport, https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426
+Bug-Debian: https://bugs.debian.org/1034597 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php   |  4 ++--
+ tests/RequestTest.php  | 46 ++
+ tests/ResponseTest.php | 31 +++
+ 3 files changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 2da949d..4977583 100644
+--- a/src/MessageTrait.php
 b/src/MessageTrait.php
+@@ -177,7 +177,7 @@ trait MessageTrait
+  */
+ private function validateAndTrimHeader($header, $values): array
+ {
+-if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@", $header)) {
++if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $header)) {
+ throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string.');
+ }
+ 
+@@ -197,7 +197,7 @@ trait MessageTrait
+ // Assert Non empty array
+ $returnValues = [];
+ foreach ($values as $v) {
+-if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {
++if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {
+ throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings.');
+ }
+ 
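Review bot: consider a short comment beside each pattern stating that the trailing `D` (PCRE_DOLLAR_ENDONLY) is what rejects a name or value ending in "\n"; without it `$` also matches immediately before a final newline, which is exactly the bypass this patch closes, and a lone modifier with no explanation is easy to lose in a later regex edit.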
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index ddac6d2..8d5d53e 100644
+--- a/tests/RequestTest.php
 b/tests/RequestTest.php
+@@ -294,4 +294,50 @@ class RequestTest extends TestCase
+ $request = $request->withUri(new Uri('https://nyholm.tech:443'));
+ $this->assertEquals('nyholm.tech', $request->getHeaderLine('Host'));
+ }
++
++/**
++ * @dataProvider provideHeaderValuesContainingNotAllowedChars
++ */
++public function testCannotHaveHeaderWithInvalidValue(string $name)
++{
++$this->expectException(\InvalidArgumentException::class);
++$this->expectExceptionMessage('Header name must be an RFC 7230 compatible string');
++$r = new Request('GET', 'https://example.com/');
++$r->withHeader($name, 'Bar');
++}
++
++public static function provideHeaderValuesContainingNotAllowedChars(): array
++{
++// Explicit tests for newlines as the most common exploit vector.
++$tests = [
++["new\nline"],
++["new\r\nline"],
++["new\rline"],
++["new\r\n line"],
++["newline\n"],
++["\nnewline"],
++["newline\r\n"],
++["\n\rnewline"],
++];
++
++for ($i = 0; $i <= 0xFF; ++$i) {
++if ("\t" == \chr($i)) {
++continue;
++}
++if (' ' == \chr($i)) {
++   
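Review bot: `testCannotHaveHeaderWithInvalidValue(string $name)` and its provider `provideHeaderValuesContainingNotAllowedChars` are named for header values, but the test feeds the data as the header name (`$r->withHeader($name, 'Bar')`) and expects the 'Header name must be an RFC 7230 compatible string' message; either rename both to say "name", or add the mirrored value case so that both regexes changed in `MessageTrait.php` are exercised by the new cases.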

Bug#1034714: bullseye-pu: package php-nyholm-psr7/1.3.2-2+deb11u1

2023-04-22 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-nyholm-p...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-nyholm-psr7

Hi,

Please note that this request is very similar to #1034713 for
php-guzzlehttp-psr7/1.7.0-1+deb11u2 (even the CVE ID is the same).

[ Reason ]
I’d like to fix an improper input validation [CVE-2023-29197]
filed as #1034597. The security team reviewed this bug filed
with a non-RC severity, so I assume they don’t expect to release
a DSA for it (as for the other php-guzzlehttp-psr7 issue),
anyway the team is X-D-Cc.

[ Impact ]
It’s a security flaw.

[ Tests ]
The (extended for this fix) upstream testsuite is run at build
time and debci.

[ Risks ]
The code change is fairly trivial, and was adapted from
upstream (I used the exact same patch as the one targeted for
Bookworm).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
It’s just a stricter validation regex.

[ Other info ]
Thanks a lot for your work!

Cheers

taffit




Bug#1034713: bullseye-pu: package php-guzzlehttp-psr7/1.7.0-1+deb11u2

2023-04-22 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-guzzlehttp-p...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-guzzlehttp-psr7

Hi,

[ Reason ]
I’d like to fix an improper input validation [CVE-2023-29197]
filed as #1034581. This is a follow up from [CVE-2022-24775]
filed as #1008236 that was fixed via a previous point release.
The security team filed those bugs with a non-RC severity, so
I assume they don’t expect to release a DSA for it (as for the
previous main issue), anyway the team is X-D-Cc.

[ Impact ]
It’s a security flaw.

[ Tests ]
The (extended for this fix) upstream testsuite is run at build
time and debci.

[ Risks ]
The code change is fairly trivial, and was cherry-picked from
upstream (their fix for the 1.9 branch).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
It’s just a stricter validation regex.

[ Other info ]
Thanks a lot for your work!

Cheers

taffit
diff --git a/debian/changelog b/debian/changelog
index 8635876..0093037 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-guzzlehttp-psr7 (1.7.0-1+deb11u2) bullseye; urgency=medium
+
+  * Fix improper input validation [CVE-2023-29197] (Closes: #1034581)
+
+ -- David Prévot   Sat, 22 Apr 2023 11:41:36 +0200
+
 php-guzzlehttp-psr7 (1.7.0-1+deb11u1) bullseye; urgency=medium
 
   * Track Bullseye
diff --git a/debian/patches/0004-Patch-header-validation-issue.patch b/debian/patches/0004-Patch-header-validation-issue.patch
new file mode 100644
index 000..84b4ad9
--- /dev/null
+++ b/debian/patches/0004-Patch-header-validation-issue.patch
@@ -0,0 +1,87 @@
+From: Graham Campbell 
+Date: Mon, 17 Apr 2023 16:33:27 +0100
+Subject: Patch header validation issue
+
+Origin: upstream, https://github.com/guzzle/psr7/commit/18fd8915823bd9ca4156e84849e18970057dc7e4
+Bug-Debian: https://bugs.debian.org/1034581 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php   | 13 ++---
+ tests/RequestTest.php  |  5 +
+ tests/ResponseTest.php |  9 +
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 0ac8663..0bbd63e 100644
+--- a/src/MessageTrait.php
 b/src/MessageTrait.php
+@@ -226,12 +226,9 @@ trait MessageTrait
+ throw new \InvalidArgumentException('Header name can not be empty.');
+ }
+ 
+-if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
++if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $header)) {
+ throw new \InvalidArgumentException(
+-sprintf(
+-'"%s" is not valid header name',
+-$header
+-)
++sprintf('"%s" is not valid header name.', $header)
+ );
+ }
+ }
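Review bot: since this hunk already rewrites the exception message to add a trailing period, fixing its grammar at the same time ('"%s" is not a valid header name.') would cost nothing; the same applies to the value message in the following hunk.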
+@@ -263,8 +260,10 @@ trait MessageTrait
+ // Clients must not send a request with line folding and a server sending folded headers is
+ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+ // folding is not likely to break any legitimate use case.
+-if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+-throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
++throw new \InvalidArgumentException(
++sprintf('"%s" is not valid header value.', $value)
++);
+ }
+ }
+ }
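Review bot: the comment block above the pattern explains why line folding is rejected but says nothing about why `/D` is now required; add a line noting that without PCRE_DOLLAR_ENDONLY `$` also matches before a trailing newline, so a value ending in "\n" passed the `^...$` check, which is what the new `["newline\n"]` style cases in `RequestTest.php` assert against.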
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index 10ac92a..7dca806 100644
+--- a/tests/RequestTest.php
 b/tests/RequestTest.php
+@@ -269,6 +269,10 @@ class RequestTest extends BaseTest
+ // Line folding is technically allowed, but deprecated.
+ // We don't support it.
+ ["new\r\n line"],
++["newline\n"],
++["\nnewline"],
++["newline\r\n"],
++["\r\nnewline"],
+ ];
+ 
+ for ($i = 0; $i <= 0xff; $i++) {
+@@ -286,6 +290,7 @@ class RequestTest extends BaseTest
+ }
+ 
+ $tests[] = ["foo" . \chr($i) . "bar"];
++$tests[] = ["foo" . \chr($i)];
+ }
+ 
+ return $tests;
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index 0b6be02..30e106b 100644
+--- a/tests/ResponseTest.php
 b/tests/ResponseTest.php
+@@ -284,6 +284,15 @@ class ResponseTest extends BaseTest
+ [[], 'foo', 'Header name must be a string but array provided.'],
+
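The two bug reports above (php-nyholm-psr7 and php-guzzlehttp-psr7) both describe the CVE-2023-29197 fix as "just a stricter validation regex". What the added `D` modifier changes is easy to miss, so here is an added example that is not code from nyholm/psr7, guzzle/psr7 or the Debian patches: it runs the pre-fix and post-fix patterns from the debdiffs over constructed header names and values, including the trailing-newline case the new upstream tests cover. The function names are mine.

```php
<?php
// Added example for the CVE-2023-29197 fix discussed above; not code from
// nyholm/psr7, guzzle/psr7 or the Debian patches. Function names are mine.
declare(strict_types=1);

// Header-name pattern as in the `-` line of MessageTrait.php; the trailing `D`
// (PCRE_DOLLAR_ENDONLY) is what the `+` line adds. PHP does not interpolate
// `$%` or `$@` inside double quotes, so the `$` anchor reaches PCRE literally.
function headerNamePattern(bool $strict): string
{
    return "@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@" . ($strict ? 'D' : '');
}

// Header-value pattern, likewise; PHP expands the escapes before PCRE sees
// them, so the class is SP, HTAB, 0x21-0x7E and 0x80-0xFF (no CR, no LF).
function headerValuePattern(bool $strict): string
{
    return "@^[ \t\x21-\x7E\x80-\xFF]*$@" . ($strict ? 'D' : '');
}

function isValidHeaderName(string $name, bool $strict = true): bool
{
    return 1 === preg_match(headerNamePattern($strict), $name);
}

function isValidHeaderValue(string $value, bool $strict = true): bool
{
    return 1 === preg_match(headerValuePattern($strict), $value);
}

// Constructed inputs: a well-formed pair, the same name or value with a
// trailing newline, and an embedded CRLF (rejected by both variants because
// CR and LF are outside the character class regardless of the anchor).
$cases = [
    ['X-Request-Id',   'abc123'],
    ["X-Request-Id\n", 'abc123'],
    ['X-Request-Id',   "abc123\n"],
    ['X-Request-Id',   "abc\r\n123"],
];

printf("%-20s %-16s %-10s %s\n", 'name', 'value', 'pre-fix', 'with D');
foreach ($cases as [$name, $value]) {
    // Without D, `$` matches before a final "\n", so the second and third
    // rows pass the loose check; with D they are rejected.
    $loose  = isValidHeaderName($name, false) && isValidHeaderValue($value, false);
    $strict = isValidHeaderName($name) && isValidHeaderValue($value);
    printf(
        "%-20s %-16s %-10s %s\n",
        json_encode($name),
        json_encode($value),
        $loose ? 'accepted' : 'rejected',
        $strict ? 'accepted' : 'rejected'
    );
}
```

Run it with `php` on the command line: the first row is accepted by both variants, the two trailing-newline rows are accepted by the pre-fix pattern and rejected once `D` is present, and the embedded-CRLF row is rejected by both. That is the whole difference between the `-` and `+` lines in both MessageTrait.php hunks, and it is why the new test cases end with `"\n"` rather than placing the newline in the middle.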

Bug#1034597: CVE ID (Was: cloning 1034581, reassign -1 to php-nyholm-psr7)

2023-04-19 Thread David Prévot

Hi Salvatore,

Le 19/04/2023 à 08:33, Salvatore Bonaccorso a écrit :

On Wed, Apr 19, 2023 at 08:29:49AM +0200, Salvatore Bonaccorso wrote:

[…]

FWIW, I do not know (yet) if nyholm-psr7 will get its own CVE for it.
php-slim-psr7 did in fact get one (see #1034580).


Okay, actually the project is using CVE-2023-29197 as well per
https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c


Yep, I got it from the changelog, still need to (find time to) figure 
out the best way to deal with it for Bookworm.



Added it as such as well to the tracker.


Thanks!

Regards

taffit




Bug#1033788: [pkg-php-pear] Bug#1033788: php-symfony-cache: Conflict with PSR Cache

2023-04-01 Thread David Prévot

Control: -1 unreproducible

Hi,

Thank you for your interest in reporting a bug.

Le 01/04/2023 à 11:01, DorianCoding a écrit :

Package: php-symfony-cache
Version: 5.4.21+dfsg-1

[…]

*** Reporter, please consider answering these questions, where appropriate ***


It would have been nice to actually answer these questions.


Psr cache and Symfony cache are in conflict and returns the following error:

Got error 'PHP message: PHP Fatal error:  Declaration of 
Symfony\\Component\\Cache\\CacheItem::get() must be compatible with 
Psr\\Cache\\CacheItemInterface::get(): mixed in 
/usr/share/php/Symfony/Component/Cache/CacheItem.php on line 4

[…]

ii  php-psr-cache  1.0.1-3


Yet, php-psr-cache in version 1 does not enforce “get(): mixed”.

---
$ grep -B3 'get();' /usr/share/php/Psr/Cache/CacheItemInterface.php
 * @return mixed
 *   The value corresponding to this cache item's key, or null if 
not found.

 */
public function get();


psr/cache version 3 does enforce the output type, so maybe you are using 
it from third party code. That’s the kind of information needed in 
order to understand and reproduce your issue.


Regards,

taffit




Bug#1032131: deb822-style sources.list

2023-02-28 Thread David Prévot
Source: apt-setup
Severity: wishlist

Hi,

Thank you for maintaining d-i!

I may be late to the bookworm party but… It would be nice if d-i could
provide deb822-style sources.list (by default) for newly installed
machines.

Apologies in advance if I missed a duplicate in a more appropriate
module.

Cheers,

taffit




Bug#1030851: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u2

2023-02-27 Thread David Prévot

Hi,

Le 27/02/2023 à 08:18, David Prévot a écrit :

Le 26/02/2023 à 21:54, Paul Gevers a écrit :

On 08-02-2023 13:53, David Prévot wrote:

[ Tests ]
I didn’t test it thoroughly (I doubt to have much time for at least
another week), but it passes


There are issues with the installability of src:symfony packages as 
can be seen from the autopkgtests [1]:


Thank you for the heads up! Shame on me for not checking thoroughly the 
autotest result

[…]
I’ll look at it ASAP […] and provide an 
updated version with an update to this bug report.


I’ve uploaded symfony/4.4.19+dfsg-2+deb11u3 without the dependency bump, 
debdiff against 4.4.19+dfsg-2+deb11u2 attached.


Regards

taffit
diff --git a/debian/changelog b/debian/changelog
index 3f054d84ec..8aac84e7c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+symfony (4.4.19+dfsg-2+deb11u3) bullseye; urgency=medium
+
+  * Drop dependency bump.
+Thanks to Paul Gevers 
+
+ -- David Prévot   Mon, 27 Feb 2023 23:05:34 +0100
+
 symfony (4.4.19+dfsg-2+deb11u2) bullseye; urgency=medium
 
   * Backport security fixes from Symfony 4.4.50
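Review bot: "Drop dependency bump." records what changed but not why; a reference to the autopkgtest installability regression reported earlier in this bug would let a future reader understand why the `symfony/security-http` constraint bump was reverted from the backported patch.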
diff --git a/debian/patches/Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch b/debian/patches/Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch
index 27842fb9a3..e61a2160e4 100644
--- a/debian/patches/Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch
+++ b/debian/patches/Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch
@@ -8,10 +8,9 @@ Origin: backport, https://github.com/symfony/symfony/commit/c75c5699f02da5ebb92c
  .../Bundle/SecurityBundle/Resources/config/security.xml|  1 +
  .../SecurityBundle/Tests/Functional/CsrfFormLoginTest.php  |  6 ++
  .../Bundle/SecurityBundle/Tests/Functional/LogoutTest.php  |  4 +---
- src/Symfony/Bundle/SecurityBundle/composer.json|  2 +-
  .../Http/Session/SessionAuthenticationStrategy.php | 14 +++---
  .../Tests/Session/SessionAuthenticationStrategyTest.php| 13 +
- 6 files changed, 33 insertions(+), 7 deletions(-)
+ 5 files changed, 32 insertions(+), 6 deletions(-)
 
 diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
 index 3491383..eabe5e5 100644
@@ -81,19 +80,6 @@ index cb7868f..465027f 100644
  
  $client->request('GET', '/logout');
  
-diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
-index 872ef66..6627cdb 100644
 a/src/Symfony/Bundle/SecurityBundle/composer.json
-+++ b/src/Symfony/Bundle/SecurityBundle/composer.json
-@@ -24,7 +24,7 @@
- "symfony/security-core": "^4.4",
- "symfony/security-csrf": "^4.2|^5.0",
- "symfony/security-guard": "^4.2|^5.0",
--"symfony/security-http": "^4.4.5"
-+"symfony/security-http": "^4.4.50"
- },
- "require-dev": {
- "doctrine/doctrine-bundle": "^1.5|^2.0",
 diff --git a/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php b/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php
 index a4bb888..7369105 100644
 --- a/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php


Bug#1030851: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u2

2023-02-26 Thread David Prévot

Hi Paul,

Le 26/02/2023 à 21:54, Paul Gevers a écrit :

On 08-02-2023 13:53, David Prévot wrote:

[ Tests ]
I didn’t test it thoroughly (I doubt to have much time for at least
another week), but it passes


There are issues with the installability of src:symfony packages as can 
be seen from the autopkgtests [1]:


Thank you for the heads up! Shame on me for not checking thoroughly the 
autotest result, but glad I enabled it and thank you again for pointing 
the regression out to me! I’ll look at it ASAP (IIRC, it should just be an 
unneeded version bump to get the patched version), and provide an 
updated version with an update to this bug report.


Regards

David



Bug#1031782: Please don’t enforce --allow-dist-rename

2023-02-22 Thread David Prévot
Package: debmirror
Version: 1:2.35+deb11u1
Severity: normal
X-Debbugs-Cc: dpre...@evolix.fr

Hi,

Trying to mirror several suites from extended-lts currently fails with
the following output.

> The directory for a dist should be its codename, not a suite.
> Use --allow-dist-rename to have debmirror do the conversion automatically.

Using --omit-suite-symlinks unfortunately does not allow bypassing the
rename_distdir() call, so I had to comment those checks in order to
mirror extended-lts containing directory $suite and $suite-lts (e.g.,
stretch and stretch-lts) both set with “Suite: $suite” (e.g., Suite:
stretch).

Regards

David




Bug#1030851: [pkg-php-pear] Bug#1030851: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u2

2023-02-08 Thread David Prévot

Le 08/02/2023 à 13:53, David Prévot a écrit :

Package: release.debian.org
Severity: normal
Tags: bullseye

[…]

[ Tests ]
I didn’t test it thoroughly (I doubt to have much time for at least
another week), but it passes


… its (updated upstream) testsuite at buildtime, which is the same as 
the autopkgtest one.


Regards

David




Bug#1030851: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u2

2023-02-08 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: symf...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:symfony

[ Reason ]
I’ve been asked by the security team to provide those fixes for the
upcoming 11.7 point release after their review.

[ Impact ]
Two CVEs have been assigned to Symfony, the version currently in
unstable and bookworm ships the fixes, the attached debdiff is a
proposal for Bullseye.

https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache
https://symfony.com/blog/cve-2022-24895-csrf-token-fixation

[ Tests ]
I didn’t test it thoroughly (I doubt to have much time for at least
another week), but it passes 

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards

taffit
diff -Nru symfony-4.4.19+dfsg/debian/changelog symfony-4.4.19+dfsg/debian/changelog
--- symfony-4.4.19+dfsg/debian/changelog	2021-11-24 11:07:00.0 +0100
+++ symfony-4.4.19+dfsg/debian/changelog	2023-02-01 19:38:41.0 +0100
@@ -1,3 +1,13 @@
+symfony (4.4.19+dfsg-2+deb11u2) bullseye; urgency=medium
+
+  * Backport security fixes from Symfony 4.4.50
+- [HttpKernel] Remove private headers before storing responses with
+  HttpCache [CVE-2022-24894]
+- [Security/Http] Remove CSRF tokens from storage on successful login
+  [CVE-2022-24895]
+
+ -- David Prévot   Wed, 01 Feb 2023 19:38:41 +0100
+
 symfony (4.4.19+dfsg-2+deb11u1) bullseye; urgency=medium
 
   * Prevent CSV injection via formulas [CVE-2021-41270]
diff -Nru symfony-4.4.19+dfsg/debian/patches/HttpKernel-Remove-private-headers-before-storing-response.patch symfony-4.4.19+dfsg/debian/patches/HttpKernel-Remove-private-headers-before-storing-response.patch
--- symfony-4.4.19+dfsg/debian/patches/HttpKernel-Remove-private-headers-before-storing-response.patch	1970-01-01 01:00:00.0 +0100
+++ symfony-4.4.19+dfsg/debian/patches/HttpKernel-Remove-private-headers-before-storing-response.patch	2023-02-01 19:38:41.0 +0100
@@ -0,0 +1,92 @@
+From: Nicolas Grekas 
+Date: Thu, 3 Mar 2022 11:39:01 +0100
+Subject: [HttpKernel] Remove private headers before storing responses with
+ HttpCache [CVE-2022-24894]
+
+Origin: upstream, https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
+---
+ src/Symfony/Component/HttpKernel/HttpCache/Store.php | 20 +---
+ .../HttpKernel/Tests/HttpCache/StoreTest.php | 13 +
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/Symfony/Component/HttpKernel/HttpCache/Store.php b/src/Symfony/Component/HttpKernel/HttpCache/Store.php
+index 3b69289..6451b9e 100644
+--- a/src/Symfony/Component/HttpKernel/HttpCache/Store.php
 b/src/Symfony/Component/HttpKernel/HttpCache/Store.php
+@@ -26,19 +26,29 @@ class Store implements StoreInterface
+ {
+ protected $root;
+ private $keyCache;
+-private $locks;
++private $locks = [];
++private $options;
+ 
+ /**
++ * Constructor.
++ *
++ * The available options are:
++ *
++ *   * private_headers  Set of response headers that should not be stored
++ *  when a response is cached. (default: Set-Cookie)
++ *
+  * @throws \RuntimeException
+  */
+-public function __construct(string $root)
++public function __construct(string $root, array $options = [])
+ {
+ $this->root = $root;
+ if (!file_exists($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) {
+ throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root));
+ }
+ $this->keyCache = new \SplObjectStorage();
+-$this->locks = [];
++$this->options = array_merge([
++'private_headers' => ['Set-Cookie'],
++], $options);
+ }
+ 
+ /**
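Review bot: the `array_merge` that builds `$this->options` at the end of the constructor replaces the `private_headers` default wholesale, so a caller passing `'private_headers' => []` silently re-enables storing `Set-Cookie`; either state in the new docblock that the option replaces rather than extends the `Set-Cookie` default, or reject an empty list there.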
+@@ -215,6 +225,10 @@ class Store implements StoreInterface
+ $headers = $this->persistResponse($response);
+ unset($headers['age']);
+ 
++foreach ($this->options['private_headers'] as $h) {
++unset($headers[strtolower($h)]);
++}
++
+ array_unshift($entries, [$storedEnv, $headers]);
+ 
+ if (!$this->save($key, serialize($entries))) {
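Review bot: the new `foreach` removes `$headers[strtolower($h)]`, which only strips the header when `persistResponse()` returns lowercase keys; the adjacent `unset($headers['age'])` implies it does, but a comment next to the loop stating that dependency would keep a later change to `persistResponse()` from reintroducing cookie storage. Note also that the loop only runs on the write path, so entries written before this fix keep any `Set-Cookie` headers already stored.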
+diff --git a/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php b/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php
+index da1f649..239361b 100644
+--- a/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php
 b/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php
+@@ -12,8 +12,10 @@
+ namespace Symfony\Component\HttpKernel\Tests\HttpCache;
+ 
+ use PHPUnit\Framework\TestCase;
++use Symfony\Comp
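Review bot: the StoreTest.php hunk is cut off after `+use Symfony\Comp` in this debdiff, so the 13 added lines listed in the diffstat (`StoreTest.php | 13 +`), which should cover the new `private_headers` option, cannot be reviewed here; please attach the complete patch.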

Bug#1030694: Rename init variable to fix conflict with entry point

2023-02-06 Thread David Prévot
Package: inotify-tools
Version: 3.22.6.0-3
Severity: important
Tags: upstream patch

Hi!

We’ve noticed that fsnotifywait didn’t work as expected: even if the
kernel is notified, fsnotifywait was not. The following upstream commit
actually fixes the issue, I’ve tested it also on a bullseye server (with
the package rebuilt as a backport).

https://github.com/inotify-tools/inotify-tools/commit/be8426ce01fbe91cab62bc1131649cc80c60

Unfortunately, it also required the following change in the symbols
file.

- init@Base 3.21.9.5
+ initialized@Base 3.22.6.0

Can you please consider applying this small targeted fix in time for the
Bookworm release?

Thanks in advance.

Regards

taffit




Bug#1030277: [dget] Can’t parse deb822-style .sources files

2023-02-01 Thread David Prévot

Control: forcemerge 976673 -1

On 02/02/2023 at 03:14, Tianyu Chen wrote:
> On Wed, Feb 01, 2023 at 10:40:08PM +0100, David Prévot wrote:
> […]
> > $ dget apt
> > no repository found in /etc/apt/sources.list or sources.list.d at /usr/bin/dget line 378.
>
> Is this a duplicate with #976673?

Indeed, thanks. No idea how I missed it, sorry.

Regards.



Bug#1030277: [dget] Can’t parse deb822-style .sources files

2023-02-01 Thread David Prévot
Package: devscripts
Version: 2.22.2
Severity: normal
Control: user devscri...@packages.debian.org
Control: usertags -i + dget

Hi,

dget’s parser assumes the one-line-style format of sources.list:

$ dget apt
no repository found in /etc/apt/sources.list or sources.list.d at /usr/bin/dget line 378.

Regards

taffit

-- Package-specific info:

--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
Empty.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 
'proposed-updates'), (500, 'oldstable-updates'), (500, 
'oldstable-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

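The two formats behind this report, as an added example that is not devscripts' code: a small Python parser that accepts both the one-line sources.list style and deb822 .sources stanzas (expanding every Types x URIs x Suites combination) and picks out the deb-src entries a source-fetching tool needs. The sample inputs are constructed.

```python
import re

def parse_one_line(text):
    """Classic sources.list: one 'deb [options] uri suite component...' per line."""
    repos = []
    for raw in text.splitlines():
        words = re.sub(r"\[[^\]]*\]", "", raw.split("#", 1)[0]).split()  # drop comment, [opts]
        if len(words) >= 3 and words[0] in ("deb", "deb-src"):
            repos.append((words[0], words[1], words[2], tuple(words[3:])))
    return repos

def parse_deb822(text):
    """deb822 .sources: stanzas of 'Key: value' lines separated by blank lines."""
    repos = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)  # first colon only: URIs contain ':'
                fields[key.strip().lower()] = value.split()
        for typ in fields.get("types", []):       # every Types x URIs x Suites
            for uri in fields.get("uris", []):    # combination is one repository
                for suite in fields.get("suites", []):
                    repos.append((typ, uri, suite, tuple(fields.get("components", []))))
    return repos

def parse_sources(text):  # detect the format from the first non-comment word
    words = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if words and words[0][0] in ("deb", "deb-src"):
        return parse_one_line(text)
    return parse_deb822(text)

def source_repos(text):  # only deb-src entries can serve a source package
    return [r for r in parse_sources(text) if r[0] == "deb-src"]

# Constructed sample inputs (not taken from the bug report).
ONE_LINE = """\
deb [arch=amd64 signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main   # source mirror
"""
DEB822 = """\
Types: deb deb-src
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main contrib

Types: deb
URIs: http://security.debian.org/debian-security
Suites: bookworm-security
"""
```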

Bug#1022325: lucene4.10: FTBFS: [javac] /<>/test-framework/src/java/org/apache/lucene/util/TestRuleSetupAndRestoreClassEnv.java:298: error: cannot access SelfDescribing

2023-01-29 Thread David Prévot
Hi,

On Sun, Oct 23, 2022 at 02:41:49PM +0200, Lucas Nussbaum wrote:
> Source: lucene4.10
[…]
> > [javac] 
> > /<>/test-framework/src/java/org/apache/lucene/util/TestRuleSetupAndRestoreClassEnv.java:298:
> >  error: cannot access SelfDescribing
> > [javac]   System.err.println("NOTE: " + e.getMessage() + " 
> > Suppressed codecs: " + 
> > [javac]  ^
> > [javac]   class file for org.hamcrest.SelfDescribing not found

Hi,

I just uploaded a fix for this issue during the BSP currently happening
in St-Cergue, Switzerland. A merge request has been submitted.

https://salsa.debian.org/java-team/lucene4.10/-/merge_requests/3

Regards

taffit




Bug#1021739: nekohtml: CVE-2022-24839

2023-01-28 Thread David Prévot
Hi,

On Thu, Oct 13, 2022 at 09:17:02PM +0200, Moritz Mühlenhoff wrote:
> Source: nekohtml
[…]
> The following vulnerability was published for nekohtml.
> 
> CVE-2022-24839[0]:

I prepared an upload (new upstream release) of this package in order to
fix this RC-bug as part of the BSP currently happening in St-Cergue,
Switzerland. A merge request has been submitted.

https://salsa.debian.org/java-team/nekohtml/-/merge_requests/1

Unless advised otherwise, I intend to upload the updated package
tomorrow.

Regards

taffit



