Bug#1068862: ITP: node-microsoft-fast -- FAST monorepo, containing web component packages, tools, examples, and documentation

2024-04-12 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-microsoft-fast
  Version : 0~20240320-1
  Upstream Contact: https://github.com/Microsoft/fast/issues
* URL : https://github.com/Microsoft/fast
* License : Expat
  Programming Lang: JavaScript
  Description : FAST monorepo, containing web component packages, tools, 
examples, and documentation

FAST is a collection of technologies built on Web Components and modern Web
Standards, designed to help you efficiently tackle some of the most common
challenges in website and application design and development.

* Create reusable UI components with `@microsoft/fast-element`, all based on
  W3C Web Component standards.
* Use `@microsoft/fast-foundation` library to rapidly build W3C OpenUI-based
  (https://open-ui.org/) design systems without re-implementing component
  logic.
* Leverage modern, W3C standards-based SSR for Web Components by plugging in
  `@microsoft/fast-ssr`.
* Bring all the pieces together to build SPAs and rich experiences with our
  Web Components router by installing `@microsoft/fast-router`.
* React users can drop in `@microsoft/fast-react-wrapper` to turn any Web
  Component into a native React component.
* Integrate FAST Web Components with any library, framework, or build system.

This monorepository will provide the following packages:
* node-microsoft-fast-colors
* node-microsoft-fast-element
* node-microsoft-fast-foundation
* node-microsoft-fast-react-wrapper
* node-microsoft-fast-router
* node-microsoft-fast-ssr
* node-microsoft-fast-web-utilities

This is required to update node-jupyterlab.



Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-05 Thread Yadd

On 4/5/24 15:58, Moritz Muehlenhoff wrote:

On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:

On 4/4/24 22:51, Moritz Mühlenhoff wrote:

Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
  https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
  https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
  https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.


Hi,

I'm ready to push 2.4.59 into bookworm-security. Note that this includes a
test-framework update


Target distribution needs to be bookworm-security, with that please upload.
Can you also prepare the equivalent change for bullseye-security?

The uploads can already happen, but let's keep the update unreleased until
next week, then we can look for regressions reported in unstable (and check
with Ondrej if we received reports based on his repo)

Cheers,
 Moritz


Both Bullseye and Bookworm uploaded. The Bullseye version also embeds a 
copyright fix




Bug#1066749: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1

2024-03-20 Thread Yadd

Control: tags -1 + moreinfo

Hi,

I'm unable to reproduce this issue. Probably fixed elsewhere during the 
time_t transition




Bug#1064558: [Pkg-javascript-devel] Bug#1064558: node-leveldown: FTBFS on mips64el: not ok 1397 Error: batch(array) element must be an object and not `null`

2024-03-02 Thread Yadd

On 2/24/24 13:10, Sebastian Ramacher wrote:

Source: node-leveldown
Version: 5.6.0+dfsg-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org

https://buildd.debian.org/status/fetch.php?pkg=node-leveldown=mips64el=5.6.0%2Bdfsg-4%2Bb1=1708632735=0

not ok 1397 Error: batch(array) element must be an object and not `null`
   ---
 operator: error
 stack: |-
   Error: batch(array) element must be an object and not `null`
   at AbstractLevelDOWN.batch 
(/usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:163:33)
   at /<>/test/iterator-recursion-test.js:48:8
   at /usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:41:5
   ...

Cheers


Hi Jérémy,

when trying to build on the mips64el porterbox, I got this:

make[1]: Entering directory '/home/yadd/node-leveldown'
node-gyp clean
node: error while loading shared libraries: libnode.so.108: cannot open 
shared object file: No such file or directory

make[1]: *** [debian/rules:18: override_dh_auto_clean] Error 127
make[1]: Leaving directory '/home/yadd/node-leveldown'




Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-15 Thread Yadd

I closed this issue because:
 - I dropped all bad .h files from install
 - I added ABI flags to build
 - cyrus-dev has no reverse dependencies

If I'm wrong, please reopen this issue

Cheers,
Yadd



Bug#1063908: [Debian-pan-maintainers] Bug#1063908: node-jupyter-widgets-{base, base-manager, control}: ships files already in python3-widgetsnbextension

2024-02-14 Thread Yadd

On 2/14/24 20:26, Andreas Beckmann via Debian-pan-maintainers wrote:

Package: 
node-jupyter-widgets-base,node-jupyter-widgets-base-manager,node-jupyter-widgets-controls
Version: 6.0.7+~cs14.23.94-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed to install
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces

 From the attached log (scroll to the bottom...):

   Preparing to unpack 
.../node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb ...
   Unpacking node-jupyter-widgets-base (6.0.7+~cs14.23.94-1) ...
   dpkg: error processing archive 
/var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb 
(--unpack):
trying to overwrite 
'/usr/share/nodejs/@jupyter-widgets/base/css/index.css', which is also in 
package python3-widgetsnbextension 8.1.1-2
   Errors were encountered while processing:

/var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb


Hi,

why does python3-widgetsnbextension install an unusable node.js module 
into a nodejs directory?




Bug#1063824: zenmap should depends on python3-gi-cairo

2024-02-12 Thread Yadd
Package: zenmap
Version: 7.94+git20230807.3be01efb1+dfsg-3
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when using zenmap, the "port" tab is broken unless python3-gi-cairo is
installed:

  TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Cheers,
Yadd



Bug#1061341: Fwd: Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-06 Thread Yadd

On 2/7/24 06:31, ellie timoney wrote:

Hi Xavier,

On Mon, 29 Jan 2024, at 9:59 AM, ellie timoney wrote:

On Thu, 25 Jan 2024, at 3:53 PM, Yadd wrote:

yes there are other errors because some .h require unavailable .h like
config.h


Ooh interesting, I'll have a look


I'm still working on this, but the more I work on it, the more of it turns out 
to need fixing...

I think for now, it makes sense for you to proceed with the packaging changes 
assuming that 32 bit Cyrus will _not_ be ABI compatible when recompiled with 64 
bit time_t.  From the original email, I think that means you'll need to set up 
strict version dependencies between the cyrus-common, cyrus-admin and 
cyrus-clients packages, so that people can't partially upgrade and wind up with 
conflicts.

Cheers,

ellie


Hi,

dependencies are already strict (= ${binary:Version}).
To be able to make the cyrus-dev headers compatible with the ABI test, I'll 
have to remove the following (missing config.h, ...):


/usr/include/cyrus/bufarray.h
/usr/include/cyrus/charset.h
/usr/include/cyrus/command.h
/usr/include/cyrus/crc32.h
/usr/include/cyrus/cyr_qsort_r.h
/usr/include/cyrus/glob.h
/usr/include/cyrus/imapurl.h
/usr/include/cyrus/mappedfile.h
/usr/include/cyrus/procinfo.h
/usr/include/cyrus/rfc822tok.h
/usr/include/cyrus/sieve/sieve_err.h
/usr/include/cyrus/sieve/sieve_interface.h
/usr/include/cyrus/sqldb.h
/usr/include/cyrus/tok.h
/usr/include/cyrus/vparse.h
/usr/include/cyrus/wildmat.h



Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-02 Thread Yadd

On 1/28/24 20:21, Steve Langasek wrote:

On Tue, Jan 23, 2024 at 08:32:18AM +0400, Yadd wrote:

Control: tags -1 + moreinfo



On 1/23/24 00:43, Steve Langasek wrote:

Package: cyrus-common
Version: 3.8.1-1
Severity: serious
User: debian-...@lists.debian.org
Usertags: time-t



Dear maintainers,



Analysis of the archive for the 64-bit time_t transition[0][1] identifies
cyrus-common as an affected package, on the basis that the headers could not
be compiled and analyzed out of the box using abi-compliance-checker[2], so
we have to assume it's affected.



However, cyrus-commons's shlibs file declares a dependency on a library
package name that contains no ABI information:



according to
https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt
this issue looks like a false positive: the test failed because of a C error,
not because of a bad report



Am I right here?


We do not *know* that it's a false positive; we only know that we were
unable to analyze the header files under a-c-c to prove that the ABI is not
affected.

Patches to the check-armhf-time_t script at
https://salsa.debian.org/vorlon/armhf-time_t/-/blob/main/check-armhf-time_t?ref_type=heads
to quirk this package and allow its headers to be analyzed, or changes to
the source package to not ship uncompilable headers ("apt-file search
lib/strarray.h" returns no results), would both be welcome.

Thanks,


Hi,

is it possible to build a salsa-ci job to test this on i386?

Best regards,
Yadd



Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-01-22 Thread Yadd

Control: tags -1 + moreinfo

On 1/23/24 00:43, Steve Langasek wrote:

Package: cyrus-common
Version: 3.8.1-1
Severity: serious
User: debian-...@lists.debian.org
Usertags: time-t

Dear maintainers,

Analysis of the archive for the 64-bit time_t transition[0][1] identifies
cyrus-common as an affected package, on the basis that the headers could not
be compiled and analyzed out of the box using abi-compliance-checker[2], so
we have to assume it's affected.

However, cyrus-commons's shlibs file declares a dependency on a library
package name that contains no ABI information:


Hi,

according to
https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt
this issue looks like a false positive: the test failed because of a C 
error, not because of a bad report


Am I right here?

Best regards,
Xavier



Bug#1027859: Fwd: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED

2024-01-17 Thread Yadd

Control: tags -1 + wontfix

>  Forwarded Message 
> Subject: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
> Date: Wed, 17 Jan 2024 09:17:48 +
> From: Debian FTP Masters 
> To: Yadd , Debian Javascript Maintainers  javascript-de...@lists.alioth.debian.org>
>
>
> not in stable - belongs to sloppy

Update refused, so this bug won't be fixed

Regards,
Yadd



Bug#1059829: Thank you

2024-01-16 Thread Yadd

On 1/16/24 20:36, Georges Khaznadar wrote:

Hello,

Javascript/Npm are not my cup of tea; so, please receive many thanks
about the help you provided to my poor packaging efforts.

If node-html5-qrcode happens to be dfsg-free, which should be the right
umbrella to host it on salsa.d.o? https://salsa.debian.org/js-team or
https://salsa.debian.org/georgesk ?


Hi,

yes, I already pushed it to js-team/node-html5-qrcode. It is fixed now 
there and ready to be uploaded. Do you want me to upload it?



I saw that you managed to let salsa's automaton pass 53 of the upstream
tests, and I would like to learn such magics. Please have you some
useful links about them?


Most JS Team packages use dh-sequence-nodejs. To start with it: 
https://wiki.debian.org/Javascript/Tutorial and then pkg-js-tools(7)


However, the changes I made here need a minimum knowledge of npm because 
the package doesn't follow exactly the common way (see the dh_auto_install hook)



Best regards,   Georges.


Cheers,
Yadd



Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet

2024-01-13 Thread Yadd
Package: python3-jupyterlab
Version: 4.0.9+ds1-1
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

the patch 0003-Use-system-provided-yarn.js.patch replaces the missing
yarn.js with node-corepack. Please keep in mind that
node-corepack/../yarn.js is a wrapper that downloads yarnpkg from the
Internet instead of using Debian's one.

Cheers,
Yadd



Bug#1060312: ITP: node-yarn-plugin-apt -- Yarn plugin to resolve dependencies from packages installed in apt

2024-01-09 Thread Yadd

On 1/9/24 16:09, Uche wrote:

Package: wnpp
Severity: wishlist
Owner: Robinson Uchechukwu <mailto:estherchidinma...@gmail.com>>
X-Debbugs-CC: debian-de...@lists.debian.org 
<mailto:debian-de...@lists.debian.org>


* Package name    : node-yarn-plugin-apt
   Version         : 1.0.0
   Upstream Author : Debian JavaScript Team
* URL             : https://salsa.debian.org/js-team/yarn-plugin-apt 
<https://salsa.debian.org/js-team/yarn-plugin-apt>

* License         : Expat
   Programming Lang: JavaScript
   Description     : Yarn plugin to resolve dependencies from packages 
installed in apt


  This yarn plugin allows apt-installed packages to satisfy a nodejs
  project's dependencies.

  The package is a valuable addition to Debian because it facilitates 
the management of
  nodejs projects' dependencies by leveraging locally available 
apt-installed packages

  .
  Node.js is an event-based server-side JavaScript engine.


Hi,

take a look also at pkgjs-install and pkgjs-install-minimal

Best regards,
Yadd



Bug#1060152: python3-jupyterlab should provide jupyterlab

2024-01-06 Thread Yadd
Package: python3-jupyterlab
Severity: normal
X-Debbugs-Cc: y...@debian.org

Hi,

python3-jupyterlab provides bin/jupyterlab, so it should
"Provides: jupyterlab (= ${binary:Version})"



Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd

On 1/2/24 09:50, Yadd wrote:

Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install", which downloads libraries
from the Internet. This is totally out of DFSG.


For now, --omit-dev avoids downloading anything until this package 
has dependencies, but npm still accesses the Internet for "audit".


Easy to fix: use "pkgjs-run build" instead of npm (and drop the build 
dependency on npm)


second bug: the package is unusable because it is not installed correctly 
(that's probably why autopkgtest was disabled...); also third_party/ is 
missing from the install


A fixed version of this package is available at
https://salsa.debian.org/js-team/node-html5-qrcode



Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd
Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install", which downloads libraries
from the Internet. This is totally out of DFSG.



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-29 Thread Yadd

On 12/30/23 00:58, Gudjon I. Gudjonsson wrote:

Hi Yadd

I did try to build Ovito with qwt 6.2 and it works with minor fixes to ovito.
Ovito is compiled with Qt6 so you need to change your dependencies to qwt-qt6.

I suggest that you build against the experimental version of libqwt-qt6-dev
and I will try to get it into unstable as soon as possible.

Regards
Gudjon


Hi Gudjon,

thanks a lot, I'll try to build Ovito with qwt 6.2. Can you share the 
fix you wrote?


Best regards,
Yadd



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-27 Thread Yadd

Hi Gudjon,

yes, I'm trying to build ovito. You can find my temporary repository at 
g...@salsa.debian.org:yadd/ovito.git


Best regards,
Yadd



Bug#1059469: ITP: node-ipydatagrid -- Fast Datagrid widget for the Jupyter Notebook and JupyterLab

2023-12-26 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-ipydatagrid
  Version : 1.2.0
  Upstream Contact: https://github.com/Bloomberg/ipydatagrid/issues
* URL : https://github.com/Bloomberg/ipydatagrid
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Fast Datagrid widget for the Jupyter Notebook and JupyterLab

node-ipydatagrid provides a fast Datagrid widget for the Jupyter Notebook and
JupyterLab.

This package will be maintained under Debian PAN Maintainers Team



Bug#1059336: ITP: node-html5-qrcode -- qr-code and bar-code scanning library for the web

2023-12-22 Thread Yadd

On 12/22/23 22:58, Georges Khaznadar wrote:

Package: wnpp
Severity: wishlist
Owner: Georges Khaznadar 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html5-qrcode
   Version : 2.3.8
   Upstream Contact: https://github.com/mebjas/html5-qrcode/issues
* URL : https://github.com/mebjas/html5-qrcode
* License : Apache-2.0, GPL2
   Programming Lang: nodejs, typescript
   Description : qr-code and bar-code scanning library for the web

  Use this lightweight library to easily / quickly integrate QR code,
  bar code, and other common code scanning capabilities to your web
  application.

So far, debian is missing a package to scan qrcodes and barcodes from
a web page. I intend to maintain this package as a dependency for a
future package SLM, school library management, which I am developing
actively. This latter package allows students to find and recognize
books inside a library by scanning a few qr-codes.

The package node-html5-qrcode is uploaded to
https://salsa.debian.org/georgesk/node-html5-qrcode.git


Hi,

your debian/rules uses npm to build instead of launching direct commands, 
but the worst is that you call "npm install", which imports files from the 
Internet; this is not compliant with policy.


Cheers,
Yadd



Bug#1058868: [Debichem-devel] Bug#1058868: gemmi: Please build shared library

2023-12-19 Thread Yadd

Control: tags -1 + wontfix

On 12/19/23 12:43, Andrius Merkys wrote:

Hi,

On 2023-12-17 11:31, Yadd wrote:

currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit building
any software using gemmi-dev without static linking.

The proposed patch adds package libgemmi1 which contains the shared
library.


I looked into the shared library provided by gemmi v0.6.4 (newer 
upstream release than in your patch). This version of gemmi builds the 
shared library by default. However, the produced shared library does not 
carry a soversion, thus according to Debian principles it is not 
suitable to be packaged as public shared library, alas. Thus static 
linking is the only option for now.


Best wishes,
Andrius


Noted, thank you very much for your time!

Cheers,
Yadd



Bug#1058868: gemmi: Please build shared library

2023-12-17 Thread Yadd

> I appreciate the idea and your patch, thanks for giving gemmi a look.
> However, I am hesitant to package gemmi shared library for Debian for
> now. The previous two releases had breaking API changes each. If
> upstream handles this properly and bumps the soversion, then this is
> fine, although having to undergo a transition twice a year is still
> quite some work. However, if the upstream does not maintain ABI
> stability inside the same soversion, then I would say the shared
> library is not yet ready for Debian.
>
> You have marked this bug as severity:important. Does this mean you
>  need gemmi's shared library for some package?

Hi,

yes, I'm going to package ovito, which depends on it. If the shared library 
isn't provided, cmake automatically uses libgemmi_cpp.a, which then embeds 
gemmi into ovito :-(


> I never had the need to manually trigger the ldconfig before. The
> issue might be the lack of 'Section: libs' in binary package
> description.

Maybe that's the issue

Best regards,
Yadd



Bug#1058868: gemmi: Please build shared library

2023-12-17 Thread Yadd
Source: gemmi
Version: 0.6.3+ds-1
Severity: important
Tags: patch
X-Debbugs-Cc: y...@debian.org

Hi,

currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit building
any software using gemmi-dev without static linking.

The proposed patch adds package libgemmi1 which contains the shared
library.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
diff --git a/debian/control b/debian/control
index 9f5e3d6..0490b00 100644
--- a/debian/control
+++ b/debian/control
@@ -28,6 +28,7 @@ Architecture: any
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+ libgemmi1 (= ${binary:Version})
 Description: library for structural biology - executable
  Library for macromolecular crystallography and structural bioinformatics. For
  working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
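Review bot: the added `libgemmi1 (= ${binary:Version})` in gemmi's Depends duplicates what `${shlibs:Depends}` (already present two lines above) would normally generate; it is only needed here because, as noted later in this bug, the shared library carries no soversion and so dh_makeshlibs cannot emit a shlibs entry for it. If that is the reason, record it in the changelog, and keep in mind that a strict `=` dependency forces gemmi and libgemmi1 to be upgraded in lockstep on every upload.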
@@ -38,11 +39,27 @@ Description: library for structural biology - executable
  .
  This package contains main gemmi executable.
 
+Package: libgemmi1
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: sharred library for structural biology
+ Library for macromolecular crystallography and structural bioinformatics. For
+ working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
+ (monomer library), electron density maps (CCP4), and crystallographic
+ reflection data (MTZ, SF-mmCIF). It understands crystallographic symmetries,
+ it knows how to switch between the real and reciprocal space and it can do a
+ few other things.
+ .
+ This package contains main gemmi shared library.
+
 Package: gemmi-dev
 Architecture: any
 Section: libdevel
 Depends:
  ${misc:Depends},
+ libgemmi1 (= ${binary:Version})
 Description: library for structural biology
  Library for macromolecular crystallography and structural bioinformatics. For
  working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
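Review bot: the new libgemmi1 stanza has a typo in its short description (`sharred library` should read `shared library`) and lacks `Section: libs`, which the maintainer's follow-up in this bug also points to as the likely reason the ldconfig trigger did not appear; a runtime library package should also carry `Multi-Arch: same` so it is co-installable for foreign architectures. Suggested additions directly under `Architecture: any`: `Section: libs` and `Multi-Arch: same`.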
diff --git a/debian/gemmi-dev.install b/debian/gemmi-dev.install
index 91a7942..7de1c21 100644
--- a/debian/gemmi-dev.install
+++ b/debian/gemmi-dev.install
@@ -1,2 +1,2 @@
 usr/include/gemmi
-usr/lib/${DEB_HOST_MULTIARCH}
+usr/lib/${DEB_HOST_MULTIARCH}/cmake
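Review bot: narrowing gemmi-dev.install to `usr/lib/${DEB_HOST_MULTIARCH}/cmake` moves the unversioned `.so` development symlink out of the -dev package; by Debian convention that symlink belongs in gemmi-dev and only the versioned `.so.N*` runtime file in libgemmi1. Since the library as built has no soversion (per the maintainer's reply on this bug), both names are the same file, so the split cannot be done yet; this hunk and libgemmi1.install need revisiting once upstream sets a SONAME.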
diff --git a/debian/libgemmi1.install b/debian/libgemmi1.install
new file mode 100644
index 000..65440b7
--- /dev/null
+++ b/debian/libgemmi1.install
@@ -0,0 +1 @@
+usr/lib/${DEB_HOST_MULTIARCH}/*.so
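Review bot: the glob `usr/lib/${DEB_HOST_MULTIARCH}/*.so` ships the unversioned library name in the runtime package, while the package name libgemmi1 promises a `libgemmi.so.1` SONAME that the file does not carry. Once upstream versions the library, the pattern should become `usr/lib/${DEB_HOST_MULTIARCH}/*.so.*`, with the bare `.so` left to gemmi-dev.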
diff --git a/debian/libgemmi1.postinst b/debian/libgemmi1.postinst
new file mode 100644
index 000..fb2c2d8
--- /dev/null
+++ b/debian/libgemmi1.postinst
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$1" = "triggered" ] || [ "$1" = "configure" ]; then
+  ldconfig -r "$DPKG_ROOT/" || ldconfig --verbose -r "$DPKG_ROOT/"
+  exit 0
+fi
+
+exit 0
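Review bot: this postinst is redundant and partly wrong. dh_makeshlibs already arranges the ldconfig trigger for packages that ship shared libraries, so a hand-written `ldconfig` call should not be needed; the script also lacks `set -e` (Policy requires maintainer scripts to fail on error), and the `|| ldconfig --verbose -r` fallback followed by unconditional `exit 0` hides any failure of the first invocation. If the trigger really is not being added, the cause raised in the follow-up on this bug, the missing `Section: libs`, should be fixed in debian/control instead of adding this file.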
diff --git a/debian/rules b/debian/rules
index 8228c67..b3e31be 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ export DEB_CXXFLAGS_MAINT_APPEND = -fexcess-precision=fast # 
See #1042379
dh $@ --buildsystem cmake --with python3
 
 override_dh_auto_configure:
-   dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF
+   dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF 
-DBUILD_SHARED_LIBS=ON
 
 override_dh_auto_test:
dh_auto_build -- check
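Review bot: the `dh_auto_configure` line has been wrapped by the mail client (`-DBUILD_SHARED_LIBS=ON` landed on its own line without a backslash continuation), and the same wrapping split the hunk's first context line, so this diff will not apply as pasted; please attach it as a file. Also note that `-DBUILD_SHARED_LIBS=ON` alone does not give the library a soversion, so the package layout in the other hunks still depends on upstream's SONAME handling.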


Bug#1058864: ITP: ovito -- scientific data visualization and analysis software for particle-based simulations

2023-12-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: ovito
  Version : 3.9.4
  Upstream Contact: https://gitlab.com/stuko/ovito/-/issues
* URL : https://www.ovito.org
* License : GPL-3 or Expat
  Programming Lang: C++
  Description : scientific data visualization and analysis software for 
particle-based simulations

OVITO is a scientific data visualization and analysis software for atomistic,
molecular and other particle-based simulations.

This package is part of Jupyterlab ecosystem.



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-16 Thread Yadd
Package: libqwt-qt5-dev
Version: 6.1.4-2
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when trying to compile ovito, I got the following error (with a simple
#include ):


/usr/include/qwt/qwt_plot_layout.h:84:51: error: invalid conversion from ‘int’ 
to ‘QwtPlotLayout::Option’ [-fpermissive]
   84 | const QRectF , Options options = 0x00 );
  |   ^~~~
  |   |
  |   int
In file included from /usr/include/x86_64-linux-gnu/qt6/QtCore/qglobal.h:1401,
 from 
/usr/include/x86_64-linux-gnu/qt6/QtCore/qcoreapplication.h:7,
 from 
/usr/include/x86_64-linux-gnu/qt6/QtCore/QCoreApplication:1,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/core/Core.h:61,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/base/GUIBase.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/desktop/GUI.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/stdobj/gui/StdObjGui.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/obj-x86_64-linux-gnu/src/ovito/stdobj/gui/CMakeFiles/StdObjGui.dir/cmake_pch.hxx:5,
 from :


Best regards,
Yadd

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqwt-qt5-dev depends on:
ii  libc62.37-12
ii  libgcc-s113.2.0-7
ii  libqt5core5a 5.15.10+dfsg-5
ii  libqt5designer5  5.15.10-5
ii  libqt5gui5   5.15.10+dfsg-5
ii  libqt5widgets5   5.15.10+dfsg-5
ii  libqwt-qt5-6 6.1.4-2
ii  libstdc++6   13.2.0-7

libqwt-qt5-dev recommends no packages.

libqwt-qt5-dev suggests no packages.

-- no debconf information


Bug#1058784: esbuild: [armel] install @esbuild/arm

2023-12-16 Thread Yadd
Package: esbuild
Version: 0.19.8-1
Severity: serious
Tags: ftbfs patch
Justification: node-esbuild-unusable-on-armel
X-Debbugs-Cc: y...@debian.org

Hi,

my armel patch was wrong: the armel build uses @esbuild/arm, not
@esbuild/armel.

I fixed this in a merge request [MR4]

[MR4]: 
https://salsa.debian.org/go-team/packages/golang-github-evanw-esbuild/-/merge_requests/4



Bug#1058596: [Pkg-javascript-devel] Bug#1058596: yarnpkg broken on bookworm - yarnpkg --help fails with TypeError: commander.on is not a function

2023-12-13 Thread Yadd

On 12/13/23 19:17, Praveen Arimbrathodiyil wrote:

Control: fixed -1 1.22.19+~cs24.27.18-4

On Wed, 13 Dec 2023 20:39:39 +0530 Pirate Praveen  
wrote:

We should backport the patches in unstable to bookworm as well.


Updating the fixed info.


Hi,

since the severity is grave, please also prepare an update for stable

Cheers,
Yadd



Bug#1058513: [Pkg-javascript-devel] Bug#1058513: node-signal-exit: FTBFS: SyntaxError: Cannot use import statement outside a module

2023-12-13 Thread Yadd

Control: tags -1 + moreinfo

On 12/13/23 00:52, Lucas Nussbaum wrote:

Source: node-signal-exit
Version: 4.1.0-6
Severity: serious
Justification: FTBFS
Tags: trixie sid ftbfs
User: lu...@debian.org
Usertags: ftbfs-20231212 ftbfs-trixie

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.


Relevant part (hopefully):

make[1]: Entering directory '/<>'
tsc -p tsconfig.json
tsc -p tsconfig-esm.json
sh ./scripts/fixup.sh
#cp debian/index.cjs dist/cjs/
make[1]: Leaving directory '/<>'
dh_auto_test --buildsystem=nodejs
ln -s ../. node_modules/signal-exit
/bin/sh -ex debian/tests/pkg-js/test
+ tap -T -R spec test/all-integration-test.ts test/signal-exit-test.ts

/<>/test/all-integration-test.ts:1
import assert from 'assert'
^^



Hi,

I'm unable to reproduce this issue.



Bug#1058078: [Pkg-javascript-devel] Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd

Control: tags -1 + patch

On 12/12/23 09:59, Yadd wrote:

Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce node-eslint-plugin-eslint-plugin build, sbuild
fails. Below relevant logs:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2


Hi Jonas,

this patch seems to fix the problem:

--- a/debian/rules
+++ b/debian/rules
@@ -35,7 +35,7 @@ override_dh_auto_build: $(DOCS) $(CHANGELOGS)

 override_dh_auto_test:
$(ESLINT) Xcomposer
-   $(ESLINT) . --ignore-pattern '!.*'
+   $(ESLINT) . --ignore-pattern .pc
$(MOCHA) --recursive Xcomposer/tests
$(MOCHA) --recursive tests
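Review bot: this works because it removes `--ignore-pattern '!.*'`, a negated pattern that un-ignores dotfiles and dot-directories and therefore pulled quilt's `.pc/` tree (with the original `.eslintrc.yml` referencing the unavailable `not-an-aardvark/node` config, as the log above shows) into the lint run. `--ignore-pattern .pc` on its own is largely redundant, since ESLint ignores dot-directories by default, but it is harmless and documents the intent; do check whether any dotfiles in the tree were deliberately linted by the old pattern before dropping it.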



Bug#1058080: node-eslint-plugin-eslint-plugin: Please add this patch for node-ajv >= 8

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-3
Severity: important
Tags: ftbfs patch upstream
X-Debbugs-Cc: y...@debian.org

Hi,

here is a patch that updates AJV schemas. It is compatible with current
node-ajv 6 and node-ajv >= 8

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e799068..317e5a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-4) UNRELEASED; urgency=medium
+
+  * Team upload
+
+ -- Yadd   Tue, 12 Dec 2023 09:38:42 +0400
+
 node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-3) unstable; urgency=medium
 
   * add patch cherry-picked upstream
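Review bot: the new changelog entry only says `Team upload`; it should also record the change it ships (the new `2006_prepare-for-ajv-8.patch`) and reference this bug so the BTS closes it on upload, e.g. `* Add patch to prepare for ajv 8 (Closes: #1058080)`.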
diff --git a/debian/patches/2006_prepare-for-ajv-8.patch 
b/debian/patches/2006_prepare-for-ajv-8.patch
new file mode 100644
index 000..669
--- /dev/null
+++ b/debian/patches/2006_prepare-for-ajv-8.patch
@@ -0,0 +1,27 @@
+Description: prepare for ajv 8
+Author: Yadd 
+Forwarded: no
+Last-Update: 2023-12-12
+
+--- a/lib/rules/meta-property-ordering.js
 b/lib/rules/meta-property-ordering.js
+@@ -21,7 +21,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
+--- a/lib/rules/test-case-property-ordering.js
 b/lib/rules/test-case-property-ordering.js
+@@ -22,7 +22,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
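Review bot: `elements` is not a JSON Schema keyword, so ajv 6 silently ignored it and the rule options array was never actually checked to contain strings; `items` makes the constraint real, and ajv 8's strict mode would have rejected the unknown keyword outright. Worth a sentence in the patch Description saying this also tightens validation, since option arrays with non-string entries that previously passed will now be reported.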
diff --git a/debian/patches/series b/debian/patches/series
index 5eb779a..1de9aa5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 2003_avoid_eslint-config-not-an-aardvark.patch
 2004_avoid_eslint-config-airbnb-base.patch
 2005_no-require-jsdoc.patch
+2006_prepare-for-ajv-8.patch


Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce the node-eslint-plugin-eslint-plugin build, sbuild
fails. Below are the relevant logs:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2



Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

On 12/8/23 03:59, Jonas Smedegaard wrote:

Quoting Yadd (2023-12-07 14:37:31)

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote:

 Package: eslint
 Version: 6.4.0~dfsg+~6.1.9-7
 Severity: important
 Tags: ftbfs upstream

 Hi,

 eslint depends on node-ajv 6 and is incompatible with node-ajv 8
 (available in the experimental branch). All is in lib/shared/ajv.js:

   - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
     longer available
   - eslint tries to set `ajv._opts.defaultMeta` which is
     `ajv.opts.defaultMeta` in node-ajv 8.

 Changing "ajv/lib/refs/json-schema-draft-04.json" to
 "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
 patch, which looks to work, but 27 tests fail (wrong error string).
 It uses the default ajv schemas.

 Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits ?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental?


If it succeeds the testsuite then by all means, go for it.


Hi,

sure, all tests pass now. Only the error strings had to be updated.

Cheers,
Yadd



Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote:


Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in the experimental branch). All is in lib/shared/ajv.js:

  - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
    longer available
  - eslint tries to set `ajv._opts.defaultMeta` which is
    `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch, which looks to work, but 27 tests fail (wrong error string).
It uses the default ajv schemas.

Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits ?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental?

Best regards,
Yadd

diff --git a/debian/control b/debian/control
index 10b6f6fc..35786a59 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
  help2man ,
  jq,
  mocha ,
- node-ajv  ,
+ node-ajv (>= 8)  ,
  node-babel-core (>= 7) ,
  node-babel-loader (>= 7) ,
  node-babel-preset-env (>= 7) ,
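Review bot: the `node-ajv (>= 8)` bound added to Build-Depends should be mirrored in the runtime `Depends`, since the patched `lib/rule-tester/rule-tester.js` below relies on ajv 8 API (`strictSchema`, `error.instancePath`) and would fail at run time against node-ajv 6.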
diff --git a/debian/patches/2012_fix-for-ajv-8.patch b/debian/patches/2012_fix-for-ajv-8.patch
new file mode 100644
index ..f0a2d132
--- /dev/null
+++ b/debian/patches/2012_fix-for-ajv-8.patch
@@ -0,0 +1,351 @@
+Description: fix for node-ajv >= 8
+Author: Evgeny Poberezkin <https://github.com/epoberezkin>
+Origin: upstream, https://github.com/eslint/eslint/pull/13911/files
+Bug: https://github.com/eslint/eslint/issues/13888
+Bug-Debian: https://bugs.debian.org/1057707
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2023-12-07
+
+--- a/conf/config-schema.js
 b/conf/config-schema.js
+@@ -11,8 +11,7 @@
+ globals: { type: "object" },
+ overrides: {
+ type: "array",
+-items: { $ref: "#/definitions/overrideConfig" },
+-additionalItems: false
++items: { $ref: "#/definitions/overrideConfig" }
+ },
+ parser: { type: ["string", "null"] },
+ parserOptions: { type: "object" },
+@@ -33,8 +32,7 @@
+ { type: "string" },
+ {
+ type: "array",
+-items: { type: "string" },
+-additionalItems: false
++items: { type: "string" }
+ }
+ ]
+ },
+@@ -44,7 +42,6 @@
+ {
+ type: "array",
+ items: { type: "string" },
+-additionalItems: false,
+ minItems: 1
+ }
+ ]
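Review bot: in these three config-schema.js spots `items` is a single schema, so `additionalItems: false` was a no-op under ajv 6 (the keyword only applies to tuple-form `items`) and ajv 8's strict mode rejects it as ignored; removing it changes nothing semantically and is the right fix here. The eqeqeq.js hunks further down are a different case, because there `items` is an array.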
+--- a/lib/rule-tester/rule-tester.js
 b/lib/rule-tester/rule-tester.js
+@@ -48,7 +48,7 @@
+ { getRuleOptionsSchema, validate } = require("../shared/config-validator"),
+ { Linter, SourceCodeFixer, interpolate } = require("../linter");
+ 
+-const ajv = require("../shared/ajv")({ strictDefaults: true });
++const ajv = require("../shared/ajv")({ strictSchema: true });
+ 
+ const { SourceCode } = require("../source-code");
+ 
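Review bot: `strictDefaults: true` and `strictSchema: true` are not equivalent: ajv 8 folds the ignored-`default` check into `strictSchema`, which additionally rejects unknown keywords and ignored `additionalItems`, so this is a stricter setting than before and is what makes the per-rule schema hunks below necessary. A short note to that effect in the patch Description would explain why rule files are touched by an "ajv 8" patch.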
+@@ -398,7 +398,7 @@
+ 
+ if (ajv.errors) {
+ const errors = ajv.errors.map(error => {
+-const field = error.dataPath[0] === "." ? error.dataPath.slice(1) : error.dataPath;
++const field = error.instancePath[0] === "." ? error.instancePath.slice(1) : error.instancePath;
+ 
+ return `\t${field}: ${error.message}`;
+ }).join("\n");
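Review bot: ajv 8's `error.instancePath` is a JSON Pointer (`/options/0`), not the dotted `.options[0]` form of ajv 6's `dataPath`, so the `[0] === "."` test is now dead code and the leading `/` stays in the reported field name. Either strip a leading `/` instead of `.` or, if the pointer form is the intended new output, drop the conditional; this is presumably where the updated error strings mentioned in the thread come from.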
+--- a/lib/rules/array-element-newline.js
 b/lib/rules/array-element-newline.js
+@@ -23,7 +23,6 @@
+ },
+ 
+ fixable: "whitespace",
+-
+ schema: [
+ {
+ oneOf: [
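Review bot: this hunk only deletes a blank line; drop it from the patch to keep the backport minimal and easier to rebase.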
+--- a/lib/rules/eqeqeq.js
 b/lib/rules/eqeqeq.js
+@@ -43,8 +43,7 @@
+ },
+ additionalProperties: false
+ }
+-],
+-additionalItems: false
++]
+ },
+ {
+ type: "array",
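Review bot: unlike the config-schema.js hunks, `items` here is a tuple (an array of schemas), where `additionalItems: false` is meaningful: removing it in this hunk and the next lets `eqeqeq` accept extra trailing option elements that were previously rejected. Keep `additionalItems: false` or replace it with `maxItems`; ajv 8 only objects to `additionalItems` when it is ignored, which is not the case with tuple-form `items`.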
+@@ -52,8 +51,7 @@
+ {
+ enum: ["smart", "allow-null"]
+ }
+-],
+-additionalItems: false
++]
+  

Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd
Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in the experimental branch). All is in lib/shared/ajv.js:

 - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
   longer available
 - eslint tries to set `ajv._opts.defaultMeta` which is
   `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch, which looks to work, but 27 tests fail (wrong error string).
It uses the default ajv schemas.

Help needed here ;-)

--- a/lib/shared/ajv.js
+++ b/lib/shared/ajv.js
@@ -8,8 +8,7 @@
 // Requirements
 
//--

-const Ajv = require("ajv"),
-metaSchema = require("ajv/lib/refs/json-schema-draft-04.json");
+const Ajv = require("ajv");

 
//--
 // Public Interface
@@ -17,6 +16,7 @@

 module.exports = (additionalOptions = {}) => {
 const ajv = new Ajv({
+strict: false,
 meta: false,
 useDefaults: true,
 validateSchema: false,
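Review bot: `strict: false` switches off all of ajv 8's strict-mode checks (unknown keywords, ignored `additionalItems`, tuple checks) instead of fixing the schemas that trip them, so schema mistakes in individual rules stay invisible; the targeted route (`strictSchema` plus per-rule schema fixes) keeps those diagnostics. If this variant is kept, a comment next to the option explaining why strict mode is disabled is needed.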
@@ -26,9 +26,5 @@
 ...additionalOptions
 });

-ajv.addMetaSchema(metaSchema);
-// eslint-disable-next-line no-underscore-dangle
-ajv._opts.defaultMeta = metaSchema.id;
-
 return ajv;
 };
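Review bot: dropping `addMetaSchema(metaSchema)` and `defaultMeta` means rule schemas written for draft-04 are now read with ajv 8's draft-07 default semantics (boolean `exclusiveMinimum`/`exclusiveMaximum`, `id` instead of `$id`), and with `validateSchema: false` already set such mismatches go unreported; grepping `lib/rules` for those draft-04 forms before relying on this would confirm whether any rule schema silently changed meaning.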



Bug#1056705: node-mqtt: Missing dependency to node-lru-cache

2023-11-24 Thread Yadd
Package: node-mqtt
Version: 4.3.7-2
Severity: serious
Tags: patch
Justification: Failure
X-Debbugs-Cc: y...@debian.org

Hi,

node-mqtt autopkgtest shows that this package requires node-lru-cache,
however it is not listed in debian/control and so starts to fail when
one of its dependencies no longer depends on node-lru-cache.

Best regards,
Yadd

Ref: 
https://ci.debian.net/data/autopkgtest/testing/amd64/n/node-mqtt/40126282/log.gz



Bug#1056334: [Pkg-javascript-devel] Bug#1056334: node-ast-types: autopkgtest failure

2023-11-21 Thread Yadd

Control: tags -1 + moreinfo

On 11/21/23 12:28, Gianfranco Costamagna wrote:

Source: node-ast-types
Version: 0.16.1-2
Severity: serious


Hello, according to ci, the package autopkgtests looks failing.
https://ci.debian.net/packages/n/node-ast-types/unstable/amd64/39617621/


  66s autopkgtest [20:34:26]: test pkg-js-autopkgtest: 
[---

  66s # Using ./package.(json|yaml)
  66s # Node module name is ast-types
  66s # Build files found: tsconfig.json
  66s # Test files found:
  66s # Found debian/tests/pkg-js/files, let's use it
  66s # Files/dir to be installed from source: src
  66s test
  66s tsconfig*
  66s ls: cannot access 'test': No such file or directory


This is strange: it seems that the test isn't launched from the source 
directory (which has a test subdir)



  66s # Copy debian/tests/pkg-js content
  66s 'debian/tests/pkg-js' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js'
  66s 'debian/tests/pkg-js/test' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/test'
  66s 'debian/tests/pkg-js/files' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/files'

  66s Found debian/tests/test_modules
  66s # let's copy it
  66s Found debian/nodejs/extlinks
  67s @babel/parser linked into node_modules
  67s @babel/types linked into node_modules
  68s tslib linked into node_modules
  68s @types/esprima linked into node_modules
  69s @types/estree linked into node_modules
  69s @types/glob linked into node_modules
  70s @types/mocha linked into node_modules
  70s # Searching module in /usr/lib/nodejs/ast-types
  70s # Searching module in /usr/lib/*/nodejs/ast-types
  70s # Searching module in /usr/share/nodejs/ast-types
  70s # Found /usr/share/nodejs/ast-types
  70s # Searching files to link in /usr/share/nodejs/ast-types
  70s # Launch debian/tests/pkg-js/test with sh -ex
  70s + test /tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp !=
  70s + rm -rf lib
  70s + tsc
  70s Version 4.8.4
  70s tsc: The TypeScript Compiler - Version 4.8.4
  70s
  70s COMMON COMMANDS


The "copy" part of pkg-js-autopkgtest failed, so "tsconfig.json" is 
missing and tsc displays this.




Bug#1055525: cryptojs: CVE-2023-46233

2023-11-15 Thread Yadd

Hi,

this bug is still unfixed even if the patch is trivial. Here is a template 
for an update:

diff --git a/debian/changelog b/debian/changelog
index 558cbac..849d0f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+  * Change default hash algorithm and iteration's for PBKDF2
+(Closes: #1055525)
+
+ -- Yadd   Thu, 16 Nov 2023 10:53:45 +0400
+
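Review bot: `iteration's` in the changelog bullet should be `iterations`, and the bullet should name the CVE id (CVE-2023-46233) next to the Closes, as the security team asks for security uploads elsewhere in this thread.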
 cryptojs (3.1.2+dfsg-3) unstable; urgency=medium
 
   * Add upstream metadata.
diff --git a/debian/patches/CVE-2023-46233.patch 
b/debian/patches/CVE-2023-46233.patch
new file mode 100644
index 000..c321f49
--- /dev/null
+++ b/debian/patches/CVE-2023-46233.patch
@@ -0,0 +1,38 @@
+Description: Change default hash algorithm and iteration's for PBKDF2
+ to prevent weak security by using the default configuration
+Author: evanvosberg 
+Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538
+Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
+Bug-Debian: https://bugs.debian.org/1055525
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2023-11-16
+
+--- a/components/pbkdf2.js
 b/components/pbkdf2.js
+@@ -11,7 +11,7 @@
+ var Base = C_lib.Base;
+ var WordArray = C_lib.WordArray;
+ var C_algo = C.algo;
+-var SHA1 = C_algo.SHA1;
++var SHA256 = C_algo.SHA256;
+ var HMAC = C_algo.HMAC;
+ 
+ /**
+@@ -22,13 +22,13 @@
+  * Configuration options.
+  *
+  * @property {number} keySize The key size in words to generate. 
Default: 4 (128 bits)
+- * @property {Hasher} hasher The hasher to use. Default: SHA1
++ * @property {Hasher} hasher The hasher to use. Default: SHA256
+  * @property {number} iterations The number of iterations to perform. 
Default: 1
+  */
+ cfg: Base.extend({
+ keySize: 128/32,
+-hasher: SHA1,
+-iterations: 1
++hasher: SHA256,
++iterations: 25
+ }),
+ 
+ /**
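Review bot: the `iterations` value reads `25` in this hunk; verify it against the upstream commit before upload, since 25 PBKDF2 iterations is not a meaningful work factor and the Description promises a change that prevents weak security by default. Separately, this is a behaviour change for any caller relying on the defaults: keys derived with SHA1 and one iteration will no longer match keys derived after the update, so a NEWS entry or an explicit changelog note is warranted for a stable update.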
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4fdeacb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-46233.patch


Bug#1056014: cryptojs: Library no more maintained, please keep out of next Debian stable

2023-11-15 Thread Yadd
Source: cryptojs
Severity: serious
Tags: security upstream
Justification: security
X-Debbugs-Cc: y...@debian.org, Debian Security Team 

Hi,

according to https://github.com/brix/crypto-js#readme it seems that
cryptojs is no longer maintained. I just dropped the only reverse
dependency so cryptojs can be safely removed from Debian.



Bug#1054853: node-katex: FTBFS: TypeError: Cannot read properties of undefined (reading '.cjs')

2023-11-07 Thread Yadd

Control: reassign -1 node-postcss-loader
Control: affects -1 node-katex
Control: found -1 7.3.3-1

It seems that node-postcss-loader 7.3.3 needs node-cosmiconfig 8 and "jiti".



Bug#1055480: ITP: libwebservice-s3-tiny-perl -- Perl module for using S3 or compatible APIs

2023-11-06 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: libwebservice-s3-tiny-perl
  Version : 0.003
  Upstream Contact: James Raspass 
* URL : https://metacpan.org/release/WebService-S3-Tiny
* License : Artistic or GPL-1+ (and part under Apache-2.0)
  Programming Lang: Perl
  Description : Perl module for using S3 or compatible APIs

WebService::S3::Tiny is a little Perl module for using any S3 or compatible
APIs.

It will be maintained under Perl Team umbrella.



Bug#1054432: Not a bug

2023-10-31 Thread Yadd

Control: severity -1 wishlist

Files are readable



Bug#1054667: [Pkg-javascript-devel] Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-28 Thread Yadd

On 10/27/23 20:20, Moritz Mühlenhoff wrote:

Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
 https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.


Hi,

please find attached the debdiff for Bookworm

Kind regards,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 5e3404f..c421503 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
+
+  * Team upload
+  * Properly check the upper bound for DSA signatures (Closes: #1054667, 
CVE-2023-46234)
+
+ -- Yadd   Sat, 28 Oct 2023 12:03:04 +0400
+
 node-browserify-sign (4.2.1-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-46234.patch 
b/debian/patches/CVE-2023-46234.patch
new file mode 100644
index 000..152fd72
--- /dev/null
+++ b/debian/patches/CVE-2023-46234.patch
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing 
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: 
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd 
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
 b/browser/verify.js
+@@ -78,7 +78,7 @@
+ 
+ function checkValue (b, q) {
+   if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+-  if (b.cmp(q) >= q) throw new Error('invalid sig')
++  if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
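Review bot: bn.js `cmp()` returns -1, 0 or 1, so `b.cmp(q) >= q` compared that small integer with the modulus object itself and could never be true, leaving the upper bound unchecked; `>= 0` restores the `b < q` condition. Since `checkValue` is the only guard, confirm from the surrounding file that it runs on both `r` and `s` before `s` is inverted modulo `q`.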
+--- a/test/index.js
 b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+ 
+ function isNode10 () {
+   return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+   t.end()
+ })
+   }
++
++  var s = parseKeys(pub).data.q;
++  test(
++f.message + ' against a fake signature',
++{ skip: !s || '(this test only applies to DSA signatures and not EC 
signatures, this is ' + f.scheme + ')' },
++function (t) {
++  var messageBase64 = Buffer.from(f.message, 'base64');
++
++  // forge a fake signature
++  var r = new BN('1');
++
++  try {
++var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++  } catch (e) {
++t.ifError(e);
++t.end();
++return;
++  }
++
++  var bVer = bCrypto.createVerify(f.scheme);
++  t['throws'](
++function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++Error,
++'fake signature is invalid'
++  );
++
++  t.end();
++}
++  );
+ })
+ 
+ fixtures.valid.kvectors.forEach(function (f) {
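Review bot: the new test calls `asn1.signature.encode`, but the visible imports only add `BN` and `parse-asn1`; if `asn1` is not already required earlier in test/index.js the `ReferenceError` lands in the `try` and becomes a `t.ifError` failure, so check it is in scope. `parseKeys(pub).data.q` is the subgroup order, so `s = q` is exactly the value the old comparison let through, which makes this a good regression test for the fix.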
diff --git a/debian/patches/series b/debian/patches/series
index 8aafdeb..86ff972 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 drop-rmd160-support.patch
+CVE-2023-46234.patch
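An added illustration of the upper-bound check this advisory and patch are about, not code from browserify-sign or from the Debian patch: a BigInt DSA verifier over constructed toy parameters (p = 23, q = 11, g = 4, y = 18), with the vulnerable comparison modelled beside the corrected one. bn.js's `cmp()` is stood in for by a three-valued helper.

```javascript
// Added example: the (r, s) range check behind CVE-2023-46234, written with
// BigInt against constructed toy DSA parameters. Not browserify-sign's code.

// bn.js cmp() returns -1, 0 or 1; this helper models that contract.
function cmp(a, b) {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Vulnerable shape: `if (b.cmp(q) >= q) throw`. The result of cmp() is at
// most 1, so comparing it with the modulus q itself is false for any real q
// and the upper bound is never enforced.
function checkValueVulnerable(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig'); // never true for q > 1
}

// Fixed shape: compare the cmp() result with 0, i.e. require 0 < b < q.
function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= 0) throw new Error('invalid sig');
}

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse by extended Euclid; throws when a has no inverse mod m.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error('not invertible');
  return ((oldS % m) + m) % m;
}

// DSA verification with the range check applied to r and s first; `check`
// selects which helper runs so both variants can be exercised.
function dsaVerify({ p, q, g, y }, hashInt, { r, s }, check = checkValueFixed) {
  check(r, q);
  check(s, q);
  const w = modInv(s, q);
  const u1 = (hashInt * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Constructed toy parameters: q = 11 divides p - 1 = 22, g = 2^2 mod 23 = 4
// has order 11, private key x = 3 gives y = 4^3 mod 23 = 18.
const TOY_KEY = { p: 23n, q: 11n, g: 4n, y: 18n };
// Signature of hash value 5 made with nonce k = 7:
// r = (4^7 mod 23) mod 11 = 8, s = k^-1 (h + x r) mod q = 8 * 29 mod 11 = 1.
const TOY_HASH = 5n;
const TOY_SIG = { r: 8n, s: 1n };

// true when `check` accepts b for modulus q, false when it throws.
function passesCheck(check, b, q) {
  try { check(b, q); return true; } catch (e) { return false; }
}
```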


Bug#1054175: Closing: not a bug

2023-10-28 Thread Yadd

Control: close -1
Control: notfound -1 2.0.0-2

Closing: unable to reproduce



Bug#1054443: node-graphql: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:21, Bastien Roucariès wrote:

Source:  node-graphql
Version: 16.8.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



Bug#1054435: [Pkg-javascript-devel] Bug#1054435: node-react-redux: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:08, Bastien Roucariès wrote:

Source:  node-react-redux
Version: 8.1.2+dfsg1+~cs1.2.3-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054439: [Pkg-javascript-devel] Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054441: node-ts-jest: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:18, Bastien Roucariès wrote:

Source:  node-ts-jest
Version: 29.1.1+~cs0.2.6-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054434: [Pkg-javascript-devel] Bug#1054434: Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

On 10/24/23 06:25, Yadd wrote:

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

directory docs contains only .md files, totally readable. What is the 
serious bug here?


Also the website/ directory: no unreadable file, no serialized files... Do 
we have to consider html files as non-source because they were written 
with a non-free tool?




Bug#1054434: [Pkg-javascript-devel] Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

directory docs contains only .md files, totally readable. What is the 
serious bug here?




Bug#1054167: [Pkg-javascript-devel] Bug#1054167: ftbfs: AssertionError in tests

2023-10-19 Thread Yadd

Control: severity -1 important

Hi,

not really a serious bug since it exists only when using a color term. 
Fixed anyway in version 2.0.0-4.


Cheers,
Yadd



Bug#1054175: [Pkg-javascript-devel] Bug#1054175: node-require-main-filename: failing dh_auto_test

2023-10-19 Thread Yadd

Control: tags -1 + moreinfo

On 10/18/23 20:27, Tianyu Chen wrote:

Source: node-require-main-filename
Version: 2.0.0-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source
X-Debbugs-Cc: sweetyf...@deepin.org

Hi,

During a rebuild of your package in unstable, your package fails to
build from source.

Full log can be accessed at:


https://build.opensuse.org/package/live_build_log/home:utsweetyfish:node-202309/node-require-main-filename/Debian_Unstable/aarch64

Tail of log for your package:

# Subtest: should default to process.cwd() if require.main is 
undefined
not ok 1 - expected '/usr/src/packages/BUILD' to match 
/(?:.*autopkgtest.*|require-main-filename)/
  ---
[...]

1..1
# failed 1 test
# time=95.325ms
not ok 1 - test.js # time=95.325ms
  ---
  env: {}
  file: test.js
  timeout: 3
  command: /usr/bin/node
  args:
- test.js
  stdio:
- 0
- pipe
- 2
  cwd: /usr/src/packages/BUILD
  exitCode: 1
  ...

1..1
# failed 1 test
# time=1113.041ms
--|-|--|-|-|---
File  | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
--|-|--|-|-|---
All files | 100 |  100 | 100 | 100 |
 index.js | 100 |  100 | 100 | 100 |
--|-|--|-|-|---
dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit 
code 1
make: *** [debian/rules:8: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit 
status 2

Thanks!
Tianyu Chen @ deepin


Hi,

I'm not able to reproduce this issue



Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2

2023-10-13 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin
redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 92c0de8..168ee34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium
+
+  * Delete cookie and host headers on cross-origin redirect
+(Closes: #1053879, CVE-2023-45143)
+
+ -- Yadd   Fri, 13 Oct 2023 22:14:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
 
   * Fix security issues (Closes: #1031418):
diff --git a/debian/patches/CVE-2023-45143.patch 
b/debian/patches/CVE-2023-45143.patch
new file mode 100644
index 000..c196bd2
--- /dev/null
+++ b/debian/patches/CVE-2023-45143.patch
@@ -0,0 +1,24 @@
+Description: delete 'cookie' and 'host' headers on cross-origin redirect
+Author: Khafra 
+Origin: upstream, https://github.com/nodejs/undici/commit/e041de35
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
+ https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
+Bug-Debian: https://bugs.debian.org/1053879
+Forwarded: not-needed
+Applied-Upstream: 5.26.2, commit:e041de35
+Reviewed-By: Yadd 
+Last-Update: 2023-10-13
+
+--- a/lib/fetch/index.js
 b/lib/fetch/index.js
+@@ -1204,6 +1204,10 @@
+   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
+ // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
+ request.headersList.delete('authorization')
++
++// "Cookie" and "Host" are forbidden request-headers, which undici 
doesn't implement.
++request.headersList.delete('cookie')
++request.headersList.delete('host')
+   }
+ 
+   // 14. If request’s body is non-null, then set request’s body to the first 
return
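Review bot: the `[ Tests ]` section says no new test is included; this fix is cheap to cover with one redirect fixture (cross-origin 302, then assert that `cookie` and `host` are absent from the second request), and the "patch is trivial" risk assessment would be stronger with that regression test in the debdiff. The added comment is also slightly misleading standing alone in a patch file: "forbidden request-headers" is a browser-side notion, and the point of the change is precisely that undici, unlike a browser, lets callers set `Cookie` and `Host`, so they must be stripped by hand on a cross-origin hop.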
diff --git a/debian/patches/series b/debian/patches/series
index ce1440a..297000a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ drop-ssl-tests.patch
 CVE-2023-23936.patch
 CVE-2023-24807.patch
 update-httpbin.org-test-timeout.patch
+CVE-2023-45143.patch
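The same-origin rule the patch relies on, as an added example that is not undici's code: a minimal origin comparison and the header scrub applied when a redirect is followed, run over constructed request headers. It assumes the caller keeps headers in a Map keyed by lowercase name.

```javascript
// Added example, not undici's own code: the decision undici's fetch makes
// when following a redirect, reduced to two functions.

// Origin = scheme + host + port; the URL parser drops default ports, so
// https://host:443 and https://host compare equal.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Headers that must not follow a request to another origin. The patch above
// adds 'cookie' and 'host' to the pre-existing 'authorization' entry.
const CROSS_ORIGIN_STRIP = ['authorization', 'cookie', 'host'];

// headers: Map of lowercase header name -> value (assumed layout for this
// example). Returns the resolved target URL, the headers to send to it, and
// the names that were dropped.
function headersForRedirect(currentURL, location, headers) {
  const locationURL = new URL(location, currentURL); // Location may be relative
  const out = new Map(headers);
  const dropped = [];
  if (!sameOrigin(currentURL, locationURL.href)) {
    for (const name of CROSS_ORIGIN_STRIP) {
      if (out.delete(name)) dropped.push(name);
    }
  }
  return { url: locationURL.href, headers: out, dropped };
}

// Constructed sample: a request carrying a session cookie and a bearer token.
const SAMPLE_HEADERS = new Map([
  ['host', 'app.example'],
  ['cookie', 'session=abc123'],
  ['authorization', 'Bearer token'],
  ['accept', 'application/json'],
]);
```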


Bug#1053782: RFP: node-vite -- Next Generation Frontend Tooling

2023-10-11 Thread Yadd

On 10/11/23 10:30, Andrius Merkys wrote:

Package: wnpp
Severity: wishlist
X-Debbugs-Cc: debian-de...@lists.debian.org
Control: block 1042095 by -1

* Package name    : node-vite
   Version : 4.4.11
   Upstream Author : Evan You
* URL : https://github.com/vitejs/vite
* License : Expat
   Programming Lang: JavaScript
   Description : Next Generation Frontend Tooling

Vite is a frontend build tool, including development server and build 
command bundling code with Rollup, pre-configured to output optimized 
static assets for production.


Vite is needed to produce CSS and JS files for sphinx-press-theme.

An estimate of work needed to package Vite:

$ npm2deb depends vite
Dependencies:
NPM                                           Debian
vite (4.4.11)                                 None
├─ esbuild (^0.18.10)                         None
├─ fsevents (~2.3.2)                          None
├─ postcss (^8.4.27)                          node-postcss (8.4.20+~cs8.0.23-1)
└─ rollup (^3.27.1)                           node-rollup (3.28.0-2)

Build dependencies:
NPM                                           Debian
@ampproject/remapping (^2.2.1)                node-ampproject-remapping (2.2.0+~cs5.15.37-1)
@babel/parser (^7.22.7)                       None
@babel/types (^7.22.5)                        node-babel (6.26.0+repack-3~bpo10+1)
@jridgewell/trace-mapping (^0.3.18)           None
@rollup/plugin-alias (^4.0.4)                 node-rollup-plugin-alias (5.0.0~ds-1)
@rollup/plugin-commonjs (^25.0.3)             node-rollup-plugin-commonjs (25.0.4+ds1-1)
@rollup/plugin-dynamic-import-vars (^2.0.4)   None
@rollup/plugin-json (^6.0.0)                  node-rollup-plugin-json (6.0.0+ds1-2)
@rollup/plugin-node-resolve (15.1.0)          node-rollup-plugin-node-resolve (15.1.0+ds-1)
@rollup/plugin-typescript (^11.1.2)           node-rollup-plugin-typescript (11.1.2~ds+~1.0.1-1)
@rollup/pluginutils (^5.0.2)                  node-rollup-pluginutils (5.0.2~ds+~2.8.2-1)
@types/escape-html (^1.0.2)                   None
@types/pnpapi (^0.0.2)                        None
acorn (^8.10.0)                               acorn (8.8.1+ds+~cs25.17.7-2)
acorn-walk (^8.2.0)                           None
cac (^6.7.14)                                 None
chokidar (^3.5.3)                             node-chokidar (3.5.3-2)
connect (^3.7.0)                              node-connect (3.7.0+~3.4.35-1)
connect-history-api-fallback (^2.0.0)         None
convert-source-map (^2.0.0)                   node-convert-source-map (1.9.0+~1.5.2-1)
cors (^2.8.5)                                 node-cors (2.8.5-1)
cross-spawn (^7.0.3)                          node-cross-spawn (5.1.0-2)
debug (^4.3.4)                                node-debug (4.3.4+~cs4.1.7-1)
dep-types (link:./src/types)                  None
dotenv (^16.3.1)                              None
dotenv-expand (^9.0.0)                        None
es-module-lexer (^1.3.0)                      node-es-module-lexer (1.1.0+dfsg-2)
escape-html (^1.0.3)                          node-escape-html (1.0.3+~1.0.2-2)
estree-walker (^3.0.3)                        node-estree-walker (2.0.2-5)
etag (^1.8.1)                                 node-etag (1.8.1-3)
fast-glob (^3.3.1)                            None
http-proxy (^1.18.1)                          node-http-proxy (1.18.1-8)
json-stable-stringify (^1.0.2)                node-json-stable-stringify (1.0.2+repack1+~cs1.0.34-2)
launch-editor-middleware (^2.6.0)             None
lightningcss (^1.21.5)                        None
magic-string (^0.30.2)                        node-magic-string (0.30.1-1)
micromatch (^4.0.5)                           node-micromatch (4.0.5+~4.0.2-1)
mlly (^1.4.0)                                 None
mrmime (^1.0.1)                               None
okie (^1.0.1)                                 None
open (^8.4.2)                                 node-open (8.4.0-6)
parse5 (^7.1.2)                               node-parse5 (7.1.2+dfsg-2)
periscopic (^3.1.0)                           None
picocolors (^1.0.0)                           node-picocolors (1.0.0-4)
picomatch (^2.3.1)                            node-anymatch (3.1.3+~cs4.6.1-2)
postcss-import (^15.1.0)                      None
postcss-load-config (^4.0.1)                  node-postcss-load-config (2.1.2+~cs6.0.0-1)
postcss-modules (^6.0.0)                      node-postcss-modules (6.0.0+~cs5.1.3-2)
resolve.exports (^2.0.2)                      None
rollup-plugin-license (^3.0.1)                None
sirv (^2.0.3)                                 None
source-map-support (^0.5.21)                  node-source-map-support (0.5.21+ds+~0.5.4-1)
strip-ansi (^7.1.0)                           node-strip-ansi (6.0.1-2)
strip-literal (^1.3.0)                        None
tsconfck (^2.1.2)                             None
tslib (^2.6.1)

Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-10-08 Thread Yadd

On 10/8/23 16:10, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-10-08 Thread Yadd

On 10/8/23 16:04, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-10-08 Thread Yadd

On 10/8/23 16:03, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1

2023-10-08 Thread Yadd

On 10/8/23 15:55, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

2023-09-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection due to incorrect escape handling
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-known feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
  redirection
- OIDC open redirection patch: just reject requests with `redirect_uri` if
  the relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add a new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages the request_uri parameter

Cheers,
Yadd
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:38:51 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   AuthBasic now enforces 2FA activation (CVE-2023-28862):
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix open redirection due to incorrect escape handling
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 16:35:14 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
 lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
 
-  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+  * Fix auth process in password-testing plugins (Closes: #1005302, 
CVE-2021-40874)
 
  -- Yadd   Thu, 24 Feb 2022 15:16:09 +0100
 
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
 lemonldap-ng-manager/site/htdocs/static/js/conftree.js
 lemonldap-ng-manager/site/htdocs/static/struct.json
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-23
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -278,6 +278,11 @@
+   the Session Browser.
+- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the 
use of the :ref:`Resource Owner Password Credentials Grant 
` by this client. This feature only works if you 
have configured a form-based authentication module.
+- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the :ref:`Resource Owner Password Credentials Grant 
` by this client.
++   - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``):
++ which URLs may be called by the portal to fetch the request object (see
++ `request_uri
++ 
<https://openid.net/specs/openid-connect-core-1_0.html#
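Review bot: the added documentation says the option exists "since version ``2.17.1``", but this patch backports it onto 2.0.11 in bullseye, so a reader of the packaged manual will conclude the field is not available to them; either drop the version note in the backported copy or point to it from debian/NEWS, which already announces the behaviour change.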

Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-known feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just reject requests with `redirect_uri` if the
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add a new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages the request_uri parameter

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index b8955920b..5295a3cbb 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:15:03 +0400
+
 lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium
 
   CVE-2020-24660
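Review bot: the new NEWS stanza names the distribution `bullseye` while the changelog stanza for the same version 2.16.1+ds-deb12u2 says `bookworm`; fix the NEWS header so that apt-listchanges and dpkg-parsechangelog attribute the note to the release it is actually uploaded to.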
diff --git a/debian/changelog b/debian/changelog
index cd4c8a023..148164a94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 17:18:12 +0400
+
 lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium
 
   * Apply login control to auth-slave requests
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..3c6ca8b51
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,795 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-22
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -247,6 +247,11 @@
+   This feature only works if you have configured a form-based 
authentication module.
+-  **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the
+   :ref:`Client Credentials Grant ` by this 
client.
++   -  **Allowed URLs for fetching Request Object**: (since version 
``2.17.1``):
++  which URLs may be called by the portal to fetch the request object (see
++  `request_uri
++  
<https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__
++  in OIDC specifications). These URLs may use wildcards 
(``https://app.example.com/*``).
+-  **Authentication level**: Required authentication level to access this 
application
+-  **Access rule**: Lets you specify a :doc:`Perl rule` to 
restrict access to this client
+ 
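Review bot: the documentation promises wildcard matching (`https://app.example.com/*`) but nothing in this hunk says how the wildcard is expanded; when the entry is turned into a regex, every character other than `*` must be escaped and the result anchored at both ends, otherwise `https://app.example.com/*` also matches `https://app.example.com.attacker.net/` and the allowlist does not stop the SSRF it is meant to stop. It would also help to state here whether only absolute https URLs are accepted, if that is what the portal enforces.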
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
 b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -4656,6 +4656,7 @@
+ oidcRPMetaDataOptionsComment  => { type => 'longtext' 
},
+ oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' },
+ oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
++oidcRPMetaDataOptionsRequestUris  => { type => 'text', },
+ oidcRPMetaDataOptionsExtraClaims  => {
+ type=> 'keyTextContainer',
+ keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/,
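Review bot: `oidcRPMetaDataOptionsRequestUris` is declared as plain `text`, like the redirect-URI list above it, so the manager will store any string; since this field is the only thing standing between the portal and an arbitrary outbound fetch, consider validating each entry as an absolute https URL with an optional trailing wildcard, the way the `keyTest` on the next attribute constrains claim names.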
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
 b/lemonldap-ng-manager/lib/Lemon
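The two checks described in the bullseye (Bug#1053220) and bookworm (Bug#1053219) requests above, as an added example that is not LemonLDAP::NG code: `redirect_uri` must exactly match a registered URI (an RP with nothing registered is refused outright), and `request_uri` is only fetched when it is an absolute https URL matching the RP's allowlist, whose entries may end in a `*` wildcard. The class and function names, the sample RP configuration and the sample requests are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class RPConfig:
    """Per-relying-party settings (assumed names, mirroring the two option
    lists the patches add: registered redirect URIs and allowed request URIs)."""
    client_id: str
    redirect_uris: list[str] = field(default_factory=list)
    request_uris: list[str] = field(default_factory=list)


def glob_to_regex(pattern: str) -> re.Pattern:
    """Compile an allowlist entry such as 'https://app.example.com/*'.

    Only '*' is special. Everything else is escaped and the result is anchored
    at both ends, so the entry above matches 'https://app.example.com/req/1'
    but not 'https://app.example.com.attacker.net/'.
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def validate_authz_request(rp: RPConfig, params: dict) -> dict:
    """Check the attacker-controlled URLs of an OIDC authorization request.

    Returns the redirect target and the request_uri the OP may fetch (or None);
    raises ValueError for anything that must be refused.
    """
    redirect_uri = params.get("redirect_uri")
    if not rp.redirect_uris:
        # Open-redirection fix: an RP with nothing registered must not fall
        # back to whatever redirect_uri the client supplied.
        raise ValueError("RP has no registered redirect URIs")
    if redirect_uri not in rp.redirect_uris:
        # OIDC Core requires simple string comparison here: no prefix,
        # host-only or wildcard matching for redirect URIs.
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered")

    request_uri = params.get("request_uri")
    if request_uri is None:
        return {"redirect_uri": redirect_uri, "request_uri": None}

    parts = urlsplit(request_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("request_uri must be an absolute https URL")
    if not any(glob_to_regex(entry).match(request_uri) for entry in rp.request_uris):
        # CVE-2023-44469: without this allowlist the OP fetches any URL the
        # client names, e.g. a cloud metadata endpoint or an internal service.
        raise ValueError(f"request_uri {request_uri!r} is not in the allowlist")
    return {"redirect_uri": redirect_uri, "request_uri": request_uri}


# Constructed sample RP configuration, not taken from any real deployment.
EXAMPLE_RP = RPConfig(
    client_id="app",
    redirect_uris=["https://app.example.com/oidc/callback"],
    request_uris=["https://app.example.com/*"],
)

# Constructed authorization requests: two legitimate, three hostile.
SAMPLE_REQUESTS = [
    {"redirect_uri": "https://app.example.com/oidc/callback"},
    {"redirect_uri": "https://app.example.com/oidc/callback",
     "request_uri": "https://app.example.com/requests/42"},
    {"redirect_uri": "https://app.example.com/oidc/callback",
     "request_uri": "https://app.example.com.attacker.net/"},
    {"redirect_uri": "https://app.example.com/oidc/callback",
     "request_uri": "http://169.254.169.254/latest/meta-data/"},
    {"redirect_uri": "https://attacker.net/"},
]


def run_samples(rp: RPConfig = EXAMPLE_RP, requests: list = SAMPLE_REQUESTS) -> list[str]:
    """Return 'accepted' or 'refused: <reason>' for each sample request."""
    outcome = []
    for params in requests:
        try:
            validate_authz_request(rp, params)
            outcome.append("accepted")
        except ValueError as exc:
            outcome.append(f"refused: {exc}")
    return outcome


if __name__ == "__main__":
    for params, result in zip(SAMPLE_REQUESTS, run_samples()):
        print(result, params)
```

The third sample is the case the wildcard handling has to get right: the allowlist entry is anchored and its dots are escaped, so a lookalike host that merely starts with the allowed one is refused.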

Bug#1052428: node-minimatch: please update to 9.x

2023-09-21 Thread Yadd

On 9/22/23 00:10, Jérémy Lal wrote:

Package: node-minimatch
Version: 5.1.1+~5.1.2-1
Severity: normal

Hi,

nodejs 18.18.0 depends on node-minimatch 9.0.3.

It'd be nice if someone could update that module.

Regards,
Jérémy


Hi,

I'm going to push version 9.0.3 to experimental (breaking changes)

Cheers,
Yadd



Bug#1052301: ITP: node-stdlib -- Standard library for JavaScript and Node.js

2023-09-19 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-stdlib
  Version : 0.0.96
  Upstream Contact: The Stdlib Authors
  <https://github.com/stdlib-js/stdlib/graphs/contributors>
* URL : https://github.com/stdlib-js/stdlib
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : Standard library for JavaScript and Node.js

node-stdlib is a standard library for JavaScript and Node.js, with an
emphasis on numerical and scientific computing applications. The library
provides a collection of robust, high performance libraries for mathematics,
statistics, data processing, streams, and more and includes many utilities
expected from a standard library.

node-stdlib is a build dependency of node-jupyterlab. Will be maintained
under JS Team umbrella.



Bug#1052246: ITP: node-vdom-to-html -- Node.js library to turn virtual-dom nodes into HTML

2023-09-19 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vdom-to-html
  Version : 2.3.1
  Upstream Contact: Nathan Tran 
* URL : https://github.com/nthtran/vdom-to-html
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to turn virtual-dom nodes into HTML

node-vdom-to-html turn virtual-dom nodes into HTML. virtual-dom is a
collection of modules designed to provide a declarative way of
representing the DOM.

This is a dependency of node-stdlib which is needed to build
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation

2023-09-18 Thread Yadd

On 9/18/23 21:26, Jérémy Lal wrote:



On Mon, 18 Sept 2023 at 19:15, Yadd wrote:


Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-playwright
  Version : 1.38.0
  Upstream Contact: Microsoft Corporation
  <https://github.com/Microsoft/playwright/issues>
* URL : https://github.com/Microsoft/playwright
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows
testing Chromium, Firefox and WebKit with a single API. Playwright is
built to enable cross-browser web automation that is ever-green, capable,
reliable and fast.


Hi, I am a heavy user of node-playwright, so this interests me.
Note that latest version of playwright stopped downloading automatically
the needed browser, which is a good thing.
Playwright is also able to use system-installed chromium, but maybe not firefox,
and I'm pretty sure it won't work out of the box with webkitgtk.

Cheers,
Jérémy


Hi,

Happy to help you! You can test my work, available on salsa.

Best regards,
Yadd



Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-playwright
  Version : 1.38.0
  Upstream Contact: Microsoft Corporation
  <https://github.com/Microsoft/playwright/issues>
* URL : https://github.com/Microsoft/playwright
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows
testing Chromium, Firefox and WebKit with a single API. Playwright is
built to enable cross-browser web automation that is ever-green, capable,
reliable and fast.

Another node-jupyterlab dependency, will be maintained under JS Team
umbrella.



Bug#1052147: ITP: node-source-map-loader -- Node.js library to extract source maps

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-source-map-loader
  Version : 4.0.1
  Upstream Contact: JS Foundation
  <https://github.com/webpack-contrib/source-map-loader/issues>
* URL : https://github.com/webpack-contrib/source-map-loader
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to extract source maps

node-source-map-loader is a JS library to extracts source maps from
existing source files. Can be used in a node-webpack rule.

It's a build dependency of node-jupyterlab, will be maintained under JS
Team umbrella.



Bug#1052143: ITP: node-html-loader -- Node module that exports HTML as string

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-loader
  Version : 4.2.0
  Upstream Contact: JS Foundation
  <https://github.com/webpack-contrib/html-loader/issues>
* URL : https://github.com/webpack-contrib/html-loader
* License : Expat
  Programming Lang: JavaScript
  Description : Node module that exports HTML as string

node-html-loader exports HTML as string. HTML is minimized when the
compiler demands. It is typically used as node-webpack plugin.

node-html-loader is a dependency of node-jupyterlab and will be
maintained under JS Team umbrella



Bug#1052140: ITP: node-html-webpack-plugin -- node-webpack plugin to create HTML files

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-webpack-plugin
  Version : 5.5.3
  Upstream Contact: JS Foundation
  <https://github.com/jantimon/html-webpack-plugin/issues>
* URL : https://github.com/jantimon/html-webpack-plugin
* License : JavaScript
  Programming Lang: Expat
  Description : node-webpack plugin to create HTML files

node-html-webpack-plugin is a node-webpack plugin that simplifies
creation of HTML files to serve a node-webpack bundle. This is
especially useful for bundles that include a hash in the filename
which changes every compilation.

It's a build dependency of node-jupyterlab. Will be maintained under JS
Team umbrella.



Bug#1052076: ITP: node-mathjax-full -- JavaScript library to display math in browsers

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-mathjax-full
  Version : 3.2.2
  Upstream Contact: The MathJax Consortium
  <https://github.com/mathjax/Mathjax-src/issues>
* URL : https://github.com/mathjax/Mathjax-src
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : JavaScript library to display math in browsers

MathJax is an open-source JavaScript display engine for LaTeX, MathML,
and AsciiMath notation that works in all modern browsers. It was
designed with the goal of consolidating the recent advances in web
technologies into a single, definitive, math-on-the-web platform
supporting the major browsers and operating systems.  It requires no
setup on the part of the user (no plugins to download or software to
install), so the page author can write web documents that include
mathematics and be confident that users will be able to view it
naturally and easily.  Simply include MathJax and some mathematics in
a web page, and MathJax does the rest.

node-mathjax-full is a dependency of node-jupyterlab. It will be
maintained under JS Team umbrella.



Bug#1052075: ITP: node-speech-rule-engine -- NodeJS version of the ChromeVox speech rule engine

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-speech-rule-engine
  Version : 3.2.2
  Upstream Contact: Volker Sorge 
* URL : https://github.com/zorkow/speech-rule-engine
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : NodeJS version of the ChromeVox speech rule engine

node-speech-rule-engine (SRE) can translate XML expressions into speech
strings according to rules that can be specified in a syntax using Xpath
expressions.

It's a dependency of node-mathjax-full, needed to build node-jupyterlab.
Will be maintained under JS Team umbrella.



Bug#1052054: ITP: node-sort-package-json -- Node.js library to sort package.json

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sort-package-json
  Version : 2.5.1
  Upstream Contact: Keith Cirkel 
* URL : https://github.com/fisker/git-hooks-list
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to sort package.json

node-sort-package-json is a small library useful to sort package.json files
of Node.js modules, not in alphabetic order but in logical order (starting
by name and version).

It's a dependency of node-jupyterlab and will be maintained under JS
Team umbrella.



Bug#1051991: ITP: node-sixel -- Node.js library to manage Sixel images

2023-09-15 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sixel
  Version : 0.16.0
  Upstream Contact: Joerg Breitbart 
* URL : https://github.com/jerch/node-sixel/
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to manage Sixel images

node-sixel is a image decoding / encoding library for node and the browser.

It is a build dependency of node-xterm 5 which is required for
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1051974: ITP: inwasm -- Inline WebAssembly for Typescript

2023-09-14 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: inwasm
  Version : 0.0.13
  Upstream Contact: Joerg Breitbart 
* URL : https://github.com/jerch/inwasm
* License : Expat
  Programming Lang: JavaScript
  Description : Inline WebAssembly for Typescript

InWasm is a small bundler for inline standalone wasm libraries (Web Assembly).
It compiles and bundles the wasm source code inplace, using either
clang, wabt and/or emscripten.

inwasm is a build dependency needed to build node-xterm-wasm-parts,
which is required by node-xterm 5 which update is needed to build
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1051930: ITP: node-node-pty -- Node.js library to allow one to fork processes with pseudoterminal file descriptors

2023-09-14 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-node-pty
  Version : 1.0.0
  Upstream Contact: node-pty authors
  <https://github.com/microsoft/node-pty/issues>
* URL : https://github.com/microsoft/node-pty/issues
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to allow one to fork processes with 
pseudoterminal file descriptors

node-node-pty provides forkpty bindings for node.js. This allows one to fork
processes with pseudoterminal file descriptors. It returns a terminal object
which allows reads and writes. This is useful for:
 * Writing a terminal emulator
 * Getting certain programs to think they are in a terminal

node-node-pty is a dependency of node-xterm 5 which is needed to build
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1051823: ITP: libjs-simulate-event -- JavaScript library to trigger DOM events on any element

2023-09-12 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: libjs-simulate-event
  Version : 1.4.0
  Upstream Contact: Blake Embrey 
* URL : https://github.com/blakeembrey/simulate-event
* License : Expat
  Programming Lang: JavaScript
  Description : JavaScript library to trigger DOM events on any element

libjs-simulate-event provide a simple way to trigger DOM events on any
element:
  * simulateEvent.simulate(document.body, 'click')

It's a build dependency of node-jupyterlab and will be maintained under
JS Team umbrella



Bug#1051705: ITP: node-vega-embed -- Node.js library to easily embed vega views

2023-09-11 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-embed
  Version : 6.22.2
  Upstream Contact: University of Washington Interactive Data Lab
  <https://github.com/vega/vega-embed/issues>
* URL : https://github.com/vega/vega-embed/issues
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Node.js library to easily embed vega views

node-vega-embed makes it easy to embed interactive node-vega and
node-vega-lite views into web pages.

It's another dependency needed to build node-jupyterlab. Will be
maintained under JS Team umbrella



Bug#1051694: ITP: node-vega-themes -- Themes for stylized Vega and Vega-Lite visualizations

2023-09-11 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-themes
  Version : 2.14.0
  Upstream Contact: University of Washington Interactive Data Lab
  <https://github.com/vega/vega-themes/issues>
* URL : https://github.com/vega/vega-themes/issues
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Themes for stylized Vega and Vega-Lite visualizations

A Vega *theme* is a configuration object with default settings for a variety
of visual properties such as colors, typefaces, line widths and spacing. This
module exports a set of named themes, which can be passed as input to the
node-vega or node-vega-lite with node-vega-embed or directly as a
configuration object to the Vega parser.

This package is a dependency of node-vega-embed which is needed to build
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1051660: ITP: node-vega-lite -- Node.js library that provides a higher-level grammar for visual analysis for node-vega

2023-09-10 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-lite
  Version : 5.14.1
  Upstream Contact: University of Washington Interactive Data Lab
  <https://github.com/vega/vega-lite/issues>
* URL : https://github.com/vega/vega-lite/issues
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Node.js library that provides a higher-level grammar for 
visual analysis for node-vega

node-vega-lite provides a higher-level grammar for visual analysis that
generates complete Vega specifications.
More details are available at https://vega.github.io/vega-lite/docs/. An
online editor is also available: https://vega.github.io/editor/#/custom/vega-lite

This library is a dependency of node-vega-embed, needed to build
node-jupyterlab. Will be maintained under JS Team umbrella



Bug#1051628: ITP: node-d3-delaunay -- Node.js fast library for computing the Voronoi diagram

2023-09-10 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-d3-delaunay
  Version : 6.0.4
  Upstream Contact: Observable, Inc.
  <https://github.com/d3/d3-delaunay/issues>
* URL : https://github.com/d3/d3-delaunay
* License : ISC
  Programming Lang: JavaScript
  Description : Node.js fast library for computing the Voronoi diagram

node-d3-delaunay is a fast library for computing the Voronoi diagram of a set
of two-dimensional points. It is based on included node-delaunator, a fast
library for computing the Delaunay triangulation using sweep algorithms.
The Voronoi diagram is constructed by connecting the circumcenters of
adjacent triangles in the Delaunay triangulation.

It's a missing dependency of node-vega, needed to build node-jupyterlab



Bug#1051608: ITP: node-d3-geo-projection -- Extended geographic projections for node-d3-geo

2023-09-10 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-d3-geo-projection
  Version : 4.0.0
  Upstream Contact: Mike Bostock <https://bost.ocks.org/mike>
* URL : https://d3js.org/d3-geo-projection/
* License : ISC
  Programming Lang: JavaScript
  Description : Extended geographic projections for node-d3-geo

node-d3-geo-projection provides extended geographic projections for
node-d3-geo. It's a dependency of node-vega-lite, needed to build
node-jupyterlab. It will be maintained under JS Team umbrella.



Bug#1051601: ITP: node-geojson -- Node.js library to convert geo data into GeoJSON

2023-09-10 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-geojson
  Version : 0.5.0
  Upstream Contact: Casey Cesari
  <https://github.com/caseycesari/geojson.js/issues>
* URL : https://github.com/caseycesari/geojson.js
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to convert geo data into GeoJSON

node-geojson is a dependency of node-vega-lite and a TS dependency of
node-d3. It will be maintained under JS Team umbrella.



Bug#1051591: ITP: node-vega-tooltip -- Tooltip for node-vega and node-vega-lite

2023-09-10 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-tooltip
  Version : 0.33.0
  Upstream Contact: https://github.com/vega/vega-tooltip/issues
* URL : https://github.com/vega/vega-tooltip
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Tooltip for node-vega and node-vega-lite

node-vega-tooltip is a tooltip plugin for Vega and Vega-Lite visualizations.
This plugin implements a custom tooltip handler for Vega that uses custom
HTML tooltips instead of the HTML title attribute.

This is a dependency of node-jupyterlab. It will be maintained under JS
Team umbrella.



Bug#1051583: ITP: node-fast-json-patch -- Node.js implementation of JSON-Patch

2023-09-09 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-fast-json-patch
  Version : 3.1.1
  Upstream Contact: Joachim Wester 
* URL : https://github.com/Starcounter-Jack/JSON-Patch
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js implementation of JSON-Patch

node-fast-json-patch is a leaner and meaner implementation of JSON-Patch.
Small footprint. High performance. It can:
 * apply patches (arrays) and single operations on JS object
 * validate a sequence of patches
 * observe for changes and generate patches when a change is detected
 * compare two objects to obtain the difference

node-fast-json-patch is a dependency of node-vega-embed, needed for
node-jupyterlab.



Bug#1051550: node-rollup-plugin-terser: Please update (or embed) to @rollup/plugin-terser

2023-09-09 Thread Yadd
Package: node-rollup-plugin-terser
Version: 7.0.2+~5.0.1-8
Severity: wishlist

Hi,

rollup-plugin-terser is going to be replaced by @rollup/plugin-terser.
Could you update this package or embed both during the transition?

Cheers,
Yadd



Bug#1051549: ITP: node-jsan -- JavaScript "All The Things" Notation

2023-09-09 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-jsan
  Version : 3.1.14
  Upstream Contact: Moshe Kolodny
  <https://github.com/kolodny/jsan/issues>
* URL : https://github.com/kolodny/jsan
* License : Expat
  Programming Lang: JavaScript
  Description : JavaScript "All The Things" Notation

node-jsan easily stringifies and parses any object, including objects with
circular references, self references, dates, regexes, `undefined`, errors,
and even functions.

node-jsan is a dependency of node-redux-devtools which is needed by
node-jupyterlab. This package will be maintained under JS Team umbrella.



Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1

2023-09-01 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
 * the "login" security regex wasn't applied when using AuthSlave
 * lemonldap-ng portal can be used as open-redirection due to incorrect
   escape handling

This proposal includes these 2 patches for Bookworm

[ Impact ]
Low security issues

[ Tests ]
Test updated, passed both with autopkgtest and build

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * check if login value respects the config when login comes from
   AuthSlave
 * Sanitize URLs used in redirections
 * Tests

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 8de0d083f..268c0d993 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium
+
+  * Apply login control to auth-slave requests
+  * Fix open redirection due to incorrect escape handling
+
+ -- Yadd   Fri, 01 Sep 2023 10:11:50 +0400
+
 lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium
 
   * Fix incorrect parsing of OP-provided acr
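Review bot: the new changelog entry targets `UNRELEASED`, but a bookworm-pu upload must be built for `bookworm`; change the distribution field on the first line of the hunk (`lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium`) before building. Adding the upstream issue number (2946) or a Debian bug reference to the two bullet lines would also make the stable changelog easier to track.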
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index 33c3a640d..756ccd252 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,4 +1,6 @@
 ---
+variables:
+  RELEASE: 'bookworm'
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
diff --git a/debian/patches/apply-user-control-to-authslave.patch 
b/debian/patches/apply-user-control-to-authslave.patch
new file mode 100644
index 0..df0ceca39
--- /dev/null
+++ b/debian/patches/apply-user-control-to-authslave.patch
@@ -0,0 +1,83 @@
+Description: [Security] apply user-control to authSlave
+Author: Christophe Maudoux 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946
+Forwarded: not-needed
+Applied-Upstream: 2.17.0, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351
+Reviewed-By: Yadd 
+Last-Update: 2023-09-01
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm
+@@ -8,6 +8,7 @@
+   PE_OK
+   PE_FORBIDDENIP
+   PE_USERNOTFOUND
++  PE_MALFORMEDUSER
+ );
+ 
+ our $VERSION = '2.0.12';
+@@ -37,11 +38,15 @@
+ $user_header = 'HTTP_' . uc($user_header);
+ $user_header =~ s/\-/_/g;
+ 
+-unless ( $req->{user} = $req->env->{$user_header} ) {
++unless ( $req->env->{$user_header} ) {
+ $self->userLogger->error(
+ "No header " . $self->conf->{slaveUserHeader} . " found" );
+ return PE_USERNOTFOUND;
+ }
++return PE_MALFORMEDUSER
++  unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );
++
++$req->{user} = $req->env->{$user_header};
+ return PE_OK;
+ }
+ 
+--- a/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t
 b/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t
+@@ -2,7 +2,7 @@
+ use Test::More;
+ use strict;
+ use JSON;
+-use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND);
++use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND 
PE_MALFORMEDUSER);
+ 
+ require 't/test-lib.pm';
+ 
+@@ -17,6 +17,7 @@
+ securedCookie  => 3,
+ authentication => 'Slave',
+ userDB => 'Same',
++userControl=> '^\w{4}$',
+ slaveUserHeader=> 'My-Test',
+ slaveHeaderName=> 'Check-Slave',
+ slaveHeaderContent => 'Password',
+@@ -91,6 +92,27 @@
+   or explain( $json, "error => 4" );
+ count(4);
+ 
++# Good credentials with an unauthorized login
++ok(
++$res = $client->_get(
++'/',
++ip => '127.0.0.1',
++custom => {
++HTTP_MY_TEST => 'dwhoo',
++HTTP_NAME=> 'Dr Who',
++HTTP_CHECK_SLAVE => 'Password',
++}
++
++),
++'Auth query'
++);
++ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
++ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
++  or print STDERR "$@\n" . Dumper($res);
++ok( $json->{error} == PE_MALFORMEDUSER, 'Response is PE_MALFORMEDUSER' )
++  or explain( $json, "error => 40" );
++count(4);
++
+ # Good credentials with acredited IP
+ ok(
+ $

Bug#1050730: bookworm-pu: package cyrus-imapd/3.6.1-4+deb12u1

2023-08-28 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cyrus-im...@packages.debian.org
Control: affects -1 + src:cyrus-imapd

[ Reason ]
I entered a patch some months ago in Bullseye to permit migration to
Cyrus-Imapd 3.6 (Bookworm): without this patch, mailboxes may be
corrupted.
I also added a postinst check to refuse upgrades if the previous version
wasn't > 3.2.6-2+deb11u2. However, I made a mistake in this patch and
migrations are not blocked. So users that didn't follow Bullseye upgrades
are losing their mailboxes during Bookworm upgrades (see #1037346).

[ Impact ]
Data loss risk for users that didn't migrate from 3.2.6-2+deb11u2.

[ Risks ]
No risk here, it just fixes the major risk on upgrades

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * fix dpkg --compare-versions use
 * update doc to replace minimal 3.2.10 by 3.2.6-2+deb11u2

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a6d3c31a..56cfb114 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cyrus-imapd (3.6.1-4+deb12u1) UNRELEASED; urgency=medium
+
+  * Doc: add patch to fix minimal version needed before upgrade
+(see #1037346)
+  * Fix postint version check (see #1037346)
+
+ -- Yadd   Sat, 26 Aug 2023 07:06:45 +0400
+
 cyrus-imapd (3.6.1-4) unstable; urgency=medium
 
   * Update copyright
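Review bot: the distribution on the first line of the hunk is `UNRELEASED`; for a bookworm-pu upload it must be `bookworm`. Also `postint` in the second bullet should read `postinst`.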
diff --git a/debian/cyrus-common.postinst b/debian/cyrus-common.postinst
index 86eb6f0a..10a36946 100755
--- a/debian/cyrus-common.postinst
+++ b/debian/cyrus-common.postinst
@@ -60,7 +60,7 @@ upgradesieve () {
 case "$1" in
 configure)
# Refuse to update if previous version is lower than 3.2.6-2+deb11u2~
-   if [ -z "$1" ] || $(dpkg --compare-versions $1 lt '3.2.6-2+deb11u2~'); 
then
+   if [ -z "$2" ] || $(dpkg --compare-versions $2 lt '3.2.6-2+deb11u2~'); 
then
echo "You must update cyrus-imapd to at least version 
3.2.6-2+deb11u2~" >&2
echo "before updating it to version 3.6.x and run it, else your 
mailboxes" >&2
echo "may be corrupted" >&2
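Review bot: switching from `$1` to `$2` fixes the comparison, but `[ -z "$2" ]` is true on a fresh installation (dpkg passes no previously configured version to `configure` then), so with this change a brand-new install of cyrus-common would print the message and exit 1. The guard should only fire when a previous version exists and is too old: `if [ -n "$2" ] && dpkg --compare-versions "$2" lt '3.2.6-2+deb11u2~'; then`. Drop the `$( ... )` around dpkg as well: it runs dpkg's (empty) output as a command and only works because the shell then falls back to the substitution's exit status; calling dpkg directly, with `"$2"` quoted, is the idiomatic form.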
diff --git a/debian/patches/fix-upgrade-versions.patch 
b/debian/patches/fix-upgrade-versions.patch
new file mode 100644
index ..9d0bb2f9
--- /dev/null
+++ b/debian/patches/fix-upgrade-versions.patch
@@ -0,0 +1,37 @@
+Description: fix the minimal version needed to update
+Author: Yadd 
+Bug-Debian: https://bugs.debian.org/1037346
+Forwarded: not-needed
+Last-Update: 2023-07-19
+
+--- a/doc/html/_sources/imap/download/upgrade.rst.txt
 b/doc/html/_sources/imap/download/upgrade.rst.txt
+@@ -25,10 +25,9 @@
+ Versions to upgrade from
+ 
+ 
+-Before upgrading to 3.6, your deployment should be running either:
++Before upgrading to 3.6, your deployment should be running:
+ 
+-* 3.2.10 (or later), or
+-* 3.4.4 (or later)
++* 3.2.6-2+deb11u2 (or later)
+ 
+ If your existing deployment predates these releases, you should first upgrade
+ to one of these versions, let it run for a while, resolve any issues that
+--- a/doc/text/imap/download/upgrade.txt
 b/doc/text/imap/download/upgrade.txt
+@@ -59,11 +59,9 @@
+ Versions to upgrade from
+ 
+ 
+-Before upgrading to 3.6, your deployment should be running either:
++Before upgrading to 3.6, your deployment should be running:
+ 
+-* 3.2.10 (or later), or
+-
+-* 3.4.4 (or later)
++* 3.2.6-2+deb11u2 (or later)
+ 
+ If your existing deployment predates these releases, you should first
+ upgrade to one of these versions, let it run for a while, resolve any
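Review bot: once the list is reduced to a single entry, the unchanged context lines `If your existing deployment predates these releases, you should first upgrade to one of these versions` no longer read naturally in either file; reword them to the singular (`this release`, `this version`) in the same patch. Since the version quoted is Debian-specific, `Forwarded: not-needed` is appropriate, and the patch header could say so explicitly so a future maintainer does not try to upstream it.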
diff --git a/debian/patches/series b/debian/patches/series
index b33e49ac..353fb72b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0018-increase-test-timeout.patch
 #0019-propagate-XXFLAGS.patch
 0020_fix-cyr_cd-shebang.patch
+fix-upgrade-versions.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a640..6a91c217 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,4 +1,7 @@
 ---
+variables:
+  RELEASE: 'bookworm'
+
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml


Bug#1037346: cyrus-imapd: Stable should have gone from Cyrus 3.2.6 to 3.2.10 first

2023-08-25 Thread Yadd

On 8/25/23 16:13, Petr Jurášek wrote:

Hi,

we had the same problem. After the upgrade, only mailboxes which had a
uniqueid in the database were created. We can check it in a dump:
/usr/lib/cyrus/bin/cvt_cyrusdb /var/lib/cyrus/mailboxes.db twoskip 
/tmp/aaa.txt flat;

Folders without a uniqueid don't have "I" in the dump /tmp/aaa.txt.

It can be repaired _before_ upgrade with:
/usr/lib/cyrus/bin/reconstruct -I
...
pokus.cz!test: update uniqueid from header (null) => 7f54216e52e02e7c
...

I hope that this repaired mailboxes.db can be upgraded without problems 
and will check it in a few days.


I copied mailboxes.db without "reconstruct -I" to a test bookworm system and 
ran "/usr/lib/cyrus/bin/ctl_cyrusdb -r". After that:

/usr/lib/cyrus/bin/ctl_mboxlist -d | wc -l
458
I ran "reconstruct -I" on the test source system, copied it to the test bookworm 
system, and ran "/usr/lib/cyrus/bin/ctl_cyrusdb -r". After that:

/usr/lib/cyrus/bin/ctl_mboxlist -d | wc -l
2280



And there is a typo in the postinst of the cyrus-common package (you must test 
for zero size and compare the version in variable $2, not $1):

===
case "$1" in
     configure)
     # Refuse to update if previous version is lower than 
3.2.6-2+deb11u2~
     if [ -z "$1" ] || $(dpkg --compare-versions $1 lt 
'3.2.6-2+deb11u2~'); then
     echo "You must update cyrus-imapd to at least version 
3.2.6-2+deb11u2~" >&2
     echo "before updating it to version 3.6.x and run it, else 
your mailboxes" >&2

     echo "may be corrupted" >&2
     exit 1
     fi
===

Regards,
Petr Jurasek


Hi,

thanks for the fix. Did you get this issue when upgrading from 
3.2.6-2+deb11u2 or upgrading from 3.2.6-2?




Bug#1042455: golang-github-evanw-esbuild: Please build node-esbuild on armel

2023-07-28 Thread Yadd
Source: golang-github-evanw-esbuild
Version: 0.14.8-2
Severity: normal
Tags: patch

Hi,

starting from version 0.14.8-2, node-esbuild isn't built for the armel, 
hurd-i386, powerpc and riscv64 architectures.
Since Nodejs 18.7.0+dfsg-2, armel is supported by Node.js.

Merge request !3 in your salsa repository fixes this issue.

Best regards,
Yadd



Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-07-25 Thread Yadd

Control: tags -1 - moreinfo

On 7/25/23 11:40, Jonathan Wiltshire wrote:

Control: tag -1 = bullseye moreinfo

On Mon, Jul 24, 2023 at 09:37:58PM +0100, Adam D. Barratt wrote:

On Mon, 2023-07-24 at 21:27 +0100, Jonathan Wiltshire wrote:

Control: tag -1 confirmed

On Sun, Jul 09, 2023 at 09:11:26AM +0400, Yadd wrote:

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)


By all means go ahead, but it can't be accepted until the situation
in
testing is fixed up (unless we propagate the version from
bookworm-proposed-updates to testing).



The provided diff appears to be against the package in bookworm.
bullseye has 2.0.2-1.


Euf, right - sorry (too many releases started 'b'...)
Please revise the debdiff.

Thanks,


Sorry, here is the new debdiff
diff --git a/debian/changelog b/debian/changelog
index d790b40..59ef133 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd   Sun, 09 Jul 2023 08:46:31 +0400
+
 node-dottie (2.0.2-1) unstable; urgency=medium
 
   * New upstream version 2.0.2
diff --git a/debian/patches/CVE-2023-26132.patch 
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen 
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd 
+Last-Update: 2023-07-09
+
+--- a/README.md
 b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call 
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
 b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = 
object, piece, length = pieces.length;
++if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+   if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
 b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++var data = {};
++
++dottie.set(data, '__proto__.pollution', 'polluted');
++
++expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
 b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++var values = {
++  'user.name': 'John Doe',
++  '__proto__.pollution': 'pollution'
++};
++
++var transformed = dottie.transform(values);
++expect(transformed.user).not.to.equal(undefined);
++expect(transformed.user.name).to.equal('John Doe');
++expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
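Review bot: the guard added in both `dottie.js` hunks inspects `pieces[0]` only, so a path whose `__proto__` segment comes after a regular first segment is still walked, and `constructor` / `prototype` are not covered at all; the patch description itself calls this "rudimentary". For the stable update, consider carrying a follow-up that rejects those three names at every segment (or creates intermediate objects with `Object.create(null)`), and state in d/changelog that only the `__proto__`-first case is covered. The `set.test.js` hunk also leaves the file without a trailing newline (`\ No newline at end of file`); worth fixing while touching it.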
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 000..e69de29
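As an added example, not code from dottie.js or from this upload, here is a dotted-path setter of the kind the CVE-2023-26132 patch hardens, written from the hardening side: it refuses `__proto__`, `constructor` and `prototype` at every segment of the path, not only the first, and builds intermediate objects with a null prototype so that nothing reachable through them is shared with `Object.prototype`. The names `safeSet`, `safeTransform`, `isSafePath` and `demo`, and the sample paths, are constructed for this illustration.

```javascript
// Property names that reach the prototype chain instead of an own
// property; none of them is ever a legitimate segment of a data path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when every segment of the split path is a plain own-property name.
function isSafePath(pieces) {
  return pieces.every(p => !FORBIDDEN_KEYS.has(p));
}

// Writes value at the dotted path inside target.
// Returns true when the value was written, false when the path was rejected.
// Intermediate objects are created with Object.create(null); an existing
// non-object intermediate value is replaced rather than descended into.
function safeSet(target, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  if (pieces.length === 0 || !isSafePath(pieces)) return false;
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    const own = Object.prototype.hasOwnProperty.call(current, piece);
    if (!own || typeof current[piece] !== 'object' || current[piece] === null) {
      current[piece] = Object.create(null);
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return true;
}

// Builds a nested object from flat dotted keys (the "transform" direction),
// dropping any key that contains a forbidden segment. The result itself has
// a null prototype, so it carries no inherited properties at all.
function safeTransform(flat) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(flat)) {
    safeSet(out, key, value);
  }
  return out;
}

// Constructed inputs of the kind a parser of untrusted data might receive.
// Returns what each call did and whether a fresh {} picked up anything.
function demo() {
  const before = ({}).pollution;                          // undefined
  const data = {};
  const r1 = safeSet(data, '__proto__.pollution', 'x');   // rejected
  const r2 = safeSet(data, 'a.__proto__.pollution', 'x'); // rejected too
  const r3 = safeSet(data, 'user.name', 'John Doe');      // accepted
  const after = ({}).pollution;                           // still undefined
  return { r1, r2, r3, before, after, name: data.user.name };
}

module.exports = { FORBIDDEN_KEYS, isSafePath, safeSet, safeTransform, demo };
```

The check on every segment is what distinguishes this from a first-segment guard: a path such as `a.__proto__.x` is rejected before anything is walked, and even if a forbidden name slipped through, the null-prototype intermediates would give the walk nothing inherited to land on.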


Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1

2023-07-25 Thread Yadd

Control: tags -1 - moreinfo

On 7/25/23 21:02, Jonathan Wiltshire wrote:

Control: tag -1 moreinfo

On Fri, Apr 21, 2023 at 11:36:54AM +0400, Yadd wrote:

diff --git a/debian/changelog b/debian/changelog
index 628f69a..106d13b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd   Fri, 21 Apr 2023 11:33:31 +0400
+
  node-xml2js (0.2.8-1) unstable; urgency=low
  
* Upstream update


bullseye has 0.2.8-1.1, please ensure you base the proposed debdiff off
that. Remove the moreinfo tag when you are ready for further review.

Thanks,


Hi,

here is the new debdiff

Best regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index fa373bf..22806aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1.1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd   Wed, 26 Jul 2023 08:27:13 +0400
+
 node-xml2js (0.2.8-1.1) unstable; urgency=medium
 
   * Non maintainer upload by the Reproducible Builds team.
diff --git a/debian/patches/CVE-2023-0842.patch 
b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 000..cd03e08
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby 
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd 
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
 b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+ charkey = @options.charkey
+ 
+ @saxParser.onopentag = (node) =>
+-  obj = {}
++  obj = Object.create(null)
+   obj[charkey] = ""
+   unless @options.ignoreAttrs
+ for own key of node.attributes
+   if attrkey not of obj and not @options.mergeAttrs
+-obj[attrkey] = {}
++obj[attrkey] = Object.create(null)
+   if @options.mergeAttrs
+ obj[key] = node.attributes[key]
+   else
+@@ -158,7 +158,7 @@
+ 
+   # put children into  property and unfold chars if necessary
+   if @options.explicitChildren and not @options.mergeAttrs and typeof obj 
is 'object'
+-node = {}
++node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+   node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+ if @options.explicitRoot
+   # avoid circular references
+   old = obj
+-  obj = {}
++  obj = Object.create(null)
+   obj[nodeName] = old
+ 
+ @resultObject = obj
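Review bot: switching every parsed object to `Object.create(null)` is the right fix for the prototype replacement, but it is also an API change: the result objects no longer inherit from `Object.prototype`, so any consumer that calls `result.hasOwnProperty(key)` or `toString()` on a parsed node will now throw. For a stable update, mention that behaviour change in d/changelog and check the reverse dependencies of node-xml2js in bullseye for such calls before upload.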
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..6b5589b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-0842.patch


Bug#1037346: cyrus-imapd: Stable should have gone from Cyrus 3.2.6 to 3.2.10 first

2023-07-18 Thread Yadd

On 7/18/23 22:24, Gijs Hillenius wrote:

Package: cyrus-imapd
Version: 3.6.1-4
Followup-For: Bug #1037346

Dear Maintainers

The documentation

https://www.cyrusimap.org/3.6/imap/download/upgrade.html#versions-to-upgrade-from

tells me that we should have upgraded from Cyrus 3.2.6 to 3.2.10 before going to
3.6.x. Bullseye stable didn't take us that way, and perhaps neither did 
Bullseye-backports.

Perhaps a check should be made, and stop Cyrus 3.2 from being upgraded?

Best wishes,


Hi,

the patch needed to update to 3.6 is included in version 
3.2.6-2+deb11u2. So the doc should be updated to explain that "we should
have upgraded from Cyrus 3.2.6-2 to 3.2.6-2+deb11u2 before going to 3.6.x"

Regards,
Yadd



Bug#1041010: [Pkg-javascript-devel] Bug#1041010: Bug#1041010: Please include nbconvert-css

2023-07-17 Thread Yadd

On 7/17/23 17:06, Yadd wrote:

On 7/17/23 16:39, Julian Gilbey wrote:

On Sun, Jul 16, 2023 at 03:04:26PM +0100, Julian Gilbey wrote:

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now I'm
not able to build all @jupyterlab/* components due to missing dependencies.

I'll continue this during autumn.


Hi Yadd,

Thanks for the info!  I'm taking a further look at this now and will
report back when I have more information (hopefully soon).
[...]


Quick update: I managed to build @jupyterlab/nbconvert-css using just
a small patch to the node-jupyterlab repo on salsa.  But I'm not sure
if my code is "correct" (though it produces identical output to
upstream) - I've filed an issue upstream about this.
(https://github.com/webpack/webpack.js.org/issues/6969)

When I'm happy that I've done the "right" thing, I'll file a PR
against jupyterlab to drop the deprecated null-loader dependency.  Are
you then happy for me to push the patch directly to the salsa
node-jupyterlab repo?


Hi,

sure you can, thanks !


I just pushed a new version with @jupyterlab/nbconvert-css (the problem 
isn't in webpack but in schema-utils transition)




Bug#1041010: [Pkg-javascript-devel] Bug#1041010: Bug#1041010: Please include nbconvert-css

2023-07-17 Thread Yadd

On 7/17/23 16:39, Julian Gilbey wrote:

On Sun, Jul 16, 2023 at 03:04:26PM +0100, Julian Gilbey wrote:

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now I'm
not able to build all @jupyterlab/* components due to missing dependencies.
I'll continue this during autumn.


Hi Yadd,

Thanks for the info!  I'm taking a further look at this now and will
report back when I have more information (hopefully soon).
[...]


Quick update: I managed to build @jupyterlab/nbconvert-css using just
a small patch to the node-jupyterlab repo on salsa.  But I'm not sure
if my code is "correct" (though it produces identical output to
upstream) - I've filed an issue upstream about this.
(https://github.com/webpack/webpack.js.org/issues/6969)

When I'm happy that I've done the "right" thing, I'll file a PR
against jupyterlab to drop the deprecated null-loader dependency.  Are
you then happy for me to push the patch directly to the salsa
node-jupyterlab repo?


Hi,

sure you can, thanks !



Bug#1041220: src:libgitlab-api-v4-perl: fails to migrate to testing for too long: triggers autopkgtest regression in devscripts

2023-07-15 Thread Yadd

On 7/15/23 22:46, Paul Gevers wrote:

Source: libgitlab-api-v4-perl
Version: 0.26-3
Severity: serious
Control: close -1 0.27-1
Tags: sid trixie
User: release.debian@packages.debian.org
Usertags: out-of-sync
Control: block -1 by 1038486

Dear maintainer(s),

The Release Team considers packages that are out-of-sync between testing 
and unstable for more than 30 days as having a Release Critical bug in 
testing [1]. Your package src:libgitlab-api-v4-perl has been trying to 
migrate for 32 days [2]. Hence, I am filing this bug. The package in 
unstable triggers an autopkgtest issue in devscripts, which is reported 
in bug 1038486.


If a package is out of sync between unstable and testing for a longer 
period, this usually means that bugs in the package in testing cannot be 
fixed via unstable. Additionally, blocked packages can have impact on 
other packages, which makes preparing for the release more difficult. 
Finally, it often exposes issues with the package and/or
its (reverse-)dependencies. We expect maintainers to fix issues that 
hamper the migration of their package in a timely manner.


This bug will trigger auto-removal when appropriate. As with all new 
bugs, there will be at least 30 days before the package is auto-removed.


I have immediately closed this bug with the version in unstable, so if 
that version or a later version migrates, this bug will no longer affect 
testing. I have also tagged this bug to only affect sid and trixie, so 
it doesn't affect (old-)stable.


If you believe your package is unable to migrate to testing due to 
issues beyond your control, don't hesitate to contact the Release Team.


Paul


Hi,

the error looks to be:

 55s t/salsa-config.t .. ok
 56s Undefined subroutine ::to_json called at ./t/salsa.pm line 49.
 56s # Tests were run but no plan was declared and done_testing() was 
not seen.

 56s # Looks like your test exited with 255 just after 1.
 56s t/salsa.t .

Gitlab::API::v4 uses JSON::MaybeXS which may use a different JSON stack. 
I just added a "use JSON" in t/salsa.pm. Maybe this is enough to fix 
this issue.


https://salsa.debian.org/debian/devscripts/-/commit/5bbc8778

Regards,
Yadd



Bug#1041010: [Pkg-javascript-devel] Bug#1041010: Please include nbconvert-css

2023-07-13 Thread Yadd

On 7/14/23 01:40, Julian Gilbey wrote:

Package: node-jupyterlab
Version: 4.0.0~rc1+ds1+~1.0.2-1
Severity: wishlist

Hi Yadd!

Thanks for building this package!

I'm in the process of trying to upgrade (python3-)nbconvert (it's a
dependency of Spyder), and the new version tries to use
https://unpkg.com/@jupyterlab/nbconvert-css@3.6.1/style/index.css
during the build process.  I obviously need to replace this by a local
file, so the node-jupyterlab is the obvious place to look.

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now 
I'm not able to build all @jupyterlab/* components due to missing 
dependencies. I'll continue this during autumn.


Regards,
Yadd



Bug#1040563: bookworm-pu: package node-tough-cookie/4.0.0-2+deb12u1

2023-07-09 Thread Yadd

On 7/7/23 21:43, Jonathan Wiltshire wrote:

Control: tag -1 moreinfo

On Fri, Jul 07, 2023 at 09:01:40PM +0400, Yadd wrote:

[ Reason ]
node-tough-cookie is vulnerable to prototype pollution


How has this been fixed in unstable? You'll need an upload there anyway for
version ordering.

Thanks,


Hi,

upload already done in unstable

Cheers,



Bug#1040683: bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1

2023-07-09 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd   Mon, 29 May 2023 07:53:16 +0400
+
 node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch 
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index ..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works 
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd 
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
 b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+   if (importOptions.webpackInclude !== undefined) 
{
+   if (
+   !importOptions.webpackInclude ||
+-  
importOptions.webpackInclude.constructor.name !== "RegExp"
++  !(importOptions.webpackInclude 
instanceof RegExp)
+   ) {
+   parser.state.module.addWarning(
+   new 
UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+   )
+   );
+   } else {
+-  include = new 
RegExp(importOptions.webpackInclude);
++  include = 
importOptions.webpackInclude;
+   }
+   }
+   if (importOptions.webpackExclude !== undefined) 
{
+   if (
+   !importOptions.webpackExclude ||
+-  
importOptions.webpackExclude.constructor.name !== "RegExp"
++  !(importOptions.webpackExclude 
instanceof RegExp)
+   ) {
+   parser.state.module.addWarning(
+   new 
UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+   )
+   );
+   } else {
+-  exclude = new 
RegExp(importOptions.webpackExclude);
++  exclude = 
importOptions.webpackExclude;
+   }
+   }
+   if (importOptions.webpackExports !== undefined) 
{
+--- a/lib/javascript/JavascriptParser.js
 b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+   return EMPTY_COMMENT_OPTIONS;
+   }
+   let options = {};
++  /** @type {unknown[]} */
+   let errors = [];
+   for (const comment of comments) {
+   const { value } = comment;
+   if (value && webpackCommentRegExp.test(value)) {
+   // try compile only if webpack options comment 
is present
+   try {
+-  const val = 
vm.runInNewContext(`(function(){return {${value}};})()`);
+-  Object.assign(options, val);
++  for (let [key, val] of Object.entries(
++  
vm.runInNewContext(
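Review bot: this copy of the `JavascriptParser.js` hunk ends mid-statement at `vm.runInNewContext(`, so the part that should handle the values returned from the vm realm cannot be reviewed here; please attach the complete debdiff. In the two `ImportParserPlugin.js` hunks, replacing the `constructor.name !== "RegExp"` check with `instanceof RegExp` correctly stops accepting arbitrary objects that merely carry a constructor named "RegExp", but `instanceof` is also false for a genuine RegExp created in another realm, which is exactly where the magic-comment values come from (`vm.runInNewContext`). The truncated loop must therefore hand back host-realm values, or `webpackInclude` / `webpackExclude` stop working; confirm that in the full patch and add a test for it if the upstream commit carries one.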

Bug#1040680: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-openpgp-seek-b...@packages.debian.org
Control: affects -1 + src:node-openpgp-seek-bzip

[ Reason ]
src:node-openpgp-seek-bzip provides:
 * a Node.js module (node-openpgp-seek-bzip)
 * command-line scripts (seek-bzip)

This second package is unusable due to missing files and broken links.

[ Impact ]
/usr/bin/seek-bunzip and /usr/bin/seek-table are unusable

[ Tests ]
No changes

[ Risks ]
No risk, this just fixes the install

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Install missing /usr/share/nodejs/seek-bzip/bin files and fix links in
/usr/bin

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index daa35de..20dc0b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-openpgp-seek-bzip (1.0.5-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix seek-bzip install (Closes: #1040584)
+
+ -- Yadd   Sun, 09 Jul 2023 09:29:47 +0400
+
 node-openpgp-seek-bzip (1.0.5-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/nodejs/links b/debian/nodejs/links
index 0ff514c..6c89a6e 100644
--- a/debian/nodejs/links
+++ b/debian/nodejs/links
@@ -1,2 +1,2 @@
-@openpgp/seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
-@openpgp/seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
+seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
+seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
diff --git a/debian/seek-bzip.install b/debian/seek-bzip.install
index e772481..8bbbe8d 100644
--- a/debian/seek-bzip.install
+++ b/debian/seek-bzip.install
@@ -1 +1,2 @@
 usr/bin
+usr/share/nodejs/seek-bzip/bin

