Bug#1068862: ITP: node-microsoft-fast -- FAST monorepo, containing web component packages, tools, examples, and documentation
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-microsoft-fast
  Version : 0~20240320-1
  Upstream Contact: https://github.com/Microsoft/fast/issues
* URL : https://github.com/Microsoft/fast
* License : Expat
  Programming Lang: JavaScript
  Description : FAST monorepo, containing web component packages, tools, examples, and documentation

FAST is a collection of technologies built on Web Components and modern Web Standards, designed to help you efficiently tackle some of the most common challenges in website and application design and development.

* Create reusable UI components with `@microsoft/fast-element`, all based on W3C Web Component standards.
* Use `@microsoft/fast-foundation` library to rapidly build W3C OpenUI-based (https://open-ui.org/) design systems without re-implementing component logic.
* Leverage modern, W3C standards-based SSR for Web Components by plugging in `@microsoft/fast-ssr`.
* Bring all the pieces together to build SPAs and rich experiences with our Web Components router by installing `@microsoft/fast-router`.
* React users can drop in `@microsoft/fast-react-wrapper` to turn any Web Component into a native React component.
* Integrate FAST Web Components with any library, framework, or build system.

This monorepository will provide the following packages:
* node-microsoft-fast-colors
* node-microsoft-fast-element
* node-microsoft-fast-foundation
* node-microsoft-fast-react-wrapper
* node-microsoft-fast-router
* node-microsoft-fast-ssr
* node-microsoft-fast-web-utilities

This is required to update node-jupyterlab.
Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
On 4/5/24 15:58, Moritz Muehlenhoff wrote:
> On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
>> On 4/4/24 22:51, Moritz Mühlenhoff wrote:
>>> Source: apache2
>>> X-Debbugs-CC: t...@security.debian.org
>>> Severity: grave
>>> Tags: security
>>>
>>> Hi,
>>>
>>> The following vulnerabilities were published for apache2.
>>>
>>> CVE-2024-27316[0]:
>>> https://www.kb.cert.org/vuls/id/421644
>>> https://www.openwall.com/lists/oss-security/2024/04/04/4
>>>
>>> CVE-2024-24795[1]:
>>> https://www.openwall.com/lists/oss-security/2024/04/04/5
>>>
>>> CVE-2023-38709[2]:
>>> https://www.openwall.com/lists/oss-security/2024/04/04/3
>>>
>>> If you fix the vulnerabilities please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2024-27316
>>>     https://www.cve.org/CVERecord?id=CVE-2024-27316
>>> [1] https://security-tracker.debian.org/tracker/CVE-2024-24795
>>>     https://www.cve.org/CVERecord?id=CVE-2024-24795
>>> [2] https://security-tracker.debian.org/tracker/CVE-2023-38709
>>>     https://www.cve.org/CVERecord?id=CVE-2023-38709
>>>
>>> Please adjust the affected versions in the BTS as needed.
>>
>> Hi,
>>
>> I'm ready to push 2.4.59 into bookworm-security. Note that this includes
>> a test-framework update
>
> Target distribution needs to be bookworm-security, with that please upload.
> Can you also prepare the equivalent change for bullseye-security?
>
> The uploads can already happen, but let's keep the update unreleased until
> next week, then we can look for regressions reported in unstable (and check
> with Ondrej if we received reports based on his repo)
>
> Cheers,
>         Moritz

Both Bullseye and Bookworm uploaded. The Bullseye version also embeds a copyright fix
Bug#1066749: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1
Control: tags -1 + moreinfo

Hi,

I'm unable to reproduce this issue. Probably fixed elsewhere during the time_t transition
Bug#1064558: [Pkg-javascript-devel] Bug#1064558: node-leveldown: FTBFS on mips64el: not ok 1397 Error: batch(array) element must be an object and not `null`
On 2/24/24 13:10, Sebastian Ramacher wrote:
> Source: node-leveldown
> Version: 5.6.0+dfsg-4
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the past)
> X-Debbugs-Cc: sramac...@debian.org
>
> https://buildd.debian.org/status/fetch.php?pkg=node-leveldown=mips64el=5.6.0%2Bdfsg-4%2Bb1=1708632735=0
>
> not ok 1397 Error: batch(array) element must be an object and not `null`
>   ---
>     operator: error
>     stack: |-
>       Error: batch(array) element must be an object and not `null`
>           at AbstractLevelDOWN.batch (/usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:163:33)
>           at /<>/test/iterator-recursion-test.js:48:8
>           at /usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:41:5
>   ...
>
> Cheers

Hi Jérémy,

when trying to build on the mips64el porterbox, I got this:

make[1]: Entering directory '/home/yadd/node-leveldown'
node-gyp clean
node: error while loading shared libraries: libnode.so.108: cannot open shared object file: No such file or directory
make[1]: *** [debian/rules:18: override_dh_auto_clean] Error 127
make[1]: Leaving directory '/home/yadd/node-leveldown'
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
I closed this issue because:
- I dropped all bad .h files from install
- I added ABI flags to build
- cyrus-dev has no reverse dependencies

If I'm wrong, please reopen this issue

Cheers,
Yadd
Bug#1063908: [Debian-pan-maintainers] Bug#1063908: node-jupyter-widgets-{base, base-manager, control}: ships files already in python3-widgetsnbextension
On 2/14/24 20:26, Andreas Beckmann via Debian-pan-maintainers wrote:
> Package: node-jupyter-widgets-base,node-jupyter-widgets-base-manager,node-jupyter-widgets-controls
> Version: 6.0.7+~cs14.23.94-1
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> Hi,
>
> during a test with piuparts I noticed your package failed to install
> because it tries to overwrite other packages' files without declaring a
> Breaks+Replaces relation.
>
> See policy 7.6 at
> https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces
>
> From the attached log (scroll to the bottom...):
>
>   Preparing to unpack .../node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb ...
>   Unpacking node-jupyter-widgets-base (6.0.7+~cs14.23.94-1) ...
>   dpkg: error processing archive /var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb (--unpack):
>    trying to overwrite '/usr/share/nodejs/@jupyter-widgets/base/css/index.css', which is also in package python3-widgetsnbextension 8.1.1-2
>   Errors were encountered while processing:
>    /var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb

Hi,

why does python3-widgetsnbextension install an unusable node.js module into a nodejs directory?
Bug#1063824: zenmap should depends on python3-gi-cairo
Package: zenmap
Version: 7.94+git20230807.3be01efb1+dfsg-3
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when using zenmap, the "port" tab is broken unless python3-gi-cairo is installed:

TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Cheers,
Yadd
Bug#1061341: Fwd: Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
On 2/7/24 06:31, ellie timoney wrote:
> Hi Xavier,
>
> On Mon, 29 Jan 2024, at 9:59 AM, ellie timoney wrote:
>> On Thu, 25 Jan 2024, at 3:53 PM, Yadd wrote:
>>> yes there are other errors because some .h require unavailable .h like
>>> config.h
>>
>> Ooh interesting, I'll have a look
>
> I'm still working on this, but the more I work on it, the more of it turns
> out to need fixing...
>
> I think for now, it makes sense for you to proceed with the packaging
> changes assuming that 32 bit Cyrus will _not_ be ABI compatible when
> recompiled with 64 bit time_t.
>
> From the original email, I think that means you'll need to set up strict
> version dependencies between the cyrus-common, cyrus-admin and
> cyrus-clients packages, so that people can't partially upgrade and wind up
> with conflicts.
>
> Cheers,
>
> ellie

Hi,

dependencies are already strict (= ${binary:Version}).

To be able to render cyrus-dev headers compatible with the ABI test, I'll have to remove the following (missing config.h,...):

/usr/include/cyrus/bufarray.h
/usr/include/cyrus/charset.h
/usr/include/cyrus/command.h
/usr/include/cyrus/crc32.h
/usr/include/cyrus/cyr_qsort_r.h
/usr/include/cyrus/glob.h
/usr/include/cyrus/imapurl.h
/usr/include/cyrus/mappedfile.h
/usr/include/cyrus/procinfo.h
/usr/include/cyrus/rfc822tok.h
/usr/include/cyrus/sieve/sieve_err.h
/usr/include/cyrus/sieve/sieve_interface.h
/usr/include/cyrus/sqldb.h
/usr/include/cyrus/tok.h
/usr/include/cyrus/vparse.h
/usr/include/cyrus/wildmat.h
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
On 1/28/24 20:21, Steve Langasek wrote:
> On Tue, Jan 23, 2024 at 08:32:18AM +0400, Yadd wrote:
>> Control: tags -1 + moreinfo
>>
>> On 1/23/24 00:43, Steve Langasek wrote:
>>> Package: cyrus-common
>>> Version: 3.8.1-1
>>> Severity: serious
>>> User: debian-...@lists.debian.org
>>> Usertags: time-t
>>>
>>> Dear maintainers,
>>>
>>> Analysis of the archive for the 64-bit time_t transition[0][1] identifies
>>> cyrus-common as an affected package, on the basis that the headers could
>>> not be compiled and analyzed out of the box using
>>> abi-compliance-checker[2], so we have to assume it's affected. However,
>>> cyrus-common's shlibs file declares a dependency on a library package
>>> name that contains no ABI information:
>>
>> according to
>> https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt ,
>> this issue looks like a false-positive: test failed because of C error,
>> not bad report
>>
>> Am I right here ?
>
> We do not *know* that it's a false positive; we only know that we were
> unable to analyze the header files under a-c-c to prove that the ABI is
> not affected.
>
> Patches to the check-armhf-time_t script at
> https://salsa.debian.org/vorlon/armhf-time_t/-/blob/main/check-armhf-time_t?ref_type=heads
> to quirk this package and allow its headers to be analyzed, or changes to
> the source package to not ship uncompilable headers ("apt-file search
> lib/strarray.h" returns no results), would both be welcome.
>
> Thanks,

Hi,

is it possible to build a salsa-ci job to test this on i386 ?

Best regards,
Yadd
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
Control: tags -1 + moreinfo

On 1/23/24 00:43, Steve Langasek wrote:
> Package: cyrus-common
> Version: 3.8.1-1
> Severity: serious
> User: debian-...@lists.debian.org
> Usertags: time-t
>
> Dear maintainers,
>
> Analysis of the archive for the 64-bit time_t transition[0][1] identifies
> cyrus-common as an affected package, on the basis that the headers could
> not be compiled and analyzed out of the box using abi-compliance-checker[2],
> so we have to assume it's affected. However, cyrus-common's shlibs file
> declares a dependency on a library package name that contains no ABI
> information:

Hi,

according to https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt , this issue looks like a false-positive: test failed because of C error, not bad report

Am I right here ?

Best regards,
Xavier
Bug#1027859: Fwd: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
Control: tags -1 + wontfix

> Forwarded Message
> Subject: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
> Date: Wed, 17 Jan 2024 09:17:48 +
> From: Debian FTP Masters
> To: Yadd , Debian Javascript Maintainers javascript-de...@lists.alioth.debian.org>
>
>
> not in stable - belongs to sloppy

Update refused, so bug won't be fixed

Regards,
Yadd
Bug#1059829: Thank you
On 1/16/24 20:36, Georges Khaznadar wrote:
> Hello,
>
> Javascript/Npm are not my cup of tea; so, please receive many thanks about
> the help you provided to my poor packaging efforts.
>
> If node-html5-qrcode happens to be dfsg-free, which should be the right
> umbrella to host it on salsa.d.o? https://salsa.debian.org/js-team or
> https://salsa.debian.org/georgesk ?

Hi,

yes, I already pushed it to js-team/node-html5-qrcode. It is fixed now in it and ready to be pushed. Do you want me to push it ?

> I saw that you managed to let salsa's automaton pass 53 of the upstream
> tests, and I would like to learn such magics. Please have you some useful
> links about them?

Most JS Team packages use dh-sequence-nodejs. To start with it: https://wiki.debian.org/Javascript/Tutorial and then pkg-js-tools(7)

However, the changes I did here need a minimum knowledge of npm because the package doesn't follow exactly the common way (see dh_auto_install hook)

> Best regards, Georges.

Cheers,
Yadd
Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet
Package: python3-jupyterlab
Version: 4.0.9+ds1-1
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

the patch 0003-Use-system-provided-yarn.js.patch replaces missing yarn.js by node-corepack. Please keep in mind that node-corepack/../yarn.js is a wrapper that downloads yarnpkg from the Internet instead of using Debian's one.

Cheers,
Yadd
Bug#1060312: ITP: node-yarn-plugin-apt -- Yarn plugin to resolve dependencies from packages installed in apt
On 1/9/24 16:09, Uche wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Robinson Uchechukwu <mailto:estherchidinma...@gmail.com>
> X-Debbugs-CC: debian-de...@lists.debian.org
>
> * Package name : node-yarn-plugin-apt
>   Version : 1.0.0
>   Upstream Author : Debian JavaScript Team
> * URL : https://salsa.debian.org/js-team/yarn-plugin-apt
> * License : Expat
>   Programming Lang: JavaScript
>   Description : Yarn plugin to resolve dependencies from packages installed in apt
>
> This yarn plugin allows apt-installed packages to satisfy a nodejs
> project's dependencies.
>
> The package is a valuable addition to Debian because it facilitates the
> management of nodejs projects' dependencies by leveraging locally available
> apt-installed packages.
>
> Node.js is an event-based server-side JavaScript engine.

Hi,

take a look also at pkgjs-install and pkgjs-install-minimal

Best regards,
Yadd
Bug#1060152: python3-jupyterlab should provide jupyterlab
Package: python3-jupyterlab
Severity: normal
X-Debbugs-Cc: y...@debian.org

Hi,

python3-jupyterlab provides bin/jupyterlab, so it should "Provides: jupyterlab (= ${binary:Version})"
Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build
On 1/2/24 09:50, Yadd wrote:
> Package: node-html5-qrcode
> Version: 2.3.8+repack-3
> Severity: serious
> Justification: not-dfsg
> X-Debbugs-Cc: y...@debian.org
>
> node-html5-qrcode is built using "npm install" which downloads libraries
> from the Internet. This is totally out of DFSG.

For now, the --omit-dev avoids downloading anything until this package has dependencies, but npm still accesses the Internet for "audit".

Easy to fix: use "pkgjs-run build" instead of npm (and drop the build dependency on npm)

Second bug: the package is unusable because it is not installed correctly (that's probably why autopkgtest was disabled...); also third_party/ is missing in install

A fixed version of this package is available at https://salsa.debian.org/js-team/node-html5-qrcode
Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build
Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install" which downloads libraries from the Internet. This is totally out of DFSG.
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
On 12/30/23 00:58, Gudjon I. Gudjonsson wrote:
> Hi Yadd
>
> I did try to build Ovito with qwt 6.2 and it works with minor fixes to
> ovito. Ovito is compiled with Qt6 so you need to change your dependencies
> to qwt-qt6. I suggest that you build against the experimental version of
> libqwt-qt6-dev and I will try to get it into unstable as soon as possible.
>
> Regards
> Gudjon

Hi Gudjon,

thanks a lot, I'll try to build Ovito with qwt 6.2. Can you share the fix you wrote ?

Best regards,
Yadd
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
Hi Gudjon,

yes I'm trying to build ovito. You can find my temporary repository on g...@salsa.debian.org:yadd/ovito.git

Best regards,
Yadd
Bug#1059469: ITP: node-ipydatagrid -- Fast Datagrid widget for the Jupyter Notebook and JupyterLab
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-ipydatagrid
  Version : 1.2.0
  Upstream Contact: https://github.com/Bloomberg/ipydatagrid/issues
* URL : https://github.com/Bloomberg/ipydatagrid
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Fast Datagrid widget for the Jupyter Notebook and JupyterLab

node-ipydatagrid provides a fast Datagrid widget for the Jupyter Notebook and JupyterLab.

This package will be maintained under the Debian PAN Maintainers Team
Bug#1059336: ITP: node-html5-qrcode -- qr-code and bar-code scanning library for the web
On 12/22/23 22:58, Georges Khaznadar wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Georges Khaznadar
> X-Debbugs-Cc: debian-de...@lists.debian.org
>
> * Package name: node-html5-qrcode
>   Version : 2.3.8
>   Upstream Contact: https://github.com/mebjas/html5-qrcode/issues
> * URL : https://github.com/mebjas/html5-qrcode
> * License : Apache-2.0, GPL2
>   Programming Lang: nodejs, typescript
>   Description : qr-code and bar-code scanning library for the web
>
> Use this lightweight library to easily / quickly integrate QR code, bar
> code, and other common code scanning capabilities to your web application.
>
> So far, debian is missing a package to scan qrcodes and barcodes from a
> web page. I intend to maintain this package as a dependency for a future
> package SLM, school library management, which I am developing actively.
> This latter package allows students to find and recognize books inside a
> library by scanning a few qr-codes.
>
> The package node-html5-qrcode is uploaded to
> https://salsa.debian.org/georgesk/node-html5-qrcode.git

Hi,

your debian/rules uses npm to build instead of launching direct commands, but the worst is that you call "npm install" which imports files from the Internet; this is not compliant with policy.

Cheers,
Yadd
Bug#1058868: [Debichem-devel] Bug#1058868: gemmi: Please build shared library
Control: tags -1 + wontfix

On 12/19/23 12:43, Andrius Merkys wrote:
> Hi,
>
> On 2023-12-17 11:31, Yadd wrote:
>> currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to
>> build any software using gemmi-dev without static linking. The proposed
>> patch adds package libgemmi1 which contains the shared library.
>
> I looked into the shared library provided by gemmi v0.6.4 (newer upstream
> release than in your patch). This version of gemmi builds the shared
> library by default. However, the produced shared library does not carry a
> soversion, thus according to Debian principles it is not suitable to be
> packaged as public shared library, alas. Thus static linking is the only
> option for now.
>
> Best wishes,
> Andrius

Noted, thank you very much for your time!

Cheers,
Yadd
Bug#1058868: gemmi: Please build shared library
> I appreciate the idea and your patch, thanks for giving gemmi a look.
> However, I am hesitant to package gemmi shared library for Debian for
> now. The previous two releases had breaking API changes each. If
> upstream handles this properly and bumps the soversion, then this is
> fine, although having to undergo a transition twice a year is still
> quite some work. However, if the upstream does not maintain ABI
> stability inside the same soversion, then I would say the shared
> library is not yet ready for Debian.
>
> You have marked this bug as severity:important. Does this mean you
> need gemmi's shared library for some package?

Hi,

yes, I'm going to package ovito which depends on it. If the shared library isn't provided, cmake automatically uses libgemmi_cpp.a, which then embeds gemmi into ovito :-(

> I never had the need to manually trigger the ldconfig before. The
> issue might be the lack of 'Section: libs' in binary package
> description.

Maybe it's the issue

Best regards,
Yadd
Bug#1058868: gemmi: Please build shared library
Source: gemmi
Version: 0.6.3+ds-1
Severity: important
Tags: patch
X-Debbugs-Cc: y...@debian.org

Hi,

currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to build any software using gemmi-dev without static linking. The proposed patch adds package libgemmi1 which contains the shared library.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information

diff --git a/debian/control b/debian/control index 9f5e3d6..0490b00 100644 --- a/debian/control +++ b/debian/control @@ -28,6 +28,7 @@ Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, + libgemmi1 (= ${binary:Version}) Description: library for structural biology - executable Library for macromolecular crystallography and structural bioinformatics. For working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
@@ -38,11 +39,27 @@ Description: library for structural biology - executable . This package contains main gemmi executable. +Package: libgemmi1 +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Description: sharred library for structural biology + Library for macromolecular crystallography and structural bioinformatics. For + working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints + (monomer library), electron density maps (CCP4), and crystallographic + reflection data (MTZ, SF-mmCIF). It understands crystallographic symmetries, + it knows how to switch between the real and reciprocal space and it can do a + few other things. + . + This package contains main gemmi shared library. + Package: gemmi-dev Architecture: any Section: libdevel Depends: ${misc:Depends}, + libgemmi1 (= ${binary:Version}) Description: library for structural biology Library for macromolecular crystallography and structural bioinformatics. For working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints diff --git a/debian/gemmi-dev.install b/debian/gemmi-dev.install index 91a7942..7de1c21 100644 --- a/debian/gemmi-dev.install +++ b/debian/gemmi-dev.install @@ -1,2 +1,2 @@ usr/include/gemmi -usr/lib/${DEB_HOST_MULTIARCH} +usr/lib/${DEB_HOST_MULTIARCH}/cmake diff --git a/debian/libgemmi1.install b/debian/libgemmi1.install new file mode 100644 index 000..65440b7 --- /dev/null +++ b/debian/libgemmi1.install @@ -0,0 +1 @@ +usr/lib/${DEB_HOST_MULTIARCH}/*.so diff --git a/debian/libgemmi1.postinst b/debian/libgemmi1.postinst new file mode 100644 index 000..fb2c2d8 --- /dev/null +++ b/debian/libgemmi1.postinst @@ -0,0 +1,8 @@ +#!/bin/sh + +if [ "$1" = "triggered" ] || [ "$1" = "configure" ]; then + ldconfig -r "$DPKG_ROOT/" || ldconfig --verbose -r "$DPKG_ROOT/" + exit 0 +fi + +exit 0 diff --git a/debian/rules b/debian/rules index 8228c67..b3e31be 100755 --- a/debian/rules +++ b/debian/rules 
@@ -11,7 +11,7 @@ export DEB_CXXFLAGS_MAINT_APPEND = -fexcess-precision=fast # See #1042379 dh $@ --buildsystem cmake --with python3 override_dh_auto_configure: - dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF + dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF -DBUILD_SHARED_LIBS=ON override_dh_auto_test: dh_auto_build -- check
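Review bot: in the first debian/control hunk, the `libgemmi1 (= ${binary:Version})` line added under the gemmi executable's Depends duplicates what `${shlibs:Depends}`, one line above it, would generate from libgemmi1's shlibs file at build time; the strict `= ${binary:Version}` form is the usual one for the gemmi-dev stanza (the later hunk in the same file) but is not needed for the executable, where the shlibs-generated dependency is what should drive the versioning.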
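Review bot: the new libgemmi1 stanza lacks `Section: libs`, its synopsis has a typo ("sharred library"), and libgemmi1.install ships `usr/lib/${DEB_HOST_MULTIARCH}/*.so`, which is the unversioned development symlink that belongs in gemmi-dev next to the cmake files; a runtime library package should ship the versioned `*.so.*` only, and that presupposes a SONAME. The hand-written libgemmi1.postinst is also unnecessary: dh_makeshlibs adds the ldconfig trigger for packages that ship shared libraries, and a custom postinst with no `#DEBHELPER#` token discards every debhelper-generated snippet.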
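Review bot: the debian/rules hunk turns on `-DBUILD_SHARED_LIBS=ON`, but nothing in the patch checks what SONAME the resulting shared object carries, and the package name libgemmi1 encodes an ABI version that must match it; Andrius's reply earlier in this bug states that the 0.6.4 shared library has no soversion at all. Check with `objdump -p <path to the .so> | grep SONAME` on the built library before settling on a package name.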
Bug#1058864: ITP: ovito -- scientific data visualization and analysis software for particle-based simulations
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: ovito
  Version : 3.9.4
  Upstream Contact: https://gitlab.com/stuko/ovito/-/issues
* URL : https://www.ovito.org
* License : GPL-3 or Expat
  Programming Lang: C++
  Description : scientific data visualization and analysis software for particle-based simulations

OVITO is a scientific data visualization and analysis software for atomistic, molecular and other particle-based simulations.

This package is part of Jupyterlab ecosystem.
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
Package: libqwt-qt5-dev
Version: 6.1.4-2
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when trying to compile ovito, I got the following error (with a simple #include ):

/usr/include/qwt/qwt_plot_layout.h:84:51: error: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’ [-fpermissive]
   84 |                 const QRectF , Options options = 0x00 );
      |                                                   ^~~~
      |                                                   |
      |                                                   int
In file included from /usr/include/x86_64-linux-gnu/qt6/QtCore/qglobal.h:1401,
                 from /usr/include/x86_64-linux-gnu/qt6/QtCore/qcoreapplication.h:7,
                 from /usr/include/x86_64-linux-gnu/qt6/QtCore/QCoreApplication:1,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/core/Core.h:61,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/base/GUIBase.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/desktop/GUI.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/stdobj/gui/StdObjGui.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/obj-x86_64-linux-gnu/src/ovito/stdobj/gui/CMakeFiles/StdObjGui.dir/cmake_pch.hxx:5,
                 from :

Best regards,
Yadd

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqwt-qt5-dev depends on:
ii  libc6            2.37-12
ii  libgcc-s1        13.2.0-7
ii  libqt5core5a     5.15.10+dfsg-5
ii  libqt5designer5  5.15.10-5
ii  libqt5gui5       5.15.10+dfsg-5
ii  libqt5widgets5   5.15.10+dfsg-5
ii  libqwt-qt5-6     6.1.4-2
ii  libstdc++6       13.2.0-7

libqwt-qt5-dev recommends no packages.

libqwt-qt5-dev suggests no packages.

-- no debconf information
Bug#1058784: esbuild: [armel] install @esbuild/arm
Package: esbuild
Version: 0.19.8-1
Severity: serious
Tags: ftbfs patch
Justification: node-esbuild-unusable-on-armel
X-Debbugs-Cc: y...@debian.org

Hi,

my armel patch was wrong: the armel build uses @esbuild/arm, not @esbuild/armel. I fixed this in a merge request [MR4]

[MR4]: https://salsa.debian.org/go-team/packages/golang-github-evanw-esbuild/-/merge_requests/4
Bug#1058596: [Pkg-javascript-devel] Bug#1058596: yarnpkg broken on bookworm - yarnpkg --help fails with TypeError: commander.on is not a function
On 12/13/23 19:17, Praveen Arimbrathodiyil wrote:
> Control: fixed -1 1.22.19+~cs24.27.18-4
>
> On Wed, 13 Dec 2023 20:39:39 +0530 Pirate Praveen wrote:
>> We should backport the patches in unstable to bookworm as well.
>
> Updating the fixed info.

Hi,

since severity is grave, please prepare an update for stable also

Cheers,
Yadd
Bug#1058513: [Pkg-javascript-devel] Bug#1058513: node-signal-exit: FTBFS: SyntaxError: Cannot use import statement outside a module
Control: tags -1 + moreinfo

On 12/13/23 00:52, Lucas Nussbaum wrote:
> Source: node-signal-exit
> Version: 4.1.0-6
> Severity: serious
> Justification: FTBFS
> Tags: trixie sid ftbfs
> User: lu...@debian.org
> Usertags: ftbfs-20231212 ftbfs-trixie
>
> Hi,
>
> During a rebuild of all packages in sid, your package failed to build
> on amd64.
>
> Relevant part (hopefully):
>   make[1]: Entering directory '/<>'
>   tsc -p tsconfig.json
>   tsc -p tsconfig-esm.json
>   sh ./scripts/fixup.sh
>   #cp debian/index.cjs dist/cjs/
>   make[1]: Leaving directory '/<>'
>      dh_auto_test --buildsystem=nodejs
>   ln -s ../. node_modules/signal-exit
>   /bin/sh -ex debian/tests/pkg-js/test
>   + tap -T -R spec test/all-integration-test.ts test/signal-exit-test.ts
>   /<>/test/all-integration-test.ts:1
>   import assert from 'assert'
>   ^^

Hi,

I'm unable to reproduce this issue.
Bug#1058078: [Pkg-javascript-devel] Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from
Control: tags -1 + patch

On 12/12/23 09:59, Yadd wrote:
> Package: node-eslint-plugin-eslint-plugin
> Version: 2.3.0+~0.3.0-4
> Severity: serious
> Tags: ftbfs
> Justification: ftbfs
>
> Hi,
>
> when trying to reproduce the node-eslint-plugin-eslint-plugin build,
> sbuild fails. Below relevant logs:
>
>   eslint --format tap Xcomposer
>   TAP version 13
>   1..2
>   ok 1 - /<>/Xcomposer/lib/rule-composer.js
>   ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js
>   eslint --format tap . --ignore-pattern '!.*'
>
>   Oops! Something went wrong! :(
>
>   ESLint: 6.4.0.
>
>   ESLint couldn't find the config "not-an-aardvark/node" to extend from.
>
>   Please check that the name of the config is correct.
>
>   The config "not-an-aardvark/node" was referenced from the config file in
>   "/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".
>
>   If you still have problems, please stop by https://gitter.im/eslint/eslint
>   to chat with the team.
>
>   make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2

Hi Jonas,

this patch seems to fix the problem:

--- a/debian/rules +++ b/debian/rules @@ -35,7 +35,7 @@ override_dh_auto_build: $(DOCS) $(CHANGELOGS) override_dh_auto_test: $(ESLINT) Xcomposer - $(ESLINT) . --ignore-pattern '!.*' + $(ESLINT) . --ignore-pattern .pc $(MOCHA) --recursive Xcomposer/tests $(MOCHA) --recursive tests
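Review bot: the fix works mainly because it drops `'!.*'`, not because it adds `.pc`: the negated pattern un-ignored every dotfile and dot-directory, so ESLint walked into quilt's `.pc/` tree and loaded the pre-patch `.eslintrc.yml` there, which still extends `not-an-aardvark/node` and produces exactly the error quoted above. With the negation gone, ESLint 6's default ignore rules already skip dot-directories, so `--ignore-pattern .pc` is belt-and-braces; a one-line comment in debian/rules explaining why `'!.*'` must not come back would keep the next person from reintroducing the failure while trying to lint dotfiles.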
Bug#1058080: node-eslint-plugin-eslint-plugin: Please add this patch for node-ajv >= 8
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-3
Severity: important
Tags: ftbfs patch upstream
X-Debbugs-Cc: y...@debian.org

Hi,

here is a patch that updates the AJV schemas. It is compatible with current node-ajv 6 and node-ajv >= 8

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index e799068..317e5a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-4) UNRELEASED; urgency=medium + + * Team upload + + -- Yadd Tue, 12 Dec 2023 09:38:42 +0400 + node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-3) unstable; urgency=medium * add patch cherry-picked upstream diff --git a/debian/patches/2006_prepare-for-ajv-8.patch b/debian/patches/2006_prepare-for-ajv-8.patch new file mode 100644 index 000..669 --- /dev/null +++ b/debian/patches/2006_prepare-for-ajv-8.patch @@ -0,0 +1,27 @@ +Description: prepare for ajv 8 +Author: Yadd +Forwarded: no +Last-Update: 2023-12-12 + +--- a/lib/rules/meta-property-ordering.js b/lib/rules/meta-property-ordering.js +@@ -21,7 +21,7 @@ + fixable: 'code', + schema: [{ + type: 'array', +- elements: { type: 'string' }, ++ items: { type: 'string' }, + }], + }, + +--- a/lib/rules/test-case-property-ordering.js b/lib/rules/test-case-property-ordering.js +@@ -22,7 +22,7 @@ + fixable: 'code', + schema: [{ + type: 'array', +- elements: { type: 'string' }, ++ items: { type: 'string' }, + }], + }, + diff --git a/debian/patches/series b/debian/patches/series index 5eb779a..1de9aa5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ 2003_avoid_eslint-config-not-an-aardvark.patch 2004_avoid_eslint-config-airbnb-base.patch 2005_no-require-jsdoc.patch +2006_prepare-for-ajv-8.patch
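Review bot: the debian/changelog hunk records only "Team upload" and says nothing about the new 2006_prepare-for-ajv-8.patch; add a bullet naming the patch and what it fixes. The schema change itself is right: `elements` is not a JSON Schema keyword, ajv 6 silently ignored it while ajv 8 in strict mode rejects unknown keywords, and `items` is what both versions use to validate array members, so the rule options are actually validated now where before they were not. Since this is an upstream bug rather than a Debian-specific workaround, `Forwarded: no` in the DEP-3 header should become a link to an upstream PR or issue.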
Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce the node-eslint-plugin-eslint-plugin build, sbuild fails. Below relevant logs:

  eslint --format tap Xcomposer
  TAP version 13
  1..2
  ok 1 - /<>/Xcomposer/lib/rule-composer.js
  ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js
  eslint --format tap . --ignore-pattern '!.*'

  Oops! Something went wrong! :(

  ESLint: 6.4.0.

  ESLint couldn't find the config "not-an-aardvark/node" to extend from.

  Please check that the name of the config is correct.

  The config "not-an-aardvark/node" was referenced from the config file in
  "/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

  If you still have problems, please stop by https://gitter.im/eslint/eslint
  to chat with the team.

  make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2
Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8
On 12/8/23 03:59, Jonas Smedegaard wrote:
> Quoting Yadd (2023-12-07 14:37:31)
>> Control: tags -1 + patch
>>
>> On 12/7/23 15:52, Jérémy Lal wrote:
>>> On Thu, 7 Dec 2023 at 12:45, Yadd <mailto:y...@debian.org> wrote:
>>>> Package: eslint
>>>> Version: 6.4.0~dfsg+~6.1.9-7
>>>> Severity: important
>>>> Tags: ftbfs upstream
>>>>
>>>> Hi,
>>>>
>>>> eslint depends on node-ajv 6 and is incompatible with node-ajv 8
>>>> (available in the experimental branch). All is in lib/shared/ajv.js:
>>>> - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is
>>>>   no longer available
>>>> - eslint tries to set `ajv._opts.defaultMeta` which is
>>>>   `ajv.opts.defaultMeta` in node-ajv 8.
>>>>
>>>> Changing "ajv/lib/refs/json-schema-draft-04.json" to
>>>> "ajv/lib/refs/json-schema-draft-06.json" doesn't work.
>>>>
>>>> I tried this patch which looks to work but 27 tests fail (not the
>>>> good error string). It uses default ajv schemas.
>>>>
>>>> Help needed here ;-)
>>>
>>> I suppose you tried https://github.com/eslint/eslint/pull/13911/commits ?
>>
>> Thanks a lot Jérémy!
>>
>> Based on your suggestion, I succeeded in building a patch.
>>
>> @Jonas, do you agree if I push this to experimental ?
>
> If it succeeds the testsuite then by all means, go for it.

Hi,

sure, all tests pass now. Only error strings had to be updated

Cheers,
Yadd
Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8
Control: tags -1 + patch On 12/7/23 15:52, Jérémy Lal wrote: On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote: Package: eslint Version: 6.4.0~dfsg+~6.1.9-7 Severity: important Tags: ftbfs upstream Hi, eslint depends on node-ajv 6 and is incompatible with node-ajv 8 (available in the experimental branch). All is in lib/shared/ajv.js: - eslint requires 'ajv/lib/refs/json-schema-draft-04.json', which is no longer available - eslint tries to set `ajv._opts.defaultMeta`, which is `ajv.opts.defaultMeta` in node-ajv 8. Changing "ajv/lib/refs/json-schema-draft-04.json" to "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this patch, which looks to work, but 27 tests fail (not the right error string). It uses default ajv schemas. Help needed here ;-) I suppose you tried https://github.com/eslint/eslint/pull/13911/commits ? Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch. @Jonas, do you agree if I push this to experimental? Best regards, Yadd
diff --git a/debian/control b/debian/control index 10b6f6fc..35786a59 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: help2man , jq, mocha , - node-ajv , + node-ajv (>= 8) , node-babel-core (>= 7) , node-babel-loader (>= 7) , node-babel-preset-env (>= 7) , diff --git a/debian/patches/2012_fix-for-ajv-8.patch b/debian/patches/2012_fix-for-ajv-8.patch new file mode 100644 index ..f0a2d132 --- /dev/null +++ b/debian/patches/2012_fix-for-ajv-8.patch 
@@ -0,0 +1,351 @@ +Description: fix for node-ajv >= 8 +Author: Evgeny Poberezkin <https://github.com/epoberezkin> +Origin: upstream, https://github.com/eslint/eslint/pull/13911/files +Bug: https://github.com/eslint/eslint/issues/13888 +Bug-Debian: https://bugs.debian.org/1057707 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2023-12-07 + +--- a/conf/config-schema.js b/conf/config-schema.js +@@ -11,8 +11,7 @@ + globals: { type: "object" }, + overrides: { + type: "array", +-items: { $ref: "#/definitions/overrideConfig" }, +-additionalItems: false ++items: { $ref: "#/definitions/overrideConfig" } + }, + parser: { type: ["string", "null"] }, + parserOptions: { type: "object" }, +@@ -33,8 +32,7 @@ + { type: "string" }, + { + type: "array", +-items: { type: "string" }, +-additionalItems: false ++items: { type: "string" } + } + ] + }, +@@ -44,7 +42,6 @@ + { + type: "array", + items: { type: "string" }, +-additionalItems: false, + minItems: 1 + } + ] +--- a/lib/rule-tester/rule-tester.js b/lib/rule-tester/rule-tester.js +@@ -48,7 +48,7 @@ + { getRuleOptionsSchema, validate } = require("../shared/config-validator"), + { Linter, SourceCodeFixer, interpolate } = require("../linter"); + +-const ajv = require("../shared/ajv")({ strictDefaults: true }); ++const ajv = require("../shared/ajv")({ strictSchema: true }); + + const { SourceCode } = require("../source-code"); + +@@ -398,7 +398,7 @@ + + if (ajv.errors) { + const errors = ajv.errors.map(error => { +-const field = error.dataPath[0] === "." ? error.dataPath.slice(1) : error.dataPath; ++const field = error.instancePath[0] === "." ? 
error.instancePath.slice(1) : error.instancePath; + + return `\t${field}: ${error.message}`; + }).join("\n"); +--- a/lib/rules/array-element-newline.js b/lib/rules/array-element-newline.js +@@ -23,7 +23,6 @@ + }, + + fixable: "whitespace", +- + schema: [ + { + oneOf: [ +--- a/lib/rules/eqeqeq.js b/lib/rules/eqeqeq.js +@@ -43,8 +43,7 @@ + }, + additionalProperties: false + } +-], +-additionalItems: false ++] + }, + { + type: "array", +@@ -52,8 +51,7 @@ + { + enum: ["smart", "allow-null"] + } +-], +-additionalItems: false ++] +
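Review bot: in the rule-tester.js hunk, the `error.instancePath[0] === "."` test is dead code under Ajv 8, because `instancePath` is a JSON pointer that begins with "/" rather than the dot-notation `dataPath` it replaces; the reported field therefore keeps a leading slash, so either strip the "/" there or accept the new form in the expected test strings. Dropping `additionalItems: false` next to a single-schema `items` in config-schema.js and eqeqeq.js is safe, since a non-tuple `items` already constrains every element and Ajv 8's strict mode rejects `additionalItems` without tuple `items`. The `strictDefaults` to `strictSchema` rename in rule-tester.js matches the Ajv 8 option set, but note that `strictSchema` is already the default there, so the option now only documents intent.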
Bug#1057707: eslint is incompatible with node-ajv >= 8
Package: eslint Version: 6.4.0~dfsg+~6.1.9-7 Severity: important Tags: ftbfs upstream Hi, eslint depends on node-ajv 6 and is incompatible with node-ajv 8 (available in the experimental branch). All is in lib/shared/ajv.js: - eslint requires 'ajv/lib/refs/json-schema-draft-04.json', which is no longer available - eslint tries to set `ajv._opts.defaultMeta`, which is `ajv.opts.defaultMeta` in node-ajv 8. Changing "ajv/lib/refs/json-schema-draft-04.json" to "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this patch, which looks to work, but 27 tests fail (not the right error string). It uses default ajv schemas. Help needed here ;-)
--- a/lib/shared/ajv.js +++ b/lib/shared/ajv.js @@ -8,8 +8,7 @@ // Requirements //-- -const Ajv = require("ajv"), -metaSchema = require("ajv/lib/refs/json-schema-draft-04.json"); +const Ajv = require("ajv"); //-- // Public Interface @@ -17,6 +16,7 @@ module.exports = (additionalOptions = {}) => { const ajv = new Ajv({ +strict: false, meta: false, useDefaults: true, validateSchema: false, @@ -26,9 +26,5 @@ ...additionalOptions }); -ajv.addMetaSchema(metaSchema); -// eslint-disable-next-line no-underscore-dangle -ajv._opts.defaultMeta = metaSchema.id; - return ajv; };
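Review bot: `strict: false` in the `new Ajv({...})` hunk switches off every Ajv 8 strict-mode check (unknown keywords, `additionalItems` without tuple `items`, unconstrained union types) for all rule option schemas at once, so a typo in a rule's schema would be silently ignored rather than reported; prefer keeping strict mode and fixing the handful of schemas that trigger it. With the draft-04 meta-schema gone and `meta: false` plus `validateSchema: false` still in place, option schemas are no longer validated against any draft at all, which is worth stating in the patch description.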
Bug#1056705: node-mqtt: Missing dependency to node-lru-cache
Package: node-mqtt Version: 4.3.7-2 Severity: serious Tags: patch Justification: Failure X-Debbugs-Cc: y...@debian.org Hi, the node-mqtt autopkgtest shows that this package requires node-lru-cache; however, it is not listed in debian/control, so the package starts to fail when one of its dependencies no longer depends on node-lru-cache. Best regards, Yadd Ref: https://ci.debian.net/data/autopkgtest/testing/amd64/n/node-mqtt/40126282/log.gz
Bug#1056334: [Pkg-javascript-devel] Bug#1056334: node-ast-types: autopkgtest failure
Control: tags -1 + moreinfo On 11/21/23 12:28, Gianfranco Costamagna wrote: Source: node-ast-types Version: 0.16.1-2 Severity: serious Hello, according to ci, the package autopkgtests look to be failing. https://ci.debian.net/packages/n/node-ast-types/unstable/amd64/39617621/ 66s autopkgtest [20:34:26]: test pkg-js-autopkgtest: [--- 66s # Using ./package.(json|yaml) 66s # Node module name is ast-types 66s # Build files found: tsconfig.json 66s # Test files found: 66s # Found debian/tests/pkg-js/files, let's use it 66s # Files/dir to be installed from source: src 66s test 66s tsconfig* 66s ls: cannot access 'test': No such file or directory This is strange: it seems that the test isn't launched from the source directory (which has a test subdir) 66s # Copy debian/tests/pkg-js content 66s 'debian/tests/pkg-js' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js' 66s 'debian/tests/pkg-js/test' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/test' 66s 'debian/tests/pkg-js/files' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/files' 66s Found debian/tests/test_modules 66s # let's copy it 66s Found debian/nodejs/extlinks 67s @babel/parser linked into node_modules 67s @babel/types linked into node_modules 68s tslib linked into node_modules 68s @types/esprima linked into node_modules 69s @types/estree linked into node_modules 69s @types/glob linked into node_modules 70s @types/mocha linked into node_modules 70s # Searching module in /usr/lib/nodejs/ast-types 70s # Searching module in /usr/lib/*/nodejs/ast-types 70s # Searching module in /usr/share/nodejs/ast-types 70s # Found /usr/share/nodejs/ast-types 70s # Searching files to link in /usr/share/nodejs/ast-types 70s # Launch debian/tests/pkg-js/test with sh -ex 70s + test /tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp != 70s + rm -rf lib 70s + tsc 70s Version 4.8.4 70s tsc: The TypeScript Compiler - 
Version 4.8.4 70s 70s COMMON COMMANDS The "copy" part of pkg-js-autopkgtest failed, so "tsconfig.json" is missing and tsc displays this.
Bug#1055525: cryptojs: CVE-2023-46233
Hi, this bug is still unfixed even though the patch is trivial. Here is a template for an update:
diff --git a/debian/changelog b/debian/changelog index 558cbac..849d0f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium + + * Change default hash algorithm and iteration's for PBKDF2 +(Closes: #1055525) + + -- Yadd Thu, 16 Nov 2023 10:53:45 +0400 + cryptojs (3.1.2+dfsg-3) unstable; urgency=medium * Add upstream metadata. diff --git a/debian/patches/CVE-2023-46233.patch b/debian/patches/CVE-2023-46233.patch new file mode 100644 index 000..c321f49 --- /dev/null +++ b/debian/patches/CVE-2023-46233.patch @@ -0,0 +1,38 @@ +Description: Change default hash algorithm and iteration's for PBKDF2 + to prevent weak security by using the default configuration +Author: evanvosberg +Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538 +Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf +Bug-Debian: https://bugs.debian.org/1055525 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2023-11-16 + +--- a/components/pbkdf2.js b/components/pbkdf2.js +@@ -11,7 +11,7 @@ + var Base = C_lib.Base; + var WordArray = C_lib.WordArray; + var C_algo = C.algo; +-var SHA1 = C_algo.SHA1; ++var SHA256 = C_algo.SHA256; + var HMAC = C_algo.HMAC; + + /** +@@ -22,13 +22,13 @@ + * Configuration options. + * + * @property {number} keySize The key size in words to generate. Default: 4 (128 bits) +- * @property {Hasher} hasher The hasher to use. Default: SHA1 ++ * @property {Hasher} hasher The hasher to use. Default: SHA256 + * @property {number} iterations The number of iterations to perform. Default: 1 + */ + cfg: Base.extend({ + keySize: 128/32, +-hasher: SHA1, +-iterations: 1 ++hasher: SHA256, ++iterations: 25 + }), + + /** diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4fdeacb --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1 @@ +CVE-2023-46233.patch
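Review bot: the `iterations: 25` default in the components/pbkdf2.js hunk is still orders of magnitude below current guidance for PBKDF2 (hundreds of thousands of iterations with HMAC-SHA-256), so the change removes the trivially weak default without making the default strong, and callers should still be told to pass an explicit iteration count. Because the hasher and the iteration count change together, any existing caller that relied on the defaults will derive a different key from the same password and salt after this update; the d/changelog entry should flag that behaviour change, and should read "iterations" rather than "iteration's".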
Bug#1056014: cryptojs: Library no more maintained, please keep out of next Debian stable
Source: cryptojs Severity: serious Tags: security upstream Justification: security X-Debbugs-Cc: y...@debian.org, Debian Security Team Hi, according to https://github.com/brix/crypto-js#readme it seems that cryptojs is no longer maintained. I just dropped the only reverse dependency, so cryptojs can be safely removed from Debian.
Bug#1054853: node-katex: FTBFS: TypeError: Cannot read properties of undefined (reading '.cjs')
Control: reassign -1 node-postcss-loader Control: affects -1 node-katex Control: found -1 7.3.3-1 It seems that node-postcss-loader 7.3.3 needs node-cosmiconfig 8 and "jiti".
Bug#1055480: ITP: libwebservice-s3-tiny-perl -- Perl module for using S3 or compatible APIs
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org * Package name: libwebservice-s3-tiny-perl Version : 0.003 Upstream Contact: James Raspass * URL : https://metacpan.org/release/WebService-S3-Tiny * License : Artistic or GPL-1+ (and part under Apache-2.0) Programming Lang: Perl Description : Perl module for using S3 or compatible APIs WebService::S3::Tiny is a little Perl module for using any S3 or compatible APIs. It will be maintained under the Perl Team umbrella.
Bug#1054432: Not a bug
Control: severity -1 wishlist Files are readable
Bug#1054667: [Pkg-javascript-devel] Bug#1054667: node-browserify-sign: CVE-2023-46234
On 10/27/23 20:20, Moritz Mühlenhoff wrote: Source: node-browserify-sign X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for node-browserify-sign. CVE-2023-46234[0]: | browserify-sign is a package to duplicate the functionality of | node's crypto public key functions, much of this is based on Fedor | Indutny's work on indutny/tls.js. An upper bound check issue in | `dsaVerify` function allows an attacker to construct signatures that | can be successfully verified by any public key, thus leading to a | signature forgery attack. All places in this project that involve | DSA verification of user-input signatures will be affected by this | vulnerability. This issue has been patched in version 4.2.2. https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-46234 https://www.cve.org/CVERecord?id=CVE-2023-46234 Please adjust the affected versions in the BTS as needed. Hi, please find attached the debdiff for Bookworm Kind regards, Yadd
diff --git a/debian/changelog b/debian/changelog index 5e3404f..c421503 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high + + * Team upload + * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234) + + -- Yadd Sat, 28 Oct 2023 12:03:04 +0400 + node-browserify-sign (4.2.1-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-46234.patch b/debian/patches/CVE-2023-46234.patch new file mode 100644 index 000..152fd72 --- /dev/null +++ b/debian/patches/CVE-2023-46234.patch 
@@ -0,0 +1,68 @@ +Description: properly check the upper bound for DSA signatures +Author: roadicing +Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6 +Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw +Bug-Debian: https://bugs.debian.org/1054667 +Forwarded: not-needed +Applied-Upstream: 4.2.2, commit: 85994cd6 +Reviewed-By: Yadd +Last-Update: 2023-10-28 + +--- a/browser/verify.js b/browser/verify.js +@@ -78,7 +78,7 @@ + + function checkValue (b, q) { + if (b.cmpn(0) <= 0) throw new Error('invalid sig') +- if (b.cmp(q) >= q) throw new Error('invalid sig') ++ if (b.cmp(q) >= 0) throw new Error('invalid sig') + } + + module.exports = verify +--- a/test/index.js b/test/index.js +@@ -4,6 +4,8 @@ + var nCrypto = require('crypto') + var bCrypto = require('../browser') + var fixtures = require('./fixtures') ++var BN = require('bn.js') ++var parseKeys = require('parse-asn1') + + function isNode10 () { + return parseInt(process.version.split('.')[1], 10) <= 10 +@@ -100,6 +102,35 @@ + t.end() + }) + } ++ ++ var s = parseKeys(pub).data.q; ++ test( ++f.message + ' against a fake signature', ++{ skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' }, ++function (t) { ++ var messageBase64 = Buffer.from(f.message, 'base64'); ++ ++ // forge a fake signature ++ var r = new BN('1'); ++ ++ try { ++var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der'); ++ } catch (e) { ++t.ifError(e); ++t.end(); ++return; ++ } ++ ++ var bVer = bCrypto.createVerify(f.scheme); ++ t['throws']( ++function () { bVer.update(messageBase64).verify(pub, fakeSig); }, ++Error, ++'fake signature is invalid' ++ ); ++ ++ t.end(); ++} ++ ); + }) + + fixtures.valid.kvectors.forEach(function (f) { diff --git a/debian/patches/series b/debian/patches/series index 8aafdeb..86ff972 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1 +1,2 @@ drop-rmd160-support.patch +CVE-2023-46234.patch
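Review bot: the browser/verify.js hunk is the right fix: `b.cmp(q)` returns -1, 0 or 1, so comparing that result against the BN `q` could never be true and the upper bound was never enforced, whereas `>= 0` now rejects any r or s that is not strictly below q. In the test/index.js hunk, `asn1.signature.encode(...)` relies on an `asn1` binding that the visible `+` lines do not introduce (only `BN` and `parseKeys` are added), so confirm it is already required earlier in the file; the added lines also end in semicolons where the surrounding test code does not.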
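To make the bound check concrete, the following is an added example, not browserify-sign's own code: it uses BigInt in place of bn.js, keeps bn.js's `cmp()` contract of returning -1, 0 or 1, and runs the pre-fix and post-fix forms of `checkValue` over the boundary values 0, 1, q-1, q and q+1. The modulus `SAMPLE_Q` is a constructed value, not a real DSA parameter.

```javascript
// Added example, not code from browserify-sign. BigInt stands in for bn.js, and
// cmp() keeps BN#cmp()'s -1/0/1 contract so the two checks read like the
// original verify.js lines. DSA requires 0 < r < q and 0 < s < q.
function cmp(a, b) {
  if (a < b) return -1;
  if (a > b) return 1;
  return 0;
}

// Check as it was before the fix. The -1/0/1 result is compared with q itself:
// for any q > 1 that comparison is never true, so values >= q pass unnoticed.
function checkValueBuggy(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig'); // never throws for q > 1
}

// Check after the fix: the comparison result is tested against 0, so any
// value equal to or above q is rejected.
function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0) throw new Error('invalid sig');
  if (cmp(b, q) >= 0) throw new Error('invalid sig');
}

// true if the check accepts the value, false if it throws.
function accepts(check, b, q) {
  try {
    check(b, q);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed 160-bit modulus for the demonstration (not a real DSA q).
const SAMPLE_Q = (1n << 159n) + 7n;

// Run both checks over the boundary values and report which ones each version
// accepts. Keys: zero, one, qMinusOne, q, qPlusOne.
function compareChecks(q = SAMPLE_Q) {
  const probes = { zero: 0n, one: 1n, qMinusOne: q - 1n, q: q, qPlusOne: q + 1n };
  const report = {};
  for (const [name, value] of Object.entries(probes)) {
    report[name] = {
      buggy: accepts(checkValueBuggy, value, q),
      fixed: accepts(checkValueFixed, value, q),
    };
  }
  return report;
}

// Stand-alone run: q and q+1 are accepted only by the old check.
console.table(compareChecks());
```

The table shows the defect in one glance: the old check rejects 0 but lets q and q+1 through, while the fixed check accepts exactly the open interval (0, q).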
Bug#1054175: Closing: not a bug
Control: close -1 Control: notfound -1 2.0.0-2 Closing: unable to reproduce
Bug#1054443: node-graphql: website is built with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:21, Bastien Roucariès wrote: Source: node-graphql Version: 16.8.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2 You should repack or package docusaurus and rebuild Bastien No unreadable files here
Bug#1054435: [Pkg-javascript-devel] Bug#1054435: node-react-redux: website is built with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:08, Bastien Roucariès wrote: Source: node-react-redux Version: 8.1.2+dfsg1+~cs1.2.3-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054439: [Pkg-javascript-devel] Bug#1054439: node-rjsf: website is built with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:15, Bastien Roucariès wrote: Source: node-rjsf Version: 5.6.2+~5.0.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54 You should repack or package docusaurus and rebuild Bastien No unreadable files here
Bug#1054439: node-rjsf: website is built with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:15, Bastien Roucariès wrote: Source: node-rjsf Version: 5.6.2+~5.0.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54 You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054441: node-ts-jest: website is built with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:18, Bastien Roucariès wrote: Source: node-ts-jest Version: 29.1.1+~cs0.2.6-2 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/ You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054434: [Pkg-javascript-devel] Bug#1054434: Bug#1054434: node-redux: website is built with Docusaurus not packaged for debian
On 10/24/23 06:25, Yadd wrote: Control: tags -1 + moreinfo On 10/23/23 23:07, Bastien Roucariès wrote: Source: node-redux Version: 4.2.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien Hello, the docs directory contains only .md files, totally readable. What is the serious bug here? Also in the website/ directory: no unreadable file, no serialized files,... Do we have to consider html files as having no source because they were written with a non-free tool?
Bug#1054434: [Pkg-javascript-devel] Bug#1054434: node-redux: website is built with Docusaurus not packaged for debian
Control: tags -1 + moreinfo On 10/23/23 23:07, Bastien Roucariès wrote: Source: node-redux Version: 4.2.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien Hello, the docs directory contains only .md files, totally readable. What is the serious bug here?
Bug#1054167: [Pkg-javascript-devel] Bug#1054167: ftbfs: AssertionError in tests
Control: severity -1 important Hi, not really a serious bug since it exists only when using a color term. Fixed anyway in version 2.0.0-4 Cheers, Yadd
Bug#1054175: [Pkg-javascript-devel] Bug#1054175: node-require-main-filename: failing dh_auto_test
Control: tags -1 + moreinfo On 10/18/23 20:27, Tianyu Chen wrote: Source: node-require-main-filename Version: 2.0.0-2 Severity: serious Tags: ftbfs Justification: fails to build from source X-Debbugs-Cc: sweetyf...@deepin.org Hi, During a rebuild of your package in unstable, your package fails to build from source. Full log can be accessed at: https://build.opensuse.org/package/live_build_log/home:utsweetyfish:node-202309/node-require-main-filename/Debian_Unstable/aarch64 Tail of log for your package: # Subtest: should default to process.cwd() if require.main is undefined not ok 1 - expected '/usr/src/packages/BUILD' to match /(?:.*autopkgtest.*|require-main-filename)/ --- [...] 1..1 # failed 1 test # time=95.325ms not ok 1 - test.js # time=95.325ms --- env: {} file: test.js timeout: 3 command: /usr/bin/node args: - test.js stdio: - 0 - pipe - 2 cwd: /usr/src/packages/BUILD exitCode: 1 ... 1..1 # failed 1 test # time=1113.041ms --|-|--|-|-|--- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s --|-|--|-|-|--- All files | 100 | 100 | 100 | 100 | index.js | 100 | 100 | 100 | 100 | --|-|--|-|-|--- dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1 make: *** [debian/rules:8: binary] Error 25 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 Thanks! Tianyu Chen @ deepin Hi, I'm not able to reproduce this issue
Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-und...@packages.debian.org Control: affects -1 + src:node-undici [ Reason ] node-undici doesn't clear Cookie and Host headers on cross-origin redirect. [ Impact ] Medium security issue [ Tests ] No new test here [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Drop headers Host/Cookie unless same-origin Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 92c0de8..168ee34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium + + * Delete cookie and host headers on cross-origin redirect +(Closes: #1053879, CVE-2023-45143) + + -- Yadd Fri, 13 Oct 2023 22:14:45 +0400 + node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium * Fix security issues (Closes: #1031418): diff --git a/debian/patches/CVE-2023-45143.patch b/debian/patches/CVE-2023-45143.patch new file mode 100644 index 000..c196bd2 --- /dev/null +++ b/debian/patches/CVE-2023-45143.patch 
@@ -0,0 +1,24 @@ +Description: delete 'cookie' and 'host' headers on cross-origin redirect +Author: Khafra +Origin: upstream, https://github.com/nodejs/undici/commit/e041de35 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g + https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp +Bug-Debian: https://bugs.debian.org/1053879 +Forwarded: not-needed +Applied-Upstream: 5.26.2, commit:e041de35 +Reviewed-By: Yadd +Last-Update: 2023-10-13 + +--- a/lib/fetch/index.js b/lib/fetch/index.js +@@ -1204,6 +1204,10 @@ + if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') ++ ++// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. ++request.headersList.delete('cookie') ++request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return diff --git a/debian/patches/series b/debian/patches/series index ce1440a..297000a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ drop-ssl-tests.patch CVE-2023-23936.patch CVE-2023-24807.patch update-httpbin.org-test-timeout.patch +CVE-2023-45143.patch
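Review bot: [ Tests ] says no test is added, yet the lib/fetch/index.js hunk is straightforward to cover with a regression test (a request to one origin answered with a 302 to a second origin, asserting that the follow-up request carries neither a cookie nor a host header); consider carrying the upstream test with the patch. The two `delete` calls sit inside the existing `!sameOrigin(...)` guard beside the `authorization` delete, so same-origin redirects keep their cookies, which is the intended behaviour; a scheme or port change counts as a different origin and strips them as well.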
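The "drop Host/Cookie unless same-origin" rule from the [ Changes ] section, as an added example that is not undici's code: it models request headers as a plain object, uses Node's built-in `URL` class for the origin comparison, and walks a constructed redirect chain so the same-origin and cross-origin hops can be compared side by side. The header set `STRIP_ON_CROSS_ORIGIN` and the helper names are choices made for this example.

```javascript
// Added example, not undici's code: the request-header hygiene a fetch client
// needs when it follows a redirect, as described for CVE-2023-45143. Headers
// are a plain object keyed by lower-cased name; URL is Node's built-in class.

// Two URLs share an origin when scheme, host and port all match, which is what
// the URL class's .origin property encodes ("null" for non-special schemes).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// 'authorization' is the CORS non-wildcard request-header name the Fetch spec
// strips on a cross-origin redirect; 'cookie' and 'host' are forbidden request
// headers that a library allowing callers to set them must strip itself.
const STRIP_ON_CROSS_ORIGIN = ['authorization', 'cookie', 'host'];

// Headers to send on the redirected request: everything survives a same-origin
// hop, the three sensitive names are dropped on a cross-origin hop.
function headersForRedirect(currentUrl, locationUrl, headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  if (!sameOrigin(currentUrl, locationUrl)) {
    for (const name of STRIP_ON_CROSS_ORIGIN) delete out[name];
  }
  return out;
}

// Walk a chain of Location values (absolute or relative, as a server may send
// either) and return the final URL and the header set that would reach it.
function followRedirects(startUrl, locations, headers) {
  let current = startUrl;
  let hdrs = headersForRedirect(current, current, headers); // normalises names only
  for (const loc of locations) {
    const next = new URL(loc, current).href;
    hdrs = headersForRedirect(current, next, hdrs);
    current = next;
  }
  return { url: current, headers: hdrs };
}

// Constructed sample request for the demonstration.
const SAMPLE_HEADERS = {
  Host: 'api.example',
  Cookie: 'session=abc123',
  Authorization: 'Bearer t0ken',
  Accept: 'application/json',
};

// Stand-alone run: a same-origin hop followed by a cross-origin one.
console.log(followRedirects('https://api.example/login', ['/next', 'https://cdn.example/asset'], SAMPLE_HEADERS));
```

Once a hop has crossed an origin the sensitive headers are gone for good, even if a later hop returns to the first origin; that is the conservative choice, since the client no longer knows what the intermediate server saw.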
Bug#1053782: RFP: node-vite -- Next Generation Frontend Tooling
On 10/11/23 10:30, Andrius Merkys wrote: Package: wnpp Severity: wishlist X-Debbugs-Cc: debian-de...@lists.debian.org Control: block 1042095 by -1 * Package name : node-vite Version : 4.4.11 Upstream Author : Evan You * URL : https://github.com/vitejs/vite * License : Expat Programming Lang: JavaScript Description : Next Generation Frontend Tooling Vite is a frontend build tool, including development server and build command bundling code with Rollup, pre-configured to output optimized static assets for production. Vite is needed to produce CSS and JS files for sphinx-press-theme. An estimate of work needed to package Vite: $ npm2deb depends vite Dependencies: NPM Debian vite (4.4.11) None ├─ esbuild (^0.18.10) None ├─ fsevents (~2.3.2) None ├─ postcss (^8.4.27) node-postcss (8.4.20+~cs8.0.23-1) └─ rollup (^3.27.1) node-rollup (3.28.0-2) Build dependencies: NPM Debian @ampproject/remapping (^2.2.1) node-ampproject-remapping (2.2.0+~cs5.15.37-1) @babel/parser (^7.22.7) None @babel/types (^7.22.5) node-babel (6.26.0+repack-3~bpo10+1) @jridgewell/trace-mapping (^0.3.18) None @rollup/plugin-alias (^4.0.4) node-rollup-plugin-alias (5.0.0~ds-1) @rollup/plugin-commonjs (^25.0.3) node-rollup-plugin-commonjs (25.0.4+ds1-1) @rollup/plugin-dynamic-import-vars (^2.0.4) None @rollup/plugin-json (^6.0.0) node-rollup-plugin-json (6.0.0+ds1-2) @rollup/plugin-node-resolve (15.1.0) node-rollup-plugin-node-resolve (15.1.0+ds-1) @rollup/plugin-typescript (^11.1.2) node-rollup-plugin-typescript (11.1.2~ds+~1.0.1-1) @rollup/pluginutils (^5.0.2) node-rollup-pluginutils (5.0.2~ds+~2.8.2-1) @types/escape-html (^1.0.2) None @types/pnpapi (^0.0.2) None acorn (^8.10.0) acorn (8.8.1+ds+~cs25.17.7-2) acorn-walk (^8.2.0) None cac (^6.7.14) None chokidar (^3.5.3) node-chokidar (3.5.3-2) connect (^3.7.0) node-connect (3.7.0+~3.4.35-1) connect-history-api-fallback (^2.0.0) None convert-source-map (^2.0.0) node-convert-source-map (1.9.0+~1.5.2-1) cors (^2.8.5) node-cors (2.8.5-1) cross-spawn 
(^7.0.3) node-cross-spawn (5.1.0-2) debug (^4.3.4) node-debug (4.3.4+~cs4.1.7-1) dep-types (link:./src/types) None dotenv (^16.3.1) None dotenv-expand (^9.0.0) None es-module-lexer (^1.3.0) node-es-module-lexer (1.1.0+dfsg-2) escape-html (^1.0.3) node-escape-html (1.0.3+~1.0.2-2) estree-walker (^3.0.3) node-estree-walker (2.0.2-5) etag (^1.8.1) node-etag (1.8.1-3) fast-glob (^3.3.1) None http-proxy (^1.18.1) node-http-proxy (1.18.1-8) json-stable-stringify (^1.0.2) node-json-stable-stringify (1.0.2+repack1+~cs1.0.34-2) launch-editor-middleware (^2.6.0) None lightningcss (^1.21.5) None magic-string (^0.30.2) node-magic-string (0.30.1-1) micromatch (^4.0.5) node-micromatch (4.0.5+~4.0.2-1) mlly (^1.4.0) None mrmime (^1.0.1) None okie (^1.0.1) None open (^8.4.2) node-open (8.4.0-6) parse5 (^7.1.2) node-parse5 (7.1.2+dfsg-2) periscopic (^3.1.0) None picocolors (^1.0.0) node-picocolors (1.0.0-4) picomatch (^2.3.1) node-anymatch (3.1.3+~cs4.6.1-2) postcss-import (^15.1.0) None postcss-load-config (^4.0.1) node-postcss-load-config (2.1.2+~cs6.0.0-1) postcss-modules (^6.0.0) node-postcss-modules (6.0.0+~cs5.1.3-2) resolve.exports (^2.0.2) None rollup-plugin-license (^3.0.1) None sirv (^2.0.3) None source-map-support (^0.5.21) node-source-map-support (0.5.21+ds+~0.5.4-1) strip-ansi (^7.1.0) node-strip-ansi (6.0.1-2) strip-literal (^1.3.0) None tsconfck (^2.1.2) None tslib (^2.6.1)
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
On 10/8/23 16:10, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 10/8/23 16:04, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2
On 10/8/23 16:03, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
On 10/8/23 15:55, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org Control: affects -1 + src:lemonldap-ng [ Reason ] Two new vulnerabilities have been discovered and fixed in lemonldap-ng: - an open redirection due to incorrect escape handling - an open redirection only when the configuration is edited by hand and doesn't follow OIDC specifications - a server-side request forgery (CVE-2023-44469) in the OIDC protocol: a little-known feature of OIDC allows the OpenID Provider to fetch the Authorization request parameters itself by indicating a request_uri parameter. This feature is now restricted to a white list using this patch. [ Impact ] Two low and one medium security issue. [ Tests ] Patches include test updates. [ Risks ] Outside of test changes, patches are not so big and the test coverage provided by upstream is good, so risk is moderate. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] - open redirection patch: use `URI->new($url)->as_string` in each redirection - OIDC open redirection patch: just reject requests with `redirect_uri` if the relying party configuration has no declared redirect URIs. - SSRF patch: * add a new configuration parameter to list authorized "request_uris" * change the algorithm that manages the request_uri parameter Cheers, Yadd
diff --git a/debian/NEWS b/debian/NEWS index c4d7ee951..ba4a14a12 100644 --- a/debian/NEWS +++ b/debian/NEWS 
@@ -1,3 +1,13 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:38:51 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium AuthBasic now enforces 2FA activation (CVE-2023-28862): diff --git a/debian/changelog b/debian/changelog index 5d2c62ac0..35d5599a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix open redirection due to incorrect escape handling + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 16:35:14 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862) @@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium - * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) + * Fix auth process in password-testing plugins (Closes: #1005302, CVE-2021-40874) -- Yadd Thu, 24 Feb 2022 15:16:09 +0100 diff --git a/debian/clean b/debian/clean index 73f167814..cdb4a5ae4 100644 --- a/debian/clean +++ b/debian/clean @@ -1,3 +1,4 @@ +doc/pages/documentation/current/.buildinfo lemonldap-ng-manager/site/htdocs/static/js/conftree.js lemonldap-ng-manager/site/htdocs/static/struct.json lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..dce756430 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,627 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-23 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -278,6 +278,11 @@ + the Session Browser. +- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.html#
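Review bot: the changelog hunk also rewrites the already-released 2.0.11+ds-4+deb11u1 entry (`(Closes: CVE-2021-20874)` becomes `(Closes: #1005302, CVE-2021-40874)`), yet neither the new deb11u5 entry nor the [ Changes ] list above mentions that correction, although the checklist states that all changes are documented in d/changelog. Correcting the CVE id is worthwhile; add a line such as `* Fix CVE id in the 2.0.11+ds-4+deb11u1 changelog entry` to the deb11u5 entry, and keep in mind that the `Closes:` keyword only acts on `#`-prefixed bug numbers, so `#1005302` is what gets processed and the CVE id next to it is informational only.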
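Review bot: the debian/clean hunk adds `doc/pages/documentation/current/.buildinfo` to the files removed on clean, a packaging change unrelated to the three security fixes that is not reflected in the deb11u5 changelog entry; either mention it (`* Clean .buildinfo generated by the documentation build`) or leave it out of this security-only update so the debdiff stays minimal.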
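Review bot: the idpopenidconnect.rst hunk inside SSRF-issue.patch documents the new option as `(since version ``2.17.1``)`, but this backport lands in 2.0.11+ds-4+deb11u5, so readers of the bullseye package's own documentation will see a version they do not run. Consider `(since version ``2.17.1``, backported to Debian 2.0.11+ds-4+deb11u5)` or dropping the version tag in the backported copy; the `Forwarded: not-needed` header is fine given `Origin: upstream` and `Applied-Upstream: 2.17.1`.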
Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection only when configuration is edited by hand and doesn't follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol: A little-known feature of OIDC allows the OpenID Provider to fetch the Authorization request parameters itself by indicating a request_uri parameter. This feature is now restricted to a white list using this patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage provided by upstream is good, so risk is moderate.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just rejects requests with `redirect_uri` if relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers,
Xavier

diff --git a/debian/NEWS b/debian/NEWS index b8955920b..5295a3cbb 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:15:03 +0400 + lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium CVE-2020-24660
diff --git a/debian/changelog b/debian/changelog index cd4c8a023..148164a94 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 17:18:12 +0400 + lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium * Apply login control to auth-slave requests diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..3c6ca8b51 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,795 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-22 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -247,6 +247,11 @@ + This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the + :ref:`Client Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__ ++ in OIDC specifications). These URLs may use wildcards (``https://app.example.com/*``). +- **Authentication level**: Required authentication level to access this application +- **Access rule**: Lets you specify a :doc:`Perl rule` to restrict access to this client + +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +@@ -4656,6 +4656,7 @@ + oidcRPMetaDataOptionsComment => { type => 'longtext' }, + oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' }, + oidcRPMetaDataOptionsRedirectUris => { type => 'text', }, ++oidcRPMetaDataOptionsRequestUris => { type => 'text', }, + oidcRPMetaDataOptionsExtraClaims => { + type=> 'keyTextContainer', + keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/, +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm b/lemonldap-ng-manager/lib/Lemon
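Review bot: the debian/NEWS hunk opens its entry with `lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium` while the changelog hunk for the same version correctly says `bookworm`. The distribution field in NEWS is not used by the build, but apt-listchanges shows the entry to users, and a bullseye tag on a bookworm update is confusing; change it to `bookworm`.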
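Review bot: in the idpopenidconnect.rst hunk the new bullet reads `**Allowed URLs for fetching Request Object**: (since version ``2.17.1``):`, with one colon before the parenthetical and another after it, whereas the neighbouring entries put a single colon after the version tag (`**Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``):`). Drop the first colon; as this is an upstream patch, the same fix belongs in the upstream merge request.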
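Review bot: in the Attributes.pm hunk `oidcRPMetaDataOptionsRequestUris` is declared as a bare `{ type => 'text', }`, mirroring `oidcRPMetaDataOptionsRedirectUris`, so the manager accepts any string; because the doc hunk says entries are interpreted with wildcards, a value such as `*` or `https://*` would, if the wildcard expansion is a plain glob, turn the allow-list back into allow-everything without any warning. Consider a `test` regex on the attribute (the neighbouring `keyTest => qr/.../` shows the mechanism) requiring each entry to start with `https://` and a literal host, or at least document that a wildcard should only follow a path separator, as the `https://app.example.com/*` example in the doc hunk does.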
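The request_uri flaw described in the bullseye and bookworm requests above, as an added example that is not LemonLDAP::NG's code: a minimal model of the OpenID Provider's authorization endpoint before and after the fix, with a constructed in-memory "network" so it runs offline. The names (`FAKE_HTTP`, `fetch`, `vulnerable_resolve`, `hardened_resolve`, the `request_uris` config key) and the wildcard semantics are assumptions of this example; the upstream documentation only says entries may use wildcards such as `https://app.example.com/*`. It also goes a little beyond the patch as shown: allow-list entries that are not https, or that carry a wildcard in the host part, are refused outright.

```python
"""Allow-list check for the OIDC ``request_uri`` parameter.

Added example, not LemonLDAP::NG code. It contrasts the pre-fix behaviour
(the OP dereferences whatever request_uri the client sends, so it can be
made to issue requests to internal hosts) with the fixed behaviour (the
fetch only happens for URLs matching the relying party's allow-list).
Assumption: '*' in an allow-list entry matches any characters and is only
accepted in the path part of the entry.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the network: what a GET of each URL would return.
# A real OP would perform an HTTPS request here; this example never does.
FAKE_HTTP = {
    "https://app.example.com/requests/42.jwt": "<signed request object>",
    "http://169.254.169.254/latest/meta-data/iam/": "<cloud credentials>",
}


def fetch(url):
    """Stand-in for the OP's HTTP client (assumed: body, or a 404 marker)."""
    return FAKE_HTTP.get(url, "<404>")


def vulnerable_resolve(params):
    """Pre-fix behaviour: any request_uri is dereferenced, wherever it points."""
    if "request_uri" in params:
        return fetch(params["request_uri"])
    return params.get("request")


def compile_allow_entry(pattern):
    """Turn one allow-list entry into an anchored regex.

    Entries that are not https, or that put a wildcard in the authority, are
    refused: 'https://app.example.com*' would also match
    'https://app.example.com.attacker.example/'.
    """
    parts = urlsplit(pattern)
    if parts.scheme != "https" or not parts.netloc or "*" in parts.netloc:
        raise ValueError(f"unsafe request_uri allow-list entry: {pattern!r}")
    regex = re.escape(pattern).replace(r"\*", ".*")  # '.' does not match newline
    return re.compile(regex + r"\Z")


def request_uri_allowed(url, allow_list):
    """True if url matches at least one configured entry (default deny)."""
    return any(compile_allow_entry(p).match(url) for p in allow_list)


def hardened_resolve(params, rp_config):
    """Post-fix behaviour: fetch request_uri only when the RP allow-lists it.

    Returns ("ok", request_object_or_None) or ("error", oidc_error_code).
    """
    if "request_uri" not in params:
        return "ok", params.get("request")
    url = params["request_uri"]
    allow_list = rp_config.get("request_uris", [])  # hypothetical config key
    if not request_uri_allowed(url, allow_list):
        # OIDC Core 3.1.2.6 defines invalid_request_uri for this case.
        return "error", "invalid_request_uri"
    return "ok", fetch(url)


if __name__ == "__main__":
    rp = {"client_id": "app", "request_uris": ["https://app.example.com/*"]}
    ssrf = {"client_id": "app",
            "request_uri": "http://169.254.169.254/latest/meta-data/iam/"}
    legit = {"client_id": "app",
             "request_uri": "https://app.example.com/requests/42.jwt"}
    print("before fix:", vulnerable_resolve(ssrf))
    print("after fix: ", hardened_resolve(ssrf, rp))
    print("legit RP:  ", hardened_resolve(legit, rp))
```

Two design points worth keeping when porting this to a real OP: the decision is taken on the URL before any connection is opened (checking the response is too late, the request to the internal host has already been made), and a relying party with no `request_uris` configured gets nothing fetched at all, which is the default-deny behaviour the NEWS entry describes. A misconfigured entry raises instead of silently widening the list.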
Bug#1052428: node-minimatch: please update to 9.x
On 9/22/23 00:10, Jérémy Lal wrote:
Package: node-minimatch
Version: 5.1.1+~5.1.2-1
Severity: normal

Hi,
nodejs 18.18.0 depends on node-minimatch 9.0.3. It'd be nice if someone could update that module.
Regards,
Jérémy

Hi,
I'm going to push version 9.0.3 to experimental (breaking changes)
Cheers,
Yadd
Bug#1052301: ITP: node-stdlib -- Standard library for JavaScript and Node.js
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-stdlib
Version : 0.0.96
Upstream Contact: The Stdlib Authors <https://github.com/stdlib-js/stdlib/graphs/contributors>
* URL : https://github.com/stdlib-js/stdlib
* License : Apache-2.0
Programming Lang: JavaScript
Description : Standard library for JavaScript and Node.js

node-stdlib is a standard library for JavaScript and Node.js, with an emphasis on numerical and scientific computing applications. The library provides a collection of robust, high performance libraries for mathematics, statistics, data processing, streams, and more and includes many utilities expected from a standard library.

node-stdlib is a build dependency of node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052246: ITP: node-vdom-to-html -- Node.js library to turn virtual-dom nodes into HTML
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vdom-to-html
Version : 2.3.1
Upstream Contact: Nathan Tran
* URL : https://github.com/nthtran/vdom-to-html
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to turn virtual-dom nodes into HTML

node-vdom-to-html turns virtual-dom nodes into HTML. virtual-dom is a collection of modules designed to provide a declarative way of representing the DOM.

This is a dependency of node-stdlib which is needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation
On 9/18/23 21:26, Jérémy Lal wrote:
On Mon, 18 Sep 2023 at 19:15, Yadd <y...@debian.org> wrote:
Package: wnpp
Severity: wishlist
Owner: Yadd <y...@debian.org>
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name : node-playwright
Version : 1.38.0
Upstream Contact: Microsoft Corporation <https://github.com/Microsoft/playwright/issues>
* URL : https://github.com/Microsoft/playwright
* License : Apache-2.0
Programming Lang: JavaScript
Description : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API. Playwright is built to enable cross-browser web automation that is ever-green, capable, reliable and fast.

Hi,
I am a heavy user of node-playwright, so this interests me. Note that the latest version of playwright stopped automatically downloading the needed browsers, which is a good thing. Playwright is also able to use system-installed chromium, but maybe not firefox, and I'm pretty sure it won't work out of the box with webkitgtk.
Cheers,
Jérémy

Hi,
happy to help you! You can test my work, available on salsa.
Best regards,
Yadd
Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-playwright
Version : 1.38.0
Upstream Contact: Microsoft Corporation <https://github.com/Microsoft/playwright/issues>
* URL : https://github.com/Microsoft/playwright
* License : Apache-2.0
Programming Lang: JavaScript
Description : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API. Playwright is built to enable cross-browser web automation that is ever-green, capable, reliable and fast.

Another node-jupyterlab dependency, will be maintained under JS Team umbrella.
Bug#1052147: ITP: node-source-map-loader -- Node.js library to extract source maps
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-source-map-loader
Version : 4.0.1
Upstream Contact: JS Foundation <https://github.com/webpack-contrib/source-map-loader/issues>
* URL : https://github.com/webpack-contrib/source-map-loader
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to extract source maps

node-source-map-loader is a JS library that extracts source maps from existing source files. It can be used in a node-webpack rule.

It's a build dependency of node-jupyterlab, will be maintained under JS Team umbrella.
Bug#1052143: ITP: node-html-loader -- Node module that exports HTML as string
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-loader
Version : 4.2.0
Upstream Contact: JS Foundation <https://github.com/webpack-contrib/html-loader/issues>
* URL : https://github.com/webpack-contrib/html-loader
* License : Expat
Programming Lang: JavaScript
Description : Node module that exports HTML as string

node-html-loader exports HTML as string. HTML is minimized when the compiler demands. It is typically used as node-webpack plugin.

node-html-loader is a dependency of node-jupyterlab and will be maintained under JS Team umbrella.
Bug#1052140: ITP: node-html-webpack-plugin -- node-webpack plugin to create HTML files
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-webpack-plugin
Version : 5.5.3
Upstream Contact: JS Foundation <https://github.com/jantimon/html-webpack-plugin/issues>
* URL : https://github.com/jantimon/html-webpack-plugin
* License : Expat
Programming Lang: JavaScript
Description : node-webpack plugin to create HTML files

node-html-webpack-plugin is a node-webpack plugin that simplifies creation of HTML files to serve a node-webpack bundle. This is especially useful for bundles that include a hash in the filename which changes every compilation.

It's a build dependency of node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052076: ITP: node-mathjax-full -- JavaScript library to display math in browsers
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-mathjax-full
Version : 3.2.2
Upstream Contact: The MathJax Consortium <https://github.com/mathjax/Mathjax-src/issues>
* URL : https://github.com/mathjax/Mathjax-src
* License : Apache-2.0
Programming Lang: JavaScript
Description : JavaScript library to display math in browsers

MathJax is an open-source JavaScript display engine for LaTeX, MathML, and AsciiMath notation that works in all modern browsers. It was designed with the goal of consolidating the recent advances in web technologies into a single, definitive, math-on-the-web platform supporting the major browsers and operating systems. It requires no setup on the part of the user (no plugins to download or software to install), so the page author can write web documents that include mathematics and be confident that users will be able to view it naturally and easily. Simply include MathJax and some mathematics in a web page, and MathJax does the rest.

node-mathjax-full is a dependency of node-jupyterlab. It will be maintained under JS Team umbrella.
Bug#1052075: ITP: node-speech-rule-engine -- NodeJS version of the ChromeVox speech rule engine
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-speech-rule-engine
Version : 3.2.2
Upstream Contact: Volker Sorge
* URL : https://github.com/zorkow/speech-rule-engine
* License : Apache-2.0
Programming Lang: JavaScript
Description : NodeJS version of the ChromeVox speech rule engine

node-speech-rule-engine (SRE) can translate XML expressions into speech strings according to rules that can be specified in a syntax using Xpath expressions.

It's a dependency of node-mathjax-full, needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052054: ITP: node-sort-package-json -- Node.js library to sort package.json
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sort-package-json
Version : 2.5.1
Upstream Contact: Keith Cirkel
* URL : https://github.com/fisker/git-hooks-list
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to sort package.json

node-sort-package-json is a small library useful to sort package.json files of Node.js modules, not in alphabetic order but in logical order (starting by name and version).

It's a dependency of node-jupyterlab and will be maintained under JS Team umbrella.
Bug#1051991: ITP: node-sixel -- Node.js library to manage Sixel images
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sixel
Version : 0.16.0
Upstream Contact: Joerg Breitbart
* URL : https://github.com/jerch/node-sixel/
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to manage Sixel images

node-sixel is an image decoding / encoding library for node and the browser.

It is a build dependency of node-xterm 5 which is required for node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051974: ITP: inwasm -- Inline WebAssembly for Typescript
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: inwasm
Version : 0.0.13
Upstream Contact: Joerg Breitbart
* URL : https://github.com/jerch/inwasm
* License : Expat
Programming Lang: JavaScript
Description : Inline WebAssembly for Typescript

InWasm is a small bundler for inline standalone wasm libraries (Web Assembly). It compiles and bundles the wasm source code inplace, using either clang, wabt and/or emscripten.

inwasm is a build dependency needed to build node-xterm-wasm-parts, which is required by node-xterm 5, whose update is needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051930: ITP: node-node-pty -- Node.js library to allow one to fork processes with pseudoterminal file descriptors
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-node-pty
Version : 1.0.0
Upstream Contact: node-pty authors <https://github.com/microsoft/node-pty/issues>
* URL : https://github.com/microsoft/node-pty/issues
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to allow one to fork processes with pseudoterminal file descriptors

node-node-pty provides forkpty bindings for node.js. This allows one to fork processes with pseudoterminal file descriptors. It returns a terminal object which allows reads and writes. This is useful for:
* Writing a terminal emulator
* Getting certain programs to think they are in a terminal

node-node-pty is a dependency of node-xterm 5 which is needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051823: ITP: libjs-simulate-event -- JavaScript library to trigger DOM events on any element
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: libjs-simulate-event
Version : 1.4.0
Upstream Contact: Blake Embrey
* URL : https://github.com/blakeembrey/simulate-event
* License : Expat
Programming Lang: JavaScript
Description : JavaScript library to trigger DOM events on any element

libjs-simulate-event provides a simple way to trigger DOM events on any element:
* simulateEvent.simulate(document.body, 'click')

It's a build dependency of node-jupyterlab and will be maintained under JS Team umbrella.
Bug#1051705: ITP: node-vega-embed -- Node.js library to easily embed vega views
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-embed
Version : 6.22.2
Upstream Contact: University of Washington Interactive Data Lab <https://github.com/vega/vega-embed/issues>
* URL : https://github.com/vega/vega-embed/issues
* License : BSD-3-Clause
Programming Lang: JavaScript
Description : Node.js library to easily embed vega views

node-vega-embed makes it easy to embed interactive node-vega and node-vega-lite views into web pages.

It's another dependency needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051694: ITP: node-vega-themes -- Themes for stylized Vega and Vega-Lite visualizations
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-themes
Version : 2.14.0
Upstream Contact: University of Washington Interactive Data Lab <https://github.com/vega/vega-themes/issues>
* URL : https://github.com/vega/vega-themes/issues
* License : BSD-3-Clause
Programming Lang: JavaScript
Description : Themes for stylized Vega and Vega-Lite visualizations

A Vega *theme* is a configuration object with default settings for a variety of visual properties such as colors, typefaces, line widths and spacing. This module exports a set of named themes, which can be passed as input to the node-vega or node-vega-lite with node-vega-embed or directly as a configuration object to the Vega parser.

This package is a dependency of node-vega-embed which is needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051660: ITP: node-vega-lite -- Node.js library that provides a higher-level grammar for visual analysis for node-vega
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-lite
Version : 5.14.1
Upstream Contact: University of Washington Interactive Data Lab <https://github.com/vega/vega-lite/issues>
* URL : https://github.com/vega/vega-lite/issues
* License : BSD-3-Clause
Programming Lang: JavaScript
Description : Node.js library that provides a higher-level grammar for visual analysis for node-vega

node-vega-lite provides a higher-level grammar for visual analysis that generates complete Vega specifications. More details available on https://vega.github.io/vega-lite/docs/. It can also be tried online: https://vega.github.io/editor/#/custom/vega-lite

This library is a dependency of node-vega-embed, needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1051628: ITP: node-d3-delaunay -- Node.js fast library for computing the Voronoi diagram
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-d3-delaunay
Version : 6.0.4
Upstream Contact: Observable, Inc. <https://github.com/d3/d3-delaunay/issues>
* URL : https://github.com/d3/d3-delaunay
* License : ISC
Programming Lang: JavaScript
Description : Node.js fast library for computing the Voronoi diagram

node-d3-delaunay is a fast library for computing the Voronoi diagram of a set of two-dimensional points. It is based on included node-delaunator, a fast library for computing the Delaunay triangulation using sweep algorithms. The Voronoi diagram is constructed by connecting the circumcenters of adjacent triangles in the Delaunay triangulation.

It's a missing dependency of node-vega, needed to build node-jupyterlab.
Bug#1051608: ITP: node-d3-geo-projection -- Extended geographic projections for node-d3-geo
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-d3-geo-projection
Version : 4.0.0
Upstream Contact: Mike Bostock <https://bost.ocks.org/mike>
* URL : https://d3js.org/d3-geo-projection/
* License : ISC
Programming Lang: JavaScript
Description : Extended geographic projections for node-d3-geo

node-d3-geo-projection provides extended geographic projections for node-d3-geo.

It's a dependency of node-vega-lite, needed to build node-jupyterlab. It will be maintained under JS Team umbrella.
Bug#1051601: ITP: node-geojson -- Node.js library to convert geo data into GeoJSON
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-geojson
Version : 0.5.0
Upstream Contact: Casey Cesari <https://github.com/caseycesari/geojson.js/issues>
* URL : https://github.com/caseycesari/geojson.js
* License : Expat
Programming Lang: JavaScript
Description : Node.js library to convert geo data into GeoJSON

node-geojson is a dependency of node-vega-lite and a TS dependency of node-d3. It will be maintained under JS Team umbrella.
Bug#1051591: ITP: node-vega-tooltip -- Tooltip for node-vega and node-vega-lite
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vega-tooltip
Version : 0.33.0
Upstream Contact: https://github.com/vega/vega-tooltip/issues
* URL : https://github.com/vega/vega-tooltip
* License : BSD-3-Clause
Programming Lang: JavaScript
Description : Tooltip for node-vega and node-vega-lite

node-vega-tooltip is a tooltip plugin for Vega and Vega-Lite visualizations. This plugin implements a custom tooltip handler for Vega that uses custom HTML tooltips instead of the HTML title attribute.

This is a dependency of node-jupyterlab. It will be maintained under JS Team umbrella.
Bug#1051583: ITP: node-fast-json-patch -- Node.js implementation of JSON-Patch
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-fast-json-patch
Version : 3.1.1
Upstream Contact: Joachim Wester
* URL : https://github.com/Starcounter-Jack/JSON-Patch
* License : Expat
Programming Lang: JavaScript
Description : Node.js implementation of JSON-Patch

node-fast-json-patch is a leaner and meaner implementation of JSON-Patch. Small footprint. High performance. It can:
* apply patches (arrays) and single operations on JS object
* validate a sequence of patches
* observe for changes and generate patches when a change is detected
* compare two objects to obtain the difference

node-fast-json-patch is a dependency of node-vega-embed, needed for node-jupyterlab.
Bug#1051550: node-rollup-plugin-terser: Please update (or embed) to @rollup/plugin-terser
Package: node-rollup-plugin-terser
Version: 7.0.2+~5.0.1-8
Severity: wishlist

Hi,
rollup-plugin-terser is going to be replaced by @rollup/plugin-terser. Could you update this package or embed both during the transition?
Cheers,
Yadd
Bug#1051549: ITP: node-jsan -- JavaScript "All The Things" Notation
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-jsan
Version : 3.1.14
Upstream Contact: Moshe Kolodny <https://github.com/kolodny/jsan/issues>
* URL : https://github.com/kolodny/jsan
* License : Expat
Programming Lang: JavaScript
Description : JavaScript "All The Things" Notation

node-jsan easily stringifies and parses any object including objects with circular references, self references, dates, regexes, `undefined`, errors, and even functions.

node-jsan is a dependency of node-redux-devtools which is needed by node-jupyterlab. This package will be maintained under JS Team umbrella.
Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
* the "login" security regex wasn't applied when using AuthSlave
* lemonldap-ng portal can be used as open-redirection due to incorrect escape handling
This proposal includes these 2 patches for Bookworm

[ Impact ]
Low security issues

[ Tests ]
Test updated, passed both with autopkgtest and build

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* check if login value respects the config when login comes from AuthSlave
* Sanitize URLs used in redirections
* Tests

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index 8de0d083f..268c0d993 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium + + * Apply login control to auth-slave requests + * Fix open redirection due to incorrect escape handling + + -- Yadd Fri, 01 Sep 2023 10:11:50 +0400 + lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium * Fix incorrect parsing of OP-provided acr diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml index 33c3a640d..756ccd252 100644 --- a/debian/gitlab-ci.yml +++ b/debian/gitlab-ci.yml @@ -1,4 +1,6 @@ --- +variables: + RELEASE: 'bookworm' include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff --git a/debian/patches/apply-user-control-to-authslave.patch b/debian/patches/apply-user-control-to-authslave.patch new file mode 100644 index 0..df0ceca39 --- /dev/null
+++ b/debian/patches/apply-user-control-to-authslave.patch 
@@ -0,0 +1,83 @@ +Description: [Security] apply user-control to authSlave +Author: Christophe Maudoux +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946 +Forwarded: not-needed +Applied-Upstream: 2.17.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351 +Reviewed-By: Yadd +Last-Update: 2023-09-01 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm +@@ -8,6 +8,7 @@ + PE_OK + PE_FORBIDDENIP + PE_USERNOTFOUND ++ PE_MALFORMEDUSER + ); + + our $VERSION = '2.0.12'; +@@ -37,11 +38,15 @@ + $user_header = 'HTTP_' . uc($user_header); + $user_header =~ s/\-/_/g; + +-unless ( $req->{user} = $req->env->{$user_header} ) { ++unless ( $req->env->{$user_header} ) { + $self->userLogger->error( + "No header " . $self->conf->{slaveUserHeader} . " found" ); + return PE_USERNOTFOUND; + } ++return PE_MALFORMEDUSER ++ unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o ); ++ ++$req->{user} = $req->env->{$user_header}; + return PE_OK; + } + +--- a/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t b/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t +@@ -2,7 +2,7 @@ + use Test::More; + use strict; + use JSON; +-use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND); ++use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND PE_MALFORMEDUSER); + + require 't/test-lib.pm'; + +@@ -17,6 +17,7 @@ + securedCookie => 3, + authentication => 'Slave', + userDB => 'Same', ++userControl=> '^\w{4}$', + slaveUserHeader=> 'My-Test', + slaveHeaderName=> 'Check-Slave', + slaveHeaderContent => 'Password', +@@ -91,6 +92,27 @@ + or explain( $json, "error => 4" ); + count(4); + ++# Good credentials with an unauthorized login ++ok( ++$res = $client->_get( ++'/', ++ip => '127.0.0.1', ++custom => { ++HTTP_MY_TEST => 'dwhoo', ++HTTP_NAME=> 'Dr 
Who', ++HTTP_CHECK_SLAVE => 'Password', ++} ++ ++), ++'Auth query' ++); ++ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 ); ++ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' ) ++ or print STDERR "$@\n" . Dumper($res); ++ok( $json->{error} == PE_MALFORMEDUSER, 'Response is PE_MALFORMEDUSER' ) ++ or explain( $json, "error => 40" ); ++count(4); ++ + # Good credentials with acredited IP + ok( + $
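Review bot: in the Slave.pm hunk the new rejection `return PE_MALFORMEDUSER unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );` is silent, whereas the missing-header branch directly above it logs through `$self->userLogger->error(...)`; a login arriving on the trusted-proxy path that fails the `userControl` check is exactly the event an operator wants in the logs, so log the offending header value (or at least the event) before returning. Also, the `/o` modifier compiles the interpolated `userControl` pattern once per process, so if the configuration is reloaded inside a running worker the pattern first seen stays in effect; prefer a precompiled `qr//` value or drop `/o`.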
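Review bot: the changelog hunk reads `lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium`; the upload needs `bookworm` in that field, so the attached debdiff is not byte-for-byte what will be uploaded. Either run `dch -r` before generating the debdiff or say in the request that the distribution will be set at upload time.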
Bug#1050730: bookworm-pu: package cyrus-imapd/3.6.1-4+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cyrus-im...@packages.debian.org
Control: affects -1 + src:cyrus-imapd

[ Reason ]
I entered a patch some months ago in Bullseye to permit migration to Cyrus-Imapd 3.6 (Bookworm): without this patch, mailboxes may be corrupted. I added also a postinst check to refuse upgrades if previous version wasn't > 3.2.6-2+deb11u2. However, I did a mistake in this patch and migrations are not blocked. So users that didn't follow Bullseye upgrades are losing their mailboxes during Bookworm upgrades (see #1037346).

[ Impact ]
Data loss risk for users that didn't migrate from 3.2.6-2+deb11u2.

[ Risks ]
No risk here, it just fixes the major risk on upgrades

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* fix dpkg --compare-versions use
* update doc to replace minimal 3.2.10 by 3.2.6-2+deb11u2

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index a6d3c31a..56cfb114 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cyrus-imapd (3.6.1-4+deb12u1) UNRELEASED; urgency=medium + + * Doc: add patch to fix minimal version needed before upgrade +(see #1037346) + * Fix postint version check (see #1037346) + + -- Yadd Sat, 26 Aug 2023 07:06:45 +0400 + cyrus-imapd (3.6.1-4) unstable; urgency=medium * Update copyright diff --git a/debian/cyrus-common.postinst b/debian/cyrus-common.postinst index 86eb6f0a..10a36946 100755 --- a/debian/cyrus-common.postinst +++ b/debian/cyrus-common.postinst
@@ -60,7 +60,7 @@ upgradesieve () { case "$1" in configure) # Refuse to update if previous version is lower than 3.2.6-2+deb11u2~ - if [ -z "$1" ] || $(dpkg --compare-versions $1 lt '3.2.6-2+deb11u2~'); then + if [ -z "$2" ] || $(dpkg --compare-versions $2 lt '3.2.6-2+deb11u2~'); then echo "You must update cyrus-imapd to at least version 3.2.6-2+deb11u2~" >&2 echo "before updating it to version 3.6.x and run it, else your mailboxes" >&2 echo "may be corrupted" >&2 diff --git a/debian/patches/fix-upgrade-versions.patch b/debian/patches/fix-upgrade-versions.patch new file mode 100644 index ..9d0bb2f9 --- /dev/null +++ b/debian/patches/fix-upgrade-versions.patch @@ -0,0 +1,37 @@ +Description: fix the minimal version needed to update +Author: Yadd +Bug-Debian: https://bugs.debian.org/1037346 +Forwarded: not-needed +Last-Update: 2023-07-19 + +--- a/doc/html/_sources/imap/download/upgrade.rst.txt b/doc/html/_sources/imap/download/upgrade.rst.txt +@@ -25,10 +25,9 @@ + Versions to upgrade from + + +-Before upgrading to 3.6, your deployment should be running either: ++Before upgrading to 3.6, your deployment should be running: + +-* 3.2.10 (or later), or +-* 3.4.4 (or later) ++* 3.2.6-2+deb11u2 (or later) + + If your existing deployment predates these releases, you should first upgrade + to one of these versions, let it run for a while, resolve any issues that +--- a/doc/text/imap/download/upgrade.txt b/doc/text/imap/download/upgrade.txt +@@ -59,11 +59,9 @@ + Versions to upgrade from + + +-Before upgrading to 3.6, your deployment should be running either: ++Before upgrading to 3.6, your deployment should be running: + +-* 3.2.10 (or later), or +- +-* 3.4.4 (or later) ++* 3.2.6-2+deb11u2 (or later) + + If your existing deployment predates these releases, you should first + upgrade to one of these versions, let it run for a while, resolve any diff --git a/debian/patches/series b/debian/patches/series index b33e49ac..353fb72b 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -8,3 +8,4 @@ 0018-increase-test-timeout.patch #0019-propagate-XXFLAGS.patch 0020_fix-cyr_cd-shebang.patch +fix-upgrade-versions.patch diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a640..6a91c217 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bookworm' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
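Review bot: the changelog hunk targets `UNRELEASED` (`+cyrus-imapd (3.6.1-4+deb12u1) UNRELEASED; urgency=medium`), but a bookworm-pu upload has to carry `bookworm` as the distribution before it can be accepted; while touching it, `* Fix postint version check` should read `postinst`.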
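Review bot: the new condition `if [ -z "$2" ] || $(dpkg --compare-versions $2 lt '3.2.6-2+deb11u2~'); then` also fires on a fresh install, where `$2` (the most recently configured version that dpkg passes to `postinst configure`) is empty, so a brand-new cyrus-common on bookworm would abort with the "You must update cyrus-imapd to at least version 3.2.6-2+deb11u2~" message that is meant for upgrades. If the intent is only to block upgrades from an older version, invert the first test and drop the command substitution, e.g. `if [ -n "$2" ] && dpkg --compare-versions "$2" lt '3.2.6-2+deb11u2~'; then`: the `$(...)` wrapper only works because dpkg prints nothing and the shell falls back to the substitution's exit status, and `$2` should be quoted.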
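Review bot: in both fix-upgrade-versions.patch hunks the two upstream bullets are replaced by the single `+* 3.2.6-2+deb11u2 (or later)`, but the unchanged context line that follows still says `If your existing deployment predates these releases, you should first upgrade to one of these versions`, which now refers to a one-item list; reword that sentence in the same hunks (upgrade.rst.txt and upgrade.txt) and consider adding that 3.2.6-2+deb11u2 is the Debian package carrying the migration fix, so readers comparing with upstream's 3.2.10/3.4.4 numbers understand the difference. The patch edits doc/html/_sources, a generated copy of the Sphinx sources, so please confirm the doc build in this package does not regenerate it and silently discard the change.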
Bug#1037346: cyrus-imapd: Stable should have gone from Cyrus 3.2.6 to 3.2.10 first
On 8/25/23 16:13, Petr Jurášek wrote:

Hi, we had the same problem. After the upgrade, only the mailboxes which had a uniqueid in the database were created. We can check it in a dump:

/usr/lib/cyrus/bin/cvt_cyrusdb /var/lib/cyrus/mailboxes.db twoskip /tmp/aaa.txt flat

A folder without a uniqueid doesn't have "I" in the dump /tmp/aaa.txt. It can be repaired _before_ the upgrade with:

/usr/lib/cyrus/bin/reconstruct -I
...
pokus.cz!test: update uniqueid from header (null) => 7f54216e52e02e7c
...

I hope that this repaired mailboxes.db can be upgraded without problem and will check it in a few days.

I copy mailboxes.db without "reconstruct -I" to a test bookworm system and run "/usr/lib/cyrus/bin/ctl_cyrusdb -r". After that:

/usr/lib/cyrus/bin/ctl_mboxlist -d | wc -l
458

I run "reconstruct -I" on the test source system, copy it to the test bookworm system, and run "/usr/lib/cyrus/bin/ctl_cyrusdb -r". After that:

/usr/lib/cyrus/bin/ctl_mboxlist -d | wc -l
2280

And there is a typo in postinst in the cyrus-common package (you must test zero size and compare the version in variable $2, not $1):

===
case "$1" in
configure)
# Refuse to update if previous version is lower than 3.2.6-2+deb11u2~
if [ -z "$1" ] || $(dpkg --compare-versions $1 lt '3.2.6-2+deb11u2~'); then
echo "You must update cyrus-imapd to at least version 3.2.6-2+deb11u2~" >&2
echo "before updating it to version 3.6.x and run it, else your mailboxes" >&2
echo "may be corrupted" >&2
exit 1
fi
===

Regards, Petr Jurasek

Hi, thanks for the fix. Did you get this issue when upgrading from 3.2.6-2+deb11u2 or upgrading from 3.2.6-2 ?
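A script that runs the check Petr describes over a flat dump, as an added example that is not part of this bug thread or of the cyrus-imapd package. It assumes the flat dump written by cvt_cyrusdb holds one line per entry of the form mailbox name, a tab, then the value, and that the uniqueid appears in the value as a standalone `I` token followed by the id, which is the heuristic in the message above; the sample dump it embeds is constructed (one id is borrowed from Petr's reconstruct output, the rest is made up), and cvt_cyrusdb itself is only called when you point the helper at a real database on a Cyrus host.

```shell
#!/bin/sh
# Added example (not from the bug thread or the cyrus-imapd package):
# apply the "no I token" heuristic to a flat dump of mailboxes.db and
# list the mailboxes without a uniqueid, i.e. the ones that #1037346
# reports as lost on a 3.2 -> 3.6 upgrade.
#
# Assumptions: the flat dump has one "<mailbox name><TAB><value>" line
# per entry, and a uniqueid is stored as a standalone "I <id>" pair in
# the value.

# Dump a live database to a flat file (same command as in the thread).
# Only call this on a host with the cyrus tools installed.
dump_mailboxes_db() {
    /usr/lib/cyrus/bin/cvt_cyrusdb "$1" twoskip "$2" flat
}

# Print the names of the mailboxes in a flat dump whose value has no
# standalone "I" token.  The value is split on blanks and on the dlist
# punctuation "%(" and ")" so that "%(A", "I", ids and ACL strings all
# compare as whole tokens.
mailboxes_missing_uniqueid() {
    awk -F'\t' '
        NF < 2 { next }                       # skip blank or odd lines
        {
            n = split($2, tok, "[ \t()%]+")
            has_id = 0
            for (i = 1; i <= n; i++) if (tok[i] == "I") { has_id = 1; break }
            if (!has_id) print $1
        }' "$1"
}

# Number of entries in a dump, for the before/after comparison Petr made
# with "ctl_mboxlist -d | wc -l".
count_mailboxes() {
    grep -c . "$1"
}

# Constructed sample dump: two healthy dlist entries, one dlist entry
# without an "I" token, and one legacy "type partition acl" entry.  One
# id is taken from Petr's output, the other values are invented.
write_sample_dump() {
    printf '%s\t%s\n' \
        'user.alice'      '%(A %(user.alice lrswipkxtecdan) I 7f54216e52e02e7c M 1692950000 P default T e V 2)' \
        'user.bob'        '%(A %(user.bob lrswipkxtecdan) M 1692950001 P default T e V 2)' \
        'user.carol'      '%(A %(user.carol lrswipkxtecdan) I 1a2b3c4d5e6f7a8b M 1692950002 P default T e V 2)' \
        'user.carol.Sent' '0 default user.carol lrswipkxtecdan' > "$1"
}

# Usage: sh check_uniqueid.sh /tmp/aaa.txt   (a dump made with cvt_cyrusdb)
# With no argument it runs against the constructed sample.
if [ -n "${1:-}" ]; then
    mailboxes_missing_uniqueid "$1"
else
    sample=$(mktemp)
    write_sample_dump "$sample"
    echo "$(count_mailboxes "$sample") entries, missing uniqueid:"
    mailboxes_missing_uniqueid "$sample"
    rm -f "$sample"
fi
```

Run it on the bullseye host before the bookworm upgrade: every mailbox it lists is a candidate for `reconstruct -I`, and the entry count can be compared with `ctl_mboxlist -d | wc -l` on the same system, as in the 458 versus 2280 figures above. An ACL identifier literally named `I` would be a false negative of this heuristic, which is why the dump, not the live database, is what it reads.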
Bug#1042455: golang-github-evanw-esbuild: Please build node-esbuild on armel
Source: golang-github-evanw-esbuild Version: 0.14.8-2 Severity: normal Tags: patch Hi, starting from version 0.14.8-2, node-esbuild isn't built for armel hurd-i386 powerpc riscv64 architectures. Since Nodejs 18.7.0+dfsg-2, armel is now supported by Node.js. The Merge request !3 in your salsa repository fixes this issue. Best regards, Yadd
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
Control: tags -1 - moreinfo On 7/25/23 11:40, Jonathan Wiltshire wrote: Control: tag -1 = bullseye moreinfo On Mon, Jul 24, 2023 at 09:37:58PM +0100, Adam D. Barratt wrote: On Mon, 2023-07-24 at 21:27 +0100, Jonathan Wiltshire wrote: Control: tag -1 confirmed On Sun, Jul 09, 2023 at 09:11:26AM +0400, Yadd wrote: [ Reason ] node-dottie is vulnerable to prototype pollution (#1040592, CVE-2023-26132) By all means go ahead, but it can't be accepted until the situation in testing is fixed up (unless we propagate the version from bookworm-proposed-updates to testing). The provided diff appears to be against the package in bookworm. bullseye has 2.0.2-1. Euf, right - sorry (too many releases started 'b'...) Please revise the debdiff. Thanks, Sorry, here is the new debdiff diff --git a/debian/changelog b/debian/changelog index d790b40..59ef133 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-dottie (2.0.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1040592, CVE-2023-26132) + + -- Yadd Sun, 09 Jul 2023 08:46:31 +0400 + node-dottie (2.0.2-1) unstable; urgency=medium * New upstream version 2.0.2 diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch new file mode 100644 index 000..5186407 --- /dev/null +++ b/debian/patches/CVE-2023-26132.patch 
@@ -0,0 +1,76 @@ +Description: rudimentary __proto__ guarding +Author: Mick Hansen +Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c +Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 +Bug-Debian: https://bugs.debian.org/1040592 +Forwarded: not-needed +Applied-Upstream: 2.0.6, commit:7d3aee1c +Reviewed-By: Yadd +Last-Update: 2023-07-09 + +--- a/README.md b/README.md +@@ -42,6 +42,8 @@ + }); + ``` + ++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution. ++ + ### Transform object + Transform object from keys with dottie notation to nested objects + +--- a/dottie.js b/dottie.js +@@ -72,6 +72,7 @@ + // Set nested value + Dottie.set = function(object, path, value, options) { + var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length; ++if (pieces[0] === '__proto__') return; + + if (typeof current !== 'object') { + throw new Error('Parent is not an object.'); +@@ -137,6 +138,9 @@ + + if (key.indexOf(options.delimiter) !== -1) { + pieces = key.split(options.delimiter); ++ ++if (pieces[0] === '__proto__') break; ++ + piecesLength = pieces.length; + current = transformed; + +--- a/test/set.test.js b/test/set.test.js +@@ -45,4 +45,12 @@ + }); + expect(data.foo.bar.baz).to.equal('someValue'); + }); ++ ++ it('should not attempt to set __proto__', function () { ++var data = {}; ++ ++dottie.set(data, '__proto__.pollution', 'polluted'); ++ ++expect(data.__proto__.pollution).to.be.undefined; ++ }); + }); +\ No newline at end of file +--- a/test/transform.test.js b/test/transform.test.js +@@ -145,4 +145,16 @@ + expect(transformed.user.location.city).to.equal('Zanzibar City'); + expect(transformed.project.title).to.equal('dottie'); + }); ++ ++ it("should guard against prototype pollution", function () { ++var values = { ++ 'user.name': 'John Doe', ++ '__proto__.pollution': 'pollution' ++}; ++ ++var 
transformed = dottie.transform(values); ++expect(transformed.user).not.to.equal(undefined); ++expect(transformed.user.name).to.equal('John Doe'); ++expect(transformed.__proto__.pollution).to.be.undefined; ++ }); + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e86da5e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26132.patch diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto new file mode 100644 index 000..e69de29
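Review bot: the guard `++if (pieces[0] === '__proto__') return;` in Dottie.set only inspects the first path segment, so a path such as `a.__proto__.polluted` (or one going through `constructor.prototype`) is not rejected by it; checking every segment of `pieces` against `__proto__`, `constructor` and `prototype` would close that, and the new set.test.js case, which only exercises `__proto__.pollution`, should gain a nested-path variant so the gap is covered by the test suite.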
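Review bot: in the Dottie.transform hunk, `++if (pieces[0] === '__proto__') break;` leaves the whole loop over the input keys, so every key after a `__proto__.x` entry is silently dropped from the result instead of only that key being skipped; `continue` (or throwing) looks like the intended behaviour. The new transform.test.js case passes only because `'user.name'` precedes `'__proto__.pollution'` in the test object; reversing their order would make `transformed.user` undefined. Like the set guard, this check also looks only at `pieces[0]`.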
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
Control: tags -1 - moreinfo On 7/25/23 21:02, Jonathan Wiltshire wrote: Control: tag -1 moreinfo On Fri, Apr 21, 2023 at 11:36:54AM +0400, Yadd wrote: diff --git a/debian/changelog b/debian/changelog index 628f69a..106d13b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Fri, 21 Apr 2023 11:33:31 +0400 + node-xml2js (0.2.8-1) unstable; urgency=low * Upstream update bullseye has 0.2.8-1.1, please ensure you base the proposed debdiff off that. Remove the moreinfo tag when you are ready for further review. Thanks, Hi, here is the new debdiff Best regards, Yadd diff --git a/debian/changelog b/debian/changelog index fa373bf..22806aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1.1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Wed, 26 Jul 2023 08:27:13 +0400 + node-xml2js (0.2.8-1.1) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 000..cd03e08 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,46 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd +Last-Update: 2023-04-21 + +--- a/src/xml2js.coffee b/src/xml2js.coffee +@@ -105,12 +105,12 @@ + charkey = @options.charkey + + @saxParser.onopentag = (node) => +- obj = {} ++ obj = Object.create(null) + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes + if attrkey not of obj and not @options.mergeAttrs +-obj[attrkey] = {} ++obj[attrkey] = Object.create(null) + if @options.mergeAttrs + obj[key] = node.attributes[key] + else +@@ -158,7 +158,7 @@ + + # put children into property and unfold chars if necessary + if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object' +-node = {} ++node = Object.create(null) + # separate attributes + if @options.attrkey of obj + node[@options.attrkey] = obj[@options.attrkey] +@@ -193,7 +193,7 @@ + if @options.explicitRoot + # avoid circular references + old = obj +- obj = {} ++ obj = Object.create(null) + obj[nodeName] = old + + @resultObject = obj diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..6b5589b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-0842.patch
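Review bot: replacing `obj = {}` with `Object.create(null)` in onopentag, and likewise for the attrkey, explicitChildren and explicitRoot objects, means every parsed node no longer inherits from Object.prototype, so consumers that call `node.hasOwnProperty(k)` or `node.toString()`, or hand nodes to code that expects a plain object, will start throwing after this stable update; that is the upstream fix, but it deserves a d/NEWS or changelog note for bullseye users and a run of the reverse dependencies' autopkgtests. Also, since the patch touches only src/xml2js.coffee, please confirm the package regenerates lib/xml2js.js from the CoffeeScript sources at build time, otherwise the shipped JavaScript is unchanged.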
Bug#1037346: cyrus-imapd: Stable should have gone from Cyrus 3.2.6 to 3.2.10 first
On 7/18/23 22:24, Gijs Hillenius wrote: Package: cyrus-imapd Version: 3.6.1-4 Followup-For: Bug #1037346 Dear Maintainers The documentation https://www.cyrusimap.org/3.6/imap/download/upgrade.html#versions-to-upgrade-from tells me that we should have upgraded from Cyrus 3.2.6 to 3.2.10 before going to 3.6.x. Bullseye stable didn't take us that way, and perhaps neither did Bullseye-backports. Perhaps a check should be made, and stop Cyrus 3.2 from being upgraded? Best wishes, Hi, the patch needed to update to 3.6 is included in version 3.2.6-2+deb11u2. So the doc should be updated to explain that "we should have upgraded from Cyrus 3.2.6-2 to 3.2.6-2+deb11u2 before going to 3.6.x" Regards, Yadd
Bug#1041010: [Pkg-javascript-devel] Bug#1041010: Bug#1041010: Please include nbconvert-css
On 7/17/23 17:06, Yadd wrote: On 7/17/23 16:39, Julian Gilbey wrote: On Sun, Jul 16, 2023 at 03:04:26PM +0100, Julian Gilbey wrote: For some reason, nbconvert-css is excluded from the package. Might it be possible to include it? Best wishes, Hi, I put node-jupyterlab into experimental because it's still WIP. For now I'm not able to build all @jupyterlab/* components due to missing dependencies. I'll continue this during autumn. Hi Yadd, Thanks for the info! I'm taking a further look at this now and will report back when I have more information (hopefully soon). [...] Quick update: I managed to build @jupyterlab/nbconvert-css using just a small patch to the node-jupyterlab repo on salsa. But I'm not sure if my code is "correct" (though it produces identical output to upstream) - I've filed an issue upstream about this. (https://github.com/webpack/webpack.js.org/issues/6969) When I'm happy that I've done the "right" thing, I'll file a PR against jupyterlab to drop the deprecated null-loader dependency. Are you then happy for me to push the patch directly to the salsa node-jupyterlab repo? Hi, sure you can, thanks ! I just pushed a new version with @jupyterlab/nbconvert-css (the problem isn't in webpack but in schema-utils transition)
Bug#1041220: src:libgitlab-api-v4-perl: fails to migrate to testing for too long: triggers autopkgtest regression in devscripts
On 7/15/23 22:46, Paul Gevers wrote: Source: libgitlab-api-v4-perl Version: 0.26-3 Severity: serious Control: close -1 0.27-1 Tags: sid trixie User: release.debian@packages.debian.org Usertags: out-of-sync Control: block -1 by 1038486 Dear maintainer(s), The Release Team considers packages that are out-of-sync between testing and unstable for more than 30 days as having a Release Critical bug in testing [1]. Your package src:libgitlab-api-v4-perl has been trying to migrate for 32 days [2]. Hence, I am filing this bug. The package in unstable triggers an autopkgtest issue in devscripts, which is reported in bug 1038486. If a package is out of sync between unstable and testing for a longer period, this usually means that bugs in the package in testing cannot be fixed via unstable. Additionally, blocked packages can have impact on other packages, which makes preparing for the release more difficult. Finally, it often exposes issues with the package and/or its (reverse-)dependencies. We expect maintainers to fix issues that hamper the migration of their package in a timely manner. This bug will trigger auto-removal when appropriate. As with all new bugs, there will be at least 30 days before the package is auto-removed. I have immediately closed this bug with the version in unstable, so if that version or a later version migrates, this bug will no longer affect testing. I have also tagged this bug to only affect sid and trixie, so it doesn't affect (old-)stable. If you believe your package is unable to migrate to testing due to issues beyond your control, don't hesitate to contact the Release Team. Paul Hi, the error looks to be: 55s t/salsa-config.t .. ok 56s Undefined subroutine ::to_json called at ./t/salsa.pm line 49. 56s # Tests were run but no plan was declared and done_testing() was not seen. 56s # Looks like your test exited with 255 just after 1. 56s t/salsa.t . Gitlab::API::v4 uses JSON::MaybeXS which may use a different JSON stack. 
I just added a "use JSON" in t/salsa.pm. Maybe this is enough to fix this issue https://salsa.debian.org/debian/devscripts/-/commit/5bbc8778 Regards, Yadd
Bug#1041010: [Pkg-javascript-devel] Bug#1041010: Please include nbconvert-css
On 7/14/23 01:40, Julian Gilbey wrote: Package: node-jupyterlab Version: 4.0.0~rc1+ds1+~1.0.2-1 Severity: wishlist Hi Yadd! Thanks for building this package! I'm in the process of trying to upgrade (python3-)nbconvert (it's a dependency of Spyder), and the new version tries to use https://unpkg.com/@jupyterlab/nbconvert-css@3.6.1/style/index.css during the build process. I obviously need to replace this by a local file, so the node-jupyterlab is the obvious place to look. For some reason, nbconvert-css is excluded from the package. Might it be possible to include it? Best wishes, Hi, I put node-jupyterlab into experimental because it's still WIP. For now I'm not able to build all @jupyterlab/* components due to missing dependencies. I'll continue this during autumn. Regards, Yadd
Bug#1040563: bookworm-pu: package node-tough-cookie/4.0.0-2+deb12u1
On 7/7/23 21:43, Jonathan Wiltshire wrote: Control: tag -1 moreinfo On Fri, Jul 07, 2023 at 09:01:40PM +0400, Yadd wrote: [ Reason ] node-tough-cookie is vulnerable to prototype pollution How has this been fixed in unstable? You'll need an upload there anyway for version ordering. Thanks, Hi, upload already done in unstable Cheers,
Bug#1040683: bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-webp...@packages.debian.org Control: affects -1 + src:node-webpack [ Reason ] node-webpack is vulnerable to cross-realm object access (#1032904, CVE-2023-28154). [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Regards, Yadd diff --git a/debian/changelog b/debian/changelog index 0053d7ee..a07dd9d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium + + * Team upload + * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154) + + -- Yadd Mon, 29 May 2023 07:53:16 +0400 + node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch new file mode 100644 index ..2f651167 --- /dev/null +++ b/debian/patches/CVE-2023-28154.patch 
@@ -0,0 +1,80 @@ +Description: avoid cross-realm objects +Author: Jack Works +Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb +Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154 +Bug-Debian: https://bugs.debian.org/1032904 +Forwarded: not-needed +Applied-Upstream: 5.76.1, commit:4b4ca3bb +Reviewed-By: Yadd +Last-Update: 2023-05-29 + +--- a/lib/dependencies/ImportParserPlugin.js b/lib/dependencies/ImportParserPlugin.js +@@ -137,7 +137,7 @@ + if (importOptions.webpackInclude !== undefined) { + if ( + !importOptions.webpackInclude || +- importOptions.webpackInclude.constructor.name !== "RegExp" ++ !(importOptions.webpackInclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -146,13 +146,13 @@ + ) + ); + } else { +- include = new RegExp(importOptions.webpackInclude); ++ include = importOptions.webpackInclude; + } + } + if (importOptions.webpackExclude !== undefined) { + if ( + !importOptions.webpackExclude || +- importOptions.webpackExclude.constructor.name !== "RegExp" ++ !(importOptions.webpackExclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -161,7 +161,7 @@ + ) + ); + } else { +- exclude = new RegExp(importOptions.webpackExclude); ++ exclude = importOptions.webpackExclude; + } + } + if (importOptions.webpackExports !== undefined) { +--- a/lib/javascript/JavascriptParser.js b/lib/javascript/JavascriptParser.js +@@ -3635,17 +3635,27 @@ + return EMPTY_COMMENT_OPTIONS; + } + let options = {}; ++ /** @type {unknown[]} */ + let errors = []; + for (const comment of comments) { + const { value } = comment; + if (value && webpackCommentRegExp.test(value)) { + // try compile only if webpack options comment is present + try { +- const val = vm.runInNewContext(`(function(){return {${value}};})()`); +- Object.assign(options, val); ++ for (let [key, val] of Object.entries( ++ vm.runInNewContext(
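Review bot: the change from `importOptions.webpackInclude.constructor.name !== "RegExp"` to `!(importOptions.webpackInclude instanceof RegExp)` in ImportParserPlugin.js is only correct together with the JavascriptParser.js part of the same patch, because the magic comment is evaluated with `vm.runInNewContext` and a `/.../` literal written there is a RegExp of that other realm, which fails `instanceof RegExp` in the parser's realm; the visible start of that hunk (`for (let [key, val] of Object.entries(vm.runInNewContext(`) is where the values have to be brought into the host realm, but the hunk is cut off in this message, so please verify the complete upstream commit 4b4ca3bb was applied and that the updated tests cover a `webpackInclude: /.../` comment. Keeping `include = importOptions.webpackInclude` instead of `new RegExp(...)` is fine once the instanceof check has passed.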
Bug#1040680: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-openpgp-seek-b...@packages.debian.org Control: affects -1 + src:node-openpgp-seek-bzip [ Reason ] src:node-openpgp-seek-bzip provides: * a Node.js module (node-openpgp-seek-bzip) * command-line scripts (seek-bzip) This second package is unusable due to missing files and broken links. [ Impact ] /usr/bin/seek-bunzip and /usr/bin/seek-table are unusable [ Tests ] No changes [ Risks ] No risk, this just fixes the install [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Install missing /usr/share/nodejs/seek-bzip/bin files and fix links in /usr/bin Regards, Yadd diff --git a/debian/changelog b/debian/changelog index daa35de..20dc0b2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-openpgp-seek-bzip (1.0.5-2+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix seek-bzip install (Closes: #1040584) + + -- Yadd Sun, 09 Jul 2023 09:29:47 +0400 + node-openpgp-seek-bzip (1.0.5-2) unstable; urgency=medium * Team upload diff --git a/debian/nodejs/links b/debian/nodejs/links index 0ff514c..6c89a6e 100644 --- a/debian/nodejs/links +++ b/debian/nodejs/links @@ -1,2 +1,2 @@ -@openpgp/seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip -@openpgp/seek-bzip/bin/seek-bzip-table /usr/bin/seek-table +seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip +seek-bzip/bin/seek-bzip-table /usr/bin/seek-table diff --git a/debian/seek-bzip.install b/debian/seek-bzip.install index e772481..8bbbe8d 100644 --- a/debian/seek-bzip.install +++ b/debian/seek-bzip.install @@ -1 +1,2 @@ usr/bin +usr/share/nodejs/seek-bzip/bin
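Review bot: the new `debian/nodejs/links` targets `seek-bzip/bin/seek-bunzip` and `seek-bzip/bin/seek-bzip-table` only resolve if those files ship in the same binary package as the /usr/bin symlinks; the `usr/share/nodejs/seek-bzip/bin` line added to `seek-bzip.install` takes care of that, but the debdiff carries no test ("[ Tests ] No changes"), so after building please check that `dpkg -L seek-bzip` lists both scripts, that they keep their executable bit, and that `/usr/bin/seek-bunzip` and `/usr/bin/seek-table` actually run, since dangling links are exactly what went unnoticed in 1.0.5-2 (#1040584).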