Processed: severity of 900821 is serious

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 900821 serious
Bug #900821 [src:linux] linux-image-4.9.0-6-amd64: apache reads wrong data over 
cifs filesystems served by samba
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#901136: can't remove if install fails

2018-06-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 +help
Bug #901136 [sysuser-helper,sreview-common] sysuser-helper fails in terrible 
ways if users exist through NSS modules that are not libnss-unix
Added tag(s) help.

-- 
901136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901136: can't remove if install fails

2018-06-12 Thread KAction


control: tag -1 +help

> Control: reassign -1 sysuser-helper,sreview-common
> Control: retitle -1 sysuser-helper fails in terrible ways if users exist 
> through NSS modules that are not libnss-unix

> On Sat, Jun 09, 2018 at 09:53:53AM +, Peter Palfrader wrote:
> > Package: sreview-common
> > Version: 0.3.0-1~bpo.1
> > Severity: grave
> > User: debian-ad...@lists.debian.org
> > Usertags: needed-by-DSA-Team
> > 
> > 
> > sreview-common failed to configure.
> > 
> > | Setting up sreview-common (0.3.0-1~bpo.1) ...
> > | usermod: user 'sreview' does not exist in /etc/passwd
[...]

Bad, bad. Obvious workaround would be to create the user manually, but let us
dig into the root of the problem.

I never worked with NSS, but how did it happen that useradd {in postinst}
created the user in a way that userdel {in prerm} could not find?



Processed: severity of 901148 is important

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # definitely not RC, sorry.
> severity 901148 important
Bug #901148 [timidity] timidity: upgrading to 2.14.0-2 broke sound in KDE plasma
Severity set to 'important' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
901148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bug 900912 is forwarded to http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8204862

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 900912 
> http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8204862
Bug #900912 [src:openjdk-10] openjdk-10: Accessibility does not get loaded
Set Bug forwarded-to-address to 
'http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8204862'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900912
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Axel Beckert
Hi Sebastian,

Sebastian Andrzej Siewior wrote:
> > I don't think so unless a future upload of OpenSSL to unstable fixes
> > this. The recent one to unstable didn't.
> 
> forwarded https://github.com/openssl/openssl/issues/6475
> 
> Just a little question: The missing certificates:
> |rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
> |rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
> |rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
> |rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file
> 
> where are they from?

From the ca-certificates package I assume. At least those errors go
away if I downgrade to 20170717 again and they reappear as soon as I
upgrade to 20180409 on that machine. At least the file names are the
same as in my mail from 12th of April[1] (just in different order).

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895482#10

I just checked: All four CAs are CAs I've chosen to be enabled. But
they're by far not the only CAs which are enabled from ca-certificates
on that machine. So I have no idea what makes those four special.

From debconf-get-selections:

ca-certificates ca-certificates/enable_crts multiselect 
CAcert/class3.crt, CAcert/root.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/GeoTrust_Global_CA_2.crt, mozilla/GeoTrust_Global_CA.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, 
mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, 
mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, 
mozilla/Swisscom_Root_CA_1.crt, mozilla/Swisscom_Root_CA_2.crt, 
mozilla/Swisscom_Root_EV_CA_2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, 
mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA.crt, 
mozilla/thawte_Primary_Root_CA_-_G2.crt, 
mozilla/thawte_Primary_Root_CA_-_G3.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/VeriSign_Universal_Root_Certification_Authority.crt,

> Is there something specific you did to get those
> symlinks which now don't belong to a real file?

No. As mentioned in the initial report, I have ca-certificates to ask
me every time on new CAs if I want to enable them or not. And I'm
rather conservative with enabling CAs. I also do this on most of my
machines, usually with slight differences in the list of enabled CAs.
Nevertheless this only happened on two of my machines.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#901088: marked as done (gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:03:32 +
with message-id 
and subject line Bug#901088: fixed in gnupg1 1.4.21-4+deb9u1
has caused the Debian Bug report #901088,
regarding gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gnupg1
Version: 1.4.21-4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://dev.gnupg.org/T4012

Hi,

The following vulnerability was published for gnupg1. I'm aware this
is only the legacy packages, the issue though is present there and not
having the fix in buster will later on represent a regression from
updates from stretch. Thus the RC severity as well as reasoning.

CVE-2018-12020[0]:
filename sanitization problem in GnuPG

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
[1] https://dev.gnupg.org/T4012

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnupg1
Source-Version: 1.4.21-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated gnupg1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 22:19:01 +0200
Source: gnupg1
Binary: gnupg1 gnupg1-curl gpgv1 gpgv1.4-udeb gnupg1-l10n
Architecture: source
Version: 1.4.21-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers 
Changed-By: Salvatore Bonaccorso 
Closes: 901088
Description: 
 gnupg1 - GNU privacy guard - a PGP implementation (deprecated "classic" ve
 gnupg1-curl - GNU privacy guard (cURL helpers for deprecated "classic" version)
 gnupg1-l10n - GNU privacy guard "classic" - localization files (deprecated)
 gpgv1  - GNU privacy guard - signature verification tool (deprecated "clas
 gpgv1.4-udeb - minimal signature verification tool (deprecated "classic" 
version (udeb)
Changes:
 gnupg1 (1.4.21-4+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
 (Closes: #901088)

Bug#899509: marked as done (firefox-esr: Invalid maintainer address pkg-mozilla-maintain...@lists.alioth.debian.org)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:02:59 +
with message-id 
and subject line Bug#899509: fixed in firefox-esr 52.8.1esr-1~deb9u1
has caused the Debian Bug report #899509,
regarding firefox-esr: Invalid maintainer address 
pkg-mozilla-maintain...@lists.alioth.debian.org
to be marked as done.



-- 
899509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:firefox-esr
Version: 52.8.0esr-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of firefox-esr,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package firefox-esr since the list address
pkg-mozilla-maintain...@lists.alioth.debian.org used in the Maintainer:
field was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-mozilla-maintain...@lists.alioth.debian.org is 2.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: firefox-esr
Source-Version: 52.8.1esr-1~deb9u1

We believe that the bug you reported is fixed in the latest version of
firefox-esr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey  (supplier of updated firefox-esr package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 08 Jun 2018 16:38:21 +0900
Source: firefox-esr
Binary: firefox-esr iceweasel firefox-esr-dev iceweasel-dev 
firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach iceweasel-l10n-ach 
firefox-esr-l10n-af iceweasel-l10n-af firefox-esr-l10n-an iceweasel-l10n-an 
firefox-esr-l10n-ar iceweasel-l10n-ar firefox-esr-l10n-as iceweasel-l10n-as 
firefox-esr-l10n-ast iceweasel-l10n-ast firefox-esr-l10n-az iceweasel-l10n-az 
firefox-esr-l10n-bg iceweasel-l10n-bg firefox-esr-l10n-bn-bd 
iceweasel-l10n-bn-bd firefox-esr-l10n-bn-in iceweasel-l10n-bn-in 
firefox-esr-l10n-br iceweasel-l10n-br firefox-esr-l10n-bs iceweasel-l10n-bs 
firefox-esr-l10n-ca iceweasel-l10n-ca firefox-esr-l10n-cak iceweasel-l10n-cak 
firefox-esr-l10n-cs iceweasel-l10n-cs firefox-esr-l10n-cy iceweasel-l10n-cy 
firefox-esr-l10n-da iceweasel-l10n-da firefox-esr-l10n-de iceweasel-l10n-de 
firefox-esr-l10n-dsb iceweasel-l10n-dsb firefox-esr-l10n-el iceweasel-l10n-el 
firefox-esr-l10n-en-gb iceweasel-l10n-en-gb firefox-esr-l10n-en-za 
iceweasel-l10n-en-za firefox-esr-l10n-eo
 iceweasel-l10n-eo firefox-esr-l10n-es-ar iceweasel-l10n-es-ar 
firefox-esr-l10n-es-cl iceweasel-l10n-es-cl firefox-esr-l10n-es-es 

Bug#900834: marked as done (perl: CVE-2018-12015: Archive::Tar: directory traversal)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:04:09 +
with message-id 
and subject line Bug#900834: fixed in perl 5.24.1-3+deb9u4
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.



-- 
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: perl
Version: 5.26.2-5
Tags: security

By default, the Archive::Tar module doesn't allow extracting files 
outside the current working directory. However, you can bypass this 
secure extraction mode easily by putting a symlink and a regular file 
with the same name into the tarball.


I've attached proof of concept tarball, which makes Archive::Tar create 
/tmp/moo, regardless of what the current working directory is:


  $ tar -tvvf traversal.tar.gz
  lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
  -rw-r--r-- root/root 4 2018-06-05 18:55 moo

  $ pwd
  /home/jwilk

  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory

  $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

  $ ls /tmp/moo
  /tmp/moo

--
Jakub Wilk


traversal.tar.gz
Description: application/gzip
--- End Message ---
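
The symlink-then-file pattern in the report above can be caught by auditing the member list before anything is extracted. This Python check is an added example, not part of the original report or of Archive::Tar; `audit_tar` and `build_sample` are hypothetical names, and the sample archives are constructed in memory (the first mirrors the listing shown in the report).

```python
import io
import posixpath
import tarfile


def build_sample(entries):
    """Build an in-memory tar from (name, kind, payload) tuples (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def _escapes(path):
    """True if a normalized relative path leaves the extraction directory."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def audit_tar(fileobj):
    """Return (member_name, reason) findings; nothing is written to disk."""
    findings = []
    links = {}  # normalized path of each symlink seen so far -> its target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            if _escapes(name):
                findings.append((member.name, "path escapes extraction directory"))

            # A later member whose path equals, or passes through, an earlier
            # symlink would be written wherever that link points.
            parts = name.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    how = ("reuses name of" if i == len(parts)
                           else "is written through")
                    findings.append(
                        (member.name,
                         f"{how} earlier symlink {prefix} -> {links[prefix]}"))
                    break

            if member.issym():
                target = member.linkname
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), target))
                if target.startswith("/") or _escapes(resolved):
                    findings.append(
                        (member.name,
                         f"symlink points outside extraction directory: {target}"))
                links[name] = target
    return findings


# Constructed samples: the layout from the report, and a harmless archive.
REPORT_LAYOUT = [("moo", "symlink", "/tmp/moo"), ("moo", "file", "moo\n")]
BENIGN_LAYOUT = [("dir", "dir", None), ("dir/a.txt", "file", "hi"),
                 ("dir/link", "symlink", "a.txt")]

if __name__ == "__main__":
    for label, layout in (("report", REPORT_LAYOUT), ("benign", BENIGN_LAYOUT)):
        print(label, audit_tar(build_sample(layout)))
```

An archive with any finding should be rejected rather than extracted; the check is deliberately conservative and also flags writes through symlinks whose target stays inside the extraction directory.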
--- Begin Message ---
Source: perl
Source-Version: 5.24.1-3+deb9u4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves  (supplier of updated perl package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 10 Jun 2018 18:37:28 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 
perl
Architecture: all amd64 source
Version: 5.24.1-3+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Closes: 900834
Description: 
 libperl5.24 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules-5.24 - Core Perl modules
Changes:
 perl (5.24.1-3+deb9u4) stretch-security; urgency=high
 .
   * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
 in Archive-Tar (Closes: #900834)

Bug#894404: marked as done (memcached: CVE-2018-1000127)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:04:04 +
with message-id 
and subject line Bug#894404: fixed in memcached 1.4.33-1+deb9u1
has caused the Debian Bug report #894404,
regarding memcached: CVE-2018-1000127
to be marked as done.



-- 
894404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for memcached:

CVE-2018-1000127[0]:
| memcached version prior to 1.4.37 contains an Integer Overflow
| vulnerability in items.c:item_free() that can result in data
| corruption and deadlocks due to items existing in hash table being
| reused from free list. This attack appear to be exploitable via
| network connectivity to the memcached service. This vulnerability
| appears to have been fixed in 1.4.37 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000127

Please adjust the affected versions in the BTS as needed.


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: memcached
Source-Version: 1.4.33-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated memcached package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 11:37:55 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.33-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: David Martínez Moreno 
Changed-By: Salvatore Bonaccorso 
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Guillaume Delacour ]
   * Fix CVE-2017-9951 by checking the integer length of commands that adds or
 replaces key/value pair (Closes: #868701)
   * Fix CVE-2018-1000115
 + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port
   by default (from Ubuntu)
 + debian/NEWS add explanation and document how to re-enable UDP if
   necessary.
 .
   [ Salvatore Bonaccorso ]
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)

Bug#895778: marked as done (jruby: Several security vulnerabilities)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:03:57 +
with message-id 
and subject line Bug#895778: fixed in jruby 1.7.26-1+deb9u1
has caused the Debian Bug report #895778,
regarding jruby: Several security vulnerabilities
to be marked as done.



-- 
895778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby which makes it vulnerable too.

CVE-2018-179[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appear to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-178[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appear to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-177[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-176[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures.. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-175[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop.. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-174[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appear to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-173[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-179
[1] https://security-tracker.debian.org/tracker/CVE-2018-178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-178
[2] https://security-tracker.debian.org/tracker/CVE-2018-177

Bug#886367: marked as done (intel-microcode: spectre microcode updates)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:03:55 +
with message-id 
and subject line Bug#886367: fixed in intel-microcode 3.20180425.1~deb9u1
has caused the Debian Bug report #886367,
regarding intel-microcode: spectre microcode updates
to be marked as done.



-- 
886367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: intel-microcode
Version: 3.20171117.1
Severity: grave

It's been rumored that Intel will be releasing microcode updates to 
(partially?) mitigate some of the effects of meltdown and spectre. It 
appears that the latest version on the website is still 20171117.


Any news of what this will be and when it will happen?

Thanks,

--
Matt Taggart
tagg...@debian.org
--- End Message ---
--- Begin Message ---
Source: intel-microcode
Source-Version: 3.20180425.1~deb9u1

We believe that the bug you reported is fixed in the latest version of
intel-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh  (supplier of updated 
intel-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 18 May 2018 09:15:59 -0300
Source: intel-microcode
Binary: intel-microcode
Architecture: amd64 i386 source
Version: 3.20180425.1~deb9u1
Distribution: stretch
Urgency: critical
Maintainer: Henrique de Moraes Holschuh 
Changed-By: Henrique de Moraes Holschuh 
Closes: 886367 886368 886998 895878 897443
Description: 
 intel-microcode - Processor microcode firmware for Intel CPUs
Changes:
 intel-microcode (3.20180425.1~deb9u1) stretch; urgency=medium
 .
   * Upload to Debian stretch (no changes)
   * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
 for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
 fixes other unspecified errata.  This microcode update pack has been
 extensively tested in Debian unstable, testing, stretch-backports and
 jessie-backports.  It has been extensively deployed by other distributions
 to their stable branches without causing any issues, with one notable
 exception (a distro-specific kernel bug, already fixed by that distro).
 .
 intel-microcode (3.20180425.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180425 (closes: #897443, #895878)
 + Updated Microcodes:
   sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb2c, size 27648
   sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
 + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
 + Note that sig 0x000604f1 has been blacklisted from late-loading
   since Debian release 3.20171117.1.
   * source: remove undesired list files from microcode directories
   * source: switch to microcode-.d/ since Intel dropped .dat
 support.
 .
 intel-microcode (3.20180312.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180312 (closes: #886367)
 + New Microcodes:
   sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
   sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe09, size 18432
 + Updated Microcodes:
   sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
   sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
   sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
   sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
   sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
   sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
   sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
   sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
   sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
   sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
   sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
   sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
   sig 0x00040671, 

Bug#894045: marked as done (libvncserver: CVE-2018-7225)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:03:58 +
with message-id 
and subject line Bug#894045: fixed in libvncserver 0.9.11+dfsg-1+deb9u1
has caused the Debian Bug report #894045,
regarding libvncserver: CVE-2018-7225
to be marked as done.


-- 
894045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.11+dfsg-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated libvncserver package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jun 2018 14:43:47 +0200
Source: libvncserver
Binary: libvncclient1 libvncserver1 libvncserver-dev libvncserver-config 
libvncclient1-dbg libvncserver1-dbg
Architecture: source amd64
Version: 0.9.11+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Peter Spiess-Knafl 
Changed-By: Markus Koschany 
Description:
 libvncclient1 - API to write one's own VNC server - client library
 libvncclient1-dbg - debugging symbols for libvncclient
 libvncserver-config - API to write one's own VNC server - library utility
 libvncserver-dev - API to write one's own VNC server - development files
 libvncserver1 - API to write one's own VNC server
 libvncserver1-dbg - debugging symbols for libvncserver
Closes: 894045
Changes:
 libvncserver (0.9.11+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
 accessed by remote attackers because the msg.cct.length in rfbserver.c was
 not sanitized. (Closes: #894045)
Checksums-Sha1:

Bug#887856: marked as done (intel-microcode: spectre microcode updates)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 22:03:55 +
with message-id 
and subject line Bug#886367: fixed in intel-microcode 3.20180425.1~deb9u1
has caused the Debian Bug report #886367,
regarding intel-microcode: spectre microcode updates
to be marked as done.


-- 
886367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: intel-microcode
Version: 3.20171117.1~bpo9+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now intel-microcode in stretch is still set to 20170707 (20171117
through bpo), which leaves users vulnerable to the Spectre attack
CVE-2017-5715. Could you please quickly bring the microcode update to
stretch, at least on bpo?

Thanks a lot



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages intel-microcode depends on:
ii  iucode-tool  2.1.1-1

Versions of packages intel-microcode recommends:
ii  initramfs-tools  0.130

intel-microcode suggests no packages.

-- no debconf information
--- End Message ---

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Sebastian Andrzej Siewior
On 2018-06-12 22:29:42 [+0200], Axel Beckert wrote:
> Shall I try the version from Experimental, too?
no.

> > (Should some Breaks be added, Depends made stricter?)
> 
> I don't think so unless a future upload of OpenSSL to unstable fixes
> this. The recent one to unstable didn't.

forwarded https://github.com/openssl/openssl/issues/6475

Just a little question: The missing certificates:
|rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
|rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
|rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
|rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file

where are they from? Is there something specific you did to get those
symlinks which now don't belong to a real file?

>   Regards, Axel

Sebastian



Bug#900843: marked as done (bouncycastle: CVE-2018-1000180)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 21:19:31 +
with message-id 
and subject line Bug#900843: fixed in bouncycastle 1.59-2
has caused the Debian Bug report #900843,
regarding bouncycastle: CVE-2018-1000180
to be marked as done.


-- 
900843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.54-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://www.bouncycastle.org/jira/browse/BJA-694

Hi,

The following vulnerability was published for bouncycastle.

CVE-2018-1000180[0]:
| Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier
| have a flaw in the Low-level interface to RSA key pair generator,
| specifically RSA Key Pairs generated in low-level API with added
| certainty may have less M-R tests than expected. This appears to be
| fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
[1] https://www.bouncycastle.org/jira/browse/BJA-694

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.59-2

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated bouncycastle package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 12 Jun 2018 22:38:03 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc 
libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.59-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS 
(Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP 
(Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, 
CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... 
(Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider 
(Documentation)
Closes: 900843
Changes:
 bouncycastle (1.59-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1000180.
 Thanks to Salvatore Bonaccorso for the report. (Closes: #900843)
   * Declare compliance with Debian Policy 4.1.4.
Checksums-Sha1:

Bug#897528: marked as done (sqlalchemy: FTBFS: ImportError: cannot import name 'Directive')

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 23:05:59 +0200
with message-id <20180612210559.jmpbhphd2gg7c...@sar0.p1otr.com>
and subject line fixed in zzzeeksphinx 1.0.20-2
has caused the Debian Bug report #897528,
regarding sqlalchemy: FTBFS: ImportError: cannot import name 'Directive'
to be marked as done.


-- 
897528: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sqlalchemy
Version: 1.2.5+ds1-1
Severity: serious
Tags: buster sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20180502 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):

Processed: Bug #900843 in bouncycastle marked as pending

2018-06-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #900843 [src:bouncycastle] bouncycastle: CVE-2018-1000180
Added tag(s) pending.

-- 
900843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#900843: Bug #900843 in bouncycastle marked as pending

2018-06-12 Thread apo
Control: tag -1 pending

Hello,

Bug #900843 in bouncycastle reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/bouncycastle/commit/6affe8490f67c57e78e03b92964f7bd47ca12bad


Fix CVE-2018-1000180.

Closes: #900843
Thanks: Salvatore Bonaccorso for the report.



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/900843



Bug#886367: marked as done (intel-microcode: spectre microcode updates)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 20:43:55 +
with message-id 
and subject line Bug#886367: fixed in intel-microcode 3.20180425.1~deb8u1
has caused the Debian Bug report #886367,
regarding intel-microcode: spectre microcode updates
to be marked as done.


-- 
886367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: intel-microcode
Version: 3.20171117.1
Severity: grave

It's been rumored that Intel will be releasing microcode updates to 
(partially?) mitigate some of the effects of meltdown and spectre. It 
appears that the latest version on the website is still 20171117.


Any news of what this will be and when it will happen?

Thanks,

--
Matt Taggart
tagg...@debian.org
--- End Message ---
--- Begin Message ---
Source: intel-microcode
Source-Version: 3.20180425.1~deb8u1

We believe that the bug you reported is fixed in the latest version of
intel-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh  (supplier of updated 
intel-microcode package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 18 May 2018 09:38:22 -0300
Source: intel-microcode
Binary: intel-microcode
Architecture: amd64 i386 source
Version: 3.20180425.1~deb8u1
Distribution: jessie
Urgency: critical
Maintainer: Henrique de Moraes Holschuh 
Changed-By: Henrique de Moraes Holschuh 
Closes: 886367 886368 886998 895878 897443
Description: 
 intel-microcode - Processor microcode firmware for Intel CPUs
Changes:
 intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium
 .
   * Upload to Debian jessie (no changes)
   * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
 for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
 fixes other unspecified errata.  This microcode update pack has been
 extensively tested in Debian unstable, testing, stretch-backports and
 jessie-backports.  It has been extensively deployed by other distributions
 to their stable branches without causing any issues, with one notable
 exception (a distro-specific kernel bug, already fixed by that distro).
 .
 intel-microcode (3.20180425.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180425 (closes: #897443, #895878)
 + Updated Microcodes:
   sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb2c, size 27648
   sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
 + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
 + Note that sig 0x000604f1 has been blacklisted from late-loading
   since Debian release 3.20171117.1.
   * source: remove undesired list files from microcode directories
   * source: switch to microcode-.d/ since Intel dropped .dat
 support.
 .
 intel-microcode (3.20180312.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180312 (closes: #886367)
 + New Microcodes:
   sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
   sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe09, size 18432
 + Updated Microcodes:
   sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
   sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
   sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
   sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
   sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
   sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
   sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
   sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
   sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
   sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
   sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
   sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
   sig 0x00040671, 

Bug#894993: marked as done (patch: CVE-2018-1000156: input validation vulnerability when processing patch files)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 20:43:56 +
with message-id 
and subject line Bug#894993: fixed in patch 2.7.5-1+deb8u1
has caused the Debian Bug report #894993,
regarding patch: CVE-2018-1000156: input validation vulnerability when 
processing patch files
to be marked as done.


-- 
894993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: patchutils
Version: 0.3.4-2
Severity: normal
Tags: security

As mentioned at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667
and https://rachelbythebay.com/w/2018/04/05/bangpatch/, it's possible
for someone to create an ed diff that contains arbitrary commands, which
patch will then dutifully execute.  This behavior, which FreeBSD and
OpenBSD have issued security advisories for, is surprising and not
likely to be appreciated by users.

POSIX 1003.1-2008[0] restricts the valid commands in an ed diff to a, c,
d, i, and s.  patch should ensure any input it sends to ed contains only
those commands and abort if it does not.

[0] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages patchutils depends on:
ii  debianutils  4.8.4
ii  libc6        2.27-3
ii  patch        2.7.6-1
ii  perl         5.26.1-5

patchutils recommends no packages.

patchutils suggests no packages.

-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204


--- End Message ---
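
The allowlist check proposed in the report above, as an added Python example (not code from patch, patchutils or the reporter): it accepts an ed-style diff only if every command line is one of a, c, d, i or s. The function name, the rule that a and i take a single address, the restriction of s to the exact form `s/.//` (assumed to be the un-escape for a text line that was a lone period) and the sample scripts are assumptions of this example.

```python
import re

# Optional address or address pair, then exactly one allowed command letter.
_ADDR_CMD = re.compile(r'^(?:(\d+)(?:,(\d+))?)?([acdi])$')
# Assumption: the only substitute form accepted is the one that restores a
# text line that consisted of a single period.
_UNESCAPE = 's/.//'

# Constructed sample scripts.
BENIGN = "3d\n1a\nhello\n2p\n.\n"                    # "2p" here is text, not a command
WITH_PERIOD = "1a\n..\n.\ns/.//\na\ntail\n.\n"       # lone-period text line, un-escaped by s
REJECTED = "1a\ntext\n.\n2p\n5,6a\n\n7c\nnever closed\n"
CR_SMUGGLED = "1d\r2p\n"                             # one line for ed, two for splitlines()


def check_ed_diff(script):
    """Return [(line_number, reason)] for every line that is neither an
    a/c/d/i/s command nor text belonging to one; [] means acceptable."""
    # Split on "\n" only. str.splitlines() also breaks on \r, \x0b, \x85 and
    # others, so the checker and ed could disagree about where lines begin.
    lines = script.split('\n')
    if lines and lines[-1] == '':
        lines.pop()

    problems = []
    in_text = False      # True while reading the text body of a, c or i
    text_start = 0       # line number of the command that opened the body
    for lineno, line in enumerate(lines, 1):
        if in_text:
            # Everything up to a lone "." is data, even if it looks like
            # a command.
            if line == '.':
                in_text = False
            continue
        if line == _UNESCAPE:
            continue
        m = _ADDR_CMD.match(line)
        if m is None:
            problems.append((lineno, 'command not in allowlist: %r' % line))
            continue
        _first, second, letter = m.groups()
        if letter in 'ai' and second is not None:
            problems.append((lineno, 'address range not valid for %r' % letter))
            continue
        if letter in 'aci':
            in_text, text_start = True, lineno
    if in_text:
        problems.append((text_start, 'text block never terminated by "."'))
    return problems


if __name__ == '__main__':
    for label, sample in (('benign', BENIGN), ('with period', WITH_PERIOD),
                          ('rejected', REJECTED), ('cr', CR_SMUGGLED)):
        print(label, check_ed_diff(sample))
```

A caller would refuse to hand the script to ed whenever the returned list is non-empty.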
--- Begin Message ---
Source: patch
Source-Version: 2.7.5-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS)  (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 16 Apr 2018 20:48:14 +
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.5-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Laszlo Boszormenyi (GCS) 
Description:
 patch  - Apply a diff file to an original
Closes: 894993
Changes:
 patch (2.7.5-1+deb8u1) jessie; urgency=medium
 .
   * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
   (closes: #894993).

Bug#887856: marked as done (intel-microcode: spectre microcode updates)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 20:43:55 +
with message-id 
and subject line Bug#886367: fixed in intel-microcode 3.20180425.1~deb8u1
has caused the Debian Bug report #886367,
regarding intel-microcode: spectre microcode updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
886367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: intel-microcode
Version: 3.20171117.1~bpo9+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now intel-microcode of stretch is still set to 20170707 (20171117 through
bpo), which leaves users vulnerable to the Spectre attack CVE-2017-5715. Could you
please quickly bring the microcode update to stretch, at least on bpo?

Thanks a lot



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages intel-microcode depends on:
ii  iucode-tool  2.1.1-1

Versions of packages intel-microcode recommends:
ii  initramfs-tools  0.130

intel-microcode suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: intel-microcode
Source-Version: 3.20180425.1~deb8u1

We believe that the bug you reported is fixed in the latest version of
intel-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh  (supplier of updated 
intel-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 18 May 2018 09:38:22 -0300
Source: intel-microcode
Binary: intel-microcode
Architecture: amd64 i386 source
Version: 3.20180425.1~deb8u1
Distribution: jessie
Urgency: critical
Maintainer: Henrique de Moraes Holschuh 
Changed-By: Henrique de Moraes Holschuh 
Closes: 886367 886368 886998 895878 897443
Description: 
 intel-microcode - Processor microcode firmware for Intel CPUs
Changes:
 intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium
 .
   * Upload to Debian jessie (no changes)
   * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
 for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
 fixes other unspecified errata.  This microcode update pack has been
 extensively tested in Debian unstable, testing, strech-backports and
 jessie-backports.  It has been extensively deployed by other distributions
 to their stable branches without causing any issues, with one notable
 exception (a distro-specific kernel bug, already fixed by that distro).
 .
 intel-microcode (3.20180425.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180425 (closes: #897443, #895878)
 + Updated Microcodes:
   sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb2c, size 27648
   sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
 + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
 + Note that sig 0x000604f1 has been blacklisted from late-loading
   since Debian release 3.20171117.1.
   * source: remove undesired list files from microcode directories
   * source: switch to microcode-.d/ since Intel dropped .dat
 support.
 .
 intel-microcode (3.20180312.1) unstable; urgency=medium
 .
   * New upstream microcode data file 20180312 (closes: #886367)
 + New Microcodes:
   sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
   sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe09, size 18432
 + Updated Microcodes:
   sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
   sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
   sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
   sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, 

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Axel Beckert
Hi Kurt,

Kurt Roeckx wrote:
> > > Given that this openssl update is now in testing, should we close or at
> > > least downgrade this bug so ca-certificates can migrate?
> > 
> > I just unhold ca-certificates 20170717 and upgraded it to 20180409 on
> > one of my affected machines (the i386 one) and unfortunately, the
> > issue (at least mine, which is #895482 with exit status 4, so only
> > Cc'ing that bug report) doesn't seem to be fixed:
> 
> Which openssl version do you have installed?

Valid question. I should have mentioned that explicitly.

It's the current version from unstable/testing:

104/0/0 root@loadrunner:pts/3 22:16:35 [~] # apt-cache policy openssl
openssl:
  Installed: 1.1.0h-4
  Candidate: 1.1.0h-4
  Version table:
 1.1.1~~pre7-1 110
110 https://debian.ethz.ch/debian experimental/main i386 Packages
 *** 1.1.0h-4 990
990 https://debian.ethz.ch/debian sid/main i386 Packages
500 https://debian.ethz.ch/debian testing/main i386 Packages
100 /var/lib/dpkg/status
105/0/0 root@loadrunner:pts/3 22:26:00 [~] # 

Shall I try the version from Experimental, too?

> (Should some Breaks be added, Depends made stricter?)

I don't think so unless a future upload of OpenSSL to unstable fixes
this. The recent one to unstable didn't.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#901413: mnemosyne: Mnemosyne 2.6 does not find cheroot module

2018-06-12 Thread Felix Gruber
Package: mnemosyne
Version: 2.6+ds-1
Severity: serious
Justification: Policy 3.5

Dear Maintainer,

when starting Mnemosyne 2.6 it immediately exits with the following
error message:

---8<8<8<8<---
Log body An unexpected error has occurred.
Please forward the following info to the developers:

Traceback (innermost last):
  File "/usr/bin/mnemosyne", line 262, in 
debug_file=options.debug_file)
  File "/usr/lib/python3/dist-packages/mnemosyne/libmnemosyne/__init__.py",
line 200, in initialise
self.activate_components()
  File "/usr/lib/python3/dist-packages/mnemosyne/libmnemosyne/__init__.py",
line 296, in activate_components
sync_server.activate()
  File "/usr/lib/python3/dist-packages/mnemosyne/pyqt_ui/qt_sync_server.py",
line 196, in activate
component_manager=self.component_manager)
  File "/usr/lib/python3/dist-packages/mnemosyne/pyqt_ui/qt_sync_server.py",
line 67, in __init__
super().__init__(ui=self, **kwds)
  File
"/usr/lib/python3/dist-packages/mnemosyne/libmnemosyne/sync_server.py",
line 31, in __init__
port=config["sync_server_port"], **kwds)
  File "/usr/lib/python3/dist-packages/mnemosyne/libmnemosyne/component.py",
line 57, in __init__
super().__init__(**kwds)  # For parent classes other than 'Object'.
  File "/usr/lib/python3/dist-packages/openSM2sync/server.py", line 98,
in __init__
from cheroot import wsgi
 ModuleNotFoundError: No module named 'cheroot'
--->8>8>8>8---

This is due to the missing cheroot Python package.
See also this discussion upstream:
https://groups.google.com/d/topic/mnemosyne-proj-users/mcuTpPIH61k/discussion

Currently, we do not have packaged cheroot in Debian.
To resolve this bug, we need to create a python3-cheroot package in
Debian and make mnemosyne depend on it. Cheroot can be obtained from
https://pypi.org/project/Cheroot/

Best regards,
Felix



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mnemosyne depends on:
ii  libjs-sphinxdoc 1.7.4-1
ii  libqt5sql5-sqlite   5.10.1+dfsg-7
ii  python3 3.6.5-3
ii  python3-cherrypy3   8.9.1-2
ii  python3-matplotlib  2.2.2-4
ii  python3-pyqt5   5.10.1+dfsg-2
ii  python3-pyqt5.qtsql 5.10.1+dfsg-2
ii  python3-pyqt5.qtwebchannel  5.10.1+dfsg-2
ii  python3-pyqt5.qtwebengine   5.10.1+dfsg-2
ii  python3-webob   1:1.7.3-2

mnemosyne recommends no packages.

mnemosyne suggests no packages.

-- no debconf information



Bug#896726: gedit-source-code-browser-plugin: diff for NMU version 3.0.3-5.1

2018-06-12 Thread Pietro Battiston
Dear Adrian,

On Sun, 10/06/2018 at 16.44 +0300, Adrian Bunk wrote:
> I've prepared an NMU for gedit-source-code-browser-plugin (versioned
> as 
> 3.0.3-5.1) and uploaded it to DELAYED/15. 

Thanks, this is much appreciated.

Pietro



Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Kurt Roeckx
On Tue, Jun 12, 2018 at 09:57:56PM +0200, Axel Beckert wrote:
> Hi,
> 
> Thijs Kinkhorst wrote:
> > >> I've read about this bug (and the other one) on d-devel. I uploaded
> > >> recently a new version of openssl to unstable (1.1.0h-3) which changes
> > >> the exit code of "openssl rehash" to zero in case of a duplicate or if a
> > >> certificate cannot be opened.
> > >> I left this bug open in case the maintainer of this package wants to
> > >> investigate why there are duplicates or non-existing certificates.
> > >
> > > Thanks for the update, Sebastian.
> > >
> > > OpenSSL commit for my own reference and for others, if interested:
> > > https://github.com/openssl/openssl/commit/e6a833cb97ed762408b57ea3efa83bd10c1d2a78
> > 
> > Given that this openssl update is now in testing, should we close or at
> > least downgrade this bug so ca-certificates can migrate?
> 
> I just unhold ca-certificates 20170717 and upgraded it to 20180409 on
> one of my affected machines (the i386 one) and unfortunately, the
> issue (at least mine, which is #895482 with exit status 4, so only
> Cc'ing that bug report) doesn't seem to be fixed:

Which openssl version do you have installed?

(Should some Breaks be added, Depends made stricter?)


Kurt



Processed: severity of 895482 is serious

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # Raising the severity again to RC since then mentioned OpenSSL fix doesn't 
> seem to have helped in this case.
> severity 895482 serious
Bug #895482 [ca-certificates] Fails to upgrade: installed ca-certificates 
package post-installation script subprocess returned error exit status 4
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
895482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895482
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#784476: marked as done ([kchmviewer] Qt4's WebKit removal)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 19:49:48 +
with message-id 
and subject line Bug#784476: fixed in kchmviewer 7.7-1
has caused the Debian Bug report #784476,
regarding [kchmviewer] Qt4's WebKit removal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
784476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: kchmviewer
Version: 6.0-1
Severity: wishlist
User: debian-qt-...@lists.debian.org
Usertags: qt4webkit-removal

Dear Debian KDE Extras Team,

As you might know we the Qt/KDE team are preparing to remove Qt4's WebKit
as announced in [announce].

[announce] 


Basically we are about to get the latest Qt4 point release and upstream is
migrating from WebKit to Bing in the Qt5 series, so we won't have much upstream
support for maintaining Qt4's WebKit.

In order to make this move, all packages directly or indirectly depending on
the Qt4's WebKit library have to either get ported to Qt5 or eventually get
removed from the Debian repositories.

Therefore, please take the time and:
- contact your upstream (if existing) and ask about the state of a Qt5
port of your application
- if there are no activities regarding porting, investigate whether there are
suitable alternatives for your users
- if there is a Qt5 port that is not yet packaged, consider packaging it
- if both the Qt4 and the Qt5 versions already coexist in the Debian
archives, consider removing the Qt4 version

= Porting =

Some of us were involved in various Qt4 to Qt5 migrations [migration] and we
know for sure that porting stuff from Qt4 to Qt5 is much much easier and less
painful than it was from Qt3 to Qt4.

We also understand that there is still a lot of software still using Qt4. In
order to ease the transition time we have provided Wheezy backports for Qt5.

Don't forget to take a look at the C++ API changes page [apichanges] whenever
you start porting your application.

[migration] http://pkg-kde.alioth.debian.org/packagingqtstuff.html
[apichanges] http://doc.qt.io/qt-5/sourcebreaks.html

For any questions and issues, do not hesitate to contact the Debian Qt/KDE
team at debian-qt-...@lists.debian.org

Ana,
on behalf of the Qt4 maintainers
--- End Message ---
--- Begin Message ---
Source: kchmviewer
Source-Version: 7.7-1

We believe that the bug you reported is fixed in the latest version of
kchmviewer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 784...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian KDE Extras Team  (supplier of 
updated kchmviewer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 13 Jun 2018 00:25:19 +0500
Source: kchmviewer
Binary: kchmviewer
Architecture: source
Version: 7.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team 
Changed-By: Debian KDE Extras Team 
Description:
 kchmviewer - CHM viewer for KDE
Closes: 784476 838076 874936 879300
Changes:
 kchmviewer (7.7-1) unstable; urgency=medium
 .
   [ Pino Toscano ]
   * New upstream release.
   * Switch the build to Qt5: (Closes: #784476, #874936).
 - remove the cmake, pkg-kde-tools, kdelibs5-dev, and libqtwebkit-dev build
   dependencies
 - add the qtbase5-dev, and libqt5webkit5-dev build dependencies
 - drop the usage of the kde dh addon
 - force the use of the qmake build system
 - export QT_SELECT=5 to make sure to use Qt5
   * Update the patches:
 - disable_check_new_version.patch: refresh
 - link-x11.diff: drop, cmake is no more used
   * Force the usage of QtWebKit, no matter the Qt5 version; patch
 force_qtwebkit.diff.
 .
   [ Andrey Rahmatullin ]
   * Adopt the package (Closes: #879300), add myself to Uploaders.
   * Remove Jose Luis Tallon from Uploaders (Closes: #838076).
   * Switch to the debhelper compat level 11, adjust debhelper B-D accordingly,
 remove explicit --parallel.
   * Fix building with --as-needed (fix_lib_order.patch added).
   * Install files manually as the qmake build system doesn't support
 installing.
   * 

Bug#900834: marked as done (perl: CVE-2018-12015: Archive::Tar: directory traversal)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 19:33:56 +
with message-id 
and subject line Bug#900834: fixed in perl 5.20.2-3+deb8u11
has caused the Debian Bug report #900834,
regarding perl: CVE-2018-12015: Archive::Tar: directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: perl
Version: 5.26.2-5
Tags: security

By default, the Archive::Tar module doesn't allow extracting files 
outside the current working directory. However, you can bypass this 
secure extraction mode easily by putting a symlink and a regular file 
with the same name into the tarball.


I've attached proof of concept tarball, which makes Archive::Tar create 
/tmp/moo, regardless of what the current working directory is:


  $ tar -tvvf traversal.tar.gz
  lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
  -rw-r--r-- root/root 4 2018-06-05 18:55 moo

  $ pwd
  /home/jwilk

  $ ls /tmp/moo
  ls: cannot access '/tmp/moo': No such file or directory

  $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'

  $ ls /tmp/moo
  /tmp/moo

--
Jakub Wilk


traversal.tar.gz
Description: application/gzip
--- End Message ---
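
A pre-extraction check for the archive layout described in the report above, as an added Python example (not Archive::Tar code and not the fix shipped in the perl upload that closes this bug): it lists the members without extracting anything and flags any member that would be written through a symlink declared earlier in the same archive. The function names and the sample archives are assumptions of this example; the first sample mirrors the `tar -tvvf` listing in the report.

```python
import io
import posixpath
import tarfile

# Constructed samples: (member name, symlink target or None, file data or None).
SAME_NAME = [('moo', '/tmp/moo', None), ('moo', None, b'moo\n')]
UNDER_LINKED_DIR = [('d', '/tmp', None), ('d/x', None, b'x')]
CLEAN = [('a', None, b'1'), ('b', 'a', None)]


def build_tar(entries):
    """Build an in-memory tar from the tuples above (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tf:
        for name, link_target, data in entries:
            info = tarfile.TarInfo(name)
            if link_target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link_target
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_writes_through_links(tar_bytes):
    """Return [(member, link_path, link_target)] for each member whose own
    path, or a parent directory of it, is a symlink stored earlier in the
    archive. Nothing is extracted; only headers are read."""
    findings = []
    links = {}   # normalised path of each symlink seen so far -> its target
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode='r:*') as tf:
        for member in tf:
            name = posixpath.normpath(member.name)
            parts = name.split('/')
            is_link = member.issym()
            for depth in range(1, len(parts) + 1):
                prefix = '/'.join(parts[:depth])
                if prefix not in links:
                    continue
                if depth == len(parts) and is_link:
                    continue   # a symlink replacing a symlink writes no data
                findings.append((member.name, prefix, links[prefix]))
                break
            if is_link:
                links[name] = member.linkname
    return findings


if __name__ == '__main__':
    for label, entries in (('same name', SAME_NAME),
                           ('under linked dir', UNDER_LINKED_DIR),
                           ('clean', CLEAN)):
        print(label, find_writes_through_links(build_tar(entries)))
```

Checking only each member's own name for `..` or a leading `/` does not catch this case, because both members are named plain `moo`; the order of members inside the archive is what matters.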
--- Begin Message ---
Source: perl
Source-Version: 5.20.2-3+deb8u11

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves  (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 10 Jun 2018 18:40:37 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Closes: 900834
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u11) jessie-security; urgency=high
 .
   * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
 in Archive-Tar (Closes: #900834)

Bug#899509: marked as done (firefox-esr: Invalid maintainer address pkg-mozilla-maintain...@lists.alioth.debian.org)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 19:33:28 +
with message-id 
and subject line Bug#899509: fixed in firefox-esr 52.8.1esr-1~deb8u1
has caused the Debian Bug report #899509,
regarding firefox-esr: Invalid maintainer address 
pkg-mozilla-maintain...@lists.alioth.debian.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:firefox-esr
Version: 52.8.0esr-1
Severity: serious
User: ad...@alioth-lists.debian.net
Usertag: alioth-lists-maintainer

Dear uploader of firefox-esr,

as you've probably heard, Debian's alioth services are shutting down.
This affects your package firefox-esr since the list address
pkg-mozilla-maintain...@lists.alioth.debian.org used in the Maintainer:
field was not transferred to the alioth-lists service that provides a
continuation for the lists in the @lists.alioth.debian.org domain.

Addresses that were not migrated have been disabled some time  ago. As
a result your package is now in violation of a "must" in the Debian
policy (3.3, working email address), making it unfit for release.

Please fix this before long. Among other reasons, keep in mind bug
reports and important notifications about your package might not reach
you.

Your options:

* Upload another version with a new maintainer address of your choice,

* Migrate the list to the new system. This is still possible,
  please appoint a Debian developer as a list owner first, then
  contact the alioth lists migration team 
  and provide all the necessary information.

  More information about the new service can be found here:
  

* More options, even if imperfect, can be found at
  


The first option is probably suitable only if the address was used just
in a small number of packages since this requires an upload for each of
them. To our knowledge, the usage count of
pkg-mozilla-maintain...@lists.alioth.debian.org is 2.

The second option is available for a limited time only, by end of
May 2018 the most. So if you're interested in going this way, start the
process as soon as possible.

Note, as mails to the maintainer address will not get through, this
bugreport is Cc'ed (X-Debbugs-CC:) to all uploaders of the package.

Regards,

Christoph and some alioth-lists maintainers


--- End Message ---
--- Begin Message ---
Source: firefox-esr
Source-Version: 52.8.1esr-1~deb8u1

We believe that the bug you reported is fixed in the latest version of
firefox-esr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey  (supplier of updated firefox-esr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 08 Jun 2018 16:38:21 +0900
Source: firefox-esr
Binary: firefox-esr iceweasel firefox-esr-dbg iceweasel-dbg firefox-esr-dev 
iceweasel-dev firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach 
iceweasel-l10n-ach firefox-esr-l10n-af iceweasel-l10n-af firefox-esr-l10n-an 
iceweasel-l10n-an firefox-esr-l10n-ar iceweasel-l10n-ar firefox-esr-l10n-as 
iceweasel-l10n-as firefox-esr-l10n-ast iceweasel-l10n-ast firefox-esr-l10n-az 
iceweasel-l10n-az firefox-esr-l10n-bg iceweasel-l10n-bg firefox-esr-l10n-bn-bd 
iceweasel-l10n-bn-bd firefox-esr-l10n-bn-in iceweasel-l10n-bn-in 
firefox-esr-l10n-br iceweasel-l10n-br firefox-esr-l10n-bs iceweasel-l10n-bs 
firefox-esr-l10n-ca iceweasel-l10n-ca firefox-esr-l10n-cak iceweasel-l10n-cak 
firefox-esr-l10n-cs iceweasel-l10n-cs firefox-esr-l10n-cy iceweasel-l10n-cy 
firefox-esr-l10n-da iceweasel-l10n-da firefox-esr-l10n-de iceweasel-l10n-de 
firefox-esr-l10n-dsb iceweasel-l10n-dsb firefox-esr-l10n-el iceweasel-l10n-el 
firefox-esr-l10n-en-gb iceweasel-l10n-en-gb firefox-esr-l10n-en-za
 iceweasel-l10n-en-za firefox-esr-l10n-eo iceweasel-l10n-eo 
firefox-esr-l10n-es-ar iceweasel-l10n-es-ar firefox-esr-l10n-es-cl 
iceweasel-l10n-es-cl 

Bug#894045: marked as done (libvncserver: CVE-2018-7225)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 19:33:49 +
with message-id 
and subject line Bug#894045: fixed in libvncserver 0.9.9+dfsg2-6.1+deb8u3
has caused the Debian Bug report #894045,
regarding libvncserver: CVE-2018-7225
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
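
The CVE text above concerns a client-supplied length field (msg.cct.length) that is used without being sanitized. The following is an added example, not code from libvncserver or from the bug report: a bounds-checked parser for an RFB ClientCutText message held in a buffer. The function names, the buffer-based interface and the 1 MiB cap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFB ClientCutText wire layout:
 *   message-type (1 byte, value 6), padding (3 bytes),
 *   length (4 bytes, big-endian), text (length bytes). */
#define RFB_CLIENT_CUT_TEXT 6
#define CUT_TEXT_HEADER_LEN 8
#define MAX_CUT_TEXT_LEN (1u << 20) /* assumed policy cap (1 MiB), not from the page */

enum cut_text_status {
    CUT_OK = 0,
    CUT_TRUNCATED_HEADER,
    CUT_WRONG_TYPE,
    CUT_LENGTH_TOO_LARGE,
    CUT_TRUNCATED_BODY,
    CUT_NO_MEMORY
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one ClientCutText message from buf[0..avail). On CUT_OK, *text_out is
 * a NUL-terminated heap copy of the text (caller frees) and *len_out its length. */
enum cut_text_status parse_client_cut_text(const uint8_t *buf, size_t avail,
                                           char **text_out, uint32_t *len_out)
{
    *text_out = NULL;
    *len_out = 0;

    if (avail < CUT_TEXT_HEADER_LEN)
        return CUT_TRUNCATED_HEADER;
    if (buf[0] != RFB_CLIENT_CUT_TEXT)
        return CUT_WRONG_TYPE;

    uint32_t len = read_be32(buf + 4);

    /* Reject oversized claims before any allocation or arithmetic on len,
     * so that len + 1 below cannot wrap and memory use stays bounded. */
    if (len > MAX_CUT_TEXT_LEN)
        return CUT_LENGTH_TOO_LARGE;

    /* The claimed length must be covered by bytes actually received;
     * otherwise the tail of the text buffer would never be written. */
    if ((size_t)len > avail - CUT_TEXT_HEADER_LEN)
        return CUT_TRUNCATED_BODY;

    /* calloc zero-fills, so no stale heap content can reach the consumer. */
    char *text = calloc((size_t)len + 1, 1);
    if (text == NULL)
        return CUT_NO_MEMORY;
    memcpy(text, buf + CUT_TEXT_HEADER_LEN, len);

    *text_out = text;
    *len_out = len;
    return CUT_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_ok[] = {6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t sample_short_body[] = {6, 0, 0, 0, 0, 0, 0, 64, 'h', 'i'};
static const uint8_t sample_huge[] = {6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff};

/* Parse, release the copy, and return only the status. */
int status_of(const uint8_t *buf, size_t avail)
{
    char *text;
    uint32_t len;
    enum cut_text_status st = parse_client_cut_text(buf, avail, &text, &len);
    free(text);
    return (int)st;
}

int main(void)
{
    printf("well-formed:      %d\n", status_of(sample_ok, sizeof sample_ok));
    printf("length > payload: %d\n", status_of(sample_short_body, sizeof sample_short_body));
    printf("length 0xffffffff: %d\n", status_of(sample_huge, sizeof sample_huge));
    return 0;
}
```
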
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.9+dfsg2-6.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jun 2018 14:05:57 +0200
Source: libvncserver
Binary: libvncclient0 libvncserver0 libvncserver-dev libvncserver-config 
libvncclient0-dbg libvncserver0-dbg linuxvnc
Architecture: source amd64
Version: 0.9.9+dfsg2-6.1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Peter Spiess-Knafl 
Changed-By: Markus Koschany 
Description:
 libvncclient0 - API to write one's own vnc server - client library
 libvncclient0-dbg - debugging symbols for libvncclient
 libvncserver-config - API to write one's own vnc server - library utility
 libvncserver-dev - API to write one's own vnc server - development files
 libvncserver0 - API to write one's own vnc server
 libvncserver0-dbg - debugging symbols for libvncserver
 linuxvnc   - VNC server to allow remote access to a tty
Closes: 894045
Changes:
 libvncserver (0.9.9+dfsg2-6.1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
 accessed by remote attackers because the msg.cct.length in rfbserver.c was
 not sanitized. (Closes: #894045)

Bug#860952: marked as done (Statically linked to glibc, in breach of policy and copyright)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 19:34:02 +
with message-id 
and subject line Bug#860952: fixed in rar 2:4.2.0+dfsg.1-0.1
has caused the Debian Bug report #860952,
regarding Statically linked to glibc, in breach of policy and copyright
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860952
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rar
Version: 2:5.4.0-1
Severity: serious

Policy forbids executables statically linked to glibc (though other
C libraries such as dietlibc are allowed).

This is also a copyright violation.  Proprietary programs can
generally be dynamically linked with glibc and distributed under the
terms of LGPL 2.1 section 6, but a statically linked binary does not
comply - there are no object files for the rest of rar, and we don't
even know which version of glibc to provide source for.

Ben.

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: rar
Source-Version: 2:4.2.0+dfsg.1-0.1

We believe that the bug you reported is fixed in the latest version of
rar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings  (supplier of updated rar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Jun 2018 00:38:24 +0100
Source: rar
Binary: rar
Architecture: amd64 i386 source
Version: 2:4.2.0+dfsg.1-0.1
Distribution: jessie
Urgency: medium
Maintainer: Martin Meredith 
Changed-By: Ben Hutchings 
Closes: 693396 860952
Description: 
 rar- Archiver for .rar files
Changes:
 rar (2:4.2.0+dfsg.1-0.1) jessie; urgency=medium
 .
   * Non-maintainer upload
   * Repacked orig tarball excludes statically linked rar
 (Closes: #693396, #860952)
   * Install dynamically linked rar and remove the lintian override for it
 being static
   * Remove lintian override for default.sfx being static, which it hasn't
 been for a long time

Bug#879034: pdfshuffler: port to gir1.2-poppler-0.18

2018-06-12 Thread Andrey Rahmatullin
On Wed, Oct 18, 2017 at 06:43:07PM +0200, Emilio Pozuelo Monfort wrote:
> In fact, there is a port at https://github.com/jeromerobert/pdfshuffler,
> using new poppler and gtk bindings, and python3. It'd be nice to get
> an updated package.
I wanted to try packaging this and I cannot find the upstream source.
- https://github.com/jeromerobert/pdfshuffler, especially
https://github.com/jeromerobert/pdfshuffler/issues/9, say this is an
unofficial mirror, and it seems the porting work is not specific to that
repo.
- the "old" official repo is at https://gna.org/projects/pdfshuffler/
which is dead.
- the current official project seems to be
https://savannah.nongnu.org/projects/pdfshuffler/ (see issue #9 above and
https://sourceforge.net/p/pdfshuffler/feature-requests/36/ linked there).
- but that seems to not contain any kind of source repo, the builtin SVN
repo is empty.
I've just found https://sourceforge.net/p/pdfshuffler/feature-requests/37/
mentioning all of that and it seems the only surviving repo is actually
that unofficial mirror. Maybe I should just package its HEAD.

-- 
WBR, wRAR




Bug#901406: haskell-cipher-aes: unaligned access on arm64 kernel (armhf binary) segfauts during testsuite

2018-06-12 Thread Gianfranco Costamagna
Source: haskell-cipher-aes
Version: 0.2.11-6
Severity: serious
Forwarded: https://github.com/vincenthz/hs-cipher-aes/issues/38

(copy-pasting from upstream ticket)
Hello, I see a bus error with ghc 8.2.2 but not with the previous ghc 8.0
https://launchpad.net/ubuntu/+source/haskell-cipher-aes/0.2.11-6/+build/14904327
Do you have any advice for me?
It seems there is some misalignment during aes_generic_encrypt_cbc function exit, but I 
can't find it.
To reproduce, just run testsuite on armhf target with arm64 kernel.
(this affects both Debian and Ubuntu, unfortunately Debian runs armhf on 32bit 
kernel and user-space)


thanks

Gianfranco



Bug#898705: marked as done (android-platform-libcore FTBFS with debhelper v11)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 15:34:38 +
with message-id 
and subject line Bug#898705: fixed in android-platform-libcore 8.1.0+r23-1
has caused the Debian Bug report #898705,
regarding android-platform-libcore FTBFS with debhelper v11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
898705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898705
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: android-platform-libcore
Version: android-platform-libcore 7.0.0+r33-1
Severity: important

Dear Maintainer,

I was trying to update this package to android 8.1.0-r23 but it failed to build 
from source with debhelper v11. I had previously installed debhelper v11 from 
outside the software channel
(my system is in Debian stretch) along with dh-autoreconf_17_all for some other 
package. So when I tried to build from the source package it failed, giving me 
the following error.


dh_auto_clean
"find . -wholename .*build/tmp | xargs echo | sed -e 
's^build/tmp^build^g' | xargs rm -Rf"
Can't exec "find . -wholename .*build/tmp | xargs echo | sed -e 
's^build/tmp^build^g' | xargs rm -Rf": No such file or directory at 
/usr/share/perl5/Debian/Debhelper/Dh_Lib.pm line 356.
dh_auto_clean: "find . -wholename .*build/tmp | xargs echo | sed -e 
's^build/tmp^build^g' | xargs rm -Rf" failed to execute: No child processes
dh_auto_clean: "find . -wholename .*build/tmp | xargs echo | sed -e 
's^build/tmp^build^g' | xargs rm -Rf" returned exit code 10

I think it can't find /usr/share/perl5/Debian/Debhelper/Dh_Lib.pm

So I searched for the file using apt-file and found it's in debhelper, and 
reinstalled debhelper 10 from the software channel, and it built successfully.
Contact me at saif...@cse.mrt.ac.lk if you need. Cheers :)

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: android-platform-libcore
Source-Version: 8.1.0+r23-1

We believe that the bug you reported is fixed in the latest version of
android-platform-libcore, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Saif Abdul Cassim  (supplier of updated 
android-platform-libcore package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 May 2018 14:15:35 +0530
Source: android-platform-libcore
Binary: libandroid-json-java android-platform-libcore-headers
Architecture: source
Version: 8.1.0+r23-1
Distribution: experimental
Urgency: medium
Maintainer: Android Tools Maintainers 

Changed-By: Saif Abdul Cassim 
Description:
 android-platform-libcore-headers - Header files in AOSP repository 
platform/libcore
 libandroid-json-java - Android rewrite of the evil licensed json.org
Closes: 883894 898705
Changes:
 android-platform-libcore (8.1.0+r23-1) experimental; urgency=medium
 .
   * New upstream release (Closes: #883894, #898705)
   * Remove the Javadoc package due to low popcon
 .
   [ 殷啟聰 | Kai-Chung Yan ]
   * Upgrade to debhelper 11
   * Install the `NOTICE` file in every package
   * Remove `libandroid-dex-java`: Sources are moved to 
`android-platform-dalvik`

Bug#891088: marked as done (miniupnpd: modifies conffiles (policy 10.7.3): /etc/default/miniupnpd)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 15:19:48 +
with message-id 
and subject line Bug#891088: fixed in miniupnpd 2.1-1
has caused the Debian Bug report #891088,
regarding miniupnpd: modifies conffiles (policy 10.7.3): /etc/default/miniupnpd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: miniupnpd
Version: 2.0.20171212-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package modifies conffiles.
This is forbidden by the policy, see
https://www.debian.org/doc/debian-policy/#configuration-files

10.7.3: "[...] The easy way to achieve this behavior is to make the
configuration file a conffile. [...] This implies that the default
version will be part of the package distribution, and must not be
modified by the maintainer scripts during installation (or at any
other time)."

Note that once a package ships a modified version of that conffile,
dpkg will prompt the user for an action how to handle the upgrade of
this modified conffile (that was not modified by the user).

Further in 10.7.3: "[...] must not ask unnecessary questions
(particularly during upgrades) [...]"

If a configuration file is customized by a maintainer script after
having asked some debconf questions, it may not be marked as a
conffile. Instead a template could be installed in /usr/share and used
by the postinst script to fill in the custom values and create (or
update) the configuration file (preserving any user modifications!).
This file must be removed during postrm purge.
ucf(1) may help with these tasks.
See also https://wiki.debian.org/DpkgConffileHandling

In https://lists.debian.org/debian-devel/2012/09/msg00412.html and
followups it has been agreed that these bugs are to be filed with
severity serious.

debsums reports modification of the following files,
from the attached log (scroll to the bottom...):

  /etc/default/miniupnpd


cheers,

Andreas


miniupnpd_2.0.20171212-2.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: miniupnpd
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
miniupnpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yangfl  (supplier of updated miniupnpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Jun 2018 11:39:08 +0800
Source: miniupnpd
Binary: miniupnpd
Architecture: source amd64
Version: 2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Thomas Goirand 
Changed-By: Yangfl 
Description:
 miniupnpd  - UPnP and NAT-PMP daemon for gateway routers
Closes: 891088 891168 899025
Changes:
 miniupnpd (2.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Disable hurd-any due to lack of rt_msghdr and RTM_*.
   * Add --igd2 back, since 'force_igd_desc_v1' is now available.
   * Deprecate MiniUPnPd_EXTERNAL_INTERFACE and MiniUPnPd_LISTENING_IP in
 /etc/default/miniupnpd (Closes: #891088).
   * Add systemd service file.
   * Add Debconf translations, with thanks to:
 - Brazilian Portuguese, Adriano Rafael Gomes (Closes: #891168).
 - Dutch, Frans Spiesschaert (Closes: #899025).
   * Update patch file.
   * Bump Standards-Version to 4.1.4.
   * debian/watch: Check for PGP signature.
   * debian/watch: Only watch for release versions.

Processed (with 1 error): Gcc ICE on compiling chromium 68 [arm64 armhf]

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 901290 gcc-6
Bug #901290 [src:chromium-browser] chromium: version 68 arm build causes 
internal compiler error
Bug reassigned from package 'src:chromium-browser' to 'gcc-6'.
No longer marked as found in versions chromium-browser/68.0.3440.7-1.
Ignoring request to alter fixed versions of bug #901290 to the same values 
previously set
> notfound 901290 68.0.3440.7-1
Bug #901290 [gcc-6] chromium: version 68 arm build causes internal compiler 
error
There is no source info for the package 'gcc-6' at version '68.0.3440.7-1' with 
architecture ''
Unable to make a source version for version '68.0.3440.7-1'
Ignoring request to alter found versions of bug #901290 to the same values 
previously set
> found 6.4.0-17
Unknown command or malformed arguments to command.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
901290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901290: Gcc ICE on compiling chromium 68 [arm64 armhf]

2018-06-12 Thread Riku Voipio
reassign 901290 gcc-6
notfound 901290 68.0.3440.7-1
found 6.4.0-17
thanks

Compiling chrome 68 results in a gcc ICE. This affects both arm64[1] and
armhf[2]. Filing against gcc-6 as this is what buildd used, but this affects 
other versions too:

+-------+-------+-------+-------+
|       | gcc-6 | gcc-7 | gcc-8 |
+-------+-------+-------+-------+
| armhf | ICE   | ICE   | ICE   |
| arm64 | ICE   | works | works |
+-------+-------+-------+-------+

gcc-6 -MMD -MF obj/skia/skcms/Transform.o.d -DV8_DEPRECATION_WARNINGS 
-DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -DUSE_X11=1 
-DNO_TCMALLOC -DFULL_SAFE_BROWSING -DSAFE_BROWSING_CSD -DSAFE_BROWSING_DB_LOCAL 
-DCHROMIUM_BUILD -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 
-D_LARGEFILE64_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS 
-D_FORTIFY_SOURCE=2 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 
-I../.. -Igen -I../../third_party/skia/third_party/skcms -w -std=c11 
-fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector 
-Wno-builtin-macro-redefined -D__DATE__= -D__TIME__= -D__TIMESTAMP__= 
-funwind-tables -fPIC -pipe -pthread -march=armv7-a -mfloat-abi=hard 
-mtune=generic-armv7-a -mfpu=vfpv3-d16 -mthumb -Wall -Wno-psabi 
-Wno-unused-local-typedefs -Wno-maybe-uninitialized 
-Wno-deprecated-declarations -fno-delete-null-pointer-checks -Wno-comments 
-Wno-missing-field-initializers -Wno-unused-parameter -Os -fno-ident 
-fdata-sections -ffunction-sections -fno-omit-frame-pointer -g0 
-fvisibility=hidden -std=gnu11 -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 
-fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat 
-Werror=format-security -c 
../../third_party/skia/third_party/skcms/src/Transform.c -o 
obj/skia/skcms/Transform.o
In file included from 
../../third_party/skia/third_party/skcms/src/Transform.c:176:0:
../../third_party/skia/third_party/skcms/src/Transform_inl.h: In function 
'exec_ops':
../../third_party/skia/third_party/skcms/src/Transform_inl.h:159:20: internal 
compiler error: in store_constructor, at expr.c:6565
 *rgba = (*rgba & 0x00ff00ff00ff00ff) << 8
 ~~~^
Please submit a full bug report,
with preprocessed source if appropriate.
See  for instructions.
Preprocessed source stored into /tmp/ccLLjPon.out file, please attach this to 
your bugreport.

[1] 
https://buildd.debian.org/status/fetch.php?pkg=chromium-browser=arm64=68.0.3440.7-1=1528688783=1
[2] 
https://buildd.debian.org/status/fetch.php?pkg=chromium-browser=armhf=68.0.3440.7-1=1528694705=1
// === BEGIN GCC DUMP ===
// Target: arm-linux-gnueabihf
// Configured with: ../src/configure -v --with-pkgversion='Debian 6.4.0-17' 
--with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs 
--enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++ --prefix=/usr 
--with-as=/usr/bin/arm-linux-gnueabihf-as 
--with-ld=/usr/bin/arm-linux-gnueabihf-ld --program-suffix=-6 
--program-prefix=arm-linux-gnueabihf- --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu 
--enable-libstdcxx-debug --enable-libstdcxx-time=yes 
--with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-libitm 
--disable-libquadmath --enable-plugin --enable-default-pie --with-system-zlib 
--with-target-system-zlib --enable-objc-gc=auto --enable-multiarch 
--disable-sjlj-exceptions --with-arch=armv7-a --with-fpu=vfpv3-d16 
--with-float=hard --with-mode=thumb --enable-checking=release 
--build=arm-linux-gnueabihf --host=arm-linux-gnueabihf 
--target=arm-linux-gnueabihf
// Thread model: posix
// gcc version 6.4.0 20180424 (Debian 6.4.0-17) 
// 
// In file included from 
../../third_party/skia/third_party/skcms/src/Transform.c:176:0:
// ../../third_party/skia/third_party/skcms/src/Transform_inl.h: In function 
'exec_ops':
// ../../third_party/skia/third_party/skcms/src/Transform_inl.h:159:20: 
internal compiler error: in store_constructor, at expr.c:6565
//  *rgba = (*rgba & 0x00ff00ff00ff00ff) << 8
//  ~~~^
// Please submit a full bug report,
// with preprocessed source if appropriate.
// See  for instructions.

// /usr/lib/gcc/arm-linux-gnueabihf/6/cc1 -quiet -I ../.. -I gen -I 
../../third_party/skia/third_party/skcms -imultilib . -imultiarch 
arm-linux-gnueabihf -MMD obj/skia/skcms/Transform.d -MF 
obj/skia/skcms/Transform.o.d -MQ obj/skia/skcms/Transform.o -D_REENTRANT -D 
V8_DEPRECATION_WARNINGS -D USE_UDEV -D USE_AURA=1 -D USE_GLIB=1 -D 
USE_NSS_CERTS=1 -D USE_X11=1 -D NO_TCMALLOC -D FULL_SAFE_BROWSING -D 
SAFE_BROWSING_CSD -D SAFE_BROWSING_DB_LOCAL -D CHROMIUM_BUILD -D 
_FILE_OFFSET_BITS=64 -D _LARGEFILE_SOURCE -D _LARGEFILE64_SOURCE -D 
__STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D _FORTIFY_SOURCE=2 -D NDEBUG 
-D NVALGRIND -D DYNAMIC_ANNOTATIONS_ENABLED=0 -D __DATE__= -D __TIME__= -D 
__TIMESTAMP__= -D _FORTIFY_SOURCE=2 
../../third_party/skia/third_party/skcms/src/Transform.c -quiet 

Bug#897514: marked as done (haskell-trifecta: FTBFS: Could not find module `Build_doctests')

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 12:49:27 +
with message-id 
and subject line Bug#897514: fixed in haskell-trifecta 1.7.1.1-3
has caused the Debian Bug report #897514,
regarding haskell-trifecta: FTBFS: Could not find module `Build_doctests'
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: haskell-trifecta
Version: 1.7.1.1-2
Severity: serious
Tags: buster sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20180502 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):
>  debian/rules build
> test -x debian/rules
> mkdir -p "."
> CDBS WARNING:DEB_DH_STRIP_ARGS is deprecated since 0.4.85
> CDBS WARNING:DEB_COMPRESS_EXCLUDE is deprecated since 0.4.85
> . /usr/share/haskell-devscripts/Dh_Haskell.sh && \
> make_setup_recipe
> Running ghc --make Setup.lhs -o debian/hlibrary.setup
> [1 of 2] Compiling Warning  ( Warning.hs, Warning.o )
> [2 of 2] Compiling Main ( Setup.lhs, Setup.o )
> 
> Setup.lhs:24:1: warning: [-Wdeprecations]
> Module `Warning':
>   You are configuring this package without cabal-doctest installed.
>   The doctests test-suite will not work as a result.
>   To fix this, install cabal-doctest before configuring.
>|
> 24 | import Warning ()
>| ^
> Linking debian/hlibrary.setup ...
> . /usr/share/haskell-devscripts/Dh_Haskell.sh && \
> configure_recipe
> Running debian/hlibrary.setup configure --ghc -v2 
> --package-db=/var/lib/ghc/package.conf.d --prefix=/usr 
> --libdir=/usr/lib/haskell-packages/ghc/lib --libexecdir=/usr/lib 
> --builddir=dist-ghc --ghc-option=-optl-Wl\,-z\,relro 
> --haddockdir=/usr/lib/ghc-doc/haddock/trifecta-1.7.1.1/ --datasubdir=trifecta 
> --htmldir=/usr/share/doc/libghc-trifecta-doc/html/ --enable-library-profiling 
> --enable-tests
> Configuring trifecta-1.7.1.1...
> Dependency QuickCheck -any: using QuickCheck-2.10.1
> Dependency ansi-terminal >=0.6 && <0.9: using ansi-terminal-0.8.0.2
> Dependency ansi-wl-pprint >=0.6.6 && <0.7: using ansi-wl-pprint-0.6.8.2
> Dependency array >=0.3.0.2 && <0.6: using array-0.5.2.0
> Dependency base >=4.4 && <5: using base-4.10.1.0
> Dependency blaze-builder >=0.3.0.1 && <0.5: using blaze-builder-0.4.1.0
> Dependency blaze-html >=0.5 && <0.10: using blaze-html-0.9.0.1
> Dependency blaze-markup >=0.5 && <0.9: using blaze-markup-0.8.2.0
> Dependency bytestring >=0.9.1 && <0.11: using bytestring-0.10.8.2
> Dependency charset >=0.3.5.1 && <1: using charset-0.3.7.1
> Dependency comonad >=4 && <6: using comonad-5.0.3
> Dependency containers >=0.3 && <0.6: using containers-0.5.10.2
> Dependency deepseq >=1.2.0.1 && <1.5: using deepseq-1.4.3.0
> Dependency doctest >=0.11.1 && <0.16: using doctest-0.13.0
> Dependency fingertree ==0.1.*: using fingertree-0.1.4.1
> Dependency ghc-prim -any: using ghc-prim-0.5.1.1
> Dependency hashable >=1.2.1 && <1.3: using hashable-1.2.7.0
> Dependency lens >=4.0 && <5: using lens-4.16.1
> Dependency mtl >=2.0.1 && <2.3: using mtl-2.2.2
> Dependency parsers >=0.12.1 && <1: using parsers-0.12.8
> Dependency profunctors >=4.0 && <6: using profunctors-5.2.2
> Dependency reducers >=3.10 && <4: using reducers-3.12.2
> Dependency semigroups >=0.8.3.1 && <1: using semigroups-0.18.4
> Dependency transformers >=0.2 && <0.6: using transformers-0.5.2.0
> Dependency trifecta -any: using trifecta-1.7.1.1
> Dependency unordered-containers >=0.2.1 && <0.3: using
> unordered-containers-0.2.9.0
> Dependency utf8-string >=0.3.6 && <1.1: using utf8-string-1.0.1.1
> Source component graph:
> component lib
> component test:doctests dependency lib
> component test:quickcheck dependency lib
> Configured component graph:
> component trifecta-1.7.1.1-9W2PVQWQQoY1f9vh62VSuf
> include ansi-wl-pprint-0.6.8.2-AFBJQxTmzbt6P0JlYhXs8j
> include ansi-terminal-0.8.0.2-IpPwz0rbeQT9XeWFhl38AU
> include array-0.5.2.0
> include base-4.10.1.0
> include blaze-builder-0.4.1.0-BFOenXCaiVr8U0JVhwUfLi
> include blaze-html-0.9.0.1-5AcOQZrDS7ZICcVO2Mlh1o
> include blaze-markup-0.8.2.0-3Og4KhhzYQh3DwyYmgPVQT
> include bytestring-0.10.8.2
> include charset-0.3.7.1-C5WjCuLqRrrD2ImtyaO4kO
> include comonad-5.0.3-GF0GkkV4YUZ7zwnyot6FWY
> include containers-0.5.10.2
> include deepseq-1.4.3.0
> include 

Bug#897239: What about new upstream version of relion?

2018-06-12 Thread Roland Fehrenbacher
> "A" == Andreas Tille  writes:

A> Hi Roland, On Tue, Jun 12, 2018 at 10:40:18AM +0200, Roland
A> Fehrenbacher wrote: Hi folks, when I tried to fix this bug I
A> realised that new upstream versions are out.  I downloaded the
A> latest one and imported it into Git[1].  Since I don't know the
A> software I would like to ask you about your reasons you might
A> have to stick to version 1.4.  There are some patches to fix and
A> may be some tests to do which I can't.  So may be if I do not
A> hear from you I'd probably only go with the restriction of
A> architectures to amd64/i386 to fix #897239.
>>
>> please restrict again to amd64/i386 for now.

A> OK, so I will do this for the currently available version in
A> Debian.

Fine.

>> I hope I will get around building the new version in time before
>> the next freeze.

A> This would be really nice.  At least I'll upload with a working
A> watch file which will remember us that some work needs to be
A> done.

That's a good idea. Now that the source code is on Github, this has
become feasible (wasn't at the time I originally created it).

>> The big advantage of the newer versions 2.x + is support for
>> GPUs. To support that will be quite a lot of effort though.

A> I can not be of any help here since I have no idea about this
A> program.  I'd be very happy if you (or one of the other
A> Uploaders) would take over this effort.  It would be a shame if
A> we would ship outdated software with Buster.

Agreed. I'll try hard to get this in ...

>> Given that we'll have to build against the non-free nvidia stuff
>> for GPU support, will this require the package to move to
>> non-free as well (at least the GPU variants)?

A> Packages with free software depending from packages in non-free
A> need to go to contrib.  It would be great if those parts that do
A> not need the non-free components could stay in main, though.

Good, thanks for the pointer. Will make sure that the free stuff stays
in main.

Best,

Roland

---
http://www.q-leap.com / http://qlustar.com
  --- HPC / Storage / Cloud Linux Cluster OS ---



Processed: Breaks kde audio (via minuet package dependency) because breaks pulseaudio

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 901148 grave
Bug #901148 [timidity] timidity: upgrading to 2.14.0-2 broke sound in KDE plasma
Severity set to 'grave' from 'normal'
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
901148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#784524: [robojournal] Qt4's WebKit removal

2018-06-12 Thread Boyuan Yang
X-Debbugs-CC: r...@debian.org p...@debian.org

On Sat, 10 Mar 2018 10:35:37 +0100 Pino Toscano  wrote:
> Hi,
> 
> In data sabato 10 marzo 2018 10:21:16 CET, Boyuan Yang ha scritto:
> > We really want to remove Qt4 Webkit from the archive in Debian Buster.
> 
> "we" who? I don't see you as part of the Qt/KDE team, nor I don't see
> any email from you about this on the team mailing list.
> 
> > [1] As a result, I'm wondering if we could remove package robojournal
> > from Debian Archive soon.
> 
> Because of this bug, robojournal is already out of testing, so a
> QtWebKit removal is not blocked by this bug.
> 
> > Please feel free to tell me about your idea towards this package.
> 
> Unless Ritesh says otherwise, leave this package as it is.
> Also, for what it matters, please leave also QtWebKit as it is, since
> it is under the Qt/KDE team wing, and removing it requires more work
> than occasional people (like this email) think about.
> 
> Thanks,
> -- 
> Pino Toscano

Hi Pino, Ritesh,

Three months have passed and I would kindly invite you to re-evaluate the 
status of robojournal in Debian.

It is clear that upstream didn't show any activity in the last 3 months and 
that rrs didn't make uploads in Debian as well. The Vcs repositories (on 
Alioth) are now defunct too.

With no sign of improvement, I still suggest that this package be removed from 
Debian sooner or later.

Thank you for all your work and I will keep monitoring it.
--
Regards,
Boyuan Yang


Bug#896298: marked as done (python-cluster: cluster fails to import)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 11:34:59 +
with message-id 
and subject line Bug#896298: fixed in python-cluster 1.3.3-1.1
has caused the Debian Bug report #896298,
regarding python-cluster: cluster fails to import
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896298
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-cluster
Version: 1.3.3-1
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python-cluster importing the module cluster
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python2.7/dist-packages/cluster/__init__.py", line 19, in 

from pkg_resources import resource_string
ImportError: No module named pkg_resources

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: python-cluster
Source-Version: 1.3.3-1.1

We believe that the bug you reported is fixed in the latest version of
python-cluster, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated python-cluster package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Jun 2018 14:01:42 +0300
Source: python-cluster
Binary: python-cluster
Architecture: source
Version: 1.3.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team 

Changed-By: Adrian Bunk 
Description:
 python-cluster - allows grouping a list of arbitrary objects into related 
groups (
Closes: 896298
Changes:
 python-cluster (1.3.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add the missing dependency on python-pkg-resources.
 (Closes: #896298)
--- End Message ---


Bug#901383: whalebuilder is broken after the ruby upgrade

2018-06-12 Thread Lumin
Package: whalebuilder
Version: 0.6
Severity: serious
Justification: functionality totally broken

~/p/skimage.pkg ❯❯❯ whalebuilder build debdev ./skimage_0.13.1-3.dsc
Traceback (most recent call last):
13: from /usr/bin/whalebuilder:331:in `'
12: from /usr/lib/ruby/2.5.0/tmpdir.rb:89:in `mktmpdir'
11: from /usr/bin/whalebuilder:338:in `block in '
10: from /usr/lib/ruby/vendor_ruby/gpgme/crypto.rb:311:in `verify'
 9: from /usr/lib/ruby/vendor_ruby/gpgme/ctx.rb:79:in `new'
 8: from /usr/lib/ruby/vendor_ruby/gpgme/crypto.rb:313:in `block in 
verify'
 7: from /usr/lib/ruby/vendor_ruby/gpgme/crypto.rb:313:in `each'
 6: from /usr/lib/ruby/vendor_ruby/gpgme/crypto.rb:314:in `block (2 
levels) in verify'
 5: from /usr/bin/whalebuilder:339:in `block (2 levels) in '
 4: from /usr/lib/ruby/vendor_ruby/gpgme/signature.rb:81:in `to_s'
 3: from /usr/lib/ruby/vendor_ruby/gpgme/signature.rb:42:in `from'
 2: from /usr/lib/ruby/vendor_ruby/gpgme/ctx.rb:79:in `new'
 1: from /usr/lib/ruby/vendor_ruby/gpgme/signature.rb:43:in `block in 
from'
/usr/lib/ruby/vendor_ruby/gpgme/ctx.rb:333:in `get_key': EOFError (EOFError)



ruby/unstable,unstable,now 1:2.5.1 amd64 [installed,automatic]
ruby-gpgme/unstable,unstable,now 2.0.16-1+b1 amd64 [installed,automatic]



Bug#896208: marked as done (python-surfer: surfer fails to import)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 11:20:58 +
with message-id 
and subject line Bug#896208: fixed in pysurfer 0.7-2.1
has caused the Debian Bug report #896208,
regarding python-surfer: surfer fails to import
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896208
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-surfer
Version: 0.7-2
Severity: serious
User: helm...@debian.org
Usertags: python-import

After installing python-surfer importing the module surfer
into a python interpreter fails with the following error:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python2.7/dist-packages/surfer/__init__.py", line 1, in 

from .viz import Brain, TimeViewer  # noqa
  File "/usr/lib/python2.7/dist-packages/surfer/viz.py", line 9, in 
from matplotlib.colors import colorConverter
ImportError: No module named matplotlib.colors

The vast majority of import failures is attributed to missing dependencies.
Often times that manifests as an ImportError or ModuleNotFoundError.
Typically, dependencies should be inserted by dh-python via ${python:Depends}
or ${python3:Depends}. Thus a missing dependency can be caused by incomplete
install_requires in setup.py. Sometimes a missing dependency of a dependency
is the cause, in such cases this bug should be reassigned.

Helmut
--- End Message ---
--- Begin Message ---
Source: pysurfer
Source-Version: 0.7-2.1

We believe that the bug you reported is fixed in the latest version of
pysurfer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated pysurfer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Jun 2018 12:41:23 +0300
Source: pysurfer
Binary: python-surfer
Architecture: source
Version: 0.7-2.1
Distribution: unstable
Urgency: high
Maintainer: NeuroDebian Team 
Changed-By: Adrian Bunk 
Description:
 python-surfer - visualize Freesurfer's data in Python
Closes: 896208
Changes:
 pysurfer (0.7-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add the missing dependency on python-matplotlib. (Closes: #896208)
--- End Message ---


Bug#897239: What about new upstream version of relion?

2018-06-12 Thread Andreas Tille
Hi Roland,

On Tue, Jun 12, 2018 at 10:40:18AM +0200, Roland Fehrenbacher wrote:
> A> Hi folks, when I tried to fix this bug I realised that new
> A> upstream versions are out.  I downloaded the latest one and
> A> imported it into Git[1].  Since I don't know the software I would
> A> like to ask you about your reasons you might have to stick to
> A> version 1.4.  There are some patches to fix and may be some tests
> A> to do which I can't.  So may be if I do not hear from you I'd
> A> probably only go with the restriction of architectures to
> A> amd64/i386 to fix #897239.
> 
> please restrict again to amd64/i386 for now.

OK, so I will do this for the currently available version in Debian.

> I hope I will get around
> building the new version in time before the next freeze.

This would be really nice.  At least I'll upload with a working watch
file which will remember us that some work needs to be done.

> The big
> advantage of the newer versions 2.x + is support for GPUs. To support
> that will be quite a lot of effort though.

I can not be of any help here since I have no idea about this program.
I'd be very happy if you (or one of the other Uploaders) would take over
this effort.  It would be a shame if we would ship outdated software
with Buster.

> Given that we'll have to
> build against the non-free nvidia stuff for GPU support, will this
> require the package to move to non-free as well (at least the GPU variants)?

Packages with free software depending from packages in non-free need
to go to contrib.  It would be great if those parts that do not need
the non-free components could stay in main, though.
 
Kind regards

 Andreas. 

-- 
http://fam-tille.de



Bug#901382: node-katex: must build binary packages fonts-katex and libjs-katex

2018-06-12 Thread Jonas Smedegaard
Package: node-katex
Version: 0.8.3+dfsg-1
Severity: serious
Justification: Policy 11.8.5

Binary package node-katex includes fonts and browser-optimized Javascript code.

The former must instead be packaged as binary package fonts-katex,
and the latter should instead be packaged as libjs-katex.

 - Jonas




Processed: Re: Bug#901136: can't remove if install fails

2018-06-12 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 sysuser-helper,sreview-common
Bug #901136 [sreview-common] can't remove if install fails
Bug reassigned from package 'sreview-common' to 'sysuser-helper,sreview-common'.
No longer marked as found in versions sreview/0.3.0-1~bpo.1.
Ignoring request to alter fixed versions of bug #901136 to the same values 
previously set
> retitle -1 sysuser-helper fails in terrible ways if users exist through NSS 
> modules that are not libnss-unix
Bug #901136 [sysuser-helper,sreview-common] can't remove if install fails
Changed Bug title to 'sysuser-helper fails in terrible ways if users exist 
through NSS modules that are not libnss-unix' from 'can't remove if install 
fails'.

-- 
901136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901136: can't remove if install fails

2018-06-12 Thread Wouter Verhelst
Control: reassign -1 sysuser-helper,sreview-common
Control: retitle -1 sysuser-helper fails in terrible ways if users exist 
through NSS modules that are not libnss-unix

On Sat, Jun 09, 2018 at 09:53:53AM +, Peter Palfrader wrote:
> Package: sreview-common
> Version: 0.3.0-1~bpo.1
> Severity: grave
> User: debian-ad...@lists.debian.org
> Usertags: needed-by-DSA-Team
> 
> 
> sreview-common failed to configure.
> 
> | Setting up sreview-common (0.3.0-1~bpo.1) ...
> | usermod: user 'sreview' does not exist in /etc/passwd
> | dpkg: error processing package sreview-common (--configure):
> |  subprocess installed post-installation script returned error exit status 6
> | dpkg: dependency problems prevent configuration of sreview-encoder:
> |  sreview-encoder depends on sreview-common; however:
> |   Package sreview-common is not configured yet.
> | 
> | dpkg: error processing package sreview-encoder (--configure):
> 
> 
> Now we can't get rid of it anymore
> | vittoria:~# apt-get purge sreview-detect sreview-master sreview-encoder 
> sreview-web sreview-common
> | 
> | [..]
> | After this operation, 165 kB disk space will be freed.
> | Do you want to continue? [Y/n] 
> | (Reading database ... 77344 files and directories currently installed.)
> | Removing sreview-common (0.3.0-1~bpo.1) ...
> | passwd: user 'sreview' does not exist in /etc/passwd
> | dpkg: error processing package sreview-common (--remove):
> |  subprocess installed pre-removal script returned error exit status 1
> | usermod: user 'sreview' does not exist in /etc/passwd
> | dpkg: error while cleaning up:
> |  subprocess installed post-installation script returned error exit status 6
> | Errors were encountered while processing:
> |  sreview-common
> | E: Sub-process /usr/bin/dpkg returned an error code (1)

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
 Hacklab



Processed: Re: Bug#901136: can't remove if install fails

2018-06-12 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 sysuser-helper,sreview-common
Bug #901136 [sysuser-helper,sreview-common] sysuser-helper fails in terrible 
ways if users exist through NSS modules that are not libnss-unix
Ignoring request to reassign bug #901136 to the same package
> retitle -1 sysuser-helper fails in terrible ways if users exist through NSS 
> modules that are not libnss-unix
Bug #901136 [sysuser-helper,sreview-common] sysuser-helper fails in terrible 
ways if users exist through NSS modules that are not libnss-unix
Ignoring request to change the title of bug#901136 to the same title

-- 
901136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: block 865807 with 879551

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 865807 with 879551
Bug #865807 [src:golang-github-coreos-go-oidc] golang-github-coreos-go-oidc 
FTBFS: FAIL github.com/coreos/go-oidc/http
865807 was not blocked by any bugs.
865807 was not blocking any bugs.
Added blocking bug(s) of 865807: 879551
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
865807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865807
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901375: marked as done (elpa-ghub+: does not install in experimental)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 06:46:53 -0300
with message-id <87sh5se3qq@tethera.net>
and subject line Re: Bug#901375: Acknowledgement (does not install in 
experimental)
has caused the Debian Bug report #901375,
regarding elpa-ghub+: does not install in experimental
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: elpa-ghub+
Version: 0.3-1
Severity: serious


(experimental-amd64-sbuild)root@zancas:~# apt install elpa-ghub+
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following NEW packages will be installed:
  elpa-ghub+
0 upgraded, 1 newly installed, 0 to remove and 16 not upgraded.
Need to get 0 B/12.9 kB of archives.
After this operation, 70.7 kB of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
dpkg: unrecoverable fatal error, aborting:
 unknown group 'ilisp' in statoverride file
E: Sub-process /usr/bin/dpkg returned an error code (2)

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages elpa-ghub+ depends on:
pn  elpa-apiwrap
pn  elpa-ghub   
ii  emacsen-common  3.0.0

Versions of packages elpa-ghub+ recommends:
ii  emacs  1:25.2+1-7
ii  emacs-gtk [emacs]  1:25.2+1-7

elpa-ghub+ suggests no packages.
--- End Message ---
--- Begin Message ---
"Debian Bug Tracking System"  writes:

> Thank you for filing a new Bug report with Debian.
>
> You can follow progress on this Bug here: 901375: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901375.
>
> This is an automatically generated reply to let you know your message
> has been received.
>

That seems to have been a corrupted chroot caused by a power
failure. After re-installing ilisp, elpa-ghub+ is installing ok

d
--- End Message ---


Bug#901290: version 68 arm build causes internal compiler error

2018-06-12 Thread Riku Voipio
Verified this affects gcc6, gcc7 and gcc8. I'll file a bug against GCC once I 
get a reduced testcase.

Compile with clang6 works.

Riku



Bug#901377: skimage: FTBFS and Debci failure with NumPy 1.14

2018-06-12 Thread Graham Inggs

Source: skimage
Version: 0.13.1-3
Severity: serious
Tags: ftbfs
User: debian...@lists.debian.org
Usertags: needs-update

Hi Maintainer

Since the recent upload of python-numpy on 2018-05-05, skimage has been 
failing its autopkgtests [1] and has now also started to FTBFS in 
unstable [2] with several errors similar to the following:


==
ERROR: skimage.io.tests.test_mpl_imshow.test_uint8
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/nose/case.py", line 197, in 
runTest

self.test(*self.arg)
  File 
"/build/1st/skimage-0.13.1/debian/tmp/usr/lib/python2.7/dist-packages/skimage/io/tests/test_mpl_imshow.py", 
line 48, in test_uint8

ax_im = io.imshow(im8)
  File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
self.gen.next()
  File 
"/build/1st/skimage-0.13.1/debian/tmp/usr/lib/python2.7/dist-packages/skimage/_shared/_warnings.py", 
line 121, in expected_warnings

raise ValueError('Unexpected warning: %s' % str(warn.message))
ValueError: Unexpected warning: Conversion of the second argument of 
issubdtype from `float` to `np.floating` is deprecated. In future, it 
will be treated as `np.float64 == np.dtype(float).type`.

 >> begin captured logging << 
matplotlib.font_manager: DEBUG: findfont: Matching 
:family=sans-serif:style=normal:variant=normal:weight=normal:stretch=normal:size=10.0 
to DejaVu Sans 
(u'/usr/share/matplotlib/mpl-data/fonts/ttf/DejaVuSans.ttf') with score 
of 0.05

- >> end captured logging << -

Regards
Graham


[1] https://ci.debian.net/packages/s/skimage/unstable/amd64/
[2] 
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/skimage.html




Processed: retitle 901375 to elpa-ghub+: does not install in experimental

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 901375 elpa-ghub+: does not install in experimental
Bug #901375 [elpa-ghub+] does not install in experimental
Changed Bug title to 'elpa-ghub+: does not install in experimental' from 'does 
not install in experimental'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
901375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901375: does not install in experimental

2018-06-12 Thread David Bremner
Package: elpa-ghub+
Version: 0.3-1
Severity: serious


(experimental-amd64-sbuild)root@zancas:~# apt install elpa-ghub+
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following NEW packages will be installed:
  elpa-ghub+
0 upgraded, 1 newly installed, 0 to remove and 16 not upgraded.
Need to get 0 B/12.9 kB of archives.
After this operation, 70.7 kB of additional disk space will be used.
debconf: delaying package configuration, since apt-utils is not installed
dpkg: unrecoverable fatal error, aborting:
 unknown group 'ilisp' in statoverride file
E: Sub-process /usr/bin/dpkg returned an error code (2)

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages elpa-ghub+ depends on:
pn  elpa-apiwrap
pn  elpa-ghub   
ii  emacsen-common  3.0.0

Versions of packages elpa-ghub+ recommends:
ii  emacs  1:25.2+1-7
ii  emacs-gtk [emacs]  1:25.2+1-7

elpa-ghub+ suggests no packages.



Bug#892175: marked as done (pycryptodome FTBFS on 32bit big endian: src/montgomery.c:245: mont_mult: Assertion `t[2*abn_words] <= 1' failed)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 08:49:39 +
with message-id 
and subject line Bug#892175: fixed in pycryptodome 3.6.1-1
has caused the Debian Bug report #892175,
regarding pycryptodome FTBFS on 32bit big endian: src/montgomery.c:245: 
mont_mult: Assertion `t[2*abn_words] <= 1' failed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
892175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pycryptodome
Version: 3.4.11-1
Severity: serious

https://buildd.debian.org/status/package.php?p=pycryptodome=sid

...
   debian/rules override_dh_auto_test
make[1]: Entering directory '/<>'
PYBUILD_SYSTEM=custom \
PYBUILD_TEST_ARGS="python{version} -m Cryptodome.SelfTest {build_dir}/" 
dh_auto_test
I: pybuild base:184: python2.7 -m Cryptodome.SelfTest 
/<>/.pybuild/pythonX.Y_2.7/build/
Skipping AESNI tests
python2.7: src/montgomery.c:245: mont_mult: Assertion `t[2*abn_words] <= 1' 
failed.
Aborted
E: pybuild pybuild:283: test: plugin custom failed with: exit code=134: 
python2.7 -m Cryptodome.SelfTest /<>/.pybuild/pythonX.Y_2.7/build/
dh_auto_test: pybuild --test -i python{version} -p 2.7 returned exit code 13
make[1]: *** [debian/rules:14: override_dh_auto_test] Error 25
--- End Message ---
--- Begin Message ---
Source: pycryptodome
Source-Version: 3.6.1-1

We believe that the bug you reported is fixed in the latest version of
pycryptodome, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen  (supplier of updated pycryptodome package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 12 Jun 2018 08:22:26 +
Source: pycryptodome
Binary: python-pycryptodome python3-pycryptodome python-pycryptodome-doc
Architecture: source amd64 all
Version: 3.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team 

Changed-By: Petter Reinholdtsen 
Description:
 python-pycryptodome - cryptographic Python library (Python 2)
 python-pycryptodome-doc - cryptographic Python library (documentation)
 python3-pycryptodome - cryptographic Python library (Python 3)
Closes: 892175
Changes:
 pycryptodome (3.6.1-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/tests: Use AUTOPKGTEST_TMP instead of ADTTMP
 .
   [ Petter Reinholdtsen ]
   * New upstream release 3.6.1.
     - Solve build problem on 32 bits big endian archs (Closes: #892175).
   * Ran wrap-and-sort.
   * Add d/gbp.conf to enforce the use of pristine-tar.
   * Added 2000-backport-to-stretch.patch documenting a way to backport
     to Debian Stretch.

Bug#897239: What about new upstream version of relion?

2018-06-12 Thread Roland Fehrenbacher
> "A" == Andreas Tille  writes:

Hi Andreas,

A> Hi folks, when I tried to fix this bug I realised that new
A> upstream versions are out.  I downloaded the latest one and
A> imported it into Git[1].  Since I don't know the software I would
A> like to ask you about your reasons you might have to stick to
A> version 1.4.  There are some patches to fix and maybe some tests
A> to do which I can't.  So maybe if I do not hear from you I'd
A> probably only go with the restriction of architectures to
A> amd64/i386 to fix #897239.

please restrict again to amd64/i386 for now. I hope I will get around to
building the new version in time before the next freeze. The big
advantage of the newer versions 2.x + is support for GPUs. To support
that will be quite a lot of effort though. Given that we'll have to
build against the non-free nvidia stuff for GPU support, will this
require the package to move to non-free as well (at least the GPU variants)?

Best,

Roland

---
http://www.q-leap.com / http://qlustar.com
  --- HPC / Storage / Cloud Linux Cluster OS ---



Bug#894757: libmypaint-common: file conflict with mypaint-data

2018-06-12 Thread Bernhard Schmidt
On Tue, Apr 03, 2018 at 05:43:10PM -0400, Jeremy Bicha wrote:

Hi Jeremy,

> Package: libmypaint-common
> Version: 1.3.0-1
> Severity: serious
> Forwarded: https://github.com/mypaint/mypaint/issues/918
> 
> libmypaint-common ships some of the same file names as mypaint-data
> (the libmypaint.mo files).
> 
> I'm going to go ahead and add "Conflicts: mypaint-data" now. The way
> forward is to have mypaint use libmypaint. When that happens, we can
> add "Replaces: mypaint-data" too and close this bug.

This bug is still open and preventing the migration of libmypaint and
GIMP 2.10 to testing. As far as I can see you worked around this issue
in 1.3.0-2, right? Setting this version as fixed would allow the stack
to migrate.

Bernhard



Bug#901306: pandoc: FTBFS on armhf: ghc: panic

2018-06-12 Thread Emilio Pozuelo Monfort
Control: forwarded -1 https://ghc.haskell.org/trac/ghc/ticket/15221

On 11/06/18 17:32, John MacFarlane wrote:
> 
> It would be worth reporting this as a bug to the ghc
> tracker, as requested in the message.

This is already reported there. Marking as such.

Emilio



Processed: Closing bug by mpfit

2018-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> Reassign 895119 src:mpfit 1.85+2017.01.03-1
Bug #895119 {Done: Ole Streicher } [gnudatalanguage] mpfit: 
FTBFS and Debci failure
Bug reassigned from package 'gnudatalanguage' to 'src:mpfit'.
No longer marked as found in versions gnudatalanguage/0.9.8-2.
No longer marked as fixed in versions mpfit/1.85+2017.01.03-2.
Bug #895119 {Done: Ole Streicher } [src:mpfit] mpfit: FTBFS 
and Debci failure
Marked as found in versions mpfit/1.85+2017.01.03-1.
> Thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
895119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#901306: pandoc: FTBFS on armhf: ghc: panic

2018-06-12 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://ghc.haskell.org/trac/ghc/ticket/15221
Bug #901306 [src:pandoc] pandoc: FTBFS on armhf: ghc: panic
Set Bug forwarded-to-address to 'https://ghc.haskell.org/trac/ghc/ticket/15221'.

-- 
901306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901368: chromium-browser: build-depends on GCC 6

2018-06-12 Thread Emilio Pozuelo Monfort
Source: chromium-browser
Version: 66.0.3359.26-2
Severity: serious
Tags: sid buster
User: debian-...@lists.debian.org
Usertags: gcc-6-rm

Hi,

chromium build-depends on GCC 6. We now have GCC 7 (default) and GCC 8
in the archive, so please make your package build with a newer
compiler (preferably the default one) again, since we'd like to
remove GCC 6 from testing before the buster release.

Cheers,
Emilio



Bug#897319: marked as done (please remove (build) dependencies on OpenJDK 9)

2018-06-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Jun 2018 08:16:02 +0200
with message-id 

and subject line please remove (build) dependencies on OpenJDK 9
has caused the Debian Bug report #897319,
regarding please remove (build) dependencies on OpenJDK 9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897319: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897319
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:r-base
Version: 3.4.4-1
Severity: serious
Tags: sid buster

please remove (build) dependencies on OpenJDK 9, which is end of life now and
should be removed from the archive as soon as possible.
--- End Message ---
--- Begin Message ---
Version: 3.5.0-2


r-base (3.5.0-2) experimental; urgency=medium

  * debian/control: Set Build-Depends: to openjdk-10-jdk (Closes: #897319)

 -- Dirk Eddelbuettel   Tue, 01 May 2018 08:10:06 -0500
--- End Message ---