Bug#934802: ruby-nokogiri: CVE-2019-5477: command injection vulnerability

2019-08-14 Thread Salvatore Bonaccorso
Source: ruby-nokogiri
Version: 1.10.3+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/sparklemotion/nokogiri/issues/1915

Hi,

The following vulnerability was published for ruby-nokogiri.

CVE-2019-5477[0]:
Command Injection Vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
[1] https://github.com/sparklemotion/nokogiri/issues/1915

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#934801: kubernetes: CVE-2019-11250

2019-08-14 Thread Salvatore Bonaccorso
Source: kubernetes
Version: 1.7.16+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/kubernetes/kubernetes/issues/81114

Hi,

The following vulnerability was published for kubernetes.

CVE-2019-11250[0]:
Bearer tokens are revealed in logs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11250
[1] https://github.com/kubernetes/kubernetes/issues/81114

Regards,
Salvatore



Processed: Re: Bug#934758: DKMS module fails to build for linux 5.2.0-2

2019-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 934758 important
Bug #934758 [openafs-modules-dkms] DKMS module fails to build for linux 5.2.0-2
Severity set to 'important' from 'grave'
> tags 934758 + fixed-upstream pending
Bug #934758 [openafs-modules-dkms] DKMS module fails to build for linux 5.2.0-2
Added tag(s) fixed-upstream and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
934758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934758
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934758: DKMS module fails to build for linux 5.2.0-2

2019-08-14 Thread Benjamin Kaduk
severity 934758 important
tags 934758 + fixed-upstream pending
thanks

On Wed, Aug 14, 2019 at 09:53:40AM -0400, Ryan Kavanagh wrote:
> Package: openafs-modules-dkms
> Version: 1.8.2-1
> Severity: grave
> Justification: renders package unusable
> 
> The openafs DKMS module fails to build for Linux kernel 5.2.0-2.
> This renders openafs unusable. I have attached the build log containing
> the error messages, in particular, it seems to have something to do
> with:

Yes, the fast-moving Linux KPIs have changed interfaces used by OpenAFS and
the 1.8.2 in Debian is stale.  I plan to package 1.8.4pre1 this week, which
should take care of this.

Thanks,

Ben

P.S. The 5.2.0 kernel is pretty unusable on my machine for other reasons,
mostly graphics-related, and I had to boot into 4.19.



Bug#934799: supertuxkart FTBFS (armel, mips, mipsel, m68k, powerpc, sh4): undefined reference to symbol '__atomic_load_8@@LIBATOMIC_1.0'

2019-08-14 Thread Helmut Grohne
Source: supertuxkart
Version: 1.0-2
Severity: serious
Tags: ftbfs

supertuxkart currently fails to build from source on armel, mips,
mipsel, m68k, powerpc and sh4 with the following error during final
linking:

| /usr/bin/ld: CMakeFiles/supertuxkart.dir/src/graphics/irr_driver.cpp.o: undefined reference to symbol '__atomic_load_8@@LIBATOMIC_1.0'

Possibly, -latomic is missing here.

Helmut



Bug#933757: Firefox-esr FTBFS "failed to open: /sbuild-nonexistent/.cargo/.package-cache"

2019-08-14 Thread Mike Hommey
On Thu, Aug 15, 2019 at 03:16:20AM +0100, peter green wrote:
> So the libvpx transition prompted me to take a look at this, I added some 
> code to debian/rules to create a fake homedir, use it for the build and 
> remove it in the clean target.

https://salsa.debian.org/mozilla-team/firefox/commit/c5bcfb20fde52a1f659270210e4cd40f5f1e8d59

> Unfortunately I then ran into another failure.
> 
> > /firefox-esr/media/webrtc/trunk/webrtc/modules/video_coding/codecs/vp9/vp9_impl.cc:858:17:
> >  error: ‘struct vpx_svc_ref_frame_config’ has no member named ‘frame_flags’
> >  sf_conf.frame_flags[layer_idx] = layer_flags;
> 
> I have no idea what to make of this. My google searches aren't turning up 
> anything useful.

libvpx's API changed.

https://salsa.debian.org/mozilla-team/firefox/commit/f26d0387eea70b2ebceabeb86ec728227199f302

Mike



Bug#933757: Firefox-esr FTBFS "failed to open: /sbuild-nonexistent/.cargo/.package-cache"

2019-08-14 Thread peter green

So the libvpx transition prompted me to take a look at this, I added some code 
to debian/rules to create a fake homedir, use it for the build and remove it in 
the clean target.

Unfortunately I then ran into another failure.


/firefox-esr/media/webrtc/trunk/webrtc/modules/video_coding/codecs/vp9/vp9_impl.cc:858:17:
 error: ‘struct vpx_svc_ref_frame_config’ has no member named ‘frame_flags’
 sf_conf.frame_flags[layer_idx] = layer_flags;


I have no idea what to make of this. My google searches aren't turning up 
anything useful.



Bug#931970: marked as done (gphoto2: autopkgtest failure block readline migration)

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 19:11:54 -0500
with message-id <2057837.3Le9lR8jrT@riemann>
and subject line Re: gphoto2: autopkgtest failure block readline migration
has caused the Debian Bug report #931970,
regarding gphoto2: autopkgtest failure block readline migration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
931970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gphoto2
Version: 2.5.20-3
Severity: serious
Justification: makes the package in question unusable or mostly so

Dear Maintainer,

The autopkgtest failures for gphoto2 are blocking the testing migration
of readline and its reverse dependencies.

Please fix the tests in your package or remove them.

Kind Regards,

Bas
--- End Message ---
--- Begin Message ---
On Sat, 13 Jul 2019 07:49:23 +0200 Bas Couwenberg  wrote:
> Source: gphoto2
> Version: 2.5.20-3

The tests in version 2.5.23-1.1 all pass, so this bug is done.

Thanks,
-Steve
--- End Message ---


Bug#934788: gst-plugins-good1.0 non-buildd binaries

2019-08-14 Thread peter green

Package: gst-plugins-good1.0
Version: 1.16.0-2
Severity: serious

The release team have decreed that non-buildd binaries can no longer migrate to 
testing, please make a source-only upload so your package can migrate.



Bug#934034: monkeysphere: FTBFS in stretch

2019-08-14 Thread Chris Lamb
Dear Niels,

>  1) The current bug metadata suggests it affects sid.  Please ensure the
> bug is resolved in sid (by fixing it in sid or correcting bug
> metadata as appropriate).

I cannot reproduce in buster, sid or experimental and have thus
adjusted the metadata of #934034 to match.

>  2) File an opu (and a separate pu bug if it also affects buster) with
> the full debdiff (including changelog). This ensures that the stable
> release team will get to have a look at the issue.

I've filed this as #934775 and further I completely understand the
underlying reasons for insisting on such a process.

> Thanks for considering to fix bugs in stretch.

No problem; thank you for your advice and patient guidance.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Processed: re: New upstream version 0.8 available, compatible with python3

2019-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> Severity 929949 serious
Bug #929949 [duplicity] New upstream version 0.8 available, compatible with 
python3
Severity set to 'serious' from 'minor'
> Thanks.
Stopping processing here.

Please contact me if you need assistance.
-- 
929949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929949
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934783: mongodb: CVE-2019-2386

2019-08-14 Thread Salvatore Bonaccorso
Source: mongodb
Version: 1:3.4.18-2
Severity: grave
Tags: security upstream
Forwarded: https://jira.mongodb.org/browse/SERVER-38984

Hi,

The following vulnerability was published for mongodb.

CVE-2019-2386[0]:
| After user deletion in MongoDB Server the improper invalidation of
| authorization sessions allows an authenticated user's session to
| persist and become conflated with new accounts, if those accounts
| reuse the names of deleted ones. This issue affects: MongoDB Inc.
| MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
| 3.6.13; v3.4 versions prior to 3.4.22.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2386
[1] https://jira.mongodb.org/browse/SERVER-38984
[2] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829

Regards,
Salvatore



Bug#934026: marked as done (python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235)

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 18:47:47 +
with message-id 
and subject line Bug#934026: fixed in python-django 1:1.10.7-2+deb9u6
has caused the Debian Bug report #934026,
regarding python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 
CVE-2019-14235
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
934026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.


CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.


CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField

CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-2+deb9u6

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb  (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 08 Aug 2019 10:42:49 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team 

Changed-By: Chris Lamb 
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
 python-django (1:1.10.7-2+deb9u6) stretch-security; urgency=high
 .
   * Backport four security patches from upstream. (Closes: #934026)
 
 .
 - CVE-2019-14232: Denial-of-service possibility in
   django.utils.text.Truncator
 .
   If django.utils.text.Truncator's chars() and words() methods wer

Bug#933143: FTBFS, not Django 2.2 ready

2019-08-14 Thread Antonio Terceiro
On Fri, Jul 26, 2019 at 11:24:50PM +0200, Thomas Goirand wrote:
> Package: python-django-mptt
> Version: 0.8.7-1
> Severity: serious
> Tags: patch
> 
> Hi,
> 
> Please find attached patch to do the Python 2 removal.
> After this patch, your package continues to FTBFS. Please
> get a fix for it.

Thanks for the patch.

The new upstream version works fine with Django 2, but requires a new
dependency (python3-django-js-asset) that was just uploaded to NEW. Once
that hits the archive, a new upstream version will be uploaded.




Bug#934747: /usr/bin/rtorrent: rtorrent crashes with error "Could not create download: Info hash already used by another torrent."

2019-08-14 Thread Bernhard Übelacker
Control: reassign -1 libcurl4 7.65.1-1
Control: affects -1 + rtorrent
Control: tags -1 + upstream fixed-upstream
Control: fixed -1 7.65.3-1


Dear Maintainer,
I just tried to find some more information from the given backtrace.

That I guess would translate to something like below [1],
if it would have been done with a debugger and debug symbols.

This stack looks, in the last frames, similar to those shown in [2] and [3].
And those seem to have been fixed upstream in commit [4],
which is in curl-7_65_2 and above.

So in theory the libcurl4 7.65.3-1 from unstable
might not show these segfaults.

Kind regards,
Bernhard


[1]
rtorrent(+0x11e59) [0x4afe59]  
| 0x00411e54 0x00411e59 in do_panic(int) at main.cc:596:   int stackSize = 
backtrace(stackPtrs, 20);
linux-gate.so.1(__kernel_sigreturn+0) [0xb7f92d7c] 
|0xb7fd4d7c <__kernel_sigreturn>
libcurl.so.4(+0x31640) [0xb7e69640]
|0xb7eab640 in sh_delentry at multi.c:253: dta->sh_entry = 
NULL;
libcurl.so.4(+0x328f2) [0xb7e6a8f2]
| 0xb7eac8ed 0xb7eac8f2 in Curl_multi_closed at multi.c:2397
libcurl.so.4(+0x2f7f7) [0xb7e677f7]
| 0xb7ea97f2 0xb7ea97f7 in Curl_closesocket at connect.c:1347
libcurl.so.4(+0x30612) [0xb7e68612]
| 0xb7eaa60d 0xb7eaa612 in trynextip at connect.c:606
libcurl.so.4(+0x30951) [0xb7e68951]
| 0xb7eaa94c 0xb7eaa951 in Curl_is_connected at connect.c:861
libcurl.so.4(+0x33d5c) [0xb7e6bd5c]
| 0xb7eadd57 0xb7eadd5c in multi_runsingle at multi.c:1509
libcurl.so.4(+0x35205) [0xb7e6d205]
| 0xb7eaf200 0xb7eaf205 in multi_socket at multi.c:2564
libcurl.so.4(curl_multi_socket_action+0x2f) [0xb7e6d3af]   
| 0xb7eaf3aa 0xb7eaf3af in curl_multi_socket_action at multi.c:2677
rtorrent(+0xda370) [0x578370]  
| 0x004da36b 0x004da370 in core::CurlStack::receive_action(core::CurlSocket*, 
int) at curl_stack.cc:95
rtorrent(+0xda68c) [0x57868c]  
| 0x004da687 0x004da68c in core::CurlStack::receive_timeout() at 
curl_stack.cc:171
rtorrent(+0x1341b) [0x4b141b]  
| 0x00413418 0x0041341b in std::function::operator()() const at 
/usr/include/c++/7/bits/std_function.h:706
libtorrent.so.20(_ZN7torrent11thread_base10event_loopEPS0_+0x229) [0xb7d8ec89] 
| 0xb7dd0c83 0xb7dd0c89 in std::function::operator()() const at 
/usr/include/c++/7/bits/std_function.h:706
rtorrent(+0x10b7b) [0x4aeb7b]  
| 0x00410b76 0x00410b7b in main(int, char**) at main.cc:480: 
torrent::thread_base::event_loop(torrent::main_thread());
libc.so.6(__libc_start_main+0xf1) [0xb77e7b41] 
| 0xb7829b3d 0xb7829b41 in __libc_start_main at ../csu/libc-start.c:308
rtorrent(+0x1173b) [0x4af73b]  
| 0x00411736 0x0041173b <_start+44>


[2] https://github.com/curl/curl/issues/3995
[3] https://github.com/curl/curl/issues/4057
[4] https://github.com/curl/curl/commit/4981fae7f158152fca01bddb042231f9f8343d58

# Bullseye/testing i386 qemu VM 2019-08-14


apt update
apt dist-upgrade


apt install systemd-coredump gdb mc rtorrent rtorrent-dbgsym libtorrent20-dbgsym libcurl4-dbgsym
apt build-dep rtorrent



mkdir /home/benutzer/source/rtorrent/orig -p
cd /home/benutzer/source/rtorrent/orig
apt source rtorrent
cd

mkdir /home/benutzer/source/libcurl4/orig -p
cd /home/benutzer/source/libcurl4/orig
apt source libcurl4
cd



gdb -q --args /usr/bin/rtorrent

set width 0
set pagination off
directory /home/benutzer/source/rtorrent/orig/rtorrent-0.9.7/src
set backtrace past-main
display/i $pc
tb main
run
generate-core-file /tmp/core1



gdb -q /usr/bin/rtorrent --core /tmp/core1

set width 0
set pagination off
directory /home/benutzer/source/rtorrent/orig/rtorrent-0.9.7/src
directory /home/benutzer/source/libcurl4/orig/curl-7.65.1/lib
set backtrace past-main
display/i $pc

b * _start+44
b * __libc_start_main+237
b * main+3654
b * _ZN7torrent11thread_base10event_loopEPS0_+0x223
b * client_perform+280
b * core::CurlStack::receive_timeout+39
b * core::CurlStack::receive_action(core::CurlSocket*, int)+91
b * curl_multi_socket_action+42
b * multi_socket+624
b * multi_runsingle+2103
b * Curl_is_connected+748
b * trynextip+189
b * Curl_closesocket+66
b * Curl_multi_closed+125
b * sh_delentry+48
b * __kernel_sigreturn+0
b * do_panic(int)+164





# From submitter:
rtorrent(+0x11e59) [0x4afe59]  
| 0x00411e54 0x00411e59 in do_panic(int) at main.cc:596:   int stackSize = 
ba

Processed: Re: Bug#934747: /usr/bin/rtorrent: rtorrent crashes with error "Could not create download: Info hash already used by another torrent."

2019-08-14 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 libcurl4 7.65.1-1
Bug #934747 [rtorrent] /usr/bin/rtorrent: rtorrent crashes with error "Could 
not create download: Info hash already used by another torrent."
Bug reassigned from package 'rtorrent' to 'libcurl4'.
No longer marked as found in versions rtorrent/0.9.7-1.
Ignoring request to alter fixed versions of bug #934747 to the same values 
previously set
Bug #934747 [libcurl4] /usr/bin/rtorrent: rtorrent crashes with error "Could 
not create download: Info hash already used by another torrent."
Marked as found in versions curl/7.65.1-1.
> affects -1 + rtorrent
Bug #934747 [libcurl4] /usr/bin/rtorrent: rtorrent crashes with error "Could 
not create download: Info hash already used by another torrent."
Added indication that 934747 affects rtorrent
> tags -1 + upstream fixed-upstream
Bug #934747 [libcurl4] /usr/bin/rtorrent: rtorrent crashes with error "Could 
not create download: Info hash already used by another torrent."
Added tag(s) fixed-upstream.
> fixed -1 7.65.3-1
Bug #934747 [libcurl4] /usr/bin/rtorrent: rtorrent crashes with error "Could 
not create download: Info hash already used by another torrent."
Marked as fixed in versions curl/7.65.3-1.

-- 
934747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: monkeysphere: FTBFS in stretch (failing tests)

2019-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfound 934034 0.43-3
Bug #934034 [src:monkeysphere] monkeysphere: FTBFS in stretch (failing tests)
Ignoring request to alter found versions of bug #934034 to the same values 
previously set
> notfound 934034 0.44-1
Bug #934034 [src:monkeysphere] monkeysphere: FTBFS in stretch (failing tests)
Ignoring request to alter found versions of bug #934034 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
934034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933035: dmtcp: Should this package be removed?

2019-08-14 Thread Moritz Mühlenhoff
On Tue, Aug 13, 2019 at 08:29:23PM +, Cooperman, Gene wrote:
> Hi Moritz,
> I'm sorry for the delayed reply.  We are about to release DMTCP version 
> 2.6.0, and we are including a Debian package.  We have verified with Yaroslav 
> Halchenko that our proposed Debian package will pass.  We should be 
> submitting it this week.  Also, we are replacing Kapil Arya by Paul Grosu 
> (pgr...@gmail.com) as the new maintainer for DMTCP.

Sounds good!

Cheers,
Moritz



Bug#934766: libexosip2: CVE-2014-10375

2019-08-14 Thread Salvatore Bonaccorso
Source: libexosip2
Version: 4.1.0-2.1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for libexosip2.

CVE-2014-10375[0]:
| handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a
| negative value in a content-length header.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-10375
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10375
[1] http://git.savannah.nongnu.org/cgit/exosip.git/commit/?id=2549e421c14aff886629b8482c14af800f411070

Regards,
Salvatore



Processed: Re: prctl: probably shouldn't be in testing/stable

2019-08-14 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #934482 [prctl] prctl: probably shouldn't be in testing/stable
Added tag(s) moreinfo.

-- 
934482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934482
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934758: DKMS module fails to build for linux 5.2.0-2

2019-08-14 Thread Ryan Kavanagh
Package: openafs-modules-dkms
Version: 1.8.2-1
Severity: grave
Justification: renders package unusable

The openafs DKMS module fails to build for Linux kernel 5.2.0-2.
This renders openafs unusable. I have attached the build log containing
the error messages, in particular, it seems to have something to do
with:

/var/lib/dkms/openafs/1.8.2/build/src/crypto/hcrypto/kernel/config.h: In 
function ‘gettimeofday’:
/var/lib/dkms/openafs/1.8.2/build/src/afs/LINUX/osi_machdep.h:85:22: error: 
‘xtime’ undeclared (first use in this function); did you mean ‘vtime’?
 # define osi_Time() (xtime.tv_sec)
  ^

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_CA.UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openafs-modules-dkms depends on:
ii  dkms   2.7.1-2
ii  libc6-dev  2.28-10
ii  perl   5.28.1-6

Versions of packages openafs-modules-dkms recommends:
ii  openafs-client  1.8.2-1

openafs-modules-dkms suggests no packages.

-- no debconf information

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A
DKMS make.log for openafs-1.8.2 for kernel 5.2.0-2-amd64 (x86_64)
Wed Aug 14 09:45:20 EDT 2019

Bug#934482: prctl: probably shouldn't be in testing/stable

2019-08-14 Thread Andreas Beckmann
Control: tag -1 moreinfo

On Sun, 11 Aug 2019 15:09:15 +0200 Ivo De Decker  wrote:
> The buildd 'Packages-arch-specific' configuration has this line for prctl:
> 
> %prctl: hppa ia64 alpha powerpc # ANAIS based on syscall availability
> 
> https://buildd.debian.org/quinn-diff/sid/Packages-arch-specific
> 
> As can be seen from the buildd page, this means that it will never be built
> for any release architecture:
> 
> https://buildd.debian.org/status/package.php?p=prctl
> 
> However, prctl has a binary on amd64. Either the Packages-arch-specific is
> wrong, or the package is unusable there and should be removed.
> 
> If it doesn't have a working binary on any release architecture, it shouldn't
> be in a release.

The package builds for me on amd64, i386, armhf (pbuilder chroots, armhf
via qemu). The existing amd64 binary works, i.e. I was able to query and
change the mcekill setting. (More settings are not supported, maybe
architecture/kernel/cpu dependent).

So maybe the packages-arch-specific setting is wrong.


Andreas



Bug#934708: marked as done (gitlab: CVE-2019-14942 CVE-2019-14944 (GitLab Critical Security Release: 12.1.6, 12.0.6, and 11.11.8))

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 12:05:22 +
with message-id 
and subject line Bug#934708: fixed in gitlab 11.11.8+dfsg-1
has caused the Debian Bug report #934708,
regarding gitlab: CVE-2019-14942 CVE-2019-14944 (GitLab Critical Security 
Release: 12.1.6, 12.0.6, and 11.11.8)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
934708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934708
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, another round
of gitlab issues, where this time only two CVEs are affecting the
versions present in Debian.

CVE-2019-14942[0]:
Insecure Cookie Handling on GitLab Pages

CVE-2019-14944[1]:
Multiple Command-Line Flag Injection Vulnerabilities

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14942
[1] https://security-tracker.debian.org/tracker/CVE-2019-14944
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14944
[2] https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gitlab
Source-Version: 11.11.8+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran  (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 14 Aug 2019 17:14:06 +0530
Source: gitlab
Architecture: source
Version: 11.11.8+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Sruthi Chandran 
Closes: 934708
Changes:
 gitlab (11.11.8+dfsg-1) experimental; urgency=medium
 .
   * New upstream security release 11.11.8+dfsg (Closes: #934708)
 (Fixes: CVE-2019-14942 CVE-2019-14944)
   * Remove embedded jaeger-client, opentracing and thrift



Bug#933742: marked as done (slirp4netns: CVE-2019-14378: heap buffer overflow during packet reassembly)

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 11:49:41 +
with message-id 
and subject line Bug#933742: fixed in slirp4netns 0.3.2-1
has caused the Debian Bug report #933742,
regarding slirp4netns: CVE-2019-14378: heap buffer overflow during packet 
reassembly
to be marked as done.


-- 
933742: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qemu
Version: 1:3.1+dfsg-8
Severity: grave
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:slirp4netns 0.3.1-1
Control: retitle -2 slirp4netns: CVE-2019-14459: heap buffer overflow during 
packet reassembly

Hi,

The following vulnerability was published for qemu (respectively the
SLiRP networking implementation, which is also forked in
slirp4netns).

CVE-2019-14378[0]:
| ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
| overflow via a large packet because it mishandles a case involving the
| first fragment.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14378
[1] 
https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
[2] https://www.openwall.com/lists/oss-security/2019/08/01/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: slirp4netns
Source-Version: 0.3.2-1

We believe that the bug you reported is fixed in the latest version of
slirp4netns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler  (supplier of updated slirp4netns package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 14 Aug 2019 07:33:02 -0400
Source: slirp4netns
Architecture: source
Version: 0.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler 
Changed-By: Reinhard Tartler 
Closes: 933742
Changes:
 slirp4netns (0.3.2-1) unstable; urgency=medium
 .
   * New Upstream release:
- vendor freedresktop slirp (upstream pull/130)
   * Bug fix: "CVE-2019-14378: heap buffer overflow during packet
 reassembly", thanks to Salvatore Bonaccorso (Closes: #933742).

Bug#934747: /usr/bin/rtorrent: rtorrent crashes with error "Could not create download: Info hash already used by another torrent."

2019-08-14 Thread Thomas Nemeth
Package: rtorrent
Version: 0.9.7-1
Severity: grave
File: /usr/bin/rtorrent
Tags: upstream
Justification: renders package unusable

Hi,

For several weeks now, rtorrent has been crashing when I start it (no changes
have been made to either its configuration or its torrent list for many
months).

Here is the log it produces:

8<8<8<8<8<
1565781738 N rtorrent main: Starting thread.
1565781738 N rtorrent scgi: Starting thread.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781747 E Could not create download: Info hash already used by another torrent.
1565781771 C Caught signal: 'Erreur de segmentation.
---DUMP---
Caught Segmentation fault, dumping stack:
rtorrent(+0x11e59) [0x4afe59]
linux-gate.so.1(__kernel_sigreturn+0) [0xb7f92d7c]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x31640) [0xb7e69640]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x328f2) [0xb7e6a8f2]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x2f7f7) [0xb7e677f7]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x30612) [0xb7e68612]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x30951) [0xb7e68951]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x33d5c) [0xb7e6bd5c]
/usr/lib/i386-linux-gnu/libcurl.so.4(+0x35205) [0xb7e6d205]
/usr/lib/i386-linux-gnu/libcurl.so.4(curl_multi_socket_action+0x2f) [0xb7e6d3af]
rtorrent(+0xda370) [0x578370]
rtorrent(+0xda68c) [0x57868c]
rtorrent(+0x1341b) [0x4b141b]
/usr/lib/i386-linux-gnu/libtorrent.so.20(_ZN7torrent11thread_base10event_loopEPS0_+0x229)
 [0xb7d8ec89]
rtorrent(+0x10b7b) [0x4aeb7b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0xb77e7b41]
rtorrent(+0x1173b) [0x4af73b]

---END---
8<8<8<8<8<

I can't figure out which torrent causes that message, but it should not make
the program segfault...


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-5-686-pae (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rtorrent depends on:
ii  libc6  2.28-10
ii  libcppunit-1.14-0  1.14.0-4
ii  libcurl4   7.65.1-1
ii  libgcc1  1:9.1.0-10
ii  libncursesw6   6.1+20190803-1
ii  libstdc++6 9.1.0-10
ii  libtinfo6  6.1+20190803-1
ii  libtorrent20   0.13.7-1
ii  libxmlrpc-core-c3  1.33.14-8+b1

rtorrent recommends no packages.

Versions of packages rtorrent suggests:
pn  screen | dtach  

-- no debconf information



Processed: reassign 934390 to totem, fixed 934390 in 3.32.0-2, tagging 904660, found 934281 in 1.24.1-1 ...

2019-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 934390 totem 3.30.0-4
Bug #934390 {Done: Simon McVittie } [totem,nautilus] totem, 
nautilus: not co-installable in unstable
Bug reassigned from package 'totem,nautilus' to 'totem'.
Ignoring request to alter found versions of bug #934390 to the same values 
previously set
No longer marked as fixed in versions totem/3.32.0-2.
Bug #934390 {Done: Simon McVittie } [totem] totem, nautilus: 
not co-installable in unstable
Marked as found in versions totem/3.30.0-4.
> fixed 934390 3.32.0-2
Bug #934390 {Done: Simon McVittie } [totem] totem, nautilus: 
not co-installable in unstable
Marked as fixed in versions totem/3.32.0-2.
> tags 904660 + sid bullseye
Bug #904660 {Done: Gianfranco Costamagna } 
[src:opensips] opensips FTBFS with json-c 0.13.1
Added tag(s) bullseye and sid.
> found 934281 1.24.1-1
Bug #934281 [r-bioc-metagenomeseq] r-bioc-metagenomeseq: Should not migrate to 
testing
Marked as found in versions r-bioc-metagenomeseq/1.24.1-1.
> tags 934281 + sid bullseye
Bug #934281 [r-bioc-metagenomeseq] r-bioc-metagenomeseq: Should not migrate to 
testing
Added tag(s) bullseye and sid.
> tags 934340 + sid bullseye
Bug #934340 [src:zeroinstall-injector] Please remove the dependency on obus and 
camlp4
Added tag(s) bullseye and sid.
> tags 934484 + sid bullseye
Bug #934484 [src:python-pytest-asyncio] python-pytest-asyncio: "Cannot import 
name 'transfer_markers'" with current pytest
Added tag(s) sid and bullseye.
> tags 934600 + sid bullseye
Bug #934600 [cufflinks,gffread] cufflinks,gffread: both ship /usr/bin/gffread
Added tag(s) sid and bullseye.
> tags 934344 + sid bullseye
Bug #934344 {Done: Andreas Beckmann } [nvidia-kernel-dkms] 
nvidia-kernel-dkms: nvidia kernel driver does not build with linux-5.2
Added tag(s) sid and bullseye.
> tags 934673 + sid bullseye experimental
Bug #934673 [libgit2-glib] libgit2-glib ftbfs with meson.build:148:2: ERROR: 
Assert failed: libgit2 ssh support was requested, but not found. Use 
-Dssh=false to build without it
Added tag(s) bullseye, sid, and experimental.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
904660: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904660
934281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934281
934340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934340
934344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934344
934390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934390
934484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934484
934600: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934600
934673: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891532: marked as done (captagent FTBFS with shared libfl)

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 08:45:00 +
with message-id 
and subject line Bug#891532: fixed in captagent 6.1.0.20-3.1
has caused the Debian Bug report #891532,
regarding captagent FTBFS with shared libfl
to be marked as done.


-- 
891532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: captagent
Version: 6.1.0.20-3
Severity: serious
Tags: buster sid

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/captagent.html

...
checking whether make sets $(MAKE)... (cached) yes
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for pthread_create in -lpthread... yes
checking for dlopen in -ldl... yes
checking for XML_ParserCreate in -lexpat... yes
checking for pcap_open_live in -lpcap... yes
checking for json_object_get in -ljson... no
checking for json_object_get in -ljson-c... yes
checking for yywrap in -lfl... no
configure: error: captagent requires but cannot find libfl


Fix attached.
Description: AC_CHECK_LIB(fl, yywrap) doesn't work with shared libfl
Author: Adrian Bunk 

--- captagent-6.1.0.20.orig/configure.ac
+++ captagent-6.1.0.20/configure.ac
@@ -153,6 +153,10 @@ AC_PROG_LEX
 if test "$LEX" != "flex"; then
AC_MSG_ERROR([flex not found. Please install flex])
 fi
+if test "x$LEXLIB" = "x"; then
+   AC_MSG_ERROR([captagent requires but cannot find libfl])
+fi
+
 
 if test -z "`echo %%|$LEX -t|grep yypop_buffer_state`"; then
AC_MSG_ERROR([flex missing yypop_buffer_state - upgrade to version 
2.5.33 or later])
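Review bot: the new `test "x$LEXLIB" = "x"` check in configure.ac treats an empty LEXLIB as a missing libfl, but LEXLIB holds whatever AC_PROG_LEX decided to link with, so the "cannot find libfl" message can mislead when AC_PROG_LEX concludes that no library is needed. Consider wording the error around LEXLIB, or dropping the check if the scanner provides its own yywrap. The added empty line after `fi` also leaves two consecutive blank lines.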
@@ -181,8 +185,6 @@ echo "If it is in a different di
 echo "the LDFLAGS to set its proper path.";
 AC_MSG_ERROR([Fatal:  libjson not found.])])])
 
-AC_CHECK_LIB(fl, yywrap, [ FLEX_LIBS="-lfl" ] , [AC_MSG_ERROR([captagent 
requires but cannot find libfl])])
-
 AC_SUBST(PTHREAD_LIBS)
 AC_SUBST(DL_LIBS)
 AC_SUBST(EXPAT_LIBS)
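Review bot: with the AC_CHECK_LIB(fl, yywrap, ...) call removed, nothing in this hunk assigns FLEX_LIBS any more, and the surrounding AC_SUBST lines do not show how it was exported. Check that no AC_SUBST(FLEX_LIBS) or other ${FLEX_LIBS} reference remains in configure.ac or in another Makefile.am, where it would now silently expand to nothing.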
--- captagent-6.1.0.20.orig/src/Makefile.am
+++ captagent-6.1.0.20/src/Makefile.am
@@ -19,6 +19,6 @@ AM_CPPFLAGS = -DSYSCONFDIR='"$(sysconfdi
 BUILT_SOURCES = capplan.tab.h
 noinst_HEADERS = md5.h captagent.h conf_function.h
 captagent_SOURCES = captagent.c conf_function.c log.c md5.c modules.c 
xmlread.c capplan.l capplan.tab.y
-captagent_LDADD = ${PTHREAD_LIBS} ${EXPAT_LIBS} ${DL_LIBS} ${FLEX_LIBS}
+captagent_LDADD = ${PTHREAD_LIBS} ${EXPAT_LIBS} ${DL_LIBS} ${LEXLIB}
 captagentconfdir = $(sysconfdir)/$(bin_PROGRAMS)
 captagentconf_DATA = $(top_srcdir)/conf/$(bin_PROGRAMS).xml
--- End Message ---
--- Begin Message ---
Source: captagent
Source-Version: 6.1.0.20-3.1

We believe that the bug you reported is fixed in the latest version of
captagent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna  (supplier of updated captagent 
package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 14 Aug 2019 09:59:44 +0200
Source: captagent
Binary: captagent
Architecture: source
Version: 6.1.0.20-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team 
Changed-By: Gianfranco Costamagna 
Description:
 captagent  - HOMER SIP capture agent
Closes: 891532
Changes:
 captagent (6.1.0.20-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * debian/patches/shared-libfl.patch:
 - find shared libfl (Closes: #891532)

Processed: Re: ndpi 2.2-1: FTBFS, alignment problem

2019-08-14 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #917238 [src:ndpi] ndpi 2.2-1: FTBFS, alignment problem
Severity set to 'important' from 'serious'

-- 
917238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917238
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934740: nftables: broken on BE

2019-08-14 Thread Gianfranco Costamagna
Source: nftables
Version: 0.9.1-2
Severity: serious
Tags patch

Hello, after trying to understand why firewalld was completely broken on s390x, 
and discussing with nftables upstream, they found that a particular commit: 
142350f154c7
broke Big Endian machines.

this is the set of patches:
https://marc.info/?l=netfilter-devel&m=156572714605196&w=2


Also, please add a docbook-xsl build dependency; on some systems it might not be
installed, and then the build fails because of a missing schema

e.g.

make[3]: Entering directory '/<>/doc'
a2x -L --doctype manpage --format manpage -D . nft.txt
a2x -L --doctype manpage --format manpage -D . libnftables-json.adoc
a2x -L --doctype manpage --format manpage -D . libnftables.adoc
a2x: ERROR: "xsltproc"  --stringparam callout.graphics 0 --stringparam 
navig.graphics 0 --stringparam admon.textlabel 1 --stringparam admon.graphics 0 
 "/etc/asciidoc/docbook-xsl/manpage.xsl" "/<>/doc/libnftables.xml" 
returned non-zero exit status 5
make[3]: *** [Makefile:648: libnftables.3] Error 1
make[3]: *** Waiting for unfinished jobs
a2x: ERROR: "xsltproc"  --stringparam callout.graphics 0 --stringparam 
navig.graphics 0 --stringparam admon.textlabel 1 --stringparam admon.graphics 0 
 "/etc/asciidoc/docbook-xsl/manpage.xsl" 
"/<>/doc/libnftables-json.xml" returned non-zero exit status 5
make[3]: *** [Makefile:651: libnftables-json.5] Error 1
a2x: ERROR: "xsltproc"  --stringparam callout.graphics 0 --stringparam 
navig.graphics 0 --stringparam admon.textlabel 1 --stringparam admon.graphics 0 
 "/etc/asciidoc/docbook-xsl/manpage.xsl" "/<>/doc/nft.xml" 
returned non-zero exit status 5
make[3]: *** [Makefile:645: nft.8] Error 1
make[3]: Leaving directory '/<>/doc'
make[2]: *** [Makefile:484: all-recursive] Error 1
make[2]: Leaving directory '/<>'
make[1]: *** [Makefile:393: all] Error 2
make[1]: Leaving directory '/<>'
dh_auto_build: make -j4 returned exit code 2
make: *** [debian/rules:15: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2



You can grab patches from my Ubuntu upload
https://launchpad.net/ubuntu/+source/nftables/0.9.1-2ubuntu3

including the missing schema fix.

thanks
(I'm still testing them, but I prefer to open the RC bug in advance, I'll 
update in case something else is needed)

Gianfranco



Bug#917238: ndpi 2.2-1: FTBFS, alignment problem

2019-08-14 Thread Gianfranco Costamagna
control: severity -1 important

I asked to remove the package on armhf, to avoid this bug being RC.

G.

On Mon, 12 Aug 2019 16:27:47 +0200 Gianfranco Costamagna 
 wrote:
> control: forwarded -1 https://github.com/ntop/nDPI/issues/763
> 
> 
> updating forwarded tag.
> 
> G.
> 
> 



Bug#891532: captagent FTBFS with shared libfl

2019-08-14 Thread Gianfranco Costamagna
control: tags -1 patch pending
On Mon, 26 Feb 2018 15:22:58 +0200 Adrian Bunk  wrote:
> Source: captagent
> Version: 6.1.0.20-3
> Severity: serious
> Tags: buster sid
> 
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/captagent.html
> 
> ...
> checking whether make sets $(MAKE)... (cached) yes
> checking for flex... flex
> checking lex output file root... lex.yy
> checking lex library... -lfl
> checking whether yytext is a pointer... yes
> checking for bison... bison -y
> checking for pthread_create in -lpthread... yes
> checking for dlopen in -ldl... yes
> checking for XML_ParserCreate in -lexpat... yes
> checking for pcap_open_live in -lpcap... yes
> checking for json_object_get in -ljson... no
> checking for json_object_get in -ljson-c... yes
> checking for yywrap in -lfl... no
> configure: error: captagent requires but cannot find libfl
> 
> 
> Fix attached.

uploaded as NMU.

G.



Bug#891532: captagent FTBFS with shared libfl

2019-08-14 Thread Gianfranco Costamagna
and attached.
diff -Nru captagent-6.1.0.20/debian/changelog 
captagent-6.1.0.20/debian/changelog
--- captagent-6.1.0.20/debian/changelog 2017-01-15 21:09:31.0 +0100
+++ captagent-6.1.0.20/debian/changelog 2019-08-14 09:59:44.0 +0200
@@ -1,3 +1,11 @@
+captagent (6.1.0.20-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * debian/patches/shared-libfl.patch:
+- find shared libfl (Closes: #891532)
+
+ -- Gianfranco Costamagna   Wed, 14 Aug 2019 
09:59:44 +0200
+
 captagent (6.1.0.20-3) unstable; urgency=high
 
   * Update Build-Deps for default-libmysqlclient-dev. (Closes: #845827)
diff -Nru captagent-6.1.0.20/debian/patches/series 
captagent-6.1.0.20/debian/patches/series
--- captagent-6.1.0.20/debian/patches/series1970-01-01 01:00:00.0 
+0100
+++ captagent-6.1.0.20/debian/patches/series2019-08-14 09:59:43.0 
+0200
@@ -0,0 +1 @@
+shared-libfl.patch
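Review bot: debian/patches/series is created from scratch here (`@@ -0,0 +1 @@` against a 1970-01-01 timestamp), so this is the package's first entry in a patch series. Check that debian/source/format is 3.0 (quilt), or that debian/rules applies the series itself, since otherwise shared-libfl.patch is never applied to the build tree.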
diff -Nru captagent-6.1.0.20/debian/patches/shared-libfl.patch 
captagent-6.1.0.20/debian/patches/shared-libfl.patch
--- captagent-6.1.0.20/debian/patches/shared-libfl.patch1970-01-01 
01:00:00.0 +0100
+++ captagent-6.1.0.20/debian/patches/shared-libfl.patch2019-08-14 
09:59:44.0 +0200
@@ -0,0 +1,36 @@
+Description: AC_CHECK_LIB(fl, yywrap) doesn't work with shared libfl
+Author: Adrian Bunk 
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891532
+
+--- captagent-6.1.0.20.orig/configure.ac
 captagent-6.1.0.20/configure.ac
+@@ -153,6 +153,10 @@ AC_PROG_LEX
+ if test "$LEX" != "flex"; then
+   AC_MSG_ERROR([flex not found. Please install flex])
+ fi
++if test "x$LEXLIB" = "x"; then
++  AC_MSG_ERROR([captagent requires but cannot find libfl])
++fi
++
+ 
+ if test -z "`echo %%|$LEX -t|grep yypop_buffer_state`"; then
+   AC_MSG_ERROR([flex missing yypop_buffer_state - upgrade to version 
2.5.33 or later])
+@@ -181,8 +185,6 @@ echo "If it is in a different di
+ echo "the LDFLAGS to set its proper path.";
+ AC_MSG_ERROR([Fatal:  libjson not found.])])])
+ 
+-AC_CHECK_LIB(fl, yywrap, [ FLEX_LIBS="-lfl" ] , [AC_MSG_ERROR([captagent 
requires but cannot find libfl])])
+-
+ AC_SUBST(PTHREAD_LIBS)
+ AC_SUBST(DL_LIBS)
+ AC_SUBST(EXPAT_LIBS)
+--- captagent-6.1.0.20.orig/src/Makefile.am
 captagent-6.1.0.20/src/Makefile.am
+@@ -19,6 +19,6 @@ AM_CPPFLAGS = -DSYSCONFDIR='"$(sysconfdi
+ BUILT_SOURCES = capplan.tab.h
+ noinst_HEADERS = md5.h captagent.h conf_function.h
+ captagent_SOURCES = captagent.c conf_function.c log.c md5.c modules.c 
xmlread.c capplan.l capplan.tab.y
+-captagent_LDADD = ${PTHREAD_LIBS} ${EXPAT_LIBS} ${DL_LIBS} ${FLEX_LIBS}
++captagent_LDADD = ${PTHREAD_LIBS} ${EXPAT_LIBS} ${DL_LIBS} ${LEXLIB}
+ captagentconfdir = $(sysconfdir)/$(bin_PROGRAMS)
+ captagentconf_DATA = $(top_srcdir)/conf/$(bin_PROGRAMS).xml
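Review bot: this patch changes configure.ac and src/Makefile.am, but nothing in the debdiff shows the generated configure and Makefile.in being rebuilt. Confirm that the package build runs autoreconf (for example via dh_autoreconf), otherwise a pre-generated configure would still run the old AC_CHECK_LIB(fl, yywrap) test. The patch header could also carry a Forwarded: field so the fix is tracked upstream.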


Processed: Re: captagent FTBFS with shared libfl

2019-08-14 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 patch pending
Bug #891532 [src:captagent] captagent FTBFS with shared libfl
Added tag(s) pending.

-- 
891532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934674: marked as done (python-os-win: (build-)depends on cruft package.)

2019-08-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Aug 2019 09:02:36 +0200
with message-id <95192aea-4c7a-36a9-fe07-f41639ff5...@debian.org>
and subject line Re: Bug#934674: python-os-win: (build-)depends on cruft 
package.
has caused the Debian Bug report #934674,
regarding python-os-win: (build-)depends on cruft package.
to be marked as done.


-- 
934674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934674
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: python-os-win
Version: 4.0.0-3
Severity: serious
Tags: bullseye

Python-os-win in testing (build-)depends on a number of python2 packages that 
are no longer built by the corresponding source packages.

This is already fixed in unstable, by dropping python 2 support, but the 
unstable version is currently unable to migrate due to 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928129
--- End Message ---
--- Begin Message ---
On 8/13/19 10:50 AM, peter green wrote:
> Package: python-os-win
> Version: 4.0.0-3
> Severity: serious
> Tags: bullseye
> 
> Python-os-win in testing (build-)depends on a number of python2 packages
> that are no longer built by the corresponding source packages.
> 
> This is already fixed in unstable, by dropping python 2 support, but the
> unstable version is currently unable to migrate due to
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928129

Hi,

I also believe that #928129 severity should only be important, not RC.
I've done that, and therefore, I believe I can close this bug. Let me
know if you believe I shouldn't.

Thanks for your valuable bug reports,
Cheers,

Thomas Goirand (zigo)
--- End Message ---


Processed: severity 928129 important

2019-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 928129 important
Bug #928129 [src:python-os-win] python-os-win: FTBFS on i386: 
ClusterPropertyListParsingError: Parsing a cluster property list failed.
Severity set to 'important' from 'serious'
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
928129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems