[SECURITY] [DLA 2344-1] mongodb security update

2020-08-24 Thread Roberto C. Sánchez
-
Debian LTS Advisory DLA-2344-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/ 
August 24, 2020   https://wiki.debian.org/LTS
-

Package: mongodb
Version: 1:3.2.11-2+deb9u2
CVE ID : CVE-2020-7923
Debian Bug : 

A denial of service vulnerability was discovered in mongodb, an
object/document-oriented database, whereby a user authorized to perform
database queries may issue specially crafted queries, which violate an
invariant in the query subsystem's support for geoNear.

For Debian 9 stretch, this problem has been fixed in version
1:3.2.11-2+deb9u2.

We recommend that you upgrade your mongodb packages.

For the detailed security status of mongodb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mongodb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted mongodb 1:3.2.11-2+deb9u2 (source) into oldstable

2020-08-24 Thread Debian FTP Masters
Format: 1.8
Date: Mon, 24 Aug 2020 14:21:40 -0400
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients
Architecture: source
Version: 1:3.2.11-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian MongoDB Maintainers
Changed-By: Roberto C. Sanchez
Description:
 mongodb - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-server - object/document-oriented database (server package)
Changes:
 mongodb (1:3.2.11-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2020-7923: A user authorized to perform database queries may cause
     denial of service by issuing specially crafted queries, which violate an
     invariant in the query subsystem's support for geoNear.



[SECURITY] [DLA 2343-1] icingaweb2 security update

2020-08-24 Thread Roberto C. Sánchez
-
Debian LTS Advisory DLA-2343-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/ 
August 24, 2020   https://wiki.debian.org/LTS
-

Package: icingaweb2
Version: 2.4.1-1+deb9u1
CVE ID : CVE-2020-24368
Debian Bug : 968833

A directory traversal vulnerability was discovered in Icinga Web 2, a
web interface for Icinga, which could result in the disclosure of files
readable by the process.

For Debian 9 stretch, this problem has been fixed in version
2.4.1-1+deb9u1.

We recommend that you upgrade your icingaweb2 packages.

For the detailed security status of icingaweb2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/icingaweb2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted icingaweb2 2.4.1-1+deb9u1 (source) into oldstable

2020-08-24 Thread Debian FTP Masters
Format: 1.8
Date: Mon, 24 Aug 2020 14:43:20 -0400
Source: icingaweb2
Binary: icingaweb2 icingaweb2-common icingaweb2-module-monitoring icingaweb2-module-doc php-icinga icingacli
Architecture: source
Version: 2.4.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nagios Maintainer Group
Changed-By: Roberto C. Sanchez
Description:
 icingacli - simple CLI tool for Icingaweb2 and its modules
 icingaweb2 - simple and responsive web interface for Icinga
 icingaweb2-common - simple and responsive web interface for Icinga - common files
 icingaweb2-module-doc - simple and responsive web interface for Icinga - documentation mo
 icingaweb2-module-monitoring - simple and responsive web interface for Icinga - monitoring modul
 php-icinga - PHP library to communicate with and use Icinga
Closes: 968833
Changes:
 icingaweb2 (2.4.1-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2020-24368: a Directory Traversal vulnerability allows an attacker
     to access arbitrary files that are readable by the process running
     icingaweb2. (Closes: #968833)



Re: gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-24 Thread Adrian Bunk
On Mon, Aug 24, 2020 at 10:52:12AM +0200, Sylvain Beucler wrote:
>...
> On 24/08/2020 07:42, Adrian Bunk wrote:
> > On Fri, Aug 21, 2020 at 02:08:44PM +0200, Sylvain Beucler wrote:
>...
> >> I cannot find an explanation for this error, and the package builds
> >> fine on porterbox abel.debian.org (see
> >> ~beuc/ghostscript_9.26a~dfsg-0+deb9u7_armhf.build), so I suppose a
> >> transient buildd failure occurred.
> >> ...
> > Race conditions are rarely always reproducible.
> 
> This statement sounds condescending and somewhat ruins what was a nice
> e-mail so far :/

It was not intended this way.

The difference between "condescending" and "useful information" is what 
level of knowledge you already have.

Unless one knows the skills of the other person well,
one always ends up explaining either too little or too much.

And yes, I have gotten "but it did work when I tried" replies
from DDs when discussing these kinds of issues.

> Cheers!
> Sylvain

cu
Adrian



[SECURITY] [DLA 2342-1] libjackson-json-java security update

2020-08-24 Thread Adrian Bunk
-
Debian LTS Advisory DLA-2342-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/
August 24, 2020   https://wiki.debian.org/LTS
-

Package: libjackson-json-java
Version: 1.9.2-8+deb9u1
CVE ID : CVE-2017-7525 CVE-2019-10172

Several vulnerabilities were fixed in libjackson-json-java,
a Java JSON processor.

CVE-2017-7525

Jackson Deserializer security vulnerability.

CVE-2017-15095

Block more JDK types from polymorphic deserialization.

CVE-2019-10172

XML external entity vulnerabilities.

For Debian 9 stretch, these problems have been fixed in version
1.9.2-8+deb9u1.

We recommend that you upgrade your libjackson-json-java packages.

For the detailed security status of libjackson-json-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libjackson-json-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-24 Thread Holger Levsen
hi,

today one package was unclaimed each for
LTS:
- nss (Adrian Bunk)
and ELTS:
- apache2 (Utkarsh Gupta)


Then, it seems the end of the month is near and 4 people probably claimed too
many packages:

Adrian Bunk:   nss openexr qt4-x11 qtbase-opensource-src
Mike Gabriel:  freerdp gnome-shell guacamole-client jupyter-notebook libvncserver
Thorsten Alteholz: bind9 curl ndpi yubico-piv-tool
Utkarsh Gupta: asyncpg ruby-json-jwt ruby-kaminari ruby-rack-cors


There are three DLAs which have been reserved but not yet been published on
www.debian.org:

- DLA 2342-1 (24 Aug 2020) (libjackson)
- DLA 2341-1 (24 Aug 2020) (inetutils)
- DLA 2333-1 (18 Aug 2020) (imagemagick)


As usual, being mentioned here is just a sign that you've been working and some
work is unfinished, so nothing bad, nothing to justify, just please continue
your great work on (E)LTS.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C



[SECURITY] [DLA 2341-1] inetutils security update

2020-08-24 Thread Adrian Bunk
-
Debian LTS Advisory DLA-2341-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/
August 24, 2020   https://wiki.debian.org/LTS
-

Package: inetutils
Version: 2:1.9.4-2+deb9u1
CVE ID : CVE-2020-10188
Debian Bug : 956084

In inetutils-telnetd, an implementation of a telnet daemon,
arbitrary remote code execution might have been possible via
short writes or urgent data.

For Debian 9 stretch, this problem has been fixed in version
2:1.9.4-2+deb9u1.

We recommend that you upgrade your inetutils-telnetd packages.

For the detailed security status of inetutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted libjackson-json-java 1.9.2-8+deb9u1 (source) into oldstable

2020-08-24 Thread Debian FTP Masters
Format: 1.8
Date: Mon, 24 Aug 2020 11:22:38 +0300
Source: libjackson-json-java
Binary: libjackson-json-java libjackson-json-java-doc
Architecture: source
Version: 1.9.2-8+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: Adrian Bunk
Description:
 libjackson-json-java - streaming fast powerful standard conformant json processor in jav
 libjackson-json-java-doc - standard conformant json processor in java - API documentation
Changes:
 libjackson-json-java (1.9.2-8+deb9u1) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Backported security fixes including:
     - Jackson Deserializer security vulnerability. (CVE-2017-7525)
     - Block more JDK types from polymorphic deserialization. (CVE 2017-15095)
     - XXE vulnerability in XmlMapper. (CVE-2019-10172)



Re: gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-24 Thread Sylvain Beucler
Hi,

On 24/08/2020 07:42, Adrian Bunk wrote:
> On Fri, Aug 21, 2020 at 02:08:44PM +0200, Sylvain Beucler wrote:
>> Hello,
>>
>> ghostscript failed to build on armhf for stretch-security:
>> https://buildd.debian.org/status/fetch.php?pkg=ghostscript&arch=armhf&ver=9.26a%7Edfsg-0%2Bdeb9u7&stamp=1597941103&raw=0
>> "./soobj/dxmainc.o: file not recognized: File truncated"
> This is a typical parallel building bug, something is reading dxmainc.o
> while something else hasn't yet finished writing it. There is a
> dependency between these two missing somewhere in some Makefile.
>
> In buster this is worked around with
> https://sources.debian.org/src/ghostscript/9.52.1%7Edfsg-1/debian/rules/#L33-L36

Thanks for the info.

I didn't think of a parallel error, and was too biased toward blaming armhf
(including when searching for other occurrences of this error).

>> I cannot find an explanation for this error, and the package builds
>> fine on porterbox abel.debian.org (see
>> ~beuc/ghostscript_9.26a~dfsg-0+deb9u7_armhf.build), so I suppose a
>> transient buildd failure occurred.
>> ...
> Race conditions are rarely always reproducible.

This statement sounds condescending and somewhat ruins what was a nice
e-mail so far :/

Cheers!
Sylvain



Accepted inetutils 2:1.9.4-2+deb9u1 (source) into oldstable

2020-08-24 Thread Debian FTP Masters
Format: 1.8
Date: Mon, 24 Aug 2020 10:20:27 +0300
Source: inetutils
Binary: inetutils-ftp inetutils-ftpd inetutils-inetd inetutils-ping inetutils-traceroute inetutils-syslogd inetutils-talk inetutils-talkd inetutils-telnet inetutils-telnetd inetutils-tools
Architecture: source
Version: 2:1.9.4-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Guillem Jover 
Changed-By: Adrian Bunk 
Description:
 inetutils-ftp - File Transfer Protocol client
 inetutils-ftpd - File Transfer Protocol server
 inetutils-inetd - internet super server
 inetutils-ping - ICMP echo tool
 inetutils-syslogd - system logging daemon
 inetutils-talk - talk to another user
 inetutils-talkd - remote user communication server
 inetutils-telnet - telnet client
 inetutils-telnetd - telnet server
 inetutils-tools - base networking utilities (experimental package)
 inetutils-traceroute - trace the IPv4 route to another host
Changes:
 inetutils (2:1.9.4-2+deb9u1) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2020-10188: Arbitrary remote code execution in telnetd via
     short writes or urgent data.



Re: gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-24 Thread Adrian Bunk
On Fri, Aug 21, 2020 at 02:08:44PM +0200, Sylvain Beucler wrote:
> Hello,
> 
> ghostscript failed to build on armhf for stretch-security:
> https://buildd.debian.org/status/fetch.php?pkg=ghostscript&arch=armhf&ver=9.26a%7Edfsg-0%2Bdeb9u7&stamp=1597941103&raw=0
> "./soobj/dxmainc.o: file not recognized: File truncated"

This is a typical parallel building bug, something is reading dxmainc.o 
while something else hasn't yet finished writing it. There is a 
dependency between these two missing somewhere in some Makefile.

In buster this is worked around with
https://sources.debian.org/src/ghostscript/9.52.1%7Edfsg-1/debian/rules/#L33-L36

> I cannot find an explanation for this error, and the package builds
> fine on porterbox abel.debian.org (see
> ~beuc/ghostscript_9.26a~dfsg-0+deb9u7_armhf.build), so I suppose a
> transient buildd failure occurred.
>...

Race conditions are rarely always reproducible.

> Cheers!
> Sylvain

cu
Adrian