Bug#864233: unblock: linux/4.9.30-1

2017-06-05 Thread Ben Hutchings
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package linux

This includes many important bug fixes, including security fixes.  It
adds support for system reset on Malta boards, additional GPUs on
ARM64 systems, and PL011 serial consoles on ARM64 systems.  It makes
the efivarfs module available in the installer, which is important for
supporting some x86 systems.

The debdiff would be too large for you to review, unfortunately.
Instead, here are the changelog entries:

linux (4.9.30-1) unstable; urgency=medium

  * New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.26
- [arm64] Revert "mmc: sdhci-msm: Enable few quirks"
- ping: implement proper locking
- [sparc64] kern_addr_valid regression
- [sparc64] Fix kernel panic due to erroneous #ifdef surrounding
  pmd_write()
- net: neigh: guard against NULL solicit() method
- net: phy: handle state correctly in phy_stop_machine
- bpf: improve verifier packet range checks
- net/mlx5: Avoid dereferencing uninitialized pointer
- l2tp: hold tunnel socket when handling control frames in l2tp_ip
  and l2tp_ip6
- l2tp: purge socket queues in the .destruct() callback
- net/packet: fix overflow in check for tp_frame_nr
- net/packet: fix overflow in check for tp_reserve
- l2tp: take reference on sessions being dumped
- l2tp: fix PPP pseudo-wire auto-loading
- net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
- sctp: listen on the sock only when it's state is listening or
  closed
- tcp: clear saved_syn in tcp_disconnect()
- ipv6: Fix idev->addr_list corruption
- net-timestamp: avoid use-after-free in ip_recv_error
- net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
- dp83640: don't recieve time stamps twice
- gso: Validate assumption of frag_list segementation
- net: ipv6: RTF_PCPU should not be settable from userspace
- netpoll: Check for skb->queue_mapping
- ip6mr: fix notification device destruction
- net/mlx5: Fix driver load bad flow when having fw
  initializing timeout
- net/mlx5e: Fix small packet threshold
- net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling
- macvlan: Fix device ref leak when purging bc_queue
- net: ipv6: regenerate host route if moved to gc list
- net: phy: fix auto-negotiation stall due to unavailable interrupt
- ipv6: check skb->protocol before lookup for nexthop
- tcp: memset ca_priv data to 0 properly
- ipv6: check raw payload size correctly in ioctl
- ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
- ALSA: firewire-lib: fix inappropriate assignment between
  signed/unsigned type
- ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
- [mips*] KGDB: Use kernel context for sleeping threads
- [mips*] Avoid BUG warning in arch_check_elf
- p9_client_readdir() fix
- [x86] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
- Input: i8042 - add Clevo P650RS to the i8042 reset list
- nfsd: check for oversized NFSv2/v3 arguments
- nfsd4: minor NFSv2/v3 write decoding cleanup
- nfsd: stricter decoding of write-like NFSv2/v3 ops
- ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
- macsec: avoid heap overflow in skb_to_sgvec
- net: can: usb: gs_usb: Fix buffer on stack
- [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.27
- timerfd: Protect the might cancel mechanism proper
- Handle mismatched open calls
- [x86] tpm_tis: use default timeout value if chip reports it as zero
- scsi: storvsc: Workaround for virtual DVD SCSI version
- [powerpc, x86] hwmon: (it87) Avoid registering the same chip on both SIO
  addresses
- 8250_pci: Fix potential use-after-free in error path
- ceph: try getting buffer capability for readahead/fadvise
- cpu/hotplug: Serialize callback invocations proper
- dm ioctl: prevent stack leak in dm ioctl call
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.28
- 9p: fix a potential acl leak
- hwmon: (it87) Fix pwm4 detection for IT8620 and IT8628
- [x86] tpm: fix RC value check in tpm2_seal_trusted
- [x86] tmp: use pdev for parent device in tpm_chip_alloc
- cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores
- [powerpc*] mm: Fixup wrong LPCR_VRMASD value
- [powerpc*] powernv: Fix opal_exit tracepoint opcode
- [powerpc*] Correctly disable latent entropy GCC plugin on
  prom_init.o
- [x86] perf/x86/intel/pt: Add format strings for PTWRITE and power
  event tracing
- [arm64] dts: r8a7795: Mark EthernetAVB device node disabled
- [arm64] dts: qcom: Fix ipq board clock rates
- [arm64] Improve detection of user/non-user mappings in
  set_pte(_at)
- 

Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Niels Thykier
# control@ BCC'ed as well
clone 864201 -1
reassign -1 release-notes
retitle -1 release-notes: Document dblatex upgrade issue [stretch]
tags -1 - jessie moreinfo
thanks

Hi Andreas,

Thanks for filing this issue.  I have cloned a copy of it to the
release-notes as it is too late to fix in jessie before the stretch release.

Adam D. Barratt:
> [...]
> On 2017-06-05 9:08, Andreas Hoenen wrote:
>> Package: release.debian.org
>> Severity: important
>>
>> [...]
>> It has been reported that jessie-stretch dist-upgrades abort because
>> of the dblatex postrm script failing: it calls texlive-binaries
>> command mktexlsr which is unavailable at this very moment.
>>
>> The fix is simple, but needs to be applied to the jessie version of
>> dblatex.
> 
> The same issue appears to apply to the dblatex package in unstable,
> which means it needs fixing there first.
> 
> [...]
> 
> Regards,
> 
> Adam
> 

It would be great if this could be fixed in stretch for r0.  Else, we
will need the same caveat in the release-notes for stretch -> buster as well.


Beyond that, what are the workarounds for this?

 * Remove dblatex, upgrade and then install it again?

 * [After the fix in jessie] Upgrade to latest jessie point release
   and then upgrade to stretch.

 * Any other?


Thanks,
~Niels



Processed: Re: Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # control@ BCC'ed as well
> clone 864201 -1
Bug #864201 [release.debian.org] jessie-pu: dblatex/0.3.5-2
Bug 864201 cloned as bug 864206
> reassign -1 release-notes
Bug #864206 [release.debian.org] jessie-pu: dblatex/0.3.5-2
Bug reassigned from package 'release.debian.org' to 'release-notes'.
Ignoring request to alter found versions of bug #864206 to the same values 
previously set
Ignoring request to alter fixed versions of bug #864206 to the same values 
previously set
> retitle -1 release-notes: Document dblatex upgrade issue [stretch]
Bug #864206 [release-notes] jessie-pu: dblatex/0.3.5-2
Changed Bug title to 'release-notes: Document dblatex upgrade issue [stretch]' 
from 'jessie-pu: dblatex/0.3.5-2'.
> tags -1 - jessie moreinfo
Bug #864206 [release-notes] release-notes: Document dblatex upgrade issue 
[stretch]
Removed tag(s) jessie and moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864201: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864201
864206: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864228: unblock: python-django/1:1.10.7-2

2017-06-05 Thread Raphaël Hertzog
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-django

We have fixed two bugs:
- #816435: a test failure that was triggered by the DEP-8 test (i.e. when
  running against an installed package)
  => we like to be able to run DEP-8 test on security updates to validate
  them before release so it's nice to have this fixed in stable
- #863267: a problem in the database migration code that refused to update
  the schema in some cases where the initial migration had to be "faked"
  because the database structure was already in place but the
  corresponding migration was not yet properly recorded in the database.
  This affected lava-server in Debian but could possibly affect
  end users too and it's nice to avoid them this problem.

unblock python-django/1:1.10.7-2

Note that we also got rid of git-dpm's metadata since we no longer use it.
This has no impact on the built package.

Here's the debdiff:
diff --git a/debian/.git-dpm b/debian/.git-dpm
deleted file mode 100644
index b6f8ad1788..00
--- a/debian/.git-dpm
+++ /dev/null
@@ -1,11 +0,0 @@
-# see git-dpm(1) from git-dpm package
-0e464e28dd41c3a8d8fc0f3317650ec4e029b8c5
-0e464e28dd41c3a8d8fc0f3317650ec4e029b8c5
-f18dfc589f0b4a909be9e0cdcf48b70b4f3a7e4e
-f18dfc589f0b4a909be9e0cdcf48b70b4f3a7e4e
-python-django_1.10.7.orig.tar.gz
-5edd13a642460c33cdaf8e8166eccf6b2a2555df
-7737654
-debianTag="debian/%e%%%v"
-patchedTag="debian/patches/%e%%%v"
-upstreamTag="upstream/%e%%%u"
diff --git a/debian/changelog b/debian/changelog
index c865858e3b..47d407c835 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-django (1:1.10.7-2) unstable; urgency=medium
+
+  * Accept again migrations depending on initial migrations that
+can be fake applied. Closes: #863267
+  * Add patch to fix DEP-8 test. Closes: #816435
+
+ -- Raphaël Hertzog   Mon, 29 May 2017 16:59:51 +0200
+
 python-django (1:1.10.7-1) unstable; urgency=medium
 
   * New upstream security release:
diff --git a/debian/patches/fix-migration-fake-initial-1.patch 
b/debian/patches/fix-migration-fake-initial-1.patch
new file mode 100644
index 00..63513b8bb5
--- /dev/null
+++ b/debian/patches/fix-migration-fake-initial-1.patch
@@ -0,0 +1,290 @@
+From c6d66195d7f816aeb47a77570bdd3836a99d4183 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= 
+Date: Mon, 29 May 2017 15:44:39 +0200
+Subject: [PATCH 1/2] Move detect_soft_applied() from
+ django.db.migrations.executor to .loader
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We want to be able to use that method in
+loader.check_consistent_history() to accept an history where the initial
+migration is going to be fake-applied. Since the executor has the
+knowledge of the loader (but not the opposite), it makes sens to move
+the code around.
+
+Signed-off-by: Raphaël Hertzog 
+Bug: https://code.djangoproject.com/ticket/28250
+Bug-Debian: https://bugs.debian.org/863267
+---
+ django/db/migrations/executor.py  | 83 +--
+ django/db/migrations/loader.py| 81 ++
+ tests/migrations/test_executor.py | 12 +++---
+ 3 files changed, 88 insertions(+), 88 deletions(-)
+
+--- a/django/db/migrations/executor.py
 b/django/db/migrations/executor.py
+@@ -1,8 +1,5 @@
+ from __future__ import unicode_literals
+ 
+-from django.apps.registry import apps as global_apps
+-from django.db import migrations, router
+-
+ from .exceptions import InvalidMigrationPlan
+ from .loader import MigrationLoader
+ from .recorder import MigrationRecorder
+@@ -235,7 +232,7 @@ class MigrationExecutor(object):
+ if not fake:
+ if fake_initial:
+ # Test to see if this is an already-applied initial migration
+-applied, state = self.detect_soft_applied(state, migration)
++applied, state = self.loader.detect_soft_applied(state, 
migration)
+ if applied:
+ fake = True
+ if not fake:
+@@ -290,81 +287,3 @@ class MigrationExecutor(object):
+ if all_applied and key not in applied:
+ self.recorder.record_applied(*key)
+ 
+-def detect_soft_applied(self, project_state, migration):
+-"""
+-Tests whether a migration has been implicitly applied - that the
+-tables or columns it would create exist. This is intended only for use
+-on initial migrations (as it only looks for CreateModel and AddField).
+-"""
+-def should_skip_detecting_model(migration, model):
+-"""
+-No need to detect tables for proxy models, unmanaged models, or
+-models that can't be migrated on the current database.
+-"""
+-return (
+-model._meta.proxy or not 
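
Review bot: removing "def detect_soft_applied(self, project_state, migration)" from MigrationExecutor in executor.py leaves no method of that name on the executor, so any caller outside this file that uses executor.detect_soft_applied() breaks once the package is updated. The lines shown only rewrite the one internal call to self.loader.detect_soft_applied(state, migration); consider keeping a thin MigrationExecutor.detect_soft_applied() that delegates to the loader, so the move stays compatible for code that depends on the packaged Django.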

Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Niels, hi Bdale,

On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> Control: tags -1 moreinfo
> 
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi
> > 
> > Please unblock package sudo, actually a pre-approval request.
> > 
> > The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> > which is #863897 in the BTS. See
> > 
> > http://www.openwall.com/lists/oss-security/2017/06/02/7
> > 
> > I'm including the generated debdiff against the current version in
> > stretch.
> > 
> > unblock sudo/1.8.19p1-2.1
> > 
> > Regards,
> > Salvatore
> > 
> 
> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
> fix it in unstable first.

Yes that's true. Okay I have uploaded (without delay, and hope this is
fine with Bdale!) the NMU to sid.

> Otherwise, the diff looks fine (feel free to include
> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks, feel more comfortable to follow upstream. Attached is a new
debdiff!

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog  2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/changelog  2017-06-05 14:22:55.0 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Use /proc/self consistently on Linux
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso   Mon, 05 Jun 2017 14:22:55 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 
sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff  1970-01-01 
01:00:00.0 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff  2017-06-05 
14:22:55.0 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller 
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c
+--- a/src/ttyname.cTue May 30 10:44:11 2017 -0600
 b/src/ttyname.cWed May 31 09:14:31 2017 -0600
+@@ -452,25 +452,37 @@
+ get_process_ttyname(char *name, size_t namelen)
+ {
+ const char path[] = "/proc/self/stat";
+-char *line = NULL;
++char *cp, buf[1024];
+ char *ret = NULL;
+-size_t linesize = 0;
+ int serrno = errno;
+-ssize_t len;
+-FILE *fp;
++ssize_t nread;
++int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-/* Try to determine the tty from tty_nr in /proc/self/stat. */
+-if ((fp = fopen(path, "r")) != NULL) {
+-  len = getline(, , fp);
+-  fclose(fp);
+-  if (len != -1) {
++/*
++ * Try to determine the tty from tty_nr in /proc/self/stat.
++ * Ignore /proc/self/stat if it contains embedded NUL bytes.
++ */
++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++  cp = buf;
++  while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++  if (nread == -1) {
++  if (errno == EAGAIN || errno == EINTR)
++  continue;
++  break;
++  }
++  cp += nread;
++  if (cp >= buf + sizeof(buf))
++  break;
++  }
++  if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+   /*
+* Field 7 is the tty dev (0 if no tty).
+-   * Since the process name at field 2 "(comm)" may include spaces,
+-   * start at the last ')' found.
++   * Since the process name at field 2 "(comm)" may include
++   * whitespace (including newlines), start at the last ')' found.
+*/
+-  char *cp = strrchr(line, ')');
++  *cp = '\0';
++  cp = strrchr(buf, ')');
+   if (cp != NULL) {
+   char *ep = cp;
+   const char *errstr;
+@@ -501,7 +513,8 @@
+ errno = ENOENT;
+ 
+ done:
+-free(line);
++if (fd != -1)
++  close(fd);
+ if (ret == NULL)
+   sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+   "unable to resolve tty via %s", path);
+
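
Review bot: in the last hunk of the embedded patch, the done: label now runs "if (fd != -1) close(fd);", but fd is declared as plain "int fd;" with no initializer. In the lines shown, open() assigns it before anything can jump to done:, so the cleanup is correct as written; declaring it as "int fd = -1;" would keep it correct if a later change adds an early "goto done" above the open() call.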
diff -Nru sudo-1.8.19p1/debian/patches/series 
sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/patches/series 2017-06-05 14:22:55.0 +0200
@@ 

Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Andreas Beckmann
On Mon, 05 Jun 2017 09:22:00 + Niels Thykier  wrote:
> Thanks for filing this issue.  I have cloned a copy of it to the
> release-notes as it is too late to fix in jessie before the stretch release.

I think I identified the underlying cause and that can be fixed
trivially: just changing a dependency from texlive-math-extra to
texlive-science (plus removing superfluous mktexlsr calls from the
maintainer scripts to avoid future breakage).
texlive-math-extra is a real package in jessie but a virtual package in
stretch, that gives apt a headache and it decides to remove dblatex (and
does it at the wrong time).
That fix should avoid updating the jessie package and avoid needing
something in the release notes :-)


Andreas



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Hi

On Mon, Jun 05, 2017 at 01:40:33PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package sudo, actually a pre-approval request.

One side note on the patch. If you allow me to I would rather as well
add https://www.sudo.ws/repos/sudo/rev/6f3d9816541b from 1.8.20p2 and
then rebase the patch on top of that. It would be more consistent on
what upstream has done to not diverge too much.

If you agree I can send a new debdiff for that.

Regards,
Salvatore



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Niels Thykier
Control: tags -1 moreinfo

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package sudo, actually a pre-approval request.
> 
> The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> which is #863897 in the BTS. See
> 
> http://www.openwall.com/lists/oss-security/2017/06/02/7
> 
> I'm including the generated debdiff against the current version in
> stretch.
> 
> unblock sudo/1.8.19p1-2.1
> 
> Regards,
> Salvatore
> 

According to the BTS, #863897 affects and is unfixed in unstable.  Let's
fix it in unstable first.

Otherwise, the diff looks fine (feel free to include
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks,
~Niels



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Added tag(s) moreinfo.

-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Removed tag(s) moreinfo.

-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Added tag(s) moreinfo and confirmed.

-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
> 
> Hi Niels, hi Bdale,
> 
> On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
>> Control: tags -1 moreinfo
>>
>> [...]
>>
>> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
>> fix it in unstable first.
> 
> Yes that's true. Okay I have uploaded (without delay, and hope this is
> fine with Bdale!) the NMU to sid.
> 
>> Otherwise, the diff looks fine (feel free to include
>> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
> 
> Thanks, feel more comfortable to follow upstream. Attached is a new
> debdiff!
> 
> Regards,
> Salvatore
> 


Thanks, please go ahead with the tpu upload.

~Niels



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-05):
> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx  (2017-06-04):
> > > So I've uploaded openssl 1.1.0f-2
> > 
> > Source debdiff lgtm from -1, and installation over https works fine,
> > ACK.
> 
> So I actually have a new version I want to upload: […]

Please don't, let's process stuff that's already been tested and ACKed
before considering further changes…


KiBi.




Bug#863473: unblock: openssl1.0/1.0.2l-1

2017-06-05 Thread Cyril Brulebois
Niels Thykier  (2017-06-03):
> Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this
> last minute change.

Just tested bare metal/WPA successfully with d-i built against
openssl1.0 1.0.2l-2 binaries, so fine with me.


KiBi.




Bug#863915: unblock: webkit2gtk/2.16.3-2

2017-06-05 Thread Moritz Mühlenhoff
Adam wrote:

> I'm not entirely sure how you think p-u is better placed to do so, given 
> the amount of visible testing packages from it get before a point 
> release.

It's not necessarily for the additional testing done on p-u (although
I personally use it like that and probably others as well), but there's
a number of technical features which make spu "suck less" which are
currently lacking in the security.debian.org infrastructure:
- Lack of visible apt source for people to test (#817286) (biggest blocker)
- Bottleneck of not being able to delegate allowing maintainers of webkit
  rdeps to release compatibility updates via security.debian.org (#817285)
- No possibility to trigger binNMUs of rdeps without a sourceful upload
  (not sure if that's necessary for the changes imposed by newer webkit
  releases, but it's also a serious problem for go-based apps)

Especially the first two points are critical to address mid-term if we
want to ensure security support is sustainable in the years to come.
Either by finding new volunteers to work on that or by funding the
development of these features in some way.

Cheers,
Moritz
 



Re: [release-notes] The two last weeks up to the release

2017-06-05 Thread Javier Fernandez-Sanguino
Dear Niels,


On 5 Jun 2017 9:23 a.m., "Niels Thykier"  wrote:


I admit it is not a lot of time to finish.  But it should get us a lot
of the way while hopefully leaving enough time for everyone to do their
part.


Thank you for providing a plan for both proofreading, reviews and
translations. With my translator's hat on, I think it is really helpful to
have a plan like this in order to plan days of work.

Best regards,

Javier


Bug#864189: unblock: systemd/232-25

2017-06-05 Thread Cyril Brulebois
Niels Thykier  (2017-06-05):
> Michael Biebl:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi,
> > 
> > please consider unblocking systemd.
> > 
> > The changes include two fixes for selinux, a fix for a dist-upgrade
> > failure and an important performance regression.
> > 
> > None of those should affect the udev/libudev1 udeb, i.e. the
> > installer.
> > 
> > That said, I've CCed debian-boot for a d-i/KiBi ack.
> > 
> > Here's an annotated changelog
> > 
> > 
> > [...]
> > 
> > Full debdiff is attached as well.
> > 
> > Regards,
> > Michael
> > 
> > unblock systemd/232-25
> > 
> > [...]
> 
> Ack from here.

Looks good to me, and tests are OK as well: ack.


KiBi.




Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package sudo, actually a pre-approval request.

The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See

http://www.openwall.com/lists/oss-security/2017/06/02/7

I'm including the generated debdiff against the current version in
stretch.

unblock sudo/1.8.19p1-2.1

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/changelog	2017-06-05 06:19:37.0 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso   Mon, 05 Jun 2017 06:19:37 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	1970-01-01 01:00:00.0 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	2017-06-05 06:19:37.0 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller 
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
 b/src/ttyname.c
+@@ -447,26 +447,39 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-char path[PATH_MAX], *line = NULL;
++char path[PATH_MAX];
++char *cp, buf[1024];
+ char *ret = NULL;
+-size_t linesize = 0;
+ int serrno = errno;
+-ssize_t len;
+-FILE *fp;
++ssize_t nread;
++int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-/* Try to determine the tty from tty_nr in /proc/pid/stat. */
++/*
++ * Try to determine the tty from tty_nr in /proc/pid/stat.
++ * Ignore /proc/pid/stat if it contains embedded NUL bytes.
++ */
+ snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+-if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(, , fp);
+-	fclose(fp);
+-	if (len != -1) {
++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++cp = buf;
++while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++if (nread == -1) {
++if (errno == EAGAIN || errno == EINTR)
++continue;
++break;
++}
++cp += nread;
++if (cp >= buf + sizeof(buf))
++break;
++}
++if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	/*
+ 	 * Field 7 is the tty dev (0 if no tty).
+-	 * Since the process name at field 2 "(comm)" may include spaces,
+-	 * start at the last ')' found.
++	 * Since the process name at field 2 "(comm)" may include
++	 * whitespace (including newlines), start at the last ')' found.
+ 	 */
+-	char *cp = strrchr(line, ')');
++*cp = '\0';
++cp = strrchr(buf, ')');
+ 	if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n
+ errno = ENOENT;
+ 
+ done:
+-free(line);
++if (fd != -1)
++	close(fd);
+ if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	"unable to resolve tty via %s", path);
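
Review bot: the header kept from upstream describes reading /proc/self/stat, while the code in this version of the patch still builds the path with snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()), so the file added here is an adaptation of changeset 15a46f4007dd rather than the changeset itself. Say so in the patch header (for example a line stating that it was rebased for 1.8.19p1), or carry the changeset named in the "# Parent" line first so the upstream diff can be taken as is.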
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/patches/series	2017-06-05 06:19:37.0 +0200
@@ -1,3 +1,4 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 CVE-2017-1000367.patch
+CVE-2017-1000368.patch


Bug#863472: marked as done (unblock: openssl/1.1.0f-1)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 11:40:00 +
with message-id 
and subject line Re: Bug#863472: unblock: openssl/1.1.0f-1
has caused the Debian Bug report #863472,
regarding unblock: openssl/1.1.0f-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863472: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

I've uploaded a new upstream version of openssl that contains bug
fixes. The Debian changelog says:
   * New upstream version
 - Fix regression in req -x509 (Closes: #839575)
 - Properly detect features on the AMD Ryzen processor
   (Closes: #861145)
 - Don't mention -tls1_3 in the manpage (Closes: #859191)
   * Update libssl1.1.symbols for new symbols
   * Update man-section.patch


Kurt
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Kurt Roeckx  (2017-06-05):
>> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
>>> Kurt Roeckx  (2017-06-04):
>>>> So I've uploaded openssl 1.1.0f-2
>>>
>>> Source debdiff lgtm from -1, and installation over https works fine,
>>> ACK.
>>
>> So I actually have a new version I want to upload:
>> Modified: openssl/branches/1.1.0/debian/changelog
>> ===
>> --- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 
>> 903)
>> +++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 
>> 904)
>> @@ -1,3 +1,9 @@
>> +openssl (1.1.0f-3) unstable; urgency=medium
>> +
>> +  * Don't cleanup a thread-local key we didn't create (Closes: #863707)
>> +
>> + -- Kurt Roeckx   Mon, 05 Jun 2017 11:40:42 +0200
>> +
>>  openssl (1.1.0f-2) unstable; urgency=medium
>>
>>* Make the udeb use a versioned depends (Closes: #864080)
> 
> 1.1.0f-3 (built locally from the source package fetched from incoming)
> tested successfully with an https-based playbook: ack.
> 
> 
> KiBi.
> 

Excellent, I have unblocked -3. :)

Thanks,
~Niels
--- End Message ---


Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-04):
> So I've uploaded openssl 1.1.0f-2

Source debdiff lgtm from -1, and installation over https works fine,
ACK.

> and openssl1.0 1.0.2l-2

Bare metal check with WPA is next on my todo list.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Kurt Roeckx
On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-06-04):
> > So I've uploaded openssl 1.1.0f-2
> 
> Source debdiff lgtm from -1, and installation over https works fine,
> ACK.

So I actually have a new version I want to upload:
Modified: openssl/branches/1.1.0/debian/changelog
===
--- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 
903)
+++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 
904)
@@ -1,3 +1,9 @@
+openssl (1.1.0f-3) unstable; urgency=medium
+
+  * Don't cleanup a thread-local key we didn't create (Closes: #863707)
+
+ -- Kurt Roeckx   Mon, 05 Jun 2017 11:40:42 +0200
+
 openssl (1.1.0f-2) unstable; urgency=medium

   * Make the udeb use a versioned depends (Closes: #864080)

Added: 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
===
--- 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
 (rev 0)
+++ 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
 2017-06-05 09:42:35 UTC (rev 904)
@@ -0,0 +1,47 @@
+From 73bc53708c386c1ea85941d345721e23dc61c05c Mon Sep 17 00:00:00 2001
+From: Rich Salz 
+Date: Wed, 31 May 2017 12:14:55 -0400
+Subject: [PATCH] Only release thread-local key if we created it.
+
+Thanks to Jan Alexander Steffens for finding the bug and confirming the
+fix.
+
+Reviewed-by: Richard Levitte 
+(Merged from https://github.com/openssl/openssl/pull/3592)
+---
+ crypto/err/err.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/err/err.c b/crypto/err/err.c
+index f866f2fdd0..c55f849590 100644
+--- a/crypto/err/err.c
 b/crypto/err/err.c
+@@ -122,6 +122,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
+ #endif
+
+ static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT;
++static int set_err_thread_local;
+ static CRYPTO_THREAD_LOCAL err_thread_local;
+
+ static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
+@@ -260,7 +261,8 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
+
+ void err_cleanup(void)
+ {
+-CRYPTO_THREAD_cleanup_local(_thread_local);
++if (set_err_thread_local != 0)
++CRYPTO_THREAD_cleanup_local(_thread_local);
+ CRYPTO_THREAD_lock_free(err_string_lock);
+ err_string_lock = NULL;
+ }
+@@ -639,6 +641,7 @@ void ERR_remove_state(unsigned long pid)
+
+ DEFINE_RUN_ONCE_STATIC(err_do_init)
+ {
++set_err_thread_local = 1;
+ return CRYPTO_THREAD_init_local(_thread_local, NULL);
+ }
+
+--
+2.11.0
+
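
Review bot: In the err_do_init hunk of the embedded patch, set_err_thread_local is set to 1 before CRYPTO_THREAD_init_local() has returned, so a failed key creation still leaves the flag set and err_cleanup() will release a key that was never created, which is the case this patch is meant to rule out. Set the flag only when the init call reports success, and consider clearing it in err_cleanup() after the release so that a second cleanup cannot release the key again.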

Modified: openssl/branches/1.1.0/debian/patches/series
===
--- openssl/branches/1.1.0/debian/patches/series2017-06-04 17:21:11 UTC 
(rev 903)
+++ openssl/branches/1.1.0/debian/patches/series2017-06-05 09:42:35 UTC 
(rev 904)
@@ -4,3 +4,4 @@
 pic.patch
 c_rehash-compat.patch
 #padlock_conf.patch
+0001-Only-release-thread-local-key-if-we-created-it.patch



Bug#863473: marked as done (unblock: openssl1.0/1.0.2l-1)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 11:19:00 +
with message-id 
and subject line Re: Bug#863473: unblock: openssl1.0/1.0.2l-1
has caused the Debian Bug report #863473,
regarding unblock: openssl1.0/1.0.2l-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863473: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863473
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

I've uploaded a new upstream version of openssl1.0 that contains bug
fixes. The Debian changelog says:
   * New upstream release
 - Properly detect features on the AMD Ryzen processor
   (Closes: #861145)
   * Refresh valgrind.patch


Kurt
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier  (2017-06-03):
>> Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this
>> last minute change.
> 
> Just tested bare metal/WPA successfully with d-i built against
> openssl1.0 1.0.2l-2 binaries, so fine with me.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels
--- End Message ---


Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-05):
> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx  (2017-06-04):
> > > So I've uploaded openssl 1.1.0f-2
> > 
> > Source debdiff lgtm from -1, and installation over https works fine,
> > ACK.
> 
> So I actually have a new version I want to upload:
> Modified: openssl/branches/1.1.0/debian/changelog
> ===
> --- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 
> 903)
> +++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 
> 904)
> @@ -1,3 +1,9 @@
> +openssl (1.1.0f-3) unstable; urgency=medium
> +
> +  * Don't cleanup a thread-local key we didn't create (Closes: #863707)
> +
> + -- Kurt Roeckx   Mon, 05 Jun 2017 11:40:42 +0200
> +
>  openssl (1.1.0f-2) unstable; urgency=medium
> 
>* Make the udeb use a versioned depends (Closes: #864080)

1.1.0f-3 (built locally from the source package fetched from incoming)
tested successfully with an https-based playbook: ack.


KiBi.




Bug#864189: marked as done (unblock: systemd/232-25)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 11:17:00 +
with message-id <40f858e4-c41b-a171-1583-7b38fa1ab...@thykier.net>
and subject line Re: Bug#864189: unblock: systemd/232-25
has caused the Debian Bug report #864189,
regarding unblock: systemd/232-25
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

please consider unblocking systemd.

The changes include two fixes for selinux, a fix for a dist-upgrade
failure and an important performance regression.

None of those should affect the udev/libudev1 udeb, i.e. the installer.

That said, I've CCed debian-boot for a d-i/KiBi ack.

Here's an annotated changelog


systemd (232-25) unstable; urgency=medium

  * hwdb: Use path_join() to generate the hwdb_bin path.
This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
double slashes in the path makes selabel_lookup_raw() return the wrong
context. (Closes: #851933)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=16508bf

I was asked by the SELinux maintainers to fix this for stretch. In the
end, it turned out to be a bug in libselinux (#863854). But the fix for
libselinux is rather invasive so will likely not make it into stretch
and it's easy to avoid triggering the bug, so I've decided to fix/work
around this in systemd.

  * selinux: Enable labeling and access checks for unprivileged users.
Revert commit that inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running
as MANAGER_USER and instead deal with the auditd issue by checking for
the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
(Closes: #863800)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=5088d0

Laurent Bigonville, one of the SELinux maintainers, asked me to pull
those fixes for stretch. He tested the patches and confirmed that they
work. The patches are from upstream.

  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
Under certain conditions this confuses Jessies's apt which then tries to
remove systemd while being the active init system, resulting in a failed
dist-upgrade. While this turned out to be a bug in apt, avoid this
situation by dropping the Conflicts. (Closes: #854041)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=a99075

This is the bug which imho is the most important one to get fixed for r0.
It was (sometimes) causing dist-upgrade failures, if prior to the upgrade
systemd-shim was installed. David Kalnischkies identified this as a bug
in apt, but since we can't retroactively fix apt in jessie, I decided to
drop this Conflicts again to avoid this situation.

  * link: Fix offload features initialization.
This fixes a regression introduced in v232 which caused TCP
segmentation offloads being disabled by default, resulting in
significant performance issues under certain conditions. (Closes: #864073)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=551b79

This seemed like a rather straightforward fix which was unfortunately
only reported the other day. Otherwise I would have pulled it earlier.
The patch is from upstream.

Full debdiff is attached as well.

Regards,
Michael

unblock systemd/232-25

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 68276b7..d3789db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+systemd (232-25) unstable; urgency=medium
+
+  * hwdb: Use path_join() to generate the hwdb_bin path.
+This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
+double slashes in the path makes selabel_lookup_raw() return the wrong
+context. (Closes: #851933)
+  * selinux: Enable labeling and access checks for unprivileged users.
+Revert commit that inadvertently broke a lot of SELinux related
+functionality for both unprivileged users and systemd instances running
+as 

Bug#864220: unblock: imagemagick/8:6.9.7.4+dfsg-11

2017-06-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

Changes are self-contained and security fixes. Will avoid a security release 
just after release.

* Fix minor security bugs:
+ CVE-2017-9409: Memory leak in the icon file coder.
  (Closes: #864087)
+ CVE-2017-9407: the ReadPALMImage function in palm.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864089).
+ CVE-2017-9409: the ReadMPCImage function in mpc.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864090).

So

unblock imagemagick/8:6.9.7.4+dfsg-11


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#864220: marked as done (unblock: imagemagick/8:6.9.7.4+dfsg-11)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 12:04:00 +
with message-id <2976c493-9b8d-7b72-1efe-ba0534468...@thykier.net>
and subject line Re: Bug#864220: unblock: imagemagick/8:6.9.7.4+dfsg-11
has caused the Debian Bug report #864220,
regarding unblock: imagemagick/8:6.9.7.4+dfsg-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864220: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

Changes are self-contained and security fixes. Will avoid a security release 
just after release.

* Fix minor security bugs:
+ CVE-2017-9409: Memory leak in the icon file coder.
  (Closes: #864087)
+ CVE-2017-9407: the ReadPALMImage function in palm.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864089).
+ CVE-2017-9409: the ReadMPCImage function in mpc.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864090).

So

unblock imagemagick/8:6.9.7.4+dfsg-11


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Bastien Roucariès:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package imagemagick
> 
> Changes are self-contained and security fixes. Will avoid a security release 
> just after release.
> 
> * Fix minor security bugs:
> + CVE-2017-9409: Memory leak in the icon file coder.
>   (Closes: #864087)
> + CVE-2017-9407: the ReadPALMImage function in palm.c
>   allows attackers to cause a denial of service (memory leak)
>   via a crafted file. (Closes: #864089).
> + CVE-2017-9409: the ReadMPCImage function in mpc.c
>   allows attackers to cause a denial of service (memory leak)
>   via a crafted file. (Closes: #864090).
> 
> So
> 
> unblock imagemagick/8:6.9.7.4+dfsg-11
> 
> 
> [...]

Unblocked, thanks.

~Niels
--- End Message ---


Bug#864236: unblock: wput/0.6.2+git20130413-5

2017-06-05 Thread Stephen Kitt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Sorry for leaving this to the last minute, but I’m wondering if the
lack of TLS support due to a missing build-dep qualifies as a security
fix.  If it does, please unblock package wput; the diff against the
version in testing is

diff --git a/debian/changelog b/debian/changelog
index befb782..133714f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+wput (0.6.2+git20130413-5) unstable; urgency=medium
+
+  * Actually build with TLS support (LP: #1678463).
+
+ -- Stephen Kitt   Mon, 05 Jun 2017 16:39:05 +0200
+
 wput (0.6.2+git20130413-4) unstable; urgency=medium
 
   * Switch to https: VCS URIs (see #810378).
diff --git a/debian/control b/debian/control
index f03e232..bdcfcda 100644
--- a/debian/control
+++ b/debian/control
@@ -3,6 +3,7 @@ Maintainer: Stephen Kitt 
 Section: web
 Priority: optional
 Build-Depends: debhelper (>= 9),
+   libgcrypt20-dev,
libgnutls-openssl-dev,
autotools-dev
 Standards-Version: 3.9.8
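
Review bot: Nothing in this change makes the build fail if TLS support is silently left out again; the only functional change is the added libgcrypt20-dev line in Build-Depends, so the result still depends on the build detecting the library on its own. Add a check that fails the build when TLS support is not enabled, and name the missing build-dependency in the changelog entry, which currently only says "Actually build with TLS support".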


unblock wput/0.6.2+git20130413-5

Regards,

Stephen

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing'), (500, 'stable'), (200, 
'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


Re: Bug#862531: Bug#862530: aoetools: provide a systemd service to allow proper shutdown of AoE mounts

2017-06-05 Thread Wouter Verhelst
Control: tags -1 + help

On Thu, May 18, 2017 at 06:41:59PM +0200, Christoph Biedl wrote:
> (At least) AoE devices are handled properly if mounted with the _netdev
> mount option.

... but NBD devices are not. I'm not sure what changed, have been trying
to figure that out for the past week or so. With a line like the
following in fstab...

/dev/nbd0 /mnt _netdev 0 0

...the system will boot properly in jessie, but not in stretch. It used
to work properly in stretch too, at least during dc16 when I wrote the
systemd support.

Not sure what changed, but this is a serious regression from jessie, and
I'd like to see it resolved before the release.

-release: This bug is currently marked as Grave. Not sure whether that's
appropriate, but I do think that "serious" is. However, I don't think
it's my bug, since this used to work.

Anyone have any clue what's happening, or what has changed? I've got no
clue, and I don't think I'll be able to fix this today anymore...

-- 
Help me, off-by-one kenobi. You're my only nought.



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Removed tag(s) moreinfo.

-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Niels,

On Mon, Jun 05, 2017 at 02:05:00PM +, Niels Thykier wrote:
> Control: tags -1 confirmed moreinfo
> 
> Salvatore Bonaccorso:
> > Control: tags -1 - moreinfo
> > 
> > Hi Niels, hi Bdale,
> > 
> > On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> >> Control: tags -1 moreinfo
> >>
> >> [...]
> >>
> >> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
> >> fix it in unstable first.
> > 
> > Yes that's true. Okay I have uploaded (without delay, and hope this is
> > fine with Bdale!) the NMU to sid.
> > 
> >> Otherwise, the diff looks fine (feel free to include
> >> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
> > 
> > Thanks, feel more comfortable to follow upstream. Attached is a new
> > debdiff!
> > 
> > Regards,
> > Salvatore
> > 
> 
> 
> Thanks, please go ahead with the tpu upload.

Thank you, done!

Regards,
Salvatore



Bug#864233: unblock: linux/4.9.30-1

2017-06-05 Thread Cyril Brulebois
Hi,

Ben Hutchings  (2017-06-05):
> Please unblock package linux
> 
> This includes many important bug fixes, including security fixes.  It
> adds support for system reset on Malta boards, additional GPUs on
> ARM64 systems, and PL011 serial consoles on ARM64 systems.  It makes
> the efivarfs module available in the installer, which is important for
> supporting some x86 systems.

I'm currently running a few d-i run-time tests on amd64, but also
waiting for daily re-builds for some archs (armhf, mips64el, mipsel)
which built against the old linux packages since linux builds didn't
finish in time for the last daily build from cron. The linux build for
mips is still going on anyway…

Just going through extra precautions since a linux upload usually
involves a bit more resources/delay than other packages, so better be
safe.


KiBi.




Bug#864245: unblock: seelablet/1.0.6-2

2017-06-05 Thread Georges Khaznadar
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package seelablet

The package seelablet is currently blocked due to a
build-dependency on the package blockdiag. A workaround has
been found to get rid of this build-dependency, at the expense of one single
missing image in the HTML documentation
provided by the binary package seelablet-doc.

--8<--- here is the debdiff ---
diff -Nru seelablet-1.0.6/debian/changelog seelablet-1.0.6/debian/changelog
--- seelablet-1.0.6/debian/changelog2016-05-14 19:32:48.0 +0200
+++ seelablet-1.0.6/debian/changelog2017-06-05 17:35:20.0 +0200
@@ -1,3 +1,11 @@
+seelablet (1.0.6-2) unstable; urgency=medium
+
+  * dropped the build-dependency on blockdiag, in order to prevent removal
+from Stretch. Build-dependencies on python-sphinx and python-numpy
+have been added instead.
+
+ -- Georges Khaznadar   Mon, 05 Jun 2017 17:35:20 +0200
+
 seelablet (1.0.6-1) unstable; urgency=medium

   * New upstream release
diff -Nru seelablet-1.0.6/debian/control seelablet-1.0.6/debian/control
--- seelablet-1.0.6/debian/control  2016-05-14 19:31:47.0 +0200
+++ seelablet-1.0.6/debian/control  2017-06-05 17:35:20.0 +0200
@@ -4,7 +4,7 @@
 Maintainer: Georges Khaznadar 
 Build-Depends: debhelper (>= 9), python-all, python3-all,
  python-setuptools, python3-setuptools, dh-python,
- dvipng, python-sphinxcontrib.blockdiag,
+ dvipng, python-sphinx, python-numpy,
  python-serial
 Standards-Version: 3.9.8
 Homepage: https://pypi.python.org/pypi/seelablet
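
Review bot: The Build-Depends line swaps python-sphinxcontrib.blockdiag for python-sphinx and python-numpy, but the debdiff shows no matching change to the documentation sources or the Sphinx configuration, so it is not visible how the documentation build copes if the blockdiag extension is still referenced there. Show that part of the workaround as well, and say in the changelog entry why python-numpy is now needed and that one image is dropped from seelablet-doc.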

--8<---

unblock seelablet/1.0.6-2

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable'), (499, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)



Bug#864247: unblock: wordpress/4.7.5+dfsg-2

2017-06-05 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package wordpress

It fixes #862053, CVE-2017-8295, which was addressed already in the
DSA for jessie (and would otherwise be a regression).

Changelog entry:

>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
>  * Don't trust SERVER_NAME variable for emails
>CVE-2017-8295 Closes: #862053
>
> -- Craig Small   Mon, 05 Jun 2017 21:45:59 +1000

unblock wordpress/4.7.5+dfsg-2

I'm attaching the full debdiff against the current version in testing.
Note it as well adjusts the older changelog entry to add the CVE
identifiers.

Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog 
wordpress-4.7.5+dfsg/debian/changelog
--- wordpress-4.7.5+dfsg/debian/changelog   2017-05-17 14:28:18.0 
+0200
+++ wordpress-4.7.5+dfsg/debian/changelog   2017-06-05 13:45:59.0 
+0200
@@ -1,20 +1,26 @@
+wordpress (4.7.5+dfsg-2) unstable; urgency=medium
+
+  * Don't trust SERVER_NAME variable for emails
+CVE-2017-8295 Closes: #862053
+
+ -- Craig Small   Mon, 05 Jun 2017 21:45:59 +1000
+
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 
   * New upstream release fixes 6 security issues Closes: #862816
-CVEs to be added once issued
-- CVE-2017-XXX
+- CVE-2017-9066
   Insufficient redirect validation in the HTTP class.
-- CVE-2017-XXX
+- CVE-2017-9062
   Improper handling of post meta data values in the XML-RPC API.
-- CVE-2017-XXX
+- CVE-2017-9065
   Lack of capability checks for post meta data in the XML-RPC API.
-- CVE-2017-XXX
+- CVE-2017-9064
   A Cross Site Request Forgery (CRSF) vulnerability was discovered
   in the filesystem credentials dialog.
-- CVE-2017-XXX
+- CVE-2017-9061
   A cross-site scripting (XSS) vulnerability was discovered when
   attempting to upload very large files.
-- CVE-2017-XXX
+- CVE-2017-9063
   A cross-site scripting (XSS) vulnerability was discovered related
   to the Customizer.
 
diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 
wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
--- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295   1970-01-01 
01:00:00.0 +0100
+++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295   2017-06-05 
13:45:59.0 +0200
@@ -0,0 +1,36 @@
+Description: Don't use SERVER_NAME for emails
+ WordPress uses the SERVER_NAME variable to generate the from address for
+ password resets. This variable can be set by the hostname sent by the
+ client, which means it can be spoofed.
+
+ This patch fixes CVE-2017-8295
+Author: Maarten de Boer
+Origin: upstream, 
https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
+Bug: https://core.trac.wordpress.org/ticket/25239
+Bug-Debian: https://bugs.debian.org/862053
+Reviewed-by: Craig Small 
+--- a/wp-includes/pluggable.php
 b/wp-includes/pluggable.php
+@@ -323,11 +323,8 @@
+ 
+   if ( !isset( $from_email ) ) {
+   // Get the site domain and get rid of www.
+-  $sitename = strtolower( $_SERVER['SERVER_NAME'] );
+-  if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+-  $sitename = substr( $sitename, 4 );
+-  }
+-
++  $sitename = parse_url( network_home_url(), PHP_URL_HOST );
++  
+   $from_email = 'wordpress@' . $sitename;
+   }
+ 
+@@ -1491,7 +1488,7 @@
+   $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( 
"comment.php?action=spam={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
+   }
+ 
+-  $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', 
strtolower($_SERVER['SERVER_NAME']));
++  $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
+ 
+   if ( '' == $comment->comment_author ) {
+   $from = "From: \"$blogname\" <$wp_email>";
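
Review bot: In the first pluggable.php hunk the retained comment still says "get rid of www." but the replacement line no longer does that: parse_url( network_home_url(), PHP_URL_HOST ) yields the configured host without the strtolower() call and the "www." stripping that the removed lines performed, and the same holds for $wp_email in the second hunk. Either keep that normalisation on the parsed host or update the comment, check that parse_url() actually returned a host before building 'wordpress@' . $sitename, and drop the whitespace-only added line.
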
diff -Nru wordpress-4.7.5+dfsg/debian/patches/series 
wordpress-4.7.5+dfsg/debian/patches/series
--- wordpress-4.7.5+dfsg/debian/patches/series  2017-05-17 14:28:18.0 
+0200
+++ wordpress-4.7.5+dfsg/debian/patches/series  2017-06-05 13:45:59.0 
+0200
@@ -3,3 +3,4 @@
 003installer.patch
 010disabling_update_note.patch
 #011support-symlinks-for-plugins.patch
+CVE-2017-8295


Bug#864249: unblock: pycorrfit/0.9.9+dfsg-2

2017-06-05 Thread Andreas Tille
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package pycorrfit

Recommends: s/texlive-math-extra/texlive-science/
Closes: #864226

unblock pycorrfit/0.9.9+dfsg-2

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pycorrfit-0.9.9+dfsg/debian/changelog pycorrfit-0.9.9+dfsg/debian/changelog
--- pycorrfit-0.9.9+dfsg/debian/changelog	2016-07-22 16:18:11.0 +0200
+++ pycorrfit-0.9.9+dfsg/debian/changelog	2017-06-05 18:24:28.0 +0200
@@ -1,3 +1,10 @@
+pycorrfit (0.9.9+dfsg-2) unstable; urgency=medium
+
+  * Recommends: s/texlive-math-extra/texlive-science/
+Closes: #864226
+
+ -- Andreas Tille   Mon, 05 Jun 2017 18:24:28 +0200
+
 pycorrfit (0.9.9+dfsg-1) unstable; urgency=medium
 
   * Drop get-orig-source target
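
Review bot: The new changelog entry records the Recommends change only as "s/texlive-math-extra/texlive-science/" without saying why; add a short reason so the substitution can be understood without opening #864226.
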
diff -Nru pycorrfit-0.9.9+dfsg/debian/control pycorrfit-0.9.9+dfsg/debian/control
--- pycorrfit-0.9.9+dfsg/debian/control	2016-07-22 16:18:11.0 +0200
+++ pycorrfit-0.9.9+dfsg/debian/control	2017-06-05 18:24:28.0 +0200
@@ -40,7 +40,7 @@
  ${misc:Depends},
  ${python:Depends},
  ${shlibs:Depends}
-Recommends: dvipng, python-sympy, texlive-latex-base, texlive-math-extra
+Recommends: dvipng, python-sympy, texlive-latex-base, texlive-science
 Description: tool for fitting correlation curves on a logarithmic plot
  PyCorrFit is a general-purpose FCS evaluation software that,
  amongst other formats, supports the established Zeiss ConfoCor3 ~.fcs


Bug#864247: marked as done (unblock: wordpress/4.7.5+dfsg-2)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 17:58:24 +
with message-id 
and subject line unblock wordpress
has caused the Debian Bug report #864247,
regarding unblock: wordpress/4.7.5+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864247
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package wordpress

It fixes #862053, CVE-2017-8295, which was addressed already in the
DSA for jessie (and would otherwise be a regression).

Changelog entry:

>wordpress (4.7.5+dfsg-2) unstable; urgency=medium
>
>  * Don't trust SERVER_NAME variable for emails
>CVE-2017-8295 Closes: #862053
>
> -- Craig Small   Mon, 05 Jun 2017 21:45:59 +1000

unblock wordpress/4.7.5+dfsg-2

I'm attaching the full debdiff against the current version in testing.
Note it as well adjusts the older changelog entry to add the CVE
identifiers.

Regards,
Salvatore
diff -Nru wordpress-4.7.5+dfsg/debian/changelog 
wordpress-4.7.5+dfsg/debian/changelog
--- wordpress-4.7.5+dfsg/debian/changelog   2017-05-17 14:28:18.0 
+0200
+++ wordpress-4.7.5+dfsg/debian/changelog   2017-06-05 13:45:59.0 
+0200
@@ -1,20 +1,26 @@
+wordpress (4.7.5+dfsg-2) unstable; urgency=medium
+
+  * Don't trust SERVER_NAME variable for emails
+CVE-2017-8295 Closes: #862053
+
+ -- Craig Small   Mon, 05 Jun 2017 21:45:59 +1000
+
 wordpress (4.7.5+dfsg-1) unstable; urgency=high
 
   * New upstream release fixes 6 security issues Closes: #862816
-CVEs to be added once issued
-- CVE-2017-XXX
+- CVE-2017-9066
   Insufficient redirect validation in the HTTP class.
-- CVE-2017-XXX
+- CVE-2017-9062
   Improper handling of post meta data values in the XML-RPC API.
-- CVE-2017-XXX
+- CVE-2017-9065
   Lack of capability checks for post meta data in the XML-RPC API.
-- CVE-2017-XXX
+- CVE-2017-9064
   A Cross Site Request Forgery (CRSF) vulnerability was discovered
   in the filesystem credentials dialog.
-- CVE-2017-XXX
+- CVE-2017-9061
   A cross-site scripting (XSS) vulnerability was discovered when
   attempting to upload very large files.
-- CVE-2017-XXX
+- CVE-2017-9063
   A cross-site scripting (XSS) vulnerability was discovered related
   to the Customizer.
 
diff -Nru wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295 
wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295
--- wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295   1970-01-01 
01:00:00.0 +0100
+++ wordpress-4.7.5+dfsg/debian/patches/CVE-2017-8295   2017-06-05 
13:45:59.0 +0200
@@ -0,0 +1,36 @@
+Description: Don't use SERVER_NAME for emails
+ WordPress uses the SERVER_NAME variable to generate the from address for
+ password resets. This variable can be set by the hostname sent by the
+ client, which means it can be spoofed.
+
+ This patch fixes CVE-2017-8295
+Author: Maarten de Boer
+Origin: upstream, 
https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
+Bug: https://core.trac.wordpress.org/ticket/25239
+Bug-Debian: https://bugs.debian.org/862053
+Reviewed-by: Craig Small 
+--- a/wp-includes/pluggable.php
 b/wp-includes/pluggable.php
+@@ -323,11 +323,8 @@
+ 
+   if ( !isset( $from_email ) ) {
+   // Get the site domain and get rid of www.
+-  $sitename = strtolower( $_SERVER['SERVER_NAME'] );
+-  if ( substr( $sitename, 0, 4 ) == 'www.' ) {
+-  $sitename = substr( $sitename, 4 );
+-  }
+-
++  $sitename = parse_url( network_home_url(), PHP_URL_HOST );
++  
+   $from_email = 'wordpress@' . $sitename;
+   }
+ 
+@@ -1491,7 +1488,7 @@
+   $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( 
"comment.php?action=spam={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
+   }
+ 
+-  $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', 
strtolower($_SERVER['SERVER_NAME']));
++  $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
+ 
+   if ( '' == $comment->comment_author ) {
+   $from = "From: \"$blogname\" <$wp_email>";
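Review bot: both replacements of $_SERVER['SERVER_NAME'] use the result of parse_url( network_home_url(), PHP_URL_HOST ) unchecked, and neither strips a leading "www." any more. parse_url() can return null or false when no host can be parsed, which would leave the From address as "wordpress@" with nothing after it, so add a fallback or bail out in that case. In the first hunk the retained comment "Get the site domain and get rid of www." no longer matches the code: either apply the old www. stripping to the new host value or update the comment. The added "++" line after the parse_url() call in that hunk also carries trailing whitespace.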
diff -Nru wordpress-4.7.5+dfsg/debian/patches/series 
wordpress-4.7.5+dfsg/debian/patches/series
--- wordpress-4.7.5+dfsg/debian/patches/series  2017-05-17 14:28:18.0 

Re: Bug#852962: ycmd FTBFS on mipsel: test failures

2017-06-05 Thread Christoph Biedl
James Cowgill wrote...

> On Thu, 1 Jun 2017 00:15:28 +0200 Christoph Biedl

> > Did so, but failed to reproduce the issue on the mipsel porter box.
> > However, the bug seems to manifest when building in a qemu-static
> > chroot. In that scenario however, diagnostic tools like strace
> > fail.
> > 
> > Updates will follow as I get them.
> 
> I've tried this on various mips hardware and it only seems to fail on
> Loongsons (where it reliably fails 100% of the time). Blacklisting it on
> those machines could be an option given how close to the release we are.

Thanks for looking into this, James. Personally, if such a blacklisting
were acceptable for the release team (Cc:'ed), I would be happy to spend the
remaining time on other issues in stretch. Since I still haven't figured
out what actually goes wrong during the test suite, I'd just like to
avoid this package (and its reverse dependencies) falling out of stretch.

Christoph



Bug#864249: marked as done (unblock: pycorrfit/0.9.9+dfsg-2)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 17:49:04 +
with message-id 
and subject line unblock pycorrfit
has caused the Debian Bug report #864249,
regarding unblock: pycorrfit/0.9.9+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package pycorrfit

Recommends: s/texlive-math-extra/texlive-science/
Closes: #864226

unblock pycorrfit/0.9.9+dfsg-2

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pycorrfit-0.9.9+dfsg/debian/changelog pycorrfit-0.9.9+dfsg/debian/changelog
--- pycorrfit-0.9.9+dfsg/debian/changelog	2016-07-22 16:18:11.0 +0200
+++ pycorrfit-0.9.9+dfsg/debian/changelog	2017-06-05 18:24:28.0 +0200
@@ -1,3 +1,10 @@
+pycorrfit (0.9.9+dfsg-2) unstable; urgency=medium
+
+  * Recommends: s/texlive-math-extra/texlive-science/
+Closes: #864226
+
+ -- Andreas Tille   Mon, 05 Jun 2017 18:24:28 +0200
+
 pycorrfit (0.9.9+dfsg-1) unstable; urgency=medium
 
   * Drop get-orig-source target
diff -Nru pycorrfit-0.9.9+dfsg/debian/control pycorrfit-0.9.9+dfsg/debian/control
--- pycorrfit-0.9.9+dfsg/debian/control	2016-07-22 16:18:11.0 +0200
+++ pycorrfit-0.9.9+dfsg/debian/control	2017-06-05 18:24:28.0 +0200
@@ -40,7 +40,7 @@
  ${misc:Depends},
  ${python:Depends},
  ${shlibs:Depends}
-Recommends: dvipng, python-sympy, texlive-latex-base, texlive-math-extra
+Recommends: dvipng, python-sympy, texlive-latex-base, texlive-science
 Description: tool for fitting correlation curves on a logarithmic plot
  PyCorrFit is a general-purpose FCS evaluation software that,
  amongst other formats, supports the established Zeiss ConfoCor3 ~.fcs
--- End Message ---
--- Begin Message ---
Unblocked pycorrfit.
--- End Message ---


Bug#864262: marked as done (unblock: espeak-ng/1.49.0+dfsg-11)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Tue, 06 Jun 2017 05:19:00 +
with message-id <4279ec93-5d50-a439-0c2b-23b347f62...@thykier.net>
and subject line Re: Bug#864262: unblock: espeak-ng/1.49.0+dfsg-11
has caused the Debian Bug report #864262,
regarding unblock: espeak-ng/1.49.0+dfsg-11
to be marked as done.


-- 
864262: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864262
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

espeak-ng used to have overlapping speech synthesis issues (#848016):
e.g. while moving fast in a list of items, the speech of each item would
get mixed with the previous one, making it difficult or impossible to
hear. We reduced the buffer size of espeak-ng from 200ms to 50ms to
considerably reduce the issue.

However, the modified buffer size happened to break the use of mbrola
voices (#860891), so we raised it a bit, from 50ms to 60ms, like
upstream did, to fix that.

However, that brought back some of the overlapping issues, making it
tedious to use...
(https://lists.debian.org/debian-accessibility/2017/06/msg2.html)

I have thus uploaded a version -11 of espeak-ng (attached debdiff) which
reduces it to 49ms, which avoids the overlapping regression, and which I
have tested as working with all mbrola voices.

unblock espeak-ng/1.49.0+dfsg-11

This contains udebs, so Cc-ing KiBi for the udeb ack.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Samuel
 ya(ka|ma|to)* exists every other time in Japan, it's easy ;-)
 -+- #ens-mim in Japan -+-
diff -Nru espeak-ng-1.49.0+dfsg/debian/changelog 
espeak-ng-1.49.0+dfsg/debian/changelog
--- espeak-ng-1.49.0+dfsg/debian/changelog  2017-04-29 16:32:54.0 
+0200
+++ espeak-ng-1.49.0+dfsg/debian/changelog  2017-06-05 22:04:57.0 
+0200
@@ -1,3 +1,11 @@
+espeak-ng (1.49.0+dfsg-11) unstable; urgency=medium
+
+  * patches/bufsize: Increasing the buffersize to 60ms brought back some
+overlapping. Revert this to 49ms, which both avoids overlapping, and
+was tested to work fine with all MBROLA voices.
+
+ -- Samuel Thibault   Mon, 05 Jun 2017 22:04:57 +0200
+
 espeak-ng (1.49.0+dfsg-10) unstable; urgency=medium
 
   * patches/bufsize: Increase buffersize to 60ms like upstream did, to fix 
using
diff -Nru espeak-ng-1.49.0+dfsg/debian/patches/bufsize 
espeak-ng-1.49.0+dfsg/debian/patches/bufsize
--- espeak-ng-1.49.0+dfsg/debian/patches/bufsize2017-04-29 
16:32:54.0 +0200
+++ espeak-ng-1.49.0+dfsg/debian/patches/bufsize2017-06-05 
22:04:57.0 +0200
@@ -5,7 +5,7 @@
// buflength is in mS, allocate 2 bytes per sample
if ((buffer_length == 0) || (output_mode & ENOUTPUT_MODE_SPEAK_AUDIO))
 -  buffer_length = 200;
-+  buffer_length = 60;
++  buffer_length = 49;
  
outbuf_size = (buffer_length * samplerate)/500;
out_start = (unsigned char *)realloc(outbuf, outbuf_size);
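Review bot: the new value 49 on the changed buffer_length line is an unexplained magic number, 1 ms below the 50 ms that the request says broke MBROLA voices. Since outbuf_size is derived from it as (buffer_length * samplerate)/500 with integer division, the patch should record (in a comment next to the assignment or in the patch header) why 49 works where 50 did not and what was tested, so that a later adjustment does not land back on a failing value.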
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Hi,
> 
> Samuel Thibault  (2017-06-05):
>> espeak-ng used to have overlapping speech synthesis issues (#848016):
>> e.g. while moving fast in a list of items, the speech of each item would
>> get mixed with the previous one, making it difficult or impossible to
>> hear. We reduced the buffer size of espeak-ng from 200ms to 50ms to
>> considerably reduce the issue.
>>
>> However, the modified buffer size happened to break the use of mbrola
>> voices (#860891), so we raised it a bit, from 50ms to 60ms, like
>> upstream did, to fix that.
>>
>> However, that brought back some of the overlapping issues, making it
>> tedious to use...
>> (https://lists.debian.org/debian-accessibility/2017/06/msg2.html)
>>
>> I have thus uploaded a version -11 of espeak-ng (attached debdiff) which
>> reduces it to 49ms, which avoids the overlapping regression, and which I
>> have tested as working with all mbrola voices.
>>
>> unblock 

Bug#864256: marked as done (unblock: lhs2tex/1.19-5)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Tue, 06 Jun 2017 05:24:00 +
with message-id <7a5882d4-40b6-d77b-2d81-38f43e701...@thykier.net>
and subject line Re: Bug#864256: unblock: lhs2tex/1.19-5
has caused the Debian Bug report #864256,
regarding unblock: lhs2tex/1.19-5
to be marked as done.


-- 
864256: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864256
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lhs2tex

it fixes the serious bug #864225

unblock lhs2tex/1.19-5

Patch below:

diff -Nru lhs2tex-1.19/debian/changelog lhs2tex-1.19/debian/changelog
--- lhs2tex-1.19/debian/changelog   2016-10-27 18:37:21.0 -0400
+++ lhs2tex-1.19/debian/changelog   2017-06-05 12:29:08.0 -0400
@@ -1,3 +1,9 @@
+lhs2tex (1.19-5) unstable; urgency=high
+
+  * Depend on texlive-science (closes: #864225)
+
+ -- Joachim Breitner   Mon, 05 Jun 2017 12:28:59 -0400
+
 lhs2tex (1.19-4) unstable; urgency=medium
 
   * Upload to unstable as part of GHC 8 transition.
diff -Nru lhs2tex-1.19/debian/control lhs2tex-1.19/debian/control
--- lhs2tex-1.19/debian/control 2016-10-27 18:37:21.0 -0400
+++ lhs2tex-1.19/debian/control 2017-06-05 14:01:10.0 -0400
@@ -21,7 +21,7 @@
 Multi-Arch: foreign
 Depends:
  texlive-latex-base,
- texlive-math-extra,
+ texlive-science,
  ${misc:Depends},
  ${shlibs:Depends},
 Description: Generates LaTeX code from literate Haskell sources


Thanks,
Joachim


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Joachim Breitner:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lhs2tex
> 
> it fixes the serious bug #864225
> 
> unblock lhs2tex/1.19-5
> 
> Patch below:
> 
> [...]
> 
> Thanks,
> Joachim
> 
> 
> [...]

Unblocked, thanks.

~Niels
--- End Message ---


Bug#864256: unblock: lhs2tex/1.19-5

2017-06-05 Thread Joachim Breitner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lhs2tex

it fixes the serious bug #864225

unblock lhs2tex/1.19-5

Patch below:

diff -Nru lhs2tex-1.19/debian/changelog lhs2tex-1.19/debian/changelog
--- lhs2tex-1.19/debian/changelog   2016-10-27 18:37:21.0 -0400
+++ lhs2tex-1.19/debian/changelog   2017-06-05 12:29:08.0 -0400
@@ -1,3 +1,9 @@
+lhs2tex (1.19-5) unstable; urgency=high
+
+  * Depend on texlive-science (closes: #864225)
+
+ -- Joachim Breitner   Mon, 05 Jun 2017 12:28:59 -0400
+
 lhs2tex (1.19-4) unstable; urgency=medium
 
   * Upload to unstable as part of GHC 8 transition.
diff -Nru lhs2tex-1.19/debian/control lhs2tex-1.19/debian/control
--- lhs2tex-1.19/debian/control 2016-10-27 18:37:21.0 -0400
+++ lhs2tex-1.19/debian/control 2017-06-05 14:01:10.0 -0400
@@ -21,7 +21,7 @@
 Multi-Arch: foreign
 Depends:
  texlive-latex-base,
- texlive-math-extra,
+ texlive-science,
  ${misc:Depends},
  ${shlibs:Depends},
 Description: Generates LaTeX code from literate Haskell sources


Thanks,
Joachim


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#864193: marked as done (unblock: chromium-browser/58.0.3029.96-1)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 06:43:00 +
with message-id <2ae282a9-b602-7a3d-25b5-fff0fb8f2...@thykier.net>
and subject line Re: Bug#864193: unblock: chromium-browser/58.0.3029.96-1
has caused the Debian Bug report #864193,
regarding unblock: chromium-browser/58.0.3029.96-1
to be marked as done.


-- 
864193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock

Please consider unblocking chromium ahead of the stretch window
closing.  This update corrects a single security issue that could
lead to remote code execution by visiting a malicious web page.

Best wishes,
Mike

unblock chromium-browser/58.0.3029.96-1
--- End Message ---
--- Begin Message ---
Michael Gilbert:
> package: release.debian.org
> user: release.debian@packages.debian.org
> usertags: unblock
> 
> Please consider unblocking chromium ahead of the stretch window
> closing.  This update corrects a single security issue that could
> lead to remote code execution by visiting a malicious web page.
> 
> Best wishes,
> Mike
> 
> unblock chromium-browser/58.0.3029.96-1
> 

Unblocked, thanks.

~Niels
--- End Message ---


Bug#864189: unblock: systemd/232-25

2017-06-05 Thread Niels Thykier
Michael Biebl:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> please consider unblocking systemd.
> 
> The changes include two fixes for selinux, a fix for a dist-upgrade
> failure and an important performance regression.
> 
> None of those should affect the udev/libudev1 udeb, i.e. the installer.
> 
> That said, I've CCed debian-boot for a d-i/KiBi ack.
> 
> Here's an annotated changelog
> 
> 
> [...]
> 
> Full debdiff is attached as well.
> 
> Regards,
> Michael
> 
> unblock systemd/232-25
> 
> [...]

Ack from here.

Thanks,
~Niels



Bug#864198: unblock: upx-ucl/3.91-4

2017-06-05 Thread Robert Luberda
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock version 3.91-4 of package upx-ucl.

This version fixes crashes occurring while executing compressed i386
position-independent executables, for example the following commands
on an i386 system:
  cp /usr/bin/vim .; upx ./vim; ./vim
  cp /usr/bin/mutt .; upx ./mutt; ./mutt
end with segmentation faults in stretch, while they work as expected 
in jessie. This is related to some changes in binutils output.  (Also 
note that vim is PIE in both jessie and stretch, while mutt wasn't
PIE in jessie).

This is the issue I wrote about a week ago in #863537 while requesting 
unblock for previous upload that addressed crashes of amd64 executables,
and it has been fixed in pretty much the same way as the amd64 one.


Comparing upx-ucl_3.91-3.dsc upx-ucl_3.91-4.dsc
diff -Nru upx-ucl-3.91/debian/changelog upx-ucl-3.91/debian/changelog
--- upx-ucl-3.91/debian/changelog   2017-05-20 09:16:37.0 +0200
+++ upx-ucl-3.91/debian/changelog   2017-05-31 21:50:25.0 +0200
@@ -1,3 +1,12 @@
+upx-ucl (3.91-4) unstable; urgency=medium
+
+  * Introduce Check-DT_REL-i386.patch to fix segmentation faults occurring
+while executing upx-compressed i386 position-independent binaries. The
+patch is strongly based on the one added previously for amd64 binaries,
+and was reported to upstream in https://github.com/upx/upx/issues/106.
+
+ -- Robert Luberda   Wed, 31 May 2017 21:50:25 +0200
+
 upx-ucl (3.91-3) unstable; urgency=medium
 
   * Add Check-DT_RELA.patch based on upstream's commit d688a05ac7 to
diff -Nru upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 
upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch
--- upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 1970-01-01 
01:00:00.0 +0100
+++ upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 2017-05-31 
21:50:25.0 +0200
@@ -0,0 +1,66 @@
+From: Robert Luberda 
+Date: Sun, 28 May 2017 12:27:11 +0200
+Subject: DT_JMPREL is missing on i386 as well; check DT_REL
+
+Apply the changes from commit d688a05ac78517bcba09bae0f60bc76f3aa51ddb
+to PackLinuxElf32::canPack(), however check DT_REL instread of DT_RELA.
+This fixes crashes while running position independent i386 executables
+compressed with upx.
+
+The patch was sent to upstream in https://github.com/upx/upx/issues/106,
+and eventually got applied in a sligthly modified form in commit
+https://github.com/upx/upx/commit/ee18fe9bbab4955191e68a0982196f1b6f3e5c7d
+(the differences include extractions of duplicated code into functions,
+and introduction of DT_1_PIE checks that depend on  code not yet
+available in upx 3.91).
+---
+ src/p_elf_enum.h |  1 +
+ src/p_lx_elf.cpp | 16 
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/p_elf_enum.h b/src/p_elf_enum.h
+index 5a4f602..121d04d 100644
+--- a/src/p_elf_enum.h
 b/src/p_elf_enum.h
+@@ -150,6 +150,7 @@
+ DT_RELAENT  =  9,   /* Size of one RELA relocation */
+ DT_INIT = 12,   /* Address of init function */
+ DT_REL  = 17,   /* Relocations which contain no addend */
++DT_RELSZ   =  18,   /* Total size of Rel relocs */
+ DT_RELENT   = 19,   /* Size of one Rel relocation */
+ DT_STRSZ= 10,   /* Sizeof string table */
+ DT_PLTREL   = 20,   /* Type of reloc in PLT */
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 6f95c0b..ab00666 100644
+--- a/src/p_lx_elf.cpp
 b/src/p_lx_elf.cpp
+@@ -1359,6 +1359,8 @@ bool PackLinuxElf32::canPack()
+ // defined symbols, and there might be no DT_HASH.
+ 
+ Elf32_Rel const *
++rel= (Elf32_Rel const *)elf_find_dynamic(Elf32_Dyn::DT_REL);
++Elf32_Rel const *
+ jmprel= (Elf32_Rel const *)elf_find_dynamic(Elf32_Dyn::DT_JMPREL);
+ for (   int sz = elf_unsigned_dynamic(Elf32_Dyn::DT_PLTRELSZ);
+ 0 < sz;
+@@ -1372,6 +1374,20 @@ bool PackLinuxElf32::canPack()
+ goto proceed;
+ }
+ 
++// 2017-05-28 DT_JMPREL is no more (binutils-2.26.1)?
++// Check the general case, too.
++for (   int sz = elf_unsigned_dynamic(Elf32_Dyn::DT_RELSZ);
++0 < sz;
++(sz -= sizeof(Elf32_Rel)), ++rel
++) {
++unsigned const symnum = get_te32(>r_info) >> 8;
++char const *const symnam = get_te32([symnum].st_name) + 
dynstr;
++if (0==strcmp(symnam, "__libc_start_main")
++||  0==strcmp(symnam, "__uClibc_main")
++||  0==strcmp(symnam, "__uClibc_start_main"))
++goto proceed;
++}
++
+ // Heuristic HACK for shared libraries (compare Darwin (MacOS) Dylib.)
+ // If there is an existing DT_INIT, and if everything that the dynamic
+ // linker ld-linux needs to perform relocations before calling DT_INIT
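Review bot: the loop added to PackLinuxElf32::canPack() walks rel for DT_RELSZ bytes without checking the value returned by elf_find_dynamic(Elf32_Dyn::DT_REL), and it uses symnum (r_info >> 8) and the symbol's st_name as offsets into the symbol and string tables with no bounds check before the strcmp calls. The input is an arbitrary ELF file, so a missing DT_REL with a non-zero DT_RELSZ, or an out-of-range symbol index, should end the loop rather than be dereferenced; add a null check on rel and validate both offsets. The new loop is also a near copy of the DT_JMPREL loop above it, and the patch header itself notes that upstream extracted the duplicated code into functions, which would be worth doing here as well. In p_elf_enum.h the new DT_RELSZ line does not follow the column alignment of its neighbours.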
diff -Nru 

Bug#864085: unblock: dnsmasq/2.76-5

2017-06-05 Thread Ondřej Surý
Hi Jonathan,

On Sun, Jun 4, 2017, at 17:36, Jonathan Wiltshire wrote:
> However, I wonder if that format change in dns-root-data risks problems
> in other packages. Ondřej, is there any advantage to reverting that (keeping
> the RC fix for parse-root-anchors.sh)?

Unfortunately not. The Root Zone KSK Rollover is going to happen this
summer and reverting this would only postpone the problem.

And we will need the same update to happen in jessie (+ update for every
package not using dns-root-data), so the one thing I can do is to test
all reverse (Build-)Depends in jessie and stretch to make sure nothing
else obvious breaks.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver



Bug#864085: unblock: dnsmasq/2.76-5

2017-06-05 Thread Ondřej Surý
Simon,

please let me know what would be the fixed version number and I'll issue
an update to dns-root-data to have "Breaks: dnsmasq (<<
)".

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver

On Sun, Jun 4, 2017, at 19:54, Simon Kelley wrote:
> 
> 
> On 04/06/17 16:36, Jonathan Wiltshire wrote:
> > Control: tag -1 moreinfo
> > 
> > On Sun, Jun 04, 2017 at 09:58:44AM +0100, ? wrote:
> >> The dnsmasq package in testing has a serious problem when dns-root-data is
> >> installed, due to changes in the format of the dns-root-data files.
> >> The effect is to render dnsmasq unusable.
> > 
> > Bother.
> > 
> >> There are several serious bugs filed to this effect, but they should
> >> really be release-critical, eg 863896
> >>
> >> There are also several bugs in the DNSSEC validation code, which are fixed
> >> upstream, and really should be in stretch.
> >>
> >> Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch,
> >> that would be a Good Thing. If not, it will need a point release.
> > 
> > The delta from testing to unstable right now is not really suitable this
> > late in the process. I would prefer a targeted fix through t-p-u.
> 
> I understand.
> 
> > 
> > However, I wonder if that format change in dns-root-data risks problems in
> > other packages. Ondřej, is there any advantage to reverting that (keeping
> > the RC fix for parse-root-anchors.sh)?
> > 
> 
> The patch to fix this in dnsmasq is at :
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=44eb875a5ab2e3b862a6b2bc9fbbb919475d2107
> 
> (that regexp handles both old and new formats.)
> 
> Cheers,
> 
> Simon.
> 
> 



Bug#864199: unblock: resource-agents/1:4.0.0~rc1-4

2017-06-05 Thread Christoph Berg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package resource-agents. The new version fixes a
regression from jessie [*]. In PostgreSQL 9.6 synchronous replication
setups, setting the synchronous replication target failed if the
hostnames contained dashes ("pg-node-1"). The new version cherry-picks
changes from upstream.

[*] Strictly speaking, pacemaker is not in jessie, but it is in
jessie-backports and wheezy (no backports), so sync rep users would be
affected anyway.

Problem verified as existing in 1:4.0.0~rc1-3 and fixed in
1:4.0.0~rc1-4 in a manual test setup. (Hard to test automatically
because it needs two corosync nodes.)


diff -Nru resource-agents-4.0.0~rc1/debian/changelog 
resource-agents-4.0.0~rc1/debian/changelog
--- resource-agents-4.0.0~rc1/debian/changelog  2017-03-14 08:36:06.0 
+0100
+++ resource-agents-4.0.0~rc1/debian/changelog  2017-06-04 09:30:30.0 
+0200
@@ -1,3 +1,10 @@
+resource-agents (1:4.0.0~rc1-4) unstable; urgency=medium
+
+  * pgsql: postgresql-9.6 treats the contents of synchronous_standby_names as
+SQL identifiers, they need to be quoted for dashes etc. (Closes: #862719)
+
+ -- Christoph Berg   Sun, 04 Jun 2017 09:30:30 +0200
+
 resource-agents (1:4.0.0~rc1-3) unstable; urgency=medium
 
   * debian/control: add net-tools to Recommends (Closes: #857368)
diff -Nru resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6 
resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6
--- resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6  1970-01-01 
01:00:00.0 +0100
+++ resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6  2017-06-04 
09:28:07.0 +0200
@@ -0,0 +1,47 @@
+commit 6e91193f0e4d3f72d22564e1fe393e7391691f9d
+Author: Andreas Ntaflos 
+Date:   Mon Dec 12 14:43:59 2016 +0100
+
+Double-quote value of synchronous_standby_names in rep_mode.conf
+
+PostgreSQL 9.6 introduced a new syntax for specifying
+synchronous_standby_names. The old syntax, used by the pgsql RA, is
+still valid but PostgreSQL now treats the standby-names in
+synchronous_standby_names as SQL identifiers. This means such values
+need to be double-quoted since they can easily contain dashes or other
+characters that are not valid in a bare SQL identifier.
+
+See the docs for synchronous_standby_names in
+https://www.postgresql.org/docs/9.6/static/runtime-config-replication.html
+for confirmation and
+https://www.postgresql.org/message-id/21183.1481253534%40sss.pgh.pa.us
+for a short discussion.
+
+commit 6ad25cf64e00cebe5d90ec96430d94a38b240d31
+Author: Gianluca De Cicco 
+Date:   Thu Mar 23 15:12:24 2017 +0100
+
+fix regex in set async mode
+
+Index: resource-agents/heartbeat/pgsql
+===
+--- resource-agents.orig/heartbeat/pgsql
 resource-agents/heartbeat/pgsql
+@@ -1474,7 +1474,7 @@ set_async_mode_all() {
+ }
+ 
+ set_async_mode() {
+-cat $REP_MODE_CONF |  grep -q -e "[,' ]$1[,' ]"
++cat $REP_MODE_CONF |  grep -q -E "(\"$1\")|([,' ]$1[,' ])"
+ if [ $? -eq 0 ]; then
+ ocf_log info "Setup $1 into async mode."
+ runasowner -q err "echo \"synchronous_standby_names = ''\" > 
\"$REP_MODE_CONF\""
+@@ -1493,7 +1493,7 @@ set_sync_mode() {
+ ocf_log debug "$sync_node_in_conf is already sync mode."
+ else
+ ocf_log info "Setup $1 into sync mode."
+-runasowner -q err "echo \"synchronous_standby_names = '$1'\" > 
\"$REP_MODE_CONF\""
++runasowner -q err "echo \"synchronous_standby_names = '\\\"$1\\\"'\" 
> \"$REP_MODE_CONF\""
+ [ "$RE_CONTROL_SLAVE" = "false" ] && RE_CONTROL_SLAVE="true"
+ exec_with_retry 0 reload_conf
+ fi
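Review bot: in set_async_mode the node name $1 is interpolated unescaped into an extended regular expression, grep -q -E "(\"$1\")|([,' ]$1[,' ])", so a name containing a regex metacharacter such as "." also matches other names; compare the name as a literal string instead, or escape $1 before building the pattern. $REP_MODE_CONF is unquoted on the same line and the cat is unnecessary, since grep can read the file directly. In set_sync_mode, $1 is wrapped in \\\"...\\\" without handling a double quote inside the name; validating $1 against the expected hostname character set before writing would make that assumption explicit.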
diff -Nru resource-agents-4.0.0~rc1/debian/patches/series 
resource-agents-4.0.0~rc1/debian/patches/series
--- resource-agents-4.0.0~rc1/debian/patches/series 2017-01-18 
14:38:11.0 +0100
+++ resource-agents-4.0.0~rc1/debian/patches/series 2017-06-04 
09:28:07.0 +0200
@@ -5,3 +5,4 @@
 ipv6-linux-only
 850787-fix-typo
 ocft-configs.patch
+pgsql-9.6


unblock resource-agents/1:4.0.0~rc1-4


Thanks,
Christoph
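
The quoting issue described in this request, as an added example that is not part of the original message or of the resource-agents code: the hypothetical helpers `quote_standby_name`, `sync_conf_line` and `conf_has_standby` write the standby name as a double-quoted SQL identifier and look it up by literal comparison instead of a regular expression. The file contents are constructed, and only a plain comma-separated `synchronous_standby_names` list is assumed.

```shell
#!/bin/sh
# Added example: helper names and the sample rep_mode.conf contents are
# constructed for illustration; this is not the pgsql resource agent's code.

# Quote a standby name as an SQL identifier ("pg-node-1"): embedded double
# quotes are doubled, and single quotes are doubled for the conf string.
quote_standby_name() {
    printf '"%s"' "$(printf '%s' "$1" | sed "s/\"/\"\"/g; s/'/''/g")"
}

# Line to write into rep_mode.conf for one synchronous standby.
sync_conf_line() {
    printf "synchronous_standby_names = '%s'\n" "$(quote_standby_name "$1")"
}

# Succeeds if file $1 names standby $2 in a plain comma-separated
# synchronous_standby_names list, quoted or bare. Entries are compared as
# literal strings, so "." or "-" in a hostname has no pattern meaning.
# Assumption: the "N (a, b)" priority syntax is not handled.
# The body runs in a subshell so the IFS and noglob changes do not leak.
conf_has_standby() (
    value=$(sed -n "s/^[[:space:]]*synchronous_standby_names[[:space:]]*=[[:space:]]*'\(.*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    set -f      # no filename expansion while splitting the list
    IFS=,
    for item in $value; do
        # Trim surrounding whitespace.
        item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $item in
            \"*\")
                # Strip the identifier quotes and undo doubled quotes.
                item=${item#\"}; item=${item%\"}
                item=$(printf '%s' "$item" | sed 's/""/"/g')
                ;;
        esac
        item=$(printf '%s' "$item" | sed "s/''/'/g")
        [ "$item" = "$2" ] && exit 0
    done
    exit 1
)

demo() {
    conf=$(mktemp) || return 1
    # Constructed sample: the line written for a standby called pg-node-1.
    sync_conf_line "pg-node-1" > "$conf"
    cat "$conf"
    # pg.node.1 would match "pg-node-1" if used as a regular expression.
    for name in pg-node-1 pg-node-10 pg.node.1; do
        if conf_has_standby "$conf" "$name"; then
            echo "$name: listed"
        else
            echo "$name: not listed"
        fi
    done
    rm -f "$conf"
}
demo
```
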



[release-notes] The two last weeks up to the release

2017-06-05 Thread Niels Thykier
Hi,

Sorry for being late with this.

The release notes are not quite done yet.  Let's summarise this as:

Still open:
===========

We still expect changes to these chapters (in order of expected
frequencies of changes)

 * chapter 5
 * chapter 2

Probably done:
==============

List of chapters that seem to be done or not have any outstanding change
requests (except possible English review):

 * chapter 1
 * chapter 3 (?)
 * chapter 4
 * chapter 6
 * chapter A
 * chapter B

Let me know if you disagree with any of these.

English review done:
====================

There has been some review already, but I don't think any of the
chapters have been declared "done".

Timeline:
=========

We need some time to finish the release notes, l10n-english some time to
review it and the translators even more time to translate it.  I imagine
we split the time something like this:

Content + English review:

 * Today - 2017-06-09: Updates to chapter 2+5 + English review
 * 2017-06-10 - 2017-06-11: Content freeze of chapters, English review
   does a final run through
 * 2017-06-12 - 2017-06-17: Release notes are frozen except for critical
   issues.

 * After 2017-06-18: Release notes are open again as we get reports of
   changes or undocumented issues.

Translators:

 * Today - 2017-06-09: Finish the "Probably done" chapters.  If time
   and energy permits, start on chapter 2 and then chapter 5.
 * 2017-06-10 - 2017-06-11: Start on the remaining (NB: English review
   ongoing - noise may occur)
 * 2017-06-12 - 2017-06-17: (Hopefully) no disturbances to your
   translations

I admit it is not a lot of time to finish.  But it should get us a lot
of the way while hopefully leaving enough time for everyone to do their
part.


Thanks,
~Niels



Bug#864198: marked as done (unblock: upx-ucl/3.91-4)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 07:28:00 +
with message-id <9ff4668b-d724-bc82-72a2-46c6cdd9e...@thykier.net>
and subject line Re: Bug#864198: unblock: upx-ucl/3.91-4
has caused the Debian Bug report #864198,
regarding unblock: upx-ucl/3.91-4
to be marked as done.


-- 
864198: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock version 3.91-4 of package upx-ucl.

This version fixes crashes occurring while executing compressed i386
position-independent executables, for example the following commands
on an i386 system:
  cp /usr/bin/vim .; upx ./vim; ./vim
  cp /usr/bin/mutt .; upx ./mutt; ./mutt
end with segmentation faults in stretch, while they work as expected 
in jessie. This is related to some changes in binutils output.  (Also 
note that vim is PIE in both jessie and stretch, while mutt wasn't
PIE in jessie).

This is the issue I wrote about a week ago in #863537 while requesting 
unblock for previous upload that addressed crashes of amd64 executables,
and it has been fixed in pretty much the same way as the amd64 one.


Comparing upx-ucl_3.91-3.dsc upx-ucl_3.91-4.dsc
diff -Nru upx-ucl-3.91/debian/changelog upx-ucl-3.91/debian/changelog
--- upx-ucl-3.91/debian/changelog   2017-05-20 09:16:37.0 +0200
+++ upx-ucl-3.91/debian/changelog   2017-05-31 21:50:25.0 +0200
@@ -1,3 +1,12 @@
+upx-ucl (3.91-4) unstable; urgency=medium
+
+  * Introduce Check-DT_REL-i386.patch to fix segmentation faults occurring
+while executing upx-compressed i386 position-independent binaries. The
+patch is strongly based on the one added previously for amd64 binaries,
+and was reported to upstream in https://github.com/upx/upx/issues/106.
+
+ -- Robert Luberda   Wed, 31 May 2017 21:50:25 +0200
+
 upx-ucl (3.91-3) unstable; urgency=medium
 
   * Add Check-DT_RELA.patch based on upstream's commit d688a05ac7 to
diff -Nru upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 
upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch
--- upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 1970-01-01 
01:00:00.0 +0100
+++ upx-ucl-3.91/debian/patches/Check-DT_REL-i386.patch 2017-05-31 
21:50:25.0 +0200
@@ -0,0 +1,66 @@
+From: Robert Luberda 
+Date: Sun, 28 May 2017 12:27:11 +0200
+Subject: DT_JMPREL is missing on i386 as well; check DT_REL
+
+Apply the changes from commit d688a05ac78517bcba09bae0f60bc76f3aa51ddb
+to PackLinuxElf32::canPack(), however check DT_REL instread of DT_RELA.
+This fixes crashes while running position independent i386 executables
+compressed with upx.
+
+The patch was sent to upstream in https://github.com/upx/upx/issues/106,
+and eventually got applied in a sligthly modified form in commit
+https://github.com/upx/upx/commit/ee18fe9bbab4955191e68a0982196f1b6f3e5c7d
+(the differences include extractions of duplicated code into functions,
+and introduction of DT_1_PIE checks that depend on  code not yet
+available in upx 3.91).
+---
+ src/p_elf_enum.h |  1 +
+ src/p_lx_elf.cpp | 16 
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/p_elf_enum.h b/src/p_elf_enum.h
+index 5a4f602..121d04d 100644
+--- a/src/p_elf_enum.h
 b/src/p_elf_enum.h
+@@ -150,6 +150,7 @@
+ DT_RELAENT  =  9,   /* Size of one RELA relocation */
+ DT_INIT = 12,   /* Address of init function */
+ DT_REL  = 17,   /* Relocations which contain no addend */
++DT_RELSZ   =  18,   /* Total size of Rel relocs */
+ DT_RELENT   = 19,   /* Size of one Rel relocation */
+ DT_STRSZ= 10,   /* Sizeof string table */
+ DT_PLTREL   = 20,   /* Type of reloc in PLT */
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 6f95c0b..ab00666 100644
+--- a/src/p_lx_elf.cpp
 b/src/p_lx_elf.cpp
+@@ -1359,6 +1359,8 @@ bool PackLinuxElf32::canPack()
+ // defined symbols, and there might be no DT_HASH.
+ 
+ Elf32_Rel const *
++rel= (Elf32_Rel const *)elf_find_dynamic(Elf32_Dyn::DT_REL);
++Elf32_Rel const *
+ jmprel= (Elf32_Rel const *)elf_find_dynamic(Elf32_Dyn::DT_JMPREL);
+ for (   int sz = elf_unsigned_dynamic(Elf32_Dyn::DT_PLTRELSZ);
+ 0 < sz;
+@@ -1372,6 +1374,20 @@ bool PackLinuxElf32::canPack()
+ goto proceed;
+ }
+ 
++// 2017-05-28 DT_JMPREL is no 
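Review bot: in the PackLinuxElf32::canPack() hunk the new `rel` pointer is taken from elf_find_dynamic(Elf32_Dyn::DT_REL) with no NULL check in the lines shown, and the existing DT_JMPREL loop beside it copies its byte count from the input file into a signed `int sz`. The hunk is cut off before the new loop, so confirm that it skips cleanly when DT_REL is absent and that DT_RELSZ is validated before `rel` is walked, since both values come from the ELF being packed. The patch description already names the upstream commit that superseded it; a DEP-3 Applied-Upstream header would record that in machine-readable form.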

Bug#864085: unblock: dnsmasq/2.76-5

2017-06-05 Thread Ondřej Surý
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=44eb875a5ab2e3b862a6b2bc9fbbb919475d2107

Oh, and I would strongly recommend using [[:space:]] instead of [\t ] in
the sed expression, something like this:


Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver



Bug#864199: marked as done (unblock: resource-agents/1:4.0.0~rc1-4)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 07:29:00 +
with message-id 
and subject line Re: Bug#864199: unblock: resource-agents/1:4.0.0~rc1-4
has caused the Debian Bug report #864199,
regarding unblock: resource-agents/1:4.0.0~rc1-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864199: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864199
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package resource-agents. The new version fixes a
regression from jessie [*]. In PostgreSQL 9.6 synchronous replication
setups, setting the synchronous replication target failed if the
hostnames contained dashes ("pg-node-1"). The new version cherry-picks
changes from upstream.

[*] Strictly speaking, pacemaker is not in jessie, but it is in
jessie-backports and wheezy (no backports), so sync rep users would be
affected anyway.

Problem verified as existing in 1:4.0.0~rc1-3 and fixed in
1:4.0.0~rc1-4 in a manual test setup. (Hard to test automatically
because it needs two corosync nodes.)


diff -Nru resource-agents-4.0.0~rc1/debian/changelog 
resource-agents-4.0.0~rc1/debian/changelog
--- resource-agents-4.0.0~rc1/debian/changelog  2017-03-14 08:36:06.0 
+0100
+++ resource-agents-4.0.0~rc1/debian/changelog  2017-06-04 09:30:30.0 
+0200
@@ -1,3 +1,10 @@
+resource-agents (1:4.0.0~rc1-4) unstable; urgency=medium
+
+  * pgsql: postgresql-9.6 treats the contents of synchronous_standby_names as
+SQL identifiers, they need to be quoted for dashes etc. (Closes: #862719)
+
+ -- Christoph Berg   Sun, 04 Jun 2017 09:30:30 +0200
+
 resource-agents (1:4.0.0~rc1-3) unstable; urgency=medium
 
   * debian/control: add net-tools to Recommends (Closes: #857368)
diff -Nru resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6 
resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6
--- resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6  1970-01-01 
01:00:00.0 +0100
+++ resource-agents-4.0.0~rc1/debian/patches/pgsql-9.6  2017-06-04 
09:28:07.0 +0200
@@ -0,0 +1,47 @@
+commit 6e91193f0e4d3f72d22564e1fe393e7391691f9d
+Author: Andreas Ntaflos 
+Date:   Mon Dec 12 14:43:59 2016 +0100
+
+Double-quote value of synchronous_standby_names in rep_mode.conf
+
+PostgreSQL 9.6 introduced a new syntax for specifying
+synchronous_standby_names. The old syntax, used by the pgsql RA, is
+still valid but PostgreSQL now treats the standby-names in
+synchronous_standby_names as SQL identifiers. This means such values
+need to be double-quoted since they can easily contain dashes or other
+characters that are not valid in a bare SQL identifier.
+
+See the docs for synchronous_standby_names in
+https://www.postgresql.org/docs/9.6/static/runtime-config-replication.html
+for confirmation and
+https://www.postgresql.org/message-id/21183.1481253534%40sss.pgh.pa.us
+for a short discussion.
+
+commit 6ad25cf64e00cebe5d90ec96430d94a38b240d31
+Author: Gianluca De Cicco 
+Date:   Thu Mar 23 15:12:24 2017 +0100
+
+fix regex in set async mode
+
+Index: resource-agents/heartbeat/pgsql
+===
+--- resource-agents.orig/heartbeat/pgsql
 resource-agents/heartbeat/pgsql
+@@ -1474,7 +1474,7 @@ set_async_mode_all() {
+ }
+ 
+ set_async_mode() {
+-cat $REP_MODE_CONF |  grep -q -e "[,' ]$1[,' ]"
++cat $REP_MODE_CONF |  grep -q -E "(\"$1\")|([,' ]$1[,' ])"
+ if [ $? -eq 0 ]; then
+ ocf_log info "Setup $1 into async mode."
+ runasowner -q err "echo \"synchronous_standby_names = ''\" > 
\"$REP_MODE_CONF\""
+@@ -1493,7 +1493,7 @@ set_sync_mode() {
+ ocf_log debug "$sync_node_in_conf is already sync mode."
+ else
+ ocf_log info "Setup $1 into sync mode."
+-runasowner -q err "echo \"synchronous_standby_names = '$1'\" > 
\"$REP_MODE_CONF\""
++runasowner -q err "echo \"synchronous_standby_names = '\\\"$1\\\"'\" 
> \"$REP_MODE_CONF\""
+ [ "$RE_CONTROL_SLAVE" = "false" ] && RE_CONTROL_SLAVE="true"
+ exec_with_retry 0 reload_conf
+ fi
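Review bot: in set_async_mode() the node name is interpolated into the grep -E pattern as (\"$1\")|([,' ]$1[,' ]) without escaping, so regex metacharacters in a host name (a dot matches any character) can make one node match another node's entry. A fixed-string match on the quoted form, or escaping $1 before building the pattern, would be stricter, and $REP_MODE_CONF should be quoted in the cat. In set_sync_mode() the value is written as '\"$1\"' but an embedded double or single quote in $1 is not doubled, so the new quoting is only safe while node names stay within hostname characters; either validate $1 against that set or double the quotes before writing rep_mode.conf.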
diff -Nru resource-agents-4.0.0~rc1/debian/patches/series 
resource-agents-4.0.0~rc1/debian/patches/series
--- resource-agents-4.0.0~rc1/debian/patches/series 2017-01-18 
14:38:11.0 +0100
+++ resource-agents-4.0.0~rc1/debian/patches/series 2017-06-04 

Bug#864199: unblock: resource-agents/1:4.0.0~rc1-4

2017-06-05 Thread Christoph Berg
Re: Niels Thykier 2017-06-05 
> > unblock resource-agents/1:4.0.0~rc1-4
> 
> Unblocked, thanks.

The second after I had sent the mail, I noticed via DDPO that you had
already unblocked the package. Thanks for the awesome service :)

Christoph



Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Andreas Hoenen
Package: release.debian.org
Severity: important


I'd kindly ask you to consider a fix for BTS #863890 for the next
jessie point release:

It has been reported that jessie-stretch dist-upgrades abort because
of the dblatex postrm script failing: it calls texlive-binaries
command mktexlsr which is unavailable at this very moment.

The fix is simple, but needs to be applied to the jessie version of
dblatex.  BTW, is there a final jessie point release planned to fix
such dist-upgrade problems?  This would help as users are expected to
upgrade to the latest jessie point release before upgrading to
stretch:
https://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#system-status

Thanks for your feedback on this, Andreas

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru dblatex-0.3.5/debian/changelog dblatex-0.3.5/debian/changelog
--- dblatex-0.3.5/debian/changelog  2014-12-07 15:10:52.0 +0100
+++ dblatex-0.3.5/debian/changelog  2017-06-05 09:35:43.0 +0200
@@ -1,3 +1,14 @@
+dblatex (0.3.5-3) stable; urgency=high
+
+  * Remove the call of command "mktexlsr" in postrm:
++ It has been reported for some installations to result in upgrade errors
+  when dist-upgrading from jessie to stretch due to the command being
+  temporarily unavailable when dblatex postrm is called.
++ It is superfluous: mktexlsr gets called via a trigger anyway.
+Closes: #863890
+
+ -- Andreas Hoenen   Mon, 05 Jun 2017 09:35:43 
+0200
+
 dblatex (0.3.5-2) unstable; urgency=low
 
   * 20_nb_quotes_in_title.patch:
diff -Nru dblatex-0.3.5/debian/postrm dblatex-0.3.5/debian/postrm
--- dblatex-0.3.5/debian/postrm 2012-05-03 20:40:15.0 +0200
+++ dblatex-0.3.5/debian/postrm 2017-06-05 09:35:43.0 +0200
@@ -19,42 +19,10 @@
 
 
 case "$1" in
-remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-
-# A call to 'mktexlsr' is needed to unregister the dblatex TeX files
-# in the TeX database '/var/lib/texmf/ls-R-TEXMFMAIN'.
-#
-# This call won't do any harm even if it might be superfluous in
-# special postrm cases, but it may take some time.
-# Thus a performance optimization can be applied to the main case
-# of successful package upgrade:
-# As the new version's postinst script will register the new version's
-# dblatex TeX files in the TeX database, the old version's files that
-# have vanished in the new version will be unregistered implicitly 
then.
-# Thus in the case of successful upgrade to another dblatex version
-# supporting the TeX (de)registration the deregistration call can be
-# left out as a superfluous duplicate.
-
-if test "$1" = upgrade -a -n "$2" && \
-   dpkg --compare-versions "$2" ge 0.1.9-3
-then
-true # Unregistration will be executed implicitly by
- # 'new-postinst configure'.
-else
-mktexlsr /usr/share/texmf # Unregister dblatex TeX files in TeX.
-fi
-;;
 purge)
-# TeX unregistration has already been executed before.
-# (Besides that mktexlsr is not guaranteed to be available at purge
-#  as it belongs to a non-essential package.)
-
 # Remove dblatex configuration directory.
 rm --recursive --force /etc/dblatex
 ;;
-*)
-echo "postrm called with unknown argument \`$1'" >&2
-exit 1
 esac
 
 # dh_installdeb will replace this with shell code automatically
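Review bot: removing the `*)` branch together with the remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear branch means postrm now exits 0 for any argument, including ones dpkg never passes, which is a wider change than dropping the mktexlsr call. A smaller change for a stable update keeps the known actions as an explicit no-op branch ending in `;;` and retains the `*)` error exit, so that only the mktexlsr invocation and its comment go away.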


Processed: Re: Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # control@ BCCed
> severity 864201 normal
Bug #864201 [release.debian.org] release.debian.org: jessie dblatex breaks 
jessie-stretch dist-upgrade
Severity set to 'normal' from 'important'
> tags 864201 + jessie moreinfo
Bug #864201 [release.debian.org] release.debian.org: jessie dblatex breaks 
jessie-stretch dist-upgrade
Added tag(s) jessie and moreinfo.
> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was 
a...@adam-barratt.org.uk).
> usertags 864201 pu
There were no usertags set.
Usertags are now: pu.
> retitle 864201 jessie-pu: dblatex/0.3.5-2
Bug #864201 [release.debian.org] release.debian.org: jessie dblatex breaks 
jessie-stretch dist-upgrade
Changed Bug title to 'jessie-pu: dblatex/0.3.5-2' from 'release.debian.org: 
jessie dblatex breaks jessie-stretch dist-upgrade'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
864201: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864201: release.debian.org: jessie dblatex breaks jessie-stretch dist-upgrade

2017-06-05 Thread Adam D. Barratt

# control@ BCCed
severity 864201 normal
tags 864201 + jessie moreinfo
user release.debian@packages.debian.org
usertags 864201 pu
retitle 864201 jessie-pu: dblatex/0.3.5-2
thanks

On 2017-06-05 9:08, Andreas Hoenen wrote:

> Package: release.debian.org
> Severity: important
>
> I'd kindly ask you to consider a fix for BTS #863890 for the next
> jessie point release:

Then this should be a p-u request; fixing.

> It has been reported that jessie-stretch dist-upgrades abort because
> of the dblatex postrm script failing: it calls texlive-binaries
> command mktexlsr which is unavailable at this very moment.
>
> The fix is simple, but needs to be applied to the jessie version of
> dblatex.

The same issue appears to apply to the dblatex package in unstable,
which means it needs fixing there first.

> BTW, is there a final jessie point release planned to fix
> such dist-upgrade problems?

Why do you say "final jessie point release"? jessie will be supported as
oldstable for the next year, as is usual.


+dblatex (0.3.5-3) stable; urgency=high

The version should be 0.3.5-2+deb8u1, and the distribution should be 
"jessie" - not least because by the time the update gets processed, 
jessie may no longer be stable; it certainly won't be by the time the 
next point release happens.


Regards,

Adam



Bug#863915: unblock: webkit2gtk/2.16.3-2

2017-06-05 Thread Adam D. Barratt
On Fri, 2017-06-02 at 11:52 -0400, Jeremy Bicha wrote:
> Here's my thinking as to how the first webkit2gtk stable update could work.
> 
> 1. A new webkit2gtk point release is released.
> 2. Since regressions are generally found within the first week and to
> try to limit the work needed by the SRMs, we wait a week before
> uploading to the s-p-u queue.
> 3. A SRM accepts it.
> 4. An email is sent out to the maintainers of the rdeps asking them to
> please test their package with the new webkit2gtk version in s-p-u
> within the next 2 weeks.
> 5. If no regressions are reported, the update is released in the next
> Debian 9 point release.

Has this been discussed with any of the r-dep maintainers? The plan only
really works if step 4 actually results in useful tests.

Regards,

Adam



Bug#864236: marked as done (unblock: wput/0.6.2+git20130413-5)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 20:17:00 +
with message-id <0897b856-92ff-1d94-266d-a163acb73...@thykier.net>
and subject line Re: Bug#864236: unblock: wput/0.6.2+git20130413-5
has caused the Debian Bug report #864236,
regarding unblock: wput/0.6.2+git20130413-5
to be marked as done.



-- 
864236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Sorry for leaving this to the last minute, but I’m wondering if the
lack of TLS support due to a missing build-dep qualifies as a security
fix.  If it does, please unblock package wput; the diff against the
version in testing is

diff --git a/debian/changelog b/debian/changelog
index befb782..133714f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+wput (0.6.2+git20130413-5) unstable; urgency=medium
+
+  * Actually build with TLS support (LP: #1678463).
+
+ -- Stephen Kitt   Mon, 05 Jun 2017 16:39:05 +0200
+
 wput (0.6.2+git20130413-4) unstable; urgency=medium
 
   * Switch to https: VCS URIs (see #810378).
diff --git a/debian/control b/debian/control
index f03e232..bdcfcda 100644
--- a/debian/control
+++ b/debian/control
@@ -3,6 +3,7 @@ Maintainer: Stephen Kitt 
 Section: web
 Priority: optional
 Build-Depends: debhelper (>= 9),
+   libgcrypt20-dev,
libgnutls-openssl-dev,
autotools-dev
 Standards-Version: 3.9.8
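Review bot: adding libgcrypt20-dev to Build-Depends fixes this build, but nothing in the diff stops the package from silently building without TLS again if the dependency set changes, which the changelog entry ("Actually build with TLS support") implies is what happened before. Consider making the build fail when TLS support is not detected, or adding a post-build check that the binary links against the TLS library, so that a regression is caught at build time.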


unblock wput/0.6.2+git20130413-5

Regards,

Stephen

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing'), (500, 'stable'), (200, 
'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Stephen Kitt:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Dear release team,
> 
> Sorry for leaving this to the last minute, but I’m wondering if the
> lack of TLS support due to a missing build-dep qualifies as a security
> fix.  If it does, please unblock package wput; the diff against the
> version in testing is
> 
> [...]
> 
> unblock wput/0.6.2+git20130413-5
> 
> Regards,
> 
> Stephen
> 
> [...]

Unblocked, thanks.

~Niels
--- End Message ---


Bug#864217: marked as done (unblock: sudo/1.8.19p1-2.1 (pre-approval request))

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 20:06:00 +
with message-id <108fdd01-d441-53dd-f7e5-623a4ca9e...@thykier.net>
and subject line Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
has caused the Debian Bug report #864217,
regarding unblock: sudo/1.8.19p1-2.1 (pre-approval request)
to be marked as done.



-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package sudo, actually a pre-approval request.

The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See

http://www.openwall.com/lists/oss-security/2017/06/02/7

I'm including the generated debdiff against the current version in
stretch.

unblock sudo/1.8.19p1-2.1

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/changelog	2017-06-05 06:19:37.0 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso   Mon, 05 Jun 2017 06:19:37 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	1970-01-01 01:00:00.0 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	2017-06-05 06:19:37.0 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller 
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
 b/src/ttyname.c
+@@ -447,26 +447,39 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-char path[PATH_MAX], *line = NULL;
++char path[PATH_MAX];
++char *cp, buf[1024];
+ char *ret = NULL;
+-size_t linesize = 0;
+ int serrno = errno;
+-ssize_t len;
+-FILE *fp;
++ssize_t nread;
++int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-/* Try to determine the tty from tty_nr in /proc/pid/stat. */
++/*
++ * Try to determine the tty from tty_nr in /proc/pid/stat.
++ * Ignore /proc/pid/stat if it contains embedded NUL bytes.
++ */
+ snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+-if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(, , fp);
+-	fclose(fp);
+-	if (len != -1) {
++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++cp = buf;
++while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++if (nread == -1) {
++if (errno == EAGAIN || errno == EINTR)
++continue;
++break;
++}
++cp += nread;
++if (cp >= buf + sizeof(buf))
++break;
++}
++if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	/*
+ 	 * Field 7 is the tty dev (0 if no tty).
+-	 * Since the process name at field 2 "(comm)" may include spaces,
+-	 * start at the last ')' found.
++	 * Since the process name at field 2 "(comm)" may include
++	 * whitespace (including newlines), start at the last ')' found.
+ 	 */
+-	char *cp = strrchr(line, ')');
++*cp = '\0';
++cp = strrchr(buf, ')');
+ 	if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n
+ errno = ENOENT;
+ 
+ done:
+-free(line);
++if (fd != -1)
++	close(fd);
+ if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	"unable to resolve tty via %s", path);
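Review bot: in get_process_ttyname() the read loop breaks out with nread != 0 once cp reaches buf + sizeof(buf), so a /proc/pid/stat longer than the 1024-byte buf is handled exactly like a corrupt file and falls through to the "unable to resolve tty via %s" warning with no indication of why. A debug message on the full-buffer path, or a comment stating why 1024 bytes is enough for the fields up to tty_nr, would make that intentional. `int fd` is also declared without an initial value while the done: label tests `fd != -1`; initialising it to -1 keeps that test safe if a goto done is ever added ahead of the open(). The commit message ties non-exploitability to the /dev traversal changes in sudo 1.8.20p1, so it is worth confirming that those changes are present in this 1.8.19p1 package.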
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-05-31 

Bug#864262: unblock: espeak-ng/1.49.0+dfsg-11

2017-06-05 Thread Samuel Thibault
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

espeak-ng used to have overlapping speech synthesis issues (#848016):
e.g. while moving fast in a list of items, the speech of each item would
get mixed with the previous one, making it difficult or impossible to
hear. We reduced the buffer size of espeak-ng from 200ms to 50ms to
considerably reduce the issue.

However, the modified buffer size happened to break the use of mbrola
voices (#860891), so we raised it a bit, from 50ms to 60ms, like
upstream did, to fix that.

However, that brought back some of the overlapping issues, making it
tedious to use...
(https://lists.debian.org/debian-accessibility/2017/06/msg2.html)

I have thus uploaded a version -11 of espeak-ng (attached debdiff) which
reduces it to 49ms, which avoids the overlapping regression, and which I
have tested as working with all mbrola voices.

unblock espeak-ng/1.49.0+dfsg-11

This contains udebs, so Cc-ing KiBi for the udeb ack.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 
'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Samuel
 ya(ka|ma|to)* ca existe une fois sur 2 au japon, c'est facile ;-)
 -+- #ens-mim au japon -+-
diff -Nru espeak-ng-1.49.0+dfsg/debian/changelog 
espeak-ng-1.49.0+dfsg/debian/changelog
--- espeak-ng-1.49.0+dfsg/debian/changelog  2017-04-29 16:32:54.0 
+0200
+++ espeak-ng-1.49.0+dfsg/debian/changelog  2017-06-05 22:04:57.0 
+0200
@@ -1,3 +1,11 @@
+espeak-ng (1.49.0+dfsg-11) unstable; urgency=medium
+
+  * patches/bufsize: Increasing the buffersize to 60ms brought back some
+overlapping. Revert this to 49ms, which both avoids overlapping, and
+was tested to work fine with all MBROLA voices.
+
+ -- Samuel Thibault   Mon, 05 Jun 2017 22:04:57 +0200
+
 espeak-ng (1.49.0+dfsg-10) unstable; urgency=medium
 
   * patches/bufsize: Increase buffersize to 60ms like upstream did, to fix 
using
diff -Nru espeak-ng-1.49.0+dfsg/debian/patches/bufsize 
espeak-ng-1.49.0+dfsg/debian/patches/bufsize
--- espeak-ng-1.49.0+dfsg/debian/patches/bufsize2017-04-29 
16:32:54.0 +0200
+++ espeak-ng-1.49.0+dfsg/debian/patches/bufsize2017-06-05 
22:04:57.0 +0200
@@ -5,7 +5,7 @@
// buflength is in mS, allocate 2 bytes per sample
if ((buffer_length == 0) || (output_mode & ENOUTPUT_MODE_SPEAK_AUDIO))
 -  buffer_length = 200;
-+  buffer_length = 60;
++  buffer_length = 49;
  
outbuf_size = (buffer_length * samplerate)/500;
out_start = (unsigned char *)realloc(outbuf, outbuf_size);
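Review bot: `buffer_length = 49;` is a tuned value with no explanation in the patched source; the reasoning (60 brought back overlapping speech, 50 broke MBROLA voices, 49 tested with both) lives only in debian/changelog. A short comment next to the assignment, or in the patch header, citing #848016 and #860891 would stop a later refresh from rounding it back to 50 or following upstream's 60.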


Bug#864267: jessie-pu: package libterralib/4.3.0+dfsg.1-2+deb8u1

2017-06-05 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

libterralib in jessie has Conflicts+Replaces against libterralib3, but
that package name has never been used before stretch. This causes
upgrade problems since apt does not consider libterralib3 from stretch
as a valid installation candidate. This does not seem to be solvable
within stretch.
A similar case was fixed in the previous jessie point release: openmpi.
Proposed patch attached.

Andreas
From dc64a1dbcc9aaa2b3927fd4883e52ad7560b6e52 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann 
Date: Mon, 5 Jun 2017 23:12:34 +0200
Subject: [PATCH] remove superfluous Conflicts/Replaces: libterralib3

---
 debian/changelog | 8 
 debian/control   | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 7963767..2dc6e2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libterralib (4.3.0+dfsg.1-2+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove superfluous Conflicts/Replaces: libterralib3 since that causes
+problems upgrading to stretch which has that package.  (Closes: #863885)
+
+ -- Andreas Beckmann   Mon, 05 Jun 2017 23:06:46 +0200
+
 libterralib (4.3.0+dfsg.1-2) unstable; urgency=medium
 
   * Remove libjpeg8-dev dependency; just use libjpeg-dev.
diff --git a/debian/control b/debian/control
index bc4a29c..72564ba 100644
--- a/debian/control
+++ b/debian/control
@@ -37,8 +37,8 @@ Multi-Arch: same
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Pre-Depends: ${misc:Pre-Depends}
 Suggests: libterralib-doc (= ${binary:Version})
-Conflicts: libterralib1c2a, libterralib3
-Replaces: libterralib1c2a, libterralib3
+Conflicts: libterralib1c2a
+Replaces: libterralib1c2a
 Description: C++ library for Geographical Information Systems
  TerraLib enables quick development of custom-built geographical applications
  using spatial databases. As a research tool, TerraLib  is aimed at providing a
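Review bot: dropping libterralib3 from Conflicts and Replaces removes the only declared relationship between this package and the stretch library, so any file overlap now has to be handled from the stretch side. Confirm that libterralib3 in stretch declares its own Breaks/Replaces against libterralib where the two ship the same paths, and mention that check in the changelog entry alongside #863885.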
-- 
2.11.0



Bug#864088: marked as done (unblock (pre-approval): sqlite3/3.6.12-4)

2017-06-05 Thread Debian Bug Tracking System
Your message dated Mon, 05 Jun 2017 19:27:09 +
with message-id 
and subject line unblock sqlite3
has caused the Debian Bug report #864088,
regarding unblock (pre-approval): sqlite3/3.6.12-4
to be marked as done.



-- 
864088: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

I would like to upload a security related update for sqlite3. It contains:
- Prevent a possible NULL pointer dereference in the OP_Found opcode
that can follow an OOM error. Problem found by OSS-Fuzz[1],
- Stack overflow while parsing deeply nested JSON[2],
- JSON allows unescaped control characters in strings[3],
- JSON extension accepts invalid numeric values[4].

Upstream tagged these as 'code defect' and severity 'severe'. The
changes themselves are small and the 3.19.2-1 version in experimental
contains these fixes.

Debdiff is attached. Thanks for consideration.

Regards,
Laszlo/GCS
[1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0
[2] https://www.sqlite.org/src/info/981329adeef51011052
[3] https://www.sqlite.org/src/info/6c9b5514077fed34551
[4] https://www.sqlite.org/src/info/b93be8729a895a528e2
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog	2017-02-13 17:31:26.0 +
+++ sqlite3-3.16.2/debian/changelog	2017-06-04 07:58:54.0 +
@@ -1,3 +1,13 @@
+sqlite3 (3.16.2-4) unstable; urgency=high
+
+  * Backport fix for a possible NULL pointer dereference in the OP_Found
+opcode that can follow an OOM error.
+  * Backport fix for stack overflow while parsing deeply nested JSON.
+  * Backport fix for JSON allows unescaped control characters in strings.
+  * Backport fix for JSON extension accepts invalid numeric values.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 04 Jun 2017 07:58:54 +
+
 sqlite3 (3.16.2-3) unstable; urgency=medium
 
   * Backport upstream fix to ensure that sqlite3_blob_reopen() correctly
diff -Nru sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch
--- sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch	2017-06-04 07:58:54.0 +
@@ -0,0 +1,24 @@
+Index: sqlite3/src/vdbe.c
+==
+--- sqlite3/src/vdbe.c
 sqlite3/src/vdbe.c
+@@ -4017,14 +4017,16 @@
+ }
+ #endif
+ pIdxKey = 
+ pFree = 0;
+   }else{
++assert( pIn3->flags & MEM_Blob );
++rc = ExpandBlob(pIn3);
++assert( rc==SQLITE_OK || rc==SQLITE_NOMEM );
++if( rc ) goto no_mem;
+ pFree = pIdxKey = sqlite3VdbeAllocUnpackedRecord(pC->pKeyInfo);
+ if( pIdxKey==0 ) goto no_mem;
+-assert( pIn3->flags & MEM_Blob );
+-(void)ExpandBlob(pIn3);
+ sqlite3VdbeRecordUnpack(pC->pKeyInfo, pIn3->n, pIn3->z, pIdxKey);
+   }
+   pIdxKey->default_rc = 0;
+   takeJump = 0;
+   if( pOp->opcode==OP_NoConflict ){
+
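Review bot: 36-OSS-Fuzz.patch has no header at all: no description, origin or link to the upstream check-in, although the request cites http://www.sqlite.org/src/info/c2de178fe7e2e4e0 for it. Adding DEP-3 Description and Origin fields would let the backport be checked against upstream. The reordering itself, with the return code of ExpandBlob(pIn3) checked before the unpacked record is allocated, reads correctly in the lines shown.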
diff -Nru sqlite3-3.16.2/debian/patches/40-JSON-1.patch sqlite3-3.16.2/debian/patches/40-JSON-1.patch
--- sqlite3-3.16.2/debian/patches/40-JSON-1.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/40-JSON-1.patch	2017-06-04 07:58:54.0 +
@@ -0,0 +1,205 @@
+Index: sqlite3/ext/misc/json1.c
+==
+--- sqlite3/ext/misc/json1.c
 sqlite3/ext/misc/json1.c
+@@ -726,17 +726,18 @@
+   char c;
+   u32 j;
+   int iThis;
+   int x;
+   JsonNode *pNode;
+-  while( safe_isspace(pParse->zJson[i]) ){ i++; }
+-  if( (c = pParse->zJson[i])=='{' ){
++  const char *z = pParse->zJson;
++  while( safe_isspace(z[i]) ){ i++; }
++  if( (c = z[i])=='{' ){
+ /* Parse object */
+ iThis = jsonParseAddNode(pParse, JSON_OBJECT, 0, 0);
+ if( iThis<0 ) return -1;
+ for(j=i+1;;j++){
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
++  while( safe_isspace(z[j]) ){ j++; }
+   x = jsonParseValue(pParse, j);
+   if( x<0 ){
+ if( x==(-2) && pParse->nNode==(u32)iThis+1 ) return j+1;
+ return -1;
+   }
+@@ -743,18 +744,18 @@
+   if( pParse->oom ) return -1;
+   pNode = >aNode[pParse->nNode-1];
+   if( pNode->eType!=JSON_STRING ) return -1;
+   pNode->jnFlags |= JNODE_LABEL;
+   j = x;
+-  while( safe_isspace(pParse->zJson[j]) ){ j++; }
+-  if( 
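Review bot: the substitution of pParse->zJson with the new local z in these lines is a refactor riding along with a bug-fix backport, which makes the 205-line patch harder to audit against the changelog's stated purpose (the JSON extension accepting invalid numeric values). As with the previous patch file there is no description or origin header; name the upstream check-in there so the change can be compared verbatim, or drop the rename from the stable patch.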

Bug#864028: unblock (pre-approval): flatpak/0.8.6-1

2017-06-05 Thread Simon McVittie
Control: retitle 864028 unblock (pre-approval): flatpak/0.8.6-1

> On Sat, 03 Jun 2017 at 12:47:30 +0100, Simon McVittie wrote:
> > The upstream developer is planning to release 0.8.6 at some point in the
> > near future, but for now here is an unblock request for the patchset that
> > would be in 0.8.6 if it was released today.

0.8.6 has now been released. It is identical to my proposed 0.8.5-3, other
than release stuff (configure.ac, NEWS), generated files and translations.

I attach an updated debdiff, with most of the generated bits filtered.

I suspect you're probably not going to want this for r0 at this point,
so I'll upload to unstable shortly to give it more visibility, with a
view to asking for a stretch-pu upload before r1. There is no new
public API, so that should be unproblematic.

Regards,
S
diffstat for flatpak-0.8.5 flatpak-0.8.6

 NEWS|   26 ++
 common/flatpak-dir.c|   70 +
 common/flatpak-run.c|  126 
 configure.ac|4 -
 dbus-proxy/flatpak-proxy.c  |2 
 debian/changelog|   27 ++
 document-portal/xdp-dbus.c  |   20 ++---
 document-portal/xdp-dbus.h  |2 
 lib/flatpak-version-macros.h|2 
 session-helper/flatpak-session-helper.c |2 
 tests/package_version.txt   |2 
 11 files changed, 222 insertions(+), 61 deletions(-)

diff -Nru --exclude configure --exclude po --exclude html flatpak-0.8.5/common/flatpak-dir.c flatpak-0.8.6/common/flatpak-dir.c
--- flatpak-0.8.5/common/flatpak-dir.c	2017-04-03 12:44:28.0 +0100
+++ flatpak-0.8.6/common/flatpak-dir.c	2017-06-05 13:45:47.0 +0100
@@ -3113,6 +3113,9 @@
   "X-Flatpak-Tags",
   (const char * const *) tags, length);
 }
+
+  /* Add a marker so consumers can easily find out that this launches a sandbox */
+  g_key_file_set_string (keyfile, "Desktop Entry", "X-Flatpak", app);
 }
 
   groups = g_key_file_get_groups (keyfile, NULL);
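Review bot: the comment on the new g_key_file_set_string() call says what the X-Flatpak key is for but not what its value is; it should state what app holds here, since consumers will read it. It is also worth saying in the comment or the documentation that the key is informational only: it is written into the exported desktop file and nothing in this hunk stops another desktop file from setting the same key, so consumers should not treat its presence as proof that the launched program is sandboxed.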
@@ -3408,21 +3411,33 @@
 GCancellable *cancellable,
 GError  **error)
 {
-  gboolean ret = FALSE;
+  const char *exported_subdirs[] = {
+"share/applications",  "../..",
+"share/icons", "../..",
+"share/dbus-1/services",   "../../.."
+  };
+  int i;
 
-  if (!flatpak_mkdir_p (destination, cancellable, error))
-goto out;
+  for (i = 0; i < G_N_ELEMENTS(exported_subdirs); i = i + 2)
+{
+  /* The fds are closed by this call */
+  g_autoptr(GFile) sub_source = g_file_resolve_relative_path (source, exported_subdirs[i]);
+  g_autoptr(GFile) sub_destination = g_file_resolve_relative_path (destination, exported_subdirs[i]);
+  g_autofree char *sub_symlink_prefix = g_build_filename (exported_subdirs[i+1], symlink_prefix, exported_subdirs[i], NULL);
 
-  /* The fds are closed by this call */
-  if (!export_dir (AT_FDCWD, flatpak_file_get_path_cached (source), symlink_prefix, "",
-   AT_FDCWD, flatpak_file_get_path_cached (destination),
-   cancellable, error))
-goto out;
+  if (!g_file_query_exists (sub_source, cancellable))
+continue;
 
-  ret = TRUE;
+  if (!flatpak_mkdir_p (sub_destination, cancellable, error))
+return FALSE;
 
-out:
-  return ret;
+  if (!export_dir (AT_FDCWD, flatpak_file_get_path_cached (sub_source), sub_symlink_prefix, "",
+   AT_FDCWD, flatpak_file_get_path_cached (sub_destination),
+   cancellable, error))
+return FALSE;
+}
+
+  return TRUE;
 }
 
 gboolean
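Review bot: exported_subdirs is a flat array of (subdirectory, relative prefix) pairs walked with `i = i + 2`, so an odd number of entries or a swapped pair would silently make exported_subdirs[i+1] refer to the wrong thing; a small struct array with named fields, declared static const, would make the pairing explicit. The relocated comment "The fds are closed by this call" now sits above the g_file_resolve_relative_path() declarations rather than the export_dir() call it describes and should move back down. A one-line comment stating that only these three subdirectories are exported would also help, since that is a behaviour change from exporting the whole source directory.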
@@ -7292,13 +7307,17 @@
  flatpak_repo_set_* () family of functions) */
   static const char *const supported_params[] = {
 "xa.title",
-"xa.default-branch", NULL
+"xa.default-branch",
+"xa.gpg-keys",
+"xa.redirect-url",
+NULL
   };
 
   g_autoptr(GVariant) summary = NULL;
   g_autoptr(GVariant) extensions = NULL;
   g_autoptr(GPtrArray) updated_params = NULL;
   GVariantIter iter;
+  g_autoptr(GBytes) gpg_keys = NULL;
 
   updated_params = g_ptr_array_new_with_free_func (g_free);
   summary = fetch_remote_summary_file (self, remote, cancellable, error);
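Review bot: adding "xa.gpg-keys" and "xa.redirect-url" to supported_params means values taken from the summary returned by fetch_remote_summary_file() can now change the remote's keys and its URL, which is a far more sensitive class of setting than xa.title or xa.default-branch. The lines shown do not indicate whether the summary's signature has been checked before these parameters are applied; please add a comment stating that precondition (or the check itself if it is missing), and document the two new keys alongside the existing ones.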
@@ -7315,14 +7334,31 @@
 
   while (g_variant_iter_next (, "{sv}", , _var))
 {
-  /* At the moment, every supported parameter are strings */
-  if (g_strv_contains (supported_params, key) &&
-  g_variant_get_type_string (value_var))
+  /* At the moment, every supported parameter except gpg-keys are strings */
+  if (strcmp (key, "xa.gpg-keys") == 0 &&
+  g_variant_is_of_type (value_var, G_VARIANT_TYPE_BYTESTRING))
+{
+  const guchar *gpg_data = g_variant_get_data 
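Review bot: the removed condition `g_variant_get_type_string (value_var)` returns a non-NULL pointer and so was always true, meaning the old code never checked the value's type. The new xa.gpg-keys branch correctly uses g_variant_is_of_type() with G_VARIANT_TYPE_BYTESTRING; the branch for the string parameters (cut off in this excerpt) should get the same treatment with G_VARIANT_TYPE_STRING rather than keeping the old test. The literal "xa.gpg-keys" is now spelled both in supported_params and in this strcmp(); a shared constant would keep the two in step.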

Processed: Re: Bug#864028: unblock (pre-approval): flatpak/0.8.6-1

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> retitle 864028 unblock (pre-approval): flatpak/0.8.6-1
Bug #864028 [release.debian.org] unblock (pre-approval): flatpak/0.8.5-3
Changed Bug title to 'unblock (pre-approval): flatpak/0.8.6-1' from 'unblock 
(pre-approval): flatpak/0.8.5-3'.

-- 
864028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#864233: unblock: linux/4.9.30-1

2017-06-05 Thread Axel Beckert
Hi,

Ben Hutchings wrote:
> This includes many important bug fixes, including security fixes.  It
> adds support for system reset on Malta boards, additional GPUs on
> ARM64 systems, and PL011 serial consoles on ARM64 systems.  It makes
> the efivarfs module available in the installer, which is important for
> supporting some x86 systems.
> 
> The debdiff would be too large for you to review, unfortunately.
> Instead, here are the changelog entries:
> 
> linux (4.9.30-1) unstable; urgency=medium

JFTR: This upload of linux 4.9.30-1 to unstable made at least one
package start to FTBFS in unstable, namely radvd. Please see
https://bugs.debian.org/864269 for details.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#863915: Please test webkit2gtk 2.16.3-2 with your packages for stretch now!

2017-06-05 Thread Jeremy Bicha
Please test your packages on stretch with webkit2gtk 2.16.3-2 which I
have requested to be unblocked for stretch this week. The current
version in stretch is 2.14.7-1. 2.16.3 is a new major release but it
is also a security release and the webkit2gtk developers try to be
careful to avoid regressions in new releases and fix regressions
quickly once informed of them.

A list of affected packages can be found at https://paste.debian.net/961084/

I suggest briefly enabling unstable in your sources.list and running
commands like this:
sudo apt update
sudo apt install gir1.2-webkit2-4.0
and then disable unstable again.

If you find any problems as a result of this update, please reply to
Debian bug #863915.

I do apologize for the lateness of this request, but it seems like it
would be better to do this major version bump now rather than for 9.1.

My intention is to try to package further webkit2gtk updates for
Debian 9 "stretch" until buster is released as the new stable release.
webkit2gtk has new major versions every March and September (like
GNOME) with periodic security and bugfix releases in between. These
new versions are being packaged in Ubuntu LTS and most other major
Linux distributions. For more details, see bug #863915.

Thank you,
Jeremy Bicha



Bug#864233: unblock: linux/4.9.30-1

2017-06-05 Thread Ben Hutchings
On Tue, 2017-06-06 at 01:29 +0200, Axel Beckert wrote:
> Hi,
> 
> Ben Hutchings wrote:
> > This includes many important bug fixes, including security fixes.  It
> > adds support for system reset on Malta boards, additional GPUs on
> > ARM64 systems, and PL011 serial consoles on ARM64 systems.  It makes
> > the efivarfs module available in the installer, which is important for
> > supporting some x86 systems.
> > 
> > The debdiff would be too large for you to review, unfortunately.
> > Instead, here are the changelog entries:
> > 
> > linux (4.9.30-1) unstable; urgency=medium
> 
> JFTR: This upload of linux 4.9.30-1 to unstable made at least one
> package start to FTBFS in unstable, namely radvd. Please see
> https://bugs.debian.org/864269 for details.

radvd's autoconf test for  has probably failed at least
since Linux 2.6.32 when I made sure the kernel headers would never
define struct sockaddr for userland:


But the conflict between  and  is far
older than that, so if the test ever passed it should have resulted in
this build failure.  I think that's a clear bug in radvd.  It should
use either one or the other, and I think the sensible thing is to use
 as it has been doing up until now.

Ben.

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug




Bug#864262: unblock: espeak-ng/1.49.0+dfsg-11

2017-06-05 Thread Cyril Brulebois
Hi,

Samuel Thibault  (2017-06-05):
> espeak-ng used to have overlapping speech synthesis issues (#848016):
> e.g. while moving fast in a list of items, the speech of each item would
> get mixed with the previous one, making it difficult or impossible to
> hear. We reduced the buffer size of espeak-ng from 200ms to 50ms to
> considerably reduce the issue.
> 
> However, the modified buffer size happened to break the use of mbrola
> voices (#860891), so we raised it a bit, from 50ms to 60ms, like
> upstream did, to fix that.
> 
> However, that brought back some of the overlapping issues, making it
> tedious to use...
> (https://lists.debian.org/debian-accessibility/2017/06/msg2.html)
> 
> I have thus uploaded a version -11 of espeak-ng (attached debdiff) which
> reduces it to 49ms, which avoids the overlapping regression, and which I
> have tested as working with all mbrola voices.
> 
> unblock espeak-ng/1.49.0+dfsg-11
> 
> This contains udebs, so Cc-ing KiBi for the udeb ack.

No objections, feel free to unblock & urgent ASAP.


KiBi.

