Bug#869854: nmu: restbed-4.0~dfsg1-4 on armel
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

It looks like restbed was rebuilt on all architectures except armel. Ring, which depends on restbed, fails to build on armel.

I could reproduce the build failure on a porter box. Then I rebuilt restbed and it solved the issue.

This is my first time doing this:

nmu restbed-4.0~dfsg1-4 . armel . -m 'Rebuild against ssl1.1'

Cheers <3

--
Alexandre Viau
av...@debian.org
Bug#864028: stretch-pu: package flatpak 0.8.7-1~deb9u1
Hi,

Now that stretch r1 is out, can this update be considered for r2?

Filtered diff (patched tree in security vs. what I propose) in https://lists.debian.org/debian-release/2017/07/msg00555.html aka https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028#57 aka Message-ID: <20170715163609.nemdxrefaeird...@perpetual.pseudorandom.co.uk>. Notes on the differences and what I filtered are in the same mail.

I would also be happy to add the equivalent of https://anonscm.debian.org/git/collab-maint/flatpak.git/diff/?id=debian/0.8.7-2=debian/0.8.7-1 to make this flatpak compatible with buster's libostree, if the SRMs would be OK with that; that would turn it into 0.8.7-2~deb9u1. The relevant commits will be in upstream release 0.8.8 eventually.

Thanks,
S
Bug#869920: stretch-pu: package whois/5.2.17+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu ICANN mandated a whois output change that broke the .com, .net, .jobs, .bz, .cc and .tv gTLDs, so we need a stable update. At the same time I would also like to fix support for 6to4 IP addresses, which I forgot to upload in time for the release. The other changes are just database updates. diff -Nru whois-5.2.15/debian/changelog whois-5.2.17+deb9u1/debian/changelog --- whois-5.2.15/debian/changelog 2017-02-27 00:37:41.0 +0100 +++ whois-5.2.17+deb9u1/debian/changelog2017-07-27 17:45:04.0 +0200 @@ -1,3 +1,32 @@ +whois (5.2.17+deb9u1) unstable; urgency=high + + * Rebuilt for stretch. + + -- Marco d'ItriThu, 27 Jul 2017 17:45:04 +0200 + +whois (5.2.17) unstable; urgency=high + + * Fixed whois referrals for .com, .net, .jobs, .bz, .cc and .tv, broken +by an ICANN-mandated output change: +https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en + * Added the .xn--2scrj9c (ಭಾರತ, India), .xn--3hcrj9c (ଭାରତ, India), +.xn--45br5cyl (ভাৰত, India), .xn--h2breg3eve (भारतम्, India), +.xn--h2brj9c8c (भारोत, India), .xn--mgbbh1a (ﺏﺍﺮﺗ, India), +.xn--mgbgu82a (ڀﺍﺮﺗ, India) and .xn--rvc1e0am3e (ഭാരതം, India) +TLD servers. + * Updated the list of new gTLDs. + * whois.1: fixed a typo. (Closes: #866742) + + -- Marco d'Itri Thu, 27 Jul 2017 17:08:47 +0200 + +whois (5.2.16) unstable; urgency=medium + + * Fixed parsing of 6to4 addresses broken in 5.2.15. + * Updated the .do TLD server. + * Updated the list of new gTLDs. + + -- Marco d'Itri Mon, 13 Mar 2017 01:40:38 +0100 + whois (5.2.15) unstable; urgency=medium * Updated the .gf and .mq TLD servers. diff -Nru whois-5.2.15/new_gtlds_list whois-5.2.17+deb9u1/new_gtlds_list --- whois-5.2.15/new_gtlds_list 2017-02-27 00:37:41.0 +0100 +++ whois-5.2.17+deb9u1/new_gtlds_list 2017-07-27 17:44:55.0 +0200 @@ -60,6 +60,7 @@ app apple aquarelle +arab aramco archi army 
@@ -333,6 +334,7 @@ esq estate esurance +etisalat eurovision eus events @@ -446,6 +448,7 @@ gratis green gripe +grocery group guardian gucci @@ -487,6 +490,7 @@ hosting hot hoteles +hotels hotmail house how @@ -635,6 +639,7 @@ man management mango +map market marketing markets @@ -655,6 +660,7 @@ men menu meo +merckmsd metlife miami microsoft @@ -768,6 +774,7 @@ pet pfizer pharmacy +phd philips phone photo @@ -855,6 +862,7 @@ rogers room rsvp +rugby ruhr run rwe @@ -890,6 +898,7 @@ scjohnson scor scot +search seat secure security @@ -1169,6 +1178,7 @@ xn--kput3i xn--mgba3a3ejt xn--mgba7c0bbn0a +xn--mgbaakc7dvf xn--mgbab2bd xn--mgbb9fbpob xn--mgbca7dzdo @@ -1178,6 +1188,7 @@ xn--mxtq1m xn--ngbc5azd xn--ngbe9e0a +xn--ngbrx xn--nqv7f xn--nqv7fs00ema xn--nyqy26a diff -Nru whois-5.2.15/tld_serv_list whois-5.2.17+deb9u1/tld_serv_list --- whois-5.2.15/tld_serv_list 2017-02-27 00:37:41.0 +0100 +++ whois-5.2.17+deb9u1/tld_serv_list 2017-07-27 17:44:55.0 +0200 @@ -127,7 +127,7 @@ .djWEB http://www.nic.dj/whois.php .dkwhois.dk-hostmaster.dk .dmwhois.nic.dm -.doWEB http://www.nic.do/whois-h.php3 +.dowhois.nic.do .dzwhois.nic.dz .ecwhois.nic.ec .eewhois.tld.ee @@ -183,7 +183,7 @@ .joWEB http://www.dns.jo/Whois.aspx .jpwhois.jprs.jp .kewhois.kenic.or.ke -.kgwhois.domain.kg +.kgwhois.kg .khNONE# http://www.trc.gov.kh/index.php/en/newsCategory/view?id=42_id=68 .kiwhois.nic.ki .kmNONE# www.domaine.km @@ -349,7 +349,10 @@ # AW means that I had to guess the whois server name, but I was not able # to find any registered subdomains to verify it. +.xn--2scrj9c whois.inregistry.net# India .xn--3e0b707e whois.kr# Korea, Republic of +.xn--3hcrj9c whois.inregistry.net# India +.xn--45br5cyl whois.inregistry.net# India .xn--45brj9c whois.inregistry.net# India, Bengali AW .xn--54b7fta0ccNONE# Bangladesh .xn--80ao21a whois.nic.kz# Kazakhstan 
@@ -364,6 +367,8 @@ .xn--fpcrj9c3d whois.inregistry.net# India, Telugu AW .xn--fzc2c9e2c whois.nic.lk# Sri Lanka, Sinhala .xn--gecrj9c whois.inregistry.net# India, Gujarati AW +.xn--h2breg3evewhois.inregistry.net# India +.xn--h2brj9c8c whois.inregistry.net# India .xn--h2brj9c whois.inregistry.net# India, Hindi AW .xn--j1amh whois.dotukr.com# Ukraine .xn--j6w193g whois.hkirc.hk # Hong Kong @@ -371,24 +376,27 @@ .xn--kpry57d whois.twnic.net.tw # Taiwan, Traditional Chinese .xn--l1acc NONE# Mongolia .xn--lgbbat1ad8j whois.nic.dz
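Review bot: The top debian/changelog entry, "whois (5.2.17+deb9u1) unstable; urgency=high", still names unstable as its distribution although its only item is "Rebuilt for stretch" and the request is tagged stretch-pu. The distribution field of that entry should read stretch so that it matches the suite this update is proposed for.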
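Review bot: The tld_serv_list hunk at -183,7 changes the .kg server from whois.domain.kg to whois.kg, but none of the three new changelog entries mentions it; only the .do change has a matching line ("Updated the .do TLD server." in 5.2.16). Since the request describes the remaining changes as database updates, a changelog line for .kg would let the release team match every changed server to a stated reason.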
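Review bot: The India IDN entries added to tld_serv_list (.xn--2scrj9c, .xn--3hcrj9c, .xn--45br5cyl, .xn--h2breg3eve, .xn--h2brj9c8c) are annotated only with "# India", while the neighbouring entries name the script and carry the AW marker, for example "# India, Bengali AW". The file's own comment defines AW as a server name that was guessed and could not be verified, so please either add the script name and AW where whois.inregistry.net was guessed, or state that these servers were verified.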
Bug#869956: transition: libevent 2.1.8-stable-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Block: -1 by 869900 869902 869951

Dear Release Team,

I would like to upload libevent 2.1.8-stable to unstable.

Test rebuild in Debian revealed 3 reverse build dependencies which FTBFS and I filed bugs against them linking to the build logs [1].

Test rebuild in Ubuntu showed similar results with a few unrelated build failures [2].

Thanks,
Balint

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libevent-20170726=rbalint%40ubuntu.com;dist=unstable
[2] https://launchpad.net/~rbalint/+archive/ubuntu/libevent-2.1/+packages

--
Balint Reczey
Debian & Ubuntu Developer
Bug#869949: jessie-pu: package ipsec-tools/1:0.8.2+20140711-2+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update ipsec-tools in the next oldstable point release to address a security vulnerability in which a remote unauthenticated attacker could cause racoon to exhaust CPU resources resulting in a denial-of-service. Because the issue has been known for some time, the security team does not feel that this warrants a DSA. Instead it should be updated via (old)stable-updates. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 for details.

Note also that I already uploaded a package targeting stable-updates without prior approval. Apologies for getting the process wrong in that case.

debdiff is attached. The diffstat is:

changelog|6 ++
patches/CVE-2016-10396.patch | 201
patches/series |1
3 files changed, 208 insertions(+)

Thanks
noah

diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog ipsec-tools-0.8.2+20140711/debian/changelog --- ipsec-tools-0.8.2+20140711/debian/changelog 2015-05-22 01:03:06.0 -0700 +++ ipsec-tools-0.8.2+20140711/debian/changelog 2017-07-27 14:37:54.0 -0700 @@ -1,3 +1,9 @@ +ipsec-tools (1:0.8.2+20140711-2+deb8u2) oldstable; urgency=medium + + * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986) + + -- Noah MeyerhansThu, 27 Jul 2017 14:37:54 -0700 + ipsec-tools (1:0.8.2+20140711-2+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch --- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 1969-12-31 16:00:00.0 -0800 +++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 2017-07-27 14:37:54.0 -0700 
@@ -0,0 +1,201 @@ +Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 +Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 +Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 + +Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c +=== +--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c pkg-ipsec-tools/src/racoon/isakmp_frag.c +@@ -1,4 +1,4 @@ +-/*$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ ++/*$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ + + /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ + +@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) + return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + } + ++static int ++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) ++{ ++ struct isakmp_frag_item *pitem = NULL; ++ struct isakmp_frag_item *citem = iph1->frag_chain; ++ ++ /* no frag yet, just insert at beginning of list */ ++ if (iph1->frag_chain == NULL) { ++ iph1->frag_chain = item; ++ return 0; ++ } ++ ++ do { ++ /* duplicate fragment number, abort (CVE-2016-10396) */ ++ if (citem->frag_num == item->frag_num) ++ return -1; ++ ++ /* need to insert before current item */ ++ if (citem->frag_num > item->frag_num) { ++ if (pitem != NULL) ++ pitem->frag_next = item; ++ else ++ /* insert at the beginning of the list */ ++ iph1->frag_chain = item; ++ item->frag_next = citem; ++ return 0; ++ } ++ ++ pitem = citem; ++ citem = citem->frag_next; ++ } while (citem != NULL); ++ ++ /* we reached the end of the list, insert */ ++ pitem->frag_next = item; ++ return 0; ++} ++ + int + isakmp_frag_extract(iph1, msg) + struct ph1handle *iph1; +@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) + item->frag_next = NULL; + item->frag_packet = buf; + +- /* Look for the last frag while inserting the new item in the chain */ +- if (item->frag_last) +- last_frag = item->frag_num; ++ /* Check for the last frag before 
inserting the new item in the chain */ ++ if (item->frag_last) { ++ /* if we have the last fragment, indices must match */ ++ if (iph1->frag_last_index != 0 && ++ item->frag_last != iph1->frag_last_index) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated last fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; ++
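Review bot: The new debian/changelog entry is versioned 1:0.8.2+20140711-2+deb8u2, while the request subject names 1:0.8.2+20140711-2+deb8u1, which is the version of the existing jessie-security entry directly below it. The subject should be corrected so that the approval refers to the upload actually proposed. The entry also targets "oldstable"; the codename jessie would keep the target unambiguous and match the codename-based "jessie-security" in the entry beneath it.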
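Review bot: isakmp_frag_insert() returns -1 on a duplicate frag_num without linking or freeing item, so ownership stays with the caller, and nothing in the function documents that. The call site is outside the visible part of the patch; it needs to release both item and buf on -1, as the "Repeated last fragment index mismatch" path does with racoon_free(item) and vfree(buf). A short comment above the function stating that contract would make the error path easier to audit.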
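Review bot: In the isakmp_frag_extract() hunk, the new test "item->frag_last != iph1->frag_last_index" compares frag_last with an index, yet the comment above it says "indices must match" and the removed code used frag_last only as a flag ("if (item->frag_last) last_frag = item->frag_num;"). If frag_last holds the last-fragment flag rather than a fragment number, the comparison should use item->frag_num instead; please confirm against the struct definition, which is not part of the visible diff.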
NEW changes in stable-new
Processing changes file: enigmail_1.9.8.1-1~deb9u1_amd64.changes REJECT