NEW changes in stable-new
Processing changes file: mpv_0.23.0-2+deb9u1_source.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_all.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_amd64.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_arm64.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_armel.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_armhf.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_i386.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_mips.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_mips64el.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_mipsel.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_ppc64el.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u1_s390x.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_amd64.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_arm64.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_armel.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_armhf.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_i386.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_mips.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_mips64el.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_mipsel.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_ppc64el.changes ACCEPT Processing changes file: mpv_0.23.0-2+deb9u2_s390x.changes ACCEPT Processing changes file: ruby-omniauth_1.3.1-1+deb9u1_amd64.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_amd64.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_arm64.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_armel.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_armhf.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_i386.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_mips.changes ACCEPT Processing changes 
file: thunderbird_52.5.2-2~deb9u1_mips64el.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_mipsel.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_ppc64el.changes ACCEPT Processing changes file: thunderbird_52.5.2-2~deb9u1_s390x.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_amd64.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_arm64.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_armel.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_armhf.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_i386.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_mips.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_mips64el.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_mipsel.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_ppc64el.changes ACCEPT Processing changes file: thunderbird_52.6.0-1~deb9u1_s390x.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_amd64.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_arm64.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_armel.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_armhf.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_i386.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_mips.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_mipsel.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_powerpc.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_ppc64el.changes ACCEPT Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_s390x.changes ACCEPT Processing changes file: awstats_7.2+dfsg-1+deb8u1_amd64.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_multi.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_amd64.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_arm64.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_armel.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_armhf.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_i386.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_mips.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_mipsel.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_powerpc.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_ppc64el.changes ACCEPT Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_s390x.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_amd64.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_arm64.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_armel.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_armhf.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_i386.changes ACCEPT Processing 
changes file: curl_7.38.0-4+deb8u9_mips.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_mipsel.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_powerpc.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_ppc64el.changes ACCEPT Processing changes file: curl_7.38.0-4+deb8u9_s390x.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_amd64.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_arm64.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_armel.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_armhf.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_i386.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_mips.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_mipsel.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_powerpc.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_ppc64el.changes ACCEPT Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_s390x.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_amd64.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_arm64.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_armel.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_armhf.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_i386.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_mips.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_mipsel.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_powerpc.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_ppc64el.changes ACCEPT Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_s390x.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_amd64.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_arm64.changes ACCEPT Processing changes file: 
gifsicle_1.86-1+deb8u1_armel.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_armhf.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_i386.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_mips.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_mipsel.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_powerpc.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_ppc64el.changes ACCEPT Processing changes file: gifsicle_1.86-1+deb8u1_s390x.changes ACCEPT Processing changes file: gimp_2.8.14-1+deb8u2_allonly.changes ACCEPT Processing changes file: gimp_2.8.14-1+deb8u2_amd64.changes ACCEPT Processing changes file: gimp_2.8.14-1+deb8u2_arm64.changes ACCEPT Processing changes file: gimp_2.8.14-1+deb8u2_armel.changes ACCEPT Processing changes file: gimp_2.8.14-1+deb8u2_armhf.changes ACCEPT
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_mips64el.changes ACCEPT
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_armel.changes ACCEPT
Bug#884711: stretch-pu: package dpdk/16.11.4-1+deb9u1
Control: tags -1 confirmed On Sun, Jan 14, 2018 at 20:14:14 +, Luca Boccassi wrote: > Thank you for the review, I have reworked the debdiff - rather than > taking the last 16.11.x version we uploaded in Sid and reverting a few > changes, instead I've taken the version in Stretch and merged the LTS > point releases and a couple of small changes, details below. > Great, thanks. Go ahead and upload to stretch. Cheers, Julien
Processed: Re: Bug#884711: stretch-pu: package dpdk/16.11.4-1+deb9u1
Processing control commands: > tags -1 confirmed Bug #884711 [release.debian.org] stretch-pu: package dpdk/16.11.4-1+deb9u1 Added tag(s) confirmed. -- 884711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884711 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Control: tag -1 confirmed On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote: > I would like to submit to your consideration an update to ntopng in > stretch. > > The main bug that triggered this upload is #856048, which causes the > user management and preferences section of the web interface to > be unusable. > > The fix is already in version 2.4+dfsg1-4 in unstable. > > There are three additional important issues from 2.4+dfsg1-4 that I > think it would make sense to include: > - #859653 which causes ntopng to crash if the mysql backend is selected. > This change only affects mysql users. On the other hand, it is an > obvious use-after-free and out-of-bounds memory access issue. > - #866721 and #866719, which are security-related issues. Do you want > me to reach out to the security team about these first? Do we need to > treat the whole update as a security one instead, or split it? > Assuming this has been properly tested in a stretch environment, please go ahead and upload. Cheers, Julien
Bug#885184: stretch-pu: package agenda.app/0.42.2-1+deb9u1
Control: tag -1 confirmed On Mon, Dec 25, 2017 at 22:53:57 +0200, Yavor Doganov wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > Hi SRMs, > > Would you approve an update for agenda.app to fix #884098? > Proposed change was tested on a stretch machine; debdiff attached. > OK, go ahead. Cheers, Julien
Processed: Re: Bug#885184: stretch-pu: package agenda.app/0.42.2-1+deb9u1
Processing control commands: > tag -1 confirmed Bug #885184 [release.debian.org] stretch-pu: package agenda.app/0.42.2-1+deb9u1 Added tag(s) confirmed. -- 885184: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885184 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#882821: stretch-pu: package cerealizer/0.8.1-2~deb9u1
Control: tag -1 confirmed On Sun, Jan 14, 2018 at 10:57:12 +0100, Andreas Beckmann wrote: > Followup-For: Bug #882821 > Control: retitle -1 stretch-pu: package cerealizer/0.8.1-1+deb9u1 > Control: tag -1 - moreinfo > > Attached is a new debdiff without the git-dpm noise. > OK, go ahead. Cheers, Julien
Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1
Control: tag -1 confirmed On Sun, Jan 14, 2018 at 10:42:33 +0100, Andreas Beckmann wrote: > Followup-For: Bug #883959 > Control: retitle -1 stretch-pu: package cappuccino/0.5.1-6+deb9u1 > Control: tag -1 - moreinfo > > New patch without the /usr/games/cappuccino symlink addition. > Thanks, go ahead. Cheers, Julien
Processed: Re: Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1
Processing control commands: > tag -1 confirmed Bug #883959 [release.debian.org] stretch-pu: package cappuccino/0.5.1-6+deb9u1 Added tag(s) confirmed. -- 883959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883959 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1
Processing control commands: > tag -1 confirmed Bug #885531 [release.debian.org] stretch-pu: package soundtouch/1.9.2-2+deb9u1 Added tag(s) confirmed. -- 885531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885531 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1
Control: tag -1 confirmed On Wed, Dec 27, 2017 at 17:14:59 +, James Cowgill wrote: > This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, > and #870857. I have tested the package on stretch and with the attached > debdiff, soundstretch still works and the proof of concepts for the 3 > security issues behave correctly now. > > The patch under debian/patches uses DOS line endings because the file it > modifies also uses DOS line endings. > Go ahead, thanks. Cheers, Julien
Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b
Control: tags -1 + confirmed On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote: > I've prepared an update for libdatetime-timezone-perl in stretch, > incorporating the tzdata 2018b release. The changes are in a quilt > patch which only touches the data files. Please go ahead. I'd been holding off in the hope that it would become clearer what was happening with a tzdata upload and whether we needed 2018c after all, but as I appear to have dropped the ball there a little, let's at least get on with this upload. Sorry for the delay. Regards, Adam
Processed: Re: Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b
Processing control commands: > tags -1 + confirmed Bug #888019 [release.debian.org] jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b Added tag(s) confirmed. -- 888019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888019 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b
Control: tags -1 + confirmed On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote: > I've prepared an update for libdatetime-timezone-perl in jessie, > incorporating the tzdata 2018b release. The changes are in a quilt > patch which only touches the data files. > Please go ahead. Regards, Adam
Processed: Re: Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b
Processing control commands: > tags -1 + confirmed Bug #888018 [release.debian.org] stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b Added tag(s) confirmed. -- 888018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888018 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1
On Sat, Feb 10, 2018 at 09:39:09AM +0100, Julien Cristau wrote: > OK, please go ahead. Thanks, uploaded. -- Valentin
Bug#882815: stretch-pu: package exam/0.10.5-2~deb9u1
Control: tag -1 confirmed On Sun, Jan 14, 2018 at 12:34:00 +0100, Andreas Beckmann wrote: > diff -Nru exam-0.10.5/debian/changelog exam-0.10.5/debian/changelog > --- exam-0.10.5/debian/changelog 2016-06-14 19:54:12.0 +0200 > +++ exam-0.10.5/debian/changelog 2017-07-08 05:47:09.0 +0200 > @@ -1,3 +1,19 @@ > +exam (0.10.5-1+deb9u1) stretch; urgency=medium > + > + [ Andreas Beckmann ] > + * Non-maintainer upload. > + * Backport fixes from 0.10.5-2 to stretch. > + > + [ Scott Kitterman ] > + * Correct Vcs-* fields in debian/control to point to the correct package > +name > + * Use correct substitution varial for python3-exam so python3 interpreter "variable" :) > +depends are correctly generated (Closes: #867404) > + * Let dh_python determine the mock depends (corrects issue where python- > +exam incorrectly depended on python-mock instead of python3-mock) > + > + -- Scott KittermanFri, 07 Jul 2017 23:47:09 -0400 > + > exam (0.10.5-1) unstable; urgency=low > >* Initial release. (Closes: #825822) Go ahead. Cheers, Julien
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Control: tag -1 moreinfo On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote: > +Description: Fix for CVE-207-9868. > +Author: Roger Light> +Forwarded: not-needed > +Origin: upstream, > https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch > +--- a/src/persist.c > b/src/persist.c > +@@ -362,6 +362,10 @@ > + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving > in-memory database, out of memory."); > + return MOSQ_ERR_NOMEM; > + } > ++ > ++/* Restrict access to persistence file. */ > ++umask(0077); > ++ > + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); > + outfile[len] = '\0'; > + Is this likely to negatively affect other files the application might create? Cheers, Julien
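Review bot: The added `umask(0077);` only takes effect when a file is created, so a `.new` file left over from an earlier run with wider permissions would keep them. How the file is opened is outside the quoted hunk, so this is inferred. If it is opened with truncation rather than created exclusively, setting the mode on the open descriptor as well, e.g. `fchmod(fd, 0600)`, would cover that case. Separately, the patch's Description field reads `CVE-207-9868` while the Origin URL has `2017-9868`, so a search of debian/patches for the CVE id would miss this file.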
Processed: Re: Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Processing control commands: > tag -1 moreinfo Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1 Added tag(s) moreinfo. -- 885027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885027 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#884109: stretch-pu: package mariadb-10.1/10.1.29-0+deb9u1
Processing control commands: > tag -1 moreinfo Bug #884109 [release.debian.org] stretch-pu: package mariadb-10.1/10.1.29-0+deb9u1 Added tag(s) moreinfo. -- 884109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884109 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#884109: stretch-pu: package mariadb-10.1/10.1.29-0+deb9u1
Control: tag -1 moreinfo Hi Ondřej, On Mon, Dec 11, 2017 at 14:22:03 +, Ondřej Surý wrote: > this is stretch-pu for mariadb-10.1.29 upstream release and couple of > fixes that creeped in stretch version just before freeze. > > Fixes: > > * #875708 - Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix > mytop > ok > * Failing non-release archs were added to the list of architectures that are > allowed > to fail test > that doesn't sound necessary in stable? harmless though, so probably ok. > * mips64el was added to a list of other mips* platforms allowed to fail the > tests > That's a bit confusing, where did the mips64el binaries we do have come from if tests are expected to fail? > * I reverted upstream decision to use embedded pcre3 library as we > need to fix #878107 and #876299 in jessie and stretch too > Is there a plan for doing this? I'm not seeing a pu request for pcre3. > Upstream: > > * There's couple of minor security fixes that doesn't warrant security > update, but it should be updated nevertheless (this this pu request). > > I'll send the debdiff in a reply to this email, so this message reaches the > list. > I'm seeing quite a bunch of patch noise, including dropping patch descriptions (and authorship), which seems less than helpful. Can we please not? Cheers, Julien
Bug#885617: stretch-pu: package libextractor/1:1.3-4
Control: tag -1 moreinfo On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote: > diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch > libextractor-1.3/debian/patches/CVE-2017-15600.patch > --- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 > 01:00:00.0 +0100 > +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 > 11:39:33.0 +0100 > @@ -0,0 +1,29 @@ > +From: Bertrand Marc, Markus Koschany > +Subject: CVE-2017-15600 > + > +Bug-Upstream: > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg4.html > +Origin: > https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 > +--- a/src/plugins/nsf_extractor.c > b/src/plugins/nsf_extractor.c > +@@ -152,13 +152,17 @@ > + char nsfversion[32]; > + const struct header *head; > + void *data; > ++ ssize_t ds; > + > +- if (sizeof (struct header) > > +- ec->read (ec->cls, > +-, > +-sizeof (struct header))) > ++ ds = ec->read (ec->cls, > ++ , > ++ sizeof (struct header)); > ++ if ( (-1 == ds) || > ++ (sizeof (struct header) > ds) ) > + return; > + head = data; > ++ if (NULL == head) > ++return 0; > + Curious how that works. 3 lines above is plain "return", and here "return 0". What's the type of that function and how did the compiler not flag this? Cheers, Julien
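Review bot: In the new guard `(sizeof (struct header) > ds)` the signed `ds` is converted to an unsigned type for the comparison, so the check relies on the separate `-1 == ds` test, and any other negative return from `ec->read` would pass it. Comparing in the signed domain covers both cases in one test: `if (ds < (ssize_t) sizeof (struct header)) return;`. The function starts and ends outside the quoted hunk.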
Processed: Re: Bug#885617: stretch-pu: package libextractor/1:1.3-4
Processing control commands: > tag -1 moreinfo Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4 Added tag(s) moreinfo. -- 885617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885617 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1
Processing control commands: > tag -1 moreinfo Bug #886146 [release.debian.org] stretch-pu: package sqlcipher/3.2.0-2+deb9u1 Added tag(s) moreinfo. -- 886146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886146 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1
Control: tag -1 moreinfo On Tue, Jan 2, 2018 at 17:59:07 +0100, Gianfranco Costamagna wrote: > +sqlcipher (3.2.0-2+deb9u1) stretch; urgency=medium > + > + [ Philipp Berger ] > + * Fixup previous patch, to avoid a crash when opening file > +(Closes: #863530) > + That bug is still open, implying it still affects sid? Cheers, Julien
Bug#889937: transition: libminiupnpc
Control: tags -1 confirmed Control: block -1 with 889055 889059 On 08/02/18 23:56, Thomas Goirand wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > > Dear release team, > > libminiupnpc16 is now in Experimental. I tried rebuilding all reverse > dependencies, which are: > > * 0ad > * bitcoin > * classified-ads > * dogecoin > * dolphin-emu > * eiskaltdcpp > * i2pd > * litecoin > * megaglest > * sushi > * swift-im > * transmission > * warzone2100 > > Out of this, eiskaltdcpp and bitcoin failed to build for apparently > unrelated issues, and for the 3rd one swift-im, I filed a bug: > https://bugs.debian.org/889062 bitcoin and swift-im are not in testing, so no big deal wrt the transition. Please file a bug for eiskaltdcpp. > 2 reverse dependencies seemed to have libminiupnpc upgrade issues, > and I fied bugs against them: > > sushi-1.4.0+git20160822+dfsg https://bugs.debian.org/889055 > warzone2100 3.2.1-2: https://bugs.debian.org/889059 > > I do have proposed patches from upstream, which basically means > doing this: > > #if defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 14) > miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0, 0, 2, ); /* use > default TTL of 2 */ > #elif defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 8) > miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0, 0, ); > #elif defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 3) > miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0); > #else > miniupnpc_dev = upnpDiscover(3000, NULL, NULL); > #endif > > which seems fairly easy to fix in both sushi and warzone2100, and both > of which has been documented in the bug reports by upstream. > > Therefore, I think it's time to request for a transition slot. Please > let me know when I can upload miniupnpc to Sid. Please go ahead. Emilio
Processed: Re: Bug#889937: transition: libminiupnpc
Processing control commands: > tags -1 confirmed Bug #889937 [release.debian.org] transition: libminiupnpc Added tag(s) confirmed. > block -1 with 889055 889059 Bug #889937 [release.debian.org] transition: libminiupnpc 889937 was not blocked by any bugs. 889937 was not blocking any bugs. Added blocking bug(s) of 889937: 889055 and 889059 -- 889937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889937 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
wanna-build access for binNMUs
On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote: > On 30/01/18 08:54, Michael Stapelberg wrote: > > This would also be very helpful for fixing security issue #888777. > > You need to talk to the wanna-build team if you want to be able to schedule > binNMUs for your language rebuilds, just like the ocaml and haskell teams do. > FWIW I disagree, I think this is something the wanna-build team has essentially delegated to release, so getting people on board is a shared thing between those two teams rather than solely a w-b thing. It happens once every few years though so there isn't really a process to vet people. Cheers, Julien
Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1
Control: tag -1 confirmed On Tue, Oct 3, 2017 at 10:44:18 +0200, Valentin Vidic wrote: > Attached diff fixes an upgrade issue reported in #876195: > ocfs2 services are not started on boot after upgrade > because the service links were not automatically > migrated from /etc/rcS.d to /etc/rc2.d. > > Please approve upload to stretch-pu. > OK, please go ahead. Cheers, Julien
Processed: Re: Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1
Processing control commands: > tag -1 confirmed Bug #877593 [release.debian.org] stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1 Added tag(s) confirmed. -- 877593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877593 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2
Processing control commands: > tag -1 confirmed Bug #884606 [release.debian.org] stretch-pu: package espeakup/1:0.80-5+b2 Added tag(s) confirmed. -- 884606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884606 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#885582: stretch-pu: package ncurses/6.0+20161126-1+deb9u2
Processing control commands: > tag -1 moreinfo Bug #885582 [release.debian.org] stretch-pu: package ncurses/6.0+20161126-1+deb9u2 Added tag(s) moreinfo. -- 885582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885582 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#885582: stretch-pu: package ncurses/6.0+20161126-1+deb9u2
Control: tag -1 moreinfo On Thu, Dec 28, 2017 at 11:34:33 +0100, Sven Joachim wrote: > Package: release.debian.org > Severity: normal > Tags: stretch d-i > User: release.debian@packages.debian.org > Usertags: pu > > I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer > overflow in the _nc_write_entry function. > > While this touches the tinfo library used in the installer, > _nc_write_entry() is only used by tic as far as I am aware. > Thanks, go ahead. [...] > +--- a/ncurses/tinfo/write_entry.c > b/ncurses/tinfo/write_entry.c > +@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp) > + #endif > + #endif /* USE_SYMLINKS */ > + > ++unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN); > ++char saved = '\0'; > ++ > + static int call_count; > + static time_t start_time; /* time at start of writes */ > + > +@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp) > + start_time = 0; > + } > + > +-if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) > ++if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) { kind of curious that limit2 wasn't used here... > + _nc_warning("terminal name too long."); > ++saved = first_name[limit2]; > ++first_name[limit2] = '\0'; > ++} > + > + _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename)) > + LEAF_FMT "/%s", first_name[0], first_name); > + > ++if (saved) > ++first_name[limit2] = saved; > ++ > + /* > + * Has this primary name been written since the first call to > + * write_entry()? If so, the newer write will step on the older, Cheers, Julien
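Review bot: The truncation is done by writing a NUL into the caller's `first_name` buffer and restoring it after `_nc_SPRINTF`, which depends on that buffer being writable and on nothing else reading it in between. Bounding the copy in the format string leaves the input untouched: `LEAF_FMT "/%.*s", first_name[0], (int) limit2, first_name`, after which `saved` is not needed. A short comment on `limit2` would also help, saying that it is the longest name that still fits in `filename` after the leaf directory, the separator and the terminator. `_nc_write_entry` continues outside the quoted hunks.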
Re: wanna-build access for binNMUs
On 10/02/18 09:26, Julien Cristau wrote: > On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote: > >> On 30/01/18 08:54, Michael Stapelberg wrote: >>> This would also be very helpful for fixing security issue #888777. >> >> You need to talk to the wanna-build team if you want to be able to schedule >> binNMUs for your language rebuilds, just like the ocaml and haskell teams do. >> > FWIW I disagree, I think this is something the wanna-build team has > essentially delegated to release, so getting people on board is a shared > thing between those two teams rather than solely a w-b thing. It > happens once every few years though so there isn't really a process to > vet people. Ack. I wasn't around when this last happened, so I didn't quite know the procedure. Cheers, Emilio
Processed: Re: Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1
Processing control commands: > tag -1 moreinfo Bug #886326 [release.debian.org] stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1 Added tag(s) moreinfo. -- 886326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886326 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1
Control: tag -1 moreinfo On Thu, Jan 4, 2018 at 21:51:12 +0800, Boyuan Yang wrote: > After adoption of package zssh, I'm looking to fix the RC bug #769366 in > Debian Stretch. > A simple rebuild solved the problem, thus requesting a pre-approval from the > release team. > What is the issue and how does a rebuild solve it? Thanks, Julien
Processed: Re: Bug#882815: stretch-pu: package exam/0.10.5-2~deb9u1
Processing control commands: > tag -1 confirmed Bug #882815 [release.debian.org] stretch-pu: package exam/0.10.5-1+deb9u1 Added tag(s) confirmed. -- 882815: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882815 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#885069: stretch-pu: package open-iscsi/2.0.874-3~deb9u1
Processing control commands: > tag -1 moreinfo Bug #885069 [release.debian.org] stretch-pu: package open-iscsi/2.0.874-3~deb9u1 Added tag(s) moreinfo. -- 885069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885069 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#885069: stretch-pu: package open-iscsi/2.0.874-3~deb9u1
Control: tag -1 moreinfo On Sat, Dec 23, 2017 at 13:40:43 +0100, Christian Seiler wrote: > diff -Nru > open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch > > open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch > --- > open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch > 1970-01-01 01:00:00.0 +0100 > +++ > open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch > 2017-12-23 13:09:13.0 +0100 
> @@ -0,0 +1,122 @@ > +From e313bd648a4c8a9526421e270eb597a5de1e0c7f Mon Sep 17 00:00:00 2001 > +From: Lee Duncan> +Date: Fri, 15 Dec 2017 10:36:11 -0800 > +Subject: [PATCH 1/8] Check for root peer user for iscsiuio IPC > + > +This fixes a possible vulnerability where a non-root > +process could connect with iscsiuio. Fouund by Qualsys. > +--- > + iscsiuio/src/unix/Makefile.am | 3 ++- > + iscsiuio/src/unix/iscsid_ipc.c | 47 > ++ > + 2 files changed, 49 insertions(+), 1 deletion(-) > + [...] > +@@ -1029,6 +1035,40 @@ static void iscsid_loop_close(void *arg) > + LOG_INFO(PFX "iSCSI daemon socket closed"); > + } > + > ++/* > ++ * check that the peer user is privilidged > ++ * This function doesn't actually do that. > ++ * return 1 if peer is ok else 0 > ++ * > ++ * XXX: this function is copied from iscsid_ipc.c and should be > ++ * moved into a common library > ++ */ > ++static int > ++mgmt_peeruser(int sock, char *user) > ++{ > ++struct ucred peercred; > ++socklen_t so_len = sizeof(peercred); > ++struct passwd *pass; > ++ > ++errno = 0; > ++if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, , > ++_len) != 0 || so_len != sizeof(peercred)) { > ++/* We didn't get a valid credentials struct. 
*/ > ++LOG_ERR(PFX "peeruser_unux: error receiving credentials: %m"); > ++return 0; > ++} > ++ > ++pass = getpwuid(peercred.uid); > ++if (pass == NULL) { > ++LOG_ERR(PFX "peeruser_unix: unknown local user with uid %d", > ++(int) peercred.uid); > ++return 0; > ++} > ++ > ++strlcpy(user, pass->pw_name, PEERUSER_MAX); > ++return 1; > ++} > ++ > + /** > + * iscsid_loop() - This is the function which will process the broadcast > + * messages from iscsid > +@@ -1038,6 +1078,7 @@ static void *iscsid_loop(void *arg) > + { > + int rc; > + sigset_t set; > ++char user[PEERUSER_MAX]; > + > + pthread_cleanup_push(iscsid_loop_close, arg); > + > +@@ -1077,6 +1118,12 @@ static void *iscsid_loop(void *arg) > + continue; > + } > + > ++if (!mgmt_peeruser(iscsid_opts.fd, user) || strncmp(user, > "root", PEERUSER_MAX)) { > ++close(s2); > ++LOG_ERR(PFX "Access error: non-administrative > connection rejected"); > ++break; > ++} > ++ > + process_iscsid_broadcast(s2); > + close(s2); > + } The above makes little sense to me. We find out the peer uid, then instead of just comparing that against 0 we turn it into a struct passwd and compare pw_name against "root". Why? Cheers, Julien
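Review bot: The credential check added to `iscsid_loop` queries `iscsid_opts.fd`, while the connection that is then processed and closed is `s2`. If `iscsid_opts.fd` is the listening socket (the `accept` call is outside the quoted hunk), `SO_PEERCRED` on it does not describe the connecting process and the check gates nothing. Passing the accepted descriptor looks like what is intended: `if (!mgmt_peeruser(s2, user) || strncmp(user, "root", PEERUSER_MAX)) {`. The rejection path also ends in `break`, which leaves the loop after a single rejected connection, where the preceding error path uses `continue`. The header comment on `mgmt_peeruser` still says "This function doesn't actually do that" and should instead state that the peer's user name is returned in `user`.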
Processed: Re: Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Processing control commands: > tag -1 confirmed Bug #885183 [release.debian.org] stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1 Added tag(s) confirmed. -- 885183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885183 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#882821: stretch-pu: package cerealizer/0.8.1-2~deb9u1
Processing control commands: > tag -1 confirmed Bug #882821 [release.debian.org] stretch-pu: package cerealizer/0.8.1-1+deb9u1 Added tag(s) confirmed. -- 882821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882821 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#882824: stretch-pu: package python-arpy/1.1.1-3~deb9u1
Control: tag -1 moreinfo On Mon, Nov 27, 2017 at 03:01:48 +0100, Andreas Beckmann wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > Let's fix the python3 dependencies. #867418 > > There is some metadata noise by just rebuilding the package from sid. > And there is a lot of file movement noise in the python-arpy caused by > rebuilding a 4 year old package in stretch: > > $ debdiff python-arpy_1.1.1-2_all.deb python-arpy_1.1.1-3~deb9u1_all.deb > [The following lists of changes regard files as different if they have > different names, permissions or owners.] > I'm not convinced this is worth the churn. I can see it for a program, but for libraries what's the likelihood anyone's actually going to run into the bug? Cheers, Julien
Processed: Re: Bug#882824: stretch-pu: package python-arpy/1.1.1-3~deb9u1
Processing control commands: > tag -1 moreinfo Bug #882824 [release.debian.org] stretch-pu: package python-arpy/1.1.1-3~deb9u1 Added tag(s) moreinfo. -- 882824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882824 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_amd64.changes ACCEPT
Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2
Control: tag -1 confirmed On Thu, Dec 21, 2017 at 15:44:56 +0100, Samuel Thibault wrote: > Samuel Thibault, on jeu. 21 déc. 2017 15:42:13 +0100, wrote: > > Cyril Brulebois, on jeu. 21 déc. 2017 15:37:00 +0100, wrote: > > > I don't think that's an issue with cherry-picking the relevant commit, > > > since it doesn't seem to contain any indications the default voice is > > > getting set to English? > > > > IIRC I had issues without it, so it was on purpose, and just missed > > documenting it. > > Here is the fixed patch. If kibi's happy, I'm happy. Go ahead and upload. Cheers, Julien
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Thanks for taking a look at this. The application only creates this file and log files, so I don't believe it should have any other impact. Regards, Roger On 10 February 2018 at 09:07, Julien Cristauwrote: > Control: tag -1 moreinfo > > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote: > >> +Description: Fix for CVE-207-9868. >> +Author: Roger Light >> +Forwarded: not-needed >> +Origin: upstream, >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch >> +--- a/src/persist.c >> b/src/persist.c >> +@@ -362,6 +362,10 @@ >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving >> in-memory database, out of memory."); >> + return MOSQ_ERR_NOMEM; >> + } >> ++ >> ++/* Restrict access to persistence file. */ >> ++umask(0077); >> ++ >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); >> + outfile[len] = '\0'; >> + > > Is this likely to negatively affect other files the application might > create? > > Cheers, > Julien
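Review bot: The patch header spells the identifier `CVE-207-9868`, while the Origin URL two lines below it has `2017-9868`. Anyone searching the packaging for the CVE number to confirm the fix is present will miss this patch, so the field should read `Description: Fix for CVE-2017-9868.`. The same quoted hunk, with the same header, recurs in the two later replies in this thread.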
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
I'm neither a DD nor a DM, should I just get my normal sponsor to upload or if not then who? Cheers, Roger On 10 February 2018 at 11:31, Julien Cristauwrote: > Control: tag -1 - moreinfo > Control: tag -1 confirmed > > OK, go ahead and upload then. > > Cheers, > Julien > > On Sat, Feb 10, 2018 at 11:13:06 +, Roger Light wrote: > >> Thanks for taking a look at this. >> >> The application only creates this file and log files, so I don't >> believe it should have any other impact. >> >> Regards, >> >> Roger >> >> >> On 10 February 2018 at 09:07, Julien Cristau wrote: >> > Control: tag -1 moreinfo >> > >> > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote: >> > >> >> +Description: Fix for CVE-207-9868. >> >> +Author: Roger Light >> >> +Forwarded: not-needed >> >> +Origin: upstream, >> >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch >> >> +--- a/src/persist.c >> >> b/src/persist.c >> >> +@@ -362,6 +362,10 @@ >> >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving >> >> in-memory database, out of memory."); >> >> + return MOSQ_ERR_NOMEM; >> >> + } >> >> ++ >> >> ++/* Restrict access to persistence file. */ >> >> ++umask(0077); >> >> ++ >> >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); >> >> + outfile[len] = '\0'; >> >> + >> > >> > Is this likely to negatively affect other files the application might >> > create? >> > >> > Cheers, >> > Julien >>
Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b
On Sat, 10 Feb 2018 10:32:58 +, Adam D. Barratt wrote: > On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote: > > I've prepared an update for libdatetime-timezone-perl in jessie, > > incorporating the tzdata 2018b release. The changes are in a quilt > > patch which only touches the data files. > Please go ahead. Thank you; uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `- NP: The Eagles: Hotel California signature.asc Description: Digital Signature
Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b
On Sat, 10 Feb 2018 10:32:31 +, Adam D. Barratt wrote: > On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote: > > I've prepared an update for libdatetime-timezone-perl in stretch, > > incorporating the tzdata 2018b release. The changes are in a quilt > > patch which only touches the data files. > Please go ahead. Thanks, uploaded. Cheers, gregor -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `- NP: The Eagles: Hotel California signature.asc Description: Digital Signature
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
On Sat, Feb 10, 2018 at 01:39:12PM +, Roger Light wrote: > I'm neither a DD nor a DM, should I just get my normal sponsor to > upload or if not then who? yes, ask your usual sponsor to upload. -- cheers, Holger signature.asc Description: PGP signature
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_armhf.changes ACCEPT
Processed: Re: Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Processing control commands: > tag -1 - moreinfo Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1 Removed tag(s) moreinfo. > tag -1 confirmed Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1 Added tag(s) confirmed. -- 885027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885027 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1
Control: tag -1 - moreinfo Control: tag -1 confirmed OK, go ahead and upload then. Cheers, Julien On Sat, Feb 10, 2018 at 11:13:06 +, Roger Light wrote: > Thanks for taking a look at this. > > The application only creates this file and log files, so I don't > believe it should have any other impact. > > Regards, > > Roger > > > On 10 February 2018 at 09:07, Julien Cristauwrote: > > Control: tag -1 moreinfo > > > > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote: > > > >> +Description: Fix for CVE-207-9868. > >> +Author: Roger Light > >> +Forwarded: not-needed > >> +Origin: upstream, > >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch > >> +--- a/src/persist.c > >> b/src/persist.c > >> +@@ -362,6 +362,10 @@ > >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving > >> in-memory database, out of memory."); > >> + return MOSQ_ERR_NOMEM; > >> + } > >> ++ > >> ++/* Restrict access to persistence file. */ > >> ++umask(0077); > >> ++ > >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath); > >> + outfile[len] = '\0'; > >> + > > > > Is this likely to negatively affect other files the application might > > create? > > > > Cheers, > > Julien >
Re: Scheduling 9.4
On Sat, Feb 10, 2018 at 12:27:43PM +0100, Julien Cristau wrote: >Hi, > >we shipped 9.3 a couple of months ago, so we're overdue for 9.4. > >Can you please let us know your availability on the following: >- March 3 >- March 10 Both doable for me. >- March 17 >- March 24 I'm away at a conference 15-25, so no for me. >- March 31 Likely to be awkward, with a big family celebration that weekend. -- Steve McIntyre, Cambridge, UK.st...@einval.com We don't need no education. We don't need no thought control.
Re: wanna-build access for binNMUs
On 02/10/2018 09:26 AM, Julien Cristau wrote: > On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote: > >> On 30/01/18 08:54, Michael Stapelberg wrote: >>> This would also be very helpful for fixing security issue #888777. >> >> You need to talk to the wanna-build team if you want to be able to schedule >> binNMUs for your language rebuilds, just like the ocaml and haskell teams do. >> > FWIW I disagree, I think this is something the wanna-build team has > essentially delegated to release, so getting people on board is a shared > thing between those two teams rather than solely a w-b thing. It > happens once every few years though so there isn't really a process to > vet people. So can we have an opinion on the current proposal, which is a single DD (stapelberg)? As far as I know DSA's ticket is currently blocked on this. Kind regards Philipp Kern signature.asc Description: OpenPGP digital signature
Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2
Julien Cristau, on sam. 10 févr. 2018 10:55:09 +0100, wrote: > Control: tag -1 confirmed > > On Thu, Dec 21, 2017 at 15:44:56 +0100, Samuel Thibault wrote: > > > Samuel Thibault, on jeu. 21 déc. 2017 15:42:13 +0100, wrote: > > > Cyril Brulebois, on jeu. 21 déc. 2017 15:37:00 +0100, wrote: > > > > I don't think that's an issue with cherry-picking the relevant commit, > > > > since it doesn't seem to contain any indications the default voice is > > > > getting set to English? > > > > > > IIRC I had issues without it, so it was on purpose, and just missed > > > documenting it. > > > > Here is the fixed patch. > > If kibi's happy, I'm happy. Go ahead and upload. Uploaded, thanks! Samuel
Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1
2018-02-10 19:08 GMT+08:00 Julien Cristau: > Control: tag -1 moreinfo > > On Thu, Jan 4, 2018 at 21:51:12 +0800, Boyuan Yang wrote: > >> After adoption of package zssh, I'm looking to fix the RC bug #769366 in >> Debian Stretch. >> A simple rebuild solved the problem, thus requesting a pre-approval from the >> release team. >> > What is the issue and how does a rebuild solve it? > > Thanks, > Julien The issue: zssh on Debian Stretch (at least on amd64 architecture) will not start at all and the symptom is the same as what happened in Debian Bug #769366. As described in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769366#61 , Current version of zssh in Debian Stretch (on amd64 architecture, versioned 1.5c.debian.1-3.2+b4) suffers from RC bug #769366. I had little idea why this happened because a no-change rebuild on Debian Stretch would make zssh fully functional. I tried gdb but the result was not helpful. The previous packager said he once solved this problem in a previous upload so the problem might have been introduced in one of the latter binNMUs. How does a rebuild solve it? I have no idea currently: It Just Works™. I could have dug into the problem but the time to be spent would not be efficient when a simple rebuild solves it. I think those described above should make a stretch-pu for zssh reasonable. -- Regards, Boyuan Yang
Processed: tagging 886326
Processing commands for cont...@bugs.debian.org: > tags 886326 - moreinfo Bug #886326 [release.debian.org] stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1 Removed tag(s) moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 886326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886326 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Scheduling 9.4
Hi, we shipped 9.3 a couple of months ago, so we're overdue for 9.4. Can you please let us know your availability on the following: - March 3 - March 10 - March 17 - March 24 - March 31 Thanks, Julien signature.asc Description: PGP signature
Bug#824872: marked as done (jessie-pu: package nspr/2:4.12-2+deb8u1)
Your message dated Sat, 10 Feb 2018 13:00:59 +0100 with message-id <20180210120059.7zy6arlg7x5ex...@betterave.cristau.org> and subject line Re: Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1 has caused the Debian Bug report #824872, regarding jessie-pu: package nspr/2:4.12-2+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 824872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, as put out in more detail in https://lists.debian.org/debian-release/2016/02/msg00753.html we discussed in the LTS and security team the possibility to use the same NSS and NSPR upstream version in all suites to be able to handle things like CVE-2014-3566 and CVE-2015-4000 in a consistent manner. I'd like to propose this here again via a bug report so we have easier means of tracking/tagging. Would it be o.k. with the release team to update nss/nspr to the versions currently in sid/testing and continue to do so from here on. If it works out for jessie we'll do the same in LTS via wheezy-security. In order to increase confidence in the backports I've enabled the internal testsuites in nspr and nss. If this is o.k. I'm happy to attach debdiffs and provide a matching bug for nss as well. 
Cheers, -- Guido -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- The security team shipped nspr 2:4.12-1+debu8u1 (with the extra u) to jessie in DSA 3687-1. Cheers, Julien--- End Message ---
Bug#827160: marked as done (jessie-pu: package dosfstools/3.0.27-1+deb8u1)
Your message dated Sat, 10 Feb 2018 13:43:24 +0100 with message-id <20180210124324.fsz7wuaw4feqq...@betterave.cristau.org> and subject line Re: Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1 has caused the Debian Bug report #827160, regarding jessie-pu: package dosfstools/3.0.27-1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 827160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827160 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu X-Debbugs-CC: Andreas BombeOn my Debian Jessie machine, I would like to fix the two security issues in dosfstools that show up in the debsecan report: https://security-tracker.debian.org/tracker/CVE-2016-4804 > https://security-tracker.debian.org/tracker/CVE-2016-4804 >. The issues were fixed in Wheezy by the LTS team (DLA-474-1) and is also fixed in unstable. I would like to get it fixed in stable too, to get it out of my debsecan list. The attached patch is based on the patches in wheezy, and should solve the problems. Is it OK to upload the fix for stable? I plan to push the changes to a debian/jessie branch on collab-maint once I know the changes are acceptable for a stable update. 
-- System Information: Debian Release: 8.4 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory ISO-8859-1) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/debian/changelog b/debian/changelog index 4f1e009..db765aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +dosfstools (3.0.27-1+deb8u1) unstable; urgency=medium + + * Non-maintainer upload to fix security issue. + * Added d/gbp.conf to document git branch used for Jessie updates. + * [CVE-2015-8872] Invalid memory read in fsck.vfat + * [CVE-2016-4804] Heap overflow in function read_fat() + + -- Petter Reinholdtsen Mon, 13 Jun 2016 08:17:24 +0200 + dosfstools (3.0.27-1) unstable; urgency=medium * New upstream version 3.0.27 diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 000..3926a07 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = debian/jessie +pristine-tar = True diff --git a/debian/patches/CVE-2015-8872.diff b/debian/patches/CVE-2015-8872.diff new file mode 100644 index 000..07fb6c8 --- /dev/null +++ b/debian/patches/CVE-2015-8872.diff 
@@ -0,0 +1,22 @@ +https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 + +Index: dosfstools-collab/src/fat.c +=== +--- dosfstools-collab.orig/src/fat.c 2016-06-13 08:07:44.669688617 +0200 dosfstools-collab/src/fat.c 2016-06-13 08:07:44.665688587 +0200 +@@ -197,10 +197,12 @@ + data[1] = new >> 4; + } else { + FAT_ENTRY subseqEntry; +- get_fat(, fs->fat, cluster + 1, fs); ++ if (cluster != fs->clusters - 1) ++ get_fat(, fs->fat, cluster + 1, fs); ++ else ++ subseqEntry.value = 0; + data[0] = new & 0xff; +- data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 : +-(0xff & subseqEntry.value) << 4); ++ data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4); + } + size = 2; + break; diff --git a/debian/patches/CVE-2016-4804.diff b/debian/patches/CVE-2016-4804.diff new file mode 100644 index 000..d28174c --- /dev/null +++ b/debian/patches/CVE-2016-4804.diff @@ -0,0 +1,64 @@ +https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52 + +Index: dosfstools-collab/src/boot.c +=== +--- dosfstools-collab.orig/src/boot.c 2016-06-13 07:59:10.337694024 +0200 dosfstools-collab/src/boot.c 2016-06-13 08:00:46.290436480 +0200 +@@ -101,8 +101,8 @@ + (unsigned long long)fs->fat_start, + (unsigned long long)fs->fat_start / lss); + printf("%10d FATs, %d bit entries\n", b->fats, fs->fat_bits); +-printf("%10d bytes per FAT (= %u sectors)\n", fs->fat_size, +- fs->fat_size / lss); ++printf("%10lld bytes per FAT (= %llu sectors)\n", (long long)fs->fat_size, ++ (long long)fs->fat_size / lss); + if (!fs->root_cluster) { +
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_mips.changes ACCEPT
NEW changes in stable-new
Processing changes file: linux_4.9.80-2_mipsel.changes ACCEPT