NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: mpv_0.23.0-2+deb9u1_source.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_all.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_amd64.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_arm64.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_armel.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_armhf.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_i386.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_mips.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u1_s390x.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_amd64.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_arm64.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_armel.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_armhf.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_i386.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_mips.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_mips64el.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_mipsel.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_ppc64el.changes
  ACCEPT
Processing changes file: mpv_0.23.0-2+deb9u2_s390x.changes
  ACCEPT
Processing changes file: ruby-omniauth_1.3.1-1+deb9u1_amd64.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_amd64.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_arm64.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_armel.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_armhf.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_i386.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_mips.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_mips64el.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_mipsel.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: thunderbird_52.5.2-2~deb9u1_s390x.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_amd64.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_arm64.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_armel.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_armhf.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_i386.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_mips.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_mips64el.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_mipsel.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: thunderbird_52.6.0-1~deb9u1_s390x.changes
  ACCEPT



NEW changes in oldstable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_amd64.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_arm64.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_armel.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_armhf.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_i386.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_mips.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_mipsel.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_powerpc.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_ppc64el.changes
  ACCEPT
Processing changes file: asterisk_11.13.1~dfsg-2+deb8u5_s390x.changes
  ACCEPT
Processing changes file: awstats_7.2+dfsg-1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_multi.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_amd64.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_arm64.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_armel.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_armhf.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_i386.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_mips.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_mipsel.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_powerpc.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_ppc64el.changes
  ACCEPT
Processing changes file: bind9_9.9.5.dfsg-9+deb8u15_s390x.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_amd64.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_arm64.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_armel.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_armhf.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_i386.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_mips.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_mipsel.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_powerpc.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_ppc64el.changes
  ACCEPT
Processing changes file: curl_7.38.0-4+deb8u9_s390x.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_amd64.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_arm64.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_armel.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_armhf.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_i386.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_mips.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_mipsel.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_powerpc.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_ppc64el.changes
  ACCEPT
Processing changes file: firefox-esr_52.6.0esr-1~deb8u1_s390x.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_amd64.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_arm64.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_armel.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_armhf.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_i386.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_mips.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_mipsel.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_powerpc.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_ppc64el.changes
  ACCEPT
Processing changes file: gdk-pixbuf_2.31.1-2+deb8u7_s390x.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_arm64.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_armel.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_armhf.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_i386.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_mips.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_mipsel.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_powerpc.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_ppc64el.changes
  ACCEPT
Processing changes file: gifsicle_1.86-1+deb8u1_s390x.changes
  ACCEPT
Processing changes file: gimp_2.8.14-1+deb8u2_allonly.changes
  ACCEPT
Processing changes file: gimp_2.8.14-1+deb8u2_amd64.changes
  ACCEPT
Processing changes file: gimp_2.8.14-1+deb8u2_arm64.changes
  ACCEPT
Processing changes file: gimp_2.8.14-1+deb8u2_armel.changes
  ACCEPT
Processing changes file: gimp_2.8.14-1+deb8u2_armhf.changes
  ACCEPT

NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_mips64el.changes
  ACCEPT



NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_armel.changes
  ACCEPT



Bug#884711: stretch-pu: package dpdk/16.11.4-1+deb9u1

2018-02-10 Thread Julien Cristau
Control: tags -1 confirmed

On Sun, Jan 14, 2018 at 20:14:14 +, Luca Boccassi wrote:

> Thank you for the review, I have reworked the debdiff - rather than
> taking the last 16.11.x version we uploaded in Sid and reverting a few
> changes, instead I've taken the version in Stretch and merged the LTS
> point releases and a couple of small changes, details below.
> 
Great, thanks.  Go ahead and upload to stretch.

Cheers,
Julien



Processed: Re: Bug#884711: stretch-pu: package dpdk/16.11.4-1+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #884711 [release.debian.org] stretch-pu: package dpdk/16.11.4-1+deb9u1
Added tag(s) confirmed.

-- 
884711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884711
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:

> I would like to submit to your consideration an update to ntopng in
> stretch.
> 
> The main bug that triggered this upload is #856048, which causes the
> user management and preferences section of the web interface to
> be unusable.
> 
> The fix is already in version 2.4+dfsg1-4 in unstable.
> 
> There are three additional important issues from 2.4+dfsg1-4 that I
> think it would make sense to include:
> - #859653 which causes ntopng to crash if the mysql backend is selected.
>   This change only affects mysql users. On the other side it is an
>   obvious use-after-free and out-of-bounds memory access issue.
> - #866721 and #866719, which are security-related issues. Do you want
>   me to reach out to the security team about these first? Do we need to
>   treat the whole update as a security one instead, or split it?
> 
Assuming this has been properly tested in a stretch environment, please
go ahead and upload.

Cheers,
Julien



Bug#885184: stretch-pu: package agenda.app/0.42.2-1+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Mon, Dec 25, 2017 at 22:53:57 +0200, Yavor Doganov wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi SRMs,
> 
> Would you approve an update for agenda.app to fix #884098?
> Proposed change was tested on a stretch machine; debdiff attached.
> 
OK, go ahead.

Cheers,
Julien



Processed: Re: Bug#885184: stretch-pu: package agenda.app/0.42.2-1+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #885184 [release.debian.org] stretch-pu: package agenda.app/0.42.2-1+deb9u1
Added tag(s) confirmed.

-- 
885184: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885184
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882821: stretch-pu: package cerealizer/0.8.1-2~deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Sun, Jan 14, 2018 at 10:57:12 +0100, Andreas Beckmann wrote:

> Followup-For: Bug #882821
> Control: retitle -1 stretch-pu: package cerealizer/0.8.1-1+deb9u1
> Control: tag -1 - moreinfo
> 
> Attached is a new debdiff without the git-dpm noise.
> 
OK, go ahead.

Cheers,
Julien



Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Sun, Jan 14, 2018 at 10:42:33 +0100, Andreas Beckmann wrote:

> Followup-For: Bug #883959
> Control: retitle -1 stretch-pu: package cappuccino/0.5.1-6+deb9u1
> Control: tag -1 - moreinfo
> 
> New patch without the /usr/games/cappuccino symlink addition.
> 
Thanks, go ahead.

Cheers,
Julien



Processed: Re: Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #883959 [release.debian.org] stretch-pu: package cappuccino/0.5.1-6+deb9u1
Added tag(s) confirmed.

-- 
883959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #885531 [release.debian.org] stretch-pu: package soundtouch/1.9.2-2+deb9u1
Added tag(s) confirmed.

-- 
885531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Wed, Dec 27, 2017 at 17:14:59 +, James Cowgill wrote:

> This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
> and #870857. I have tested the package on stretch and with the attached
> debdiff, soundstretch still works and the proof of concepts for the 3
> security issues behave correctly now.
> 
> The patch under debian/patches uses DOS line endings because the file it
> modifies also uses DOS line endings.
> 
Go ahead, thanks.

Cheers,
Julien



Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b

2018-02-10 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote:
> I've prepared an update for libdatetime-timezone-perl in stretch,
> incorporating the tzdata 2018b release. The changes are in a quilt
> patch which only touches the data files.

Please go ahead.

I'd been holding off in the hope that it would become clearer what was
happening with a tzdata upload and whether we needed 2018c after all,
but as I appear to have dropped the ball there a little, let's at least
get on with this upload. Sorry for the delay.

Regards,

Adam



Processed: Re: Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #888019 [release.debian.org] jessie-pu: package 
libdatetime-timezone-perl/1:1.75-2+2018b
Added tag(s) confirmed.

-- 
888019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888019
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b

2018-02-10 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote:
> I've prepared an update for libdatetime-timezone-perl in jessie,
> incorporating the tzdata 2018b release. The changes are in a quilt
> patch which only touches the data files.
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #888018 [release.debian.org] stretch-pu: package 
libdatetime-timezone-perl/1:2.09-1+2018b
Added tag(s) confirmed.

-- 
888018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1

2018-02-10 Thread Valentin Vidic
On Sat, Feb 10, 2018 at 09:39:09AM +0100, Julien Cristau wrote:
> OK, please go ahead.

Thanks, uploaded.

-- 
Valentin



Bug#882815: stretch-pu: package exam/0.10.5-2~deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Sun, Jan 14, 2018 at 12:34:00 +0100, Andreas Beckmann wrote:

> diff -Nru exam-0.10.5/debian/changelog exam-0.10.5/debian/changelog
> --- exam-0.10.5/debian/changelog  2016-06-14 19:54:12.0 +0200
> +++ exam-0.10.5/debian/changelog  2017-07-08 05:47:09.0 +0200
> @@ -1,3 +1,19 @@
> +exam (0.10.5-1+deb9u1) stretch; urgency=medium
> +
> +  [ Andreas Beckmann ]
> +  * Non-maintainer upload.
> +  * Backport fixes from 0.10.5-2 to stretch.
> +
> +  [ Scott Kitterman ]
> +  * Correct Vcs-* fields in debian/control to point to the correct package
> +name
> +  * Use correct substitution varial for python3-exam so python3 interpreter

"variable" :)

> +depends are correctly generated (Closes: #867404)
> +  * Let dh_python determine the mock depends (corrects issue where python-
> +exam incorrectly depended on python-mock instead of python3-mock)
> +
> + -- Scott Kitterman   Fri, 07 Jul 2017 23:47:09 -0400
> +
>  exam (0.10.5-1) unstable; urgency=low
>  
>* Initial release. (Closes: #825822)

Go ahead.

Cheers,
Julien



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:

> +Description: Fix for CVE-207-9868.
> +Author: Roger Light 
> +Forwarded: not-needed
> +Origin: upstream, 
> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
> +--- a/src/persist.c
>  b/src/persist.c
> +@@ -362,6 +362,10 @@
> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
> in-memory database, out of memory.");
> + return MOSQ_ERR_NOMEM;
> + }
> ++
> ++/* Restrict access to persistence file. */
> ++umask(0077);
> ++
> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
> + outfile[len] = '\0';
> + 
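Review bot: `umask(0077)` only influences the mode of files created after the call, so in the `@@ -362,6 +362,10 @@` hunk of src/persist.c a `.new` file left over from an interrupted save would keep whatever mode it already had, if the later open (outside the hunk) reuses rather than recreates it. Setting the mode explicitly on the opened file, e.g. `fchmod(fileno(fp), S_IRUSR | S_IWUSR);` with `fp` standing in for the stream the function opens, would not depend on creation. Separately, the patch header reads `Description: Fix for CVE-207-9868.` while the Origin URL names 2017-9868; the header should read `CVE-2017-9868` so the fix can be matched in trackers. The enclosing function starts and ends outside the hunk.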

Is this likely to negatively affect other files the application might
create?

Cheers,
Julien



Processed: Re: Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1
Added tag(s) moreinfo.

-- 
885027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#884109: stretch-pu: package mariadb-10.1/10.1.29-0+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #884109 [release.debian.org] stretch-pu: package 
mariadb-10.1/10.1.29-0+deb9u1
Added tag(s) moreinfo.

-- 
884109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#884109: stretch-pu: package mariadb-10.1/10.1.29-0+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

Hi Ondřej,

On Mon, Dec 11, 2017 at 14:22:03 +, Ondřej Surý wrote:

> this is stretch-pu for mariadb-10.1.29 upstream release and couple of
> fixes that creeped in stretch version just before freeze.
> 
> Fixes:
> 
> * #875708 - Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix 
> mytop
> 
ok

> * Failing non-release archs were added to the list of architectures that are 
> allowed
>   to fail test
> 
that doesn't sound necessary in stable?  harmless though, so probably
ok.

> * mips64el was added to a list of other mips* platforms allowed to fail the 
> tests
> 
That's a bit confusing, where did the mips64el binaries we do have come
from if tests are expected to fail?

> * I reverted upstream decision to use embedded pcre3 library as we
>   need to fix #878107 and #876299 in jessie and stretch too
> 
Is there a plan for doing this?  I'm not seeing a pu request for pcre3.

> Upstream:
> 
> * There's a couple of minor security fixes that don't warrant a security
>   update, but it should be updated nevertheless (thus this pu request).
> 
> I'll send the debdiff in a reply to this email, so this message reaches the 
> list.
> 
I'm seeing quite a bunch of patch noise, including dropping patch
descriptions (and authorship), which seems less than helpful.  Can we
please not?

Cheers,
Julien



Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:

> diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch 
> libextractor-1.3/debian/patches/CVE-2017-15600.patch
> --- libextractor-1.3/debian/patches/CVE-2017-15600.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch  2017-12-28 
> 11:39:33.0 +0100
> @@ -0,0 +1,29 @@
> +From: Bertrand Marc , Markus Koschany 
> +Subject: CVE-2017-15600
> +
> +Bug-Upstream: 
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg4.html
> +Origin: 
> https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
> +--- a/src/plugins/nsf_extractor.c
>  b/src/plugins/nsf_extractor.c
> +@@ -152,13 +152,17 @@
> +   char nsfversion[32];
> +   const struct header *head;
> +   void *data;
> ++  ssize_t ds;
> + 
> +-  if (sizeof (struct header) >
> +-  ec->read (ec->cls,
> +-,
> +-sizeof (struct header)))
> ++  ds = ec->read (ec->cls,
> ++ ,
> ++ sizeof (struct header));
> ++  if ( (-1 == ds) ||
> ++   (sizeof (struct header) > ds) )
> + return;
> +   head = data; 
> ++  if (NULL == head)
> ++return 0; 
> + 

Curious how that works.  3 lines above is plain "return", and here
"return 0".  What's the type of that function and how did the compiler
not flag this?

Cheers,
Julien



Processed: Re: Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Added tag(s) moreinfo.

-- 
885617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #886146 [release.debian.org] stretch-pu: package sqlcipher/3.2.0-2+deb9u1
Added tag(s) moreinfo.

-- 
886146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886146
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Tue, Jan  2, 2018 at 17:59:07 +0100, Gianfranco Costamagna wrote:

> +sqlcipher (3.2.0-2+deb9u1) stretch; urgency=medium
> +
> +  [ Philipp Berger ]
> +  * Fixup previous patch, to avoid a crash when opening file
> +(Closes: #863530)
> +

That bug is still open, implying it still affects sid?

Cheers,
Julien



Bug#889937: transition: libminiupnpc

2018-02-10 Thread Emilio Pozuelo Monfort
Control: tags -1 confirmed
Control: block -1 with 889055 889059

On 08/02/18 23:56, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Dear release team,
> 
> libminiupnpc16 is now in Experimental. I tried rebuilding all reverse
> dependencies, which are:
> 
> * 0ad
> * bitcoin
> * classified-ads
> * dogecoin
> * dolphin-emu
> * eiskaltdcpp
> * i2pd
> * litecoin
> * megaglest
> * sushi
> * swift-im
> * transmission
> * warzone2100
> 
> Out of this, eiskaltdcpp and bitcoin failed to build for apparently
> unrelated issues, and for the 3rd one swift-im, I filed a bug:
> https://bugs.debian.org/889062

bitcoin and swift-im are not in testing, so no big deal wrt the transition.

Please file a bug for eiskaltdcpp.

> 2 reverse dependencies seemed to have libminiupnpc upgrade issues,
> and I filed bugs against them:
> 
> sushi-1.4.0+git20160822+dfsg https://bugs.debian.org/889055
> warzone2100 3.2.1-2: https://bugs.debian.org/889059
> 
> I do have proposed patches from upstream, which basically means
> doing this:
> 
> #if defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 14)
>   miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0, 0, 2, ); /* use 
> default TTL of 2 */
> #elif defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 8)
>   miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0, 0, );
> #elif defined(MINIUPNPC_API_VERSION) && (MINIUPNPC_API_VERSION >= 3)
>   miniupnpc_dev = upnpDiscover(3000, NULL, NULL, 0);
> #else
>   miniupnpc_dev = upnpDiscover(3000, NULL, NULL);
> #endif
> 
> which seems fairly easy to fix in both sushi and warzone2100, and both
> of which has been documented in the bug reports by upstream.
> 
> Therefore, I think it's time to request for a transition slot. Please
> let me know when I can upload miniupnpc to Sid.

Please go ahead.

Emilio



Processed: Re: Bug#889937: transition: libminiupnpc

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #889937 [release.debian.org] transition: libminiupnpc
Added tag(s) confirmed.
> block -1 with 889055 889059
Bug #889937 [release.debian.org] transition: libminiupnpc
889937 was not blocked by any bugs.
889937 was not blocking any bugs.
Added blocking bug(s) of 889937: 889055 and 889059

-- 
889937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



wanna-build access for binNMUs

2018-02-10 Thread Julien Cristau
On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote:

> On 30/01/18 08:54, Michael Stapelberg wrote:
> > This would also be very helpful for fixing security issue #888777.
> 
> You need to talk to the wanna-build team if you want to be able to schedule
> binNMUs for your language rebuilds, just like the ocaml and haskell teams do.
> 
FWIW I disagree, I think this is something the wanna-build team has
essentially delegated to release, so getting people on board is a shared
thing between those two teams rather than solely a w-b thing.  It
happens once every few years though so there isn't really a process to
vet people.

Cheers,
Julien



Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Tue, Oct  3, 2017 at 10:44:18 +0200, Valentin Vidic wrote:

> Attached diff fixes an upgrade issue reported in #876195:
> ocfs2 services are not started on boot after upgrade
> because the service links were not automatically
> migrated from /etc/rcS.d to /etc/rc2.d.
> 
> Please approve upload to stretch-pu.
> 
OK, please go ahead.

Cheers,
Julien



Processed: Re: Bug#877593: stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #877593 [release.debian.org] stretch-pu: package ocfs2-tools/1.8.4-4+deb9u1
Added tag(s) confirmed.

-- 
877593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #884606 [release.debian.org] stretch-pu: package espeakup/1:0.80-5+b2
Added tag(s) confirmed.

-- 
884606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884606
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#885582: stretch-pu: package ncurses/6.0+20161126-1+deb9u2

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #885582 [release.debian.org] stretch-pu: package 
ncurses/6.0+20161126-1+deb9u2
Added tag(s) moreinfo.

-- 
885582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885582
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885582: stretch-pu: package ncurses/6.0+20161126-1+deb9u2

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Thu, Dec 28, 2017 at 11:34:33 +0100, Sven Joachim wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch d-i
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer
> overflow in the _nc_write_entry function.
> 
> While this touches the tinfo library used in the installer,
> _nc_write_entry() is only used by tic as far as I am aware.
> 
Thanks, go ahead.

[...]
> +--- a/ncurses/tinfo/write_entry.c
>  b/ncurses/tinfo/write_entry.c
> +@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
> + #endif
> + #endif /* USE_SYMLINKS */
> + 
> ++unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
> ++char saved = '\0';
> ++
> + static int call_count;
> + static time_t start_time;   /* time at start of writes */
> + 
> +@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
> + start_time = 0;
> + }
> + 
> +-if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
> ++if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {

kind of curious that limit2 wasn't used here...

> + _nc_warning("terminal name too long.");
> ++saved = first_name[limit2];
> ++first_name[limit2] = '\0';
> ++}
> + 
> + _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
> + LEAF_FMT "/%s", first_name[0], first_name);
> + 
> ++if (saved)
> ++first_name[limit2] = saved;
> ++
> + /*
> +  * Has this primary name been written since the first call to
> +  * write_entry()?  If so, the newer write will step on the older,

Cheers,
Julien



Re: wanna-build access for binNMUs

2018-02-10 Thread Emilio Pozuelo Monfort
On 10/02/18 09:26, Julien Cristau wrote:
> On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote:
> 
>> On 30/01/18 08:54, Michael Stapelberg wrote:
>>> This would also be very helpful for fixing security issue #888777.
>>
>> You need to talk to the wanna-build team if you want to be able to schedule
>> binNMUs for your language rebuilds, just like the ocaml and haskell teams do.
>>
> FWIW I disagree, I think this is something the wanna-build team has
> essentially delegated to release, so getting people on board is a shared
> thing between those two teams rather than solely a w-b thing.  It
> happens once every few years though so there isn't really a process to
> vet people.

Ack. I wasn't around when this last happened, so I didn't quite know the 
procedure.

Cheers,
Emilio



Processed: Re: Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #886326 [release.debian.org] stretch-pu: package 
zssh/1.5c.debian.1-3.2+deb9u1
Added tag(s) moreinfo.

-- 
886326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Thu, Jan  4, 2018 at 21:51:12 +0800, Boyuan Yang wrote:

> After adoption of package zssh, I'm looking to fix the RC bug #769366 in 
> Debian Stretch.
> A simple rebuild solved the problem, thus requesting a pre-approval from the 
> release team.
> 
What is the issue and how does a rebuild solve it?

Thanks,
Julien



Processed: Re: Bug#882815: stretch-pu: package exam/0.10.5-2~deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #882815 [release.debian.org] stretch-pu: package exam/0.10.5-1+deb9u1
Added tag(s) confirmed.

-- 
882815: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882815
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#885069: stretch-pu: package open-iscsi/2.0.874-3~deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #885069 [release.debian.org] stretch-pu: package open-iscsi/2.0.874-3~deb9u1
Added tag(s) moreinfo.

-- 
885069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885069
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885069: stretch-pu: package open-iscsi/2.0.874-3~deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Sat, Dec 23, 2017 at 13:40:43 +0100, Christian Seiler wrote:

> diff -Nru 
> open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch
>  
> open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch
> --- 
> open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch
> 1970-01-01 01:00:00.0 +0100
> +++ 
> open-iscsi-2.0.874/debian/patches/security/Check-for-root-peer-user-for-iscsiuio-IPC.patch
> 2017-12-23 13:09:13.0 +0100
> @@ -0,0 +1,122 @@
> +From e313bd648a4c8a9526421e270eb597a5de1e0c7f Mon Sep 17 00:00:00 2001
> +From: Lee Duncan 
> +Date: Fri, 15 Dec 2017 10:36:11 -0800
> +Subject: [PATCH 1/8] Check for root peer user for iscsiuio IPC
> +
> +This fixes a possible vulnerability where a non-root
> +process could connect with iscsiuio. Fouund by Qualsys.
> +---
> + iscsiuio/src/unix/Makefile.am  |  3 ++-
> + iscsiuio/src/unix/iscsid_ipc.c | 47 
> ++
> + 2 files changed, 49 insertions(+), 1 deletion(-)
> +
[...]
> +@@ -1029,6 +1035,40 @@ static void iscsid_loop_close(void *arg)
> + LOG_INFO(PFX "iSCSI daemon socket closed");
> + }
> + 
> ++/*
> ++ * check that the peer user is privilidged
> ++ *

This function doesn't actually do that.

> ++ * return 1 if peer is ok else 0
> ++ *
> ++ * XXX: this function is copied from iscsid_ipc.c and should be
> ++ * moved into a common library
> ++ */
> ++static int
> ++mgmt_peeruser(int sock, char *user)
> ++{
> ++struct ucred peercred;
> ++socklen_t so_len = sizeof(peercred);
> ++struct passwd *pass;
> ++
> ++errno = 0;
> ++if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, ,
> ++_len) != 0 || so_len != sizeof(peercred)) {
> ++/* We didn't get a valid credentials struct. */
> ++LOG_ERR(PFX "peeruser_unux: error receiving credentials: %m");
> ++return 0;
> ++}
> ++
> ++pass = getpwuid(peercred.uid);
> ++if (pass == NULL) {
> ++LOG_ERR(PFX "peeruser_unix: unknown local user with uid %d",
> ++(int) peercred.uid);
> ++return 0;
> ++}
> ++
> ++strlcpy(user, pass->pw_name, PEERUSER_MAX);
> ++return 1;
> ++}
> ++
> + /**
> +  *  iscsid_loop() - This is the function which will process the broadcast
> +  *  messages from iscsid
> +@@ -1038,6 +1078,7 @@ static void *iscsid_loop(void *arg)
> + {
> + int rc;
> + sigset_t set;
> ++char user[PEERUSER_MAX];
> + 
> + pthread_cleanup_push(iscsid_loop_close, arg);
> + 
> +@@ -1077,6 +1118,12 @@ static void *iscsid_loop(void *arg)
> + continue;
> + }
> + 
> ++if (!mgmt_peeruser(iscsid_opts.fd, user) || strncmp(user, 
> "root", PEERUSER_MAX)) {
> ++close(s2);
> ++LOG_ERR(PFX "Access error: non-administrative 
> connection rejected");
> ++break;
> ++}
> ++
> + process_iscsid_broadcast(s2);
> + close(s2);
> + }
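Review bot: The credential check added to iscsid_loop passes `iscsid_opts.fd` to mgmt_peeruser(), while the descriptor that is then processed and closed is `s2`. The accept() call is outside the hunk, but if `iscsid_opts.fd` is the listening socket, SO_PEERCRED on it does not describe the client that just connected, so the check would not cover the peer it is meant to vet. The call should take the accepted descriptor: `if (!mgmt_peeruser(s2, user) || strncmp(user, "root", PEERUSER_MAX)) {`. The rejection path also ends in `break` where the neighbouring error path uses `continue`, which looks as if one refused connection ends the loop for every later caller; `continue` after `close(s2)` would keep the daemon serving. iscsid_loop starts and ends outside these hunks, so both points should be confirmed against the full function.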

The above makes little sense to me.  We find out the peer uid, then
instead of just comparing that against 0 we turn it into a struct passwd
and compare pw_name against "root".  Why?

Cheers,
Julien



Processed: Re: Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #885183 [release.debian.org] stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Added tag(s) confirmed.

-- 
885183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#882821: stretch-pu: package cerealizer/0.8.1-2~deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #882821 [release.debian.org] stretch-pu: package cerealizer/0.8.1-1+deb9u1
Added tag(s) confirmed.

-- 
882821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882824: stretch-pu: package python-arpy/1.1.1-3~deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Mon, Nov 27, 2017 at 03:01:48 +0100, Andreas Beckmann wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Let's fix the python3 dependencies. #867418
> 
> There is some metadata noise by just rebuilding the package from sid.
> And there is a lot of file movement noise in the python-arpy caused by
> rebuilding a 4 year old package in stretch:
> 
> $ debdiff python-arpy_1.1.1-2_all.deb python-arpy_1.1.1-3~deb9u1_all.deb
> [The following lists of changes regard files as different if they have
> different names, permissions or owners.]
> 
I'm not convinced this is worth the churn.  I can see it for a program,
but for libraries what's the likelihood anyone's actually going to run
into the bug?

Cheers,
Julien



Processed: Re: Bug#882824: stretch-pu: package python-arpy/1.1.1-3~deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #882824 [release.debian.org] stretch-pu: package python-arpy/1.1.1-3~deb9u1
Added tag(s) moreinfo.

-- 
882824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_amd64.changes
  ACCEPT



Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Thu, Dec 21, 2017 at 15:44:56 +0100, Samuel Thibault wrote:

> Samuel Thibault, on jeu. 21 déc. 2017 15:42:13 +0100, wrote:
> > Cyril Brulebois, on jeu. 21 déc. 2017 15:37:00 +0100, wrote:
> > > I don't think that's an issue with cherry-picking the relevant commit,
> > > since it doesn't seem to contain any indications the default voice is
> > > getting set to English?
> > 
> > IIRC I had issues without it, so it was on purpose, and just missed
> > documenting it.
> 
> Here is the fixed patch.

If kibi's happy, I'm happy.  Go ahead and upload.

Cheers,
Julien



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Roger Light
Thanks for taking a look at this.

The application only creates this file and log files, so I don't
believe it should have any other impact.

Regards,

Roger


On 10 February 2018 at 09:07, Julien Cristau  wrote:
> Control: tag -1 moreinfo
>
> On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:
>
>> +Description: Fix for CVE-207-9868.
>> +Author: Roger Light 
>> +Forwarded: not-needed
>> +Origin: upstream, 
>> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
>> +--- a/src/persist.c
>>  b/src/persist.c
>> +@@ -362,6 +362,10 @@
>> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
>> in-memory database, out of memory.");
>> + return MOSQ_ERR_NOMEM;
>> + }
>> ++
>> ++/* Restrict access to persistence file. */
>> ++umask(0077);
>> ++
>> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> + outfile[len] = '\0';
>> +
>
> Is this likely to negatively affect other files the application might
> create?
>
> Cheers,
> Julien



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Roger Light
I'm neither a DD nor a DM, should I just get my normal sponsor to
upload or if not then who?

Cheers,

Roger

On 10 February 2018 at 11:31, Julien Cristau  wrote:
> Control: tag -1 - moreinfo
> Control: tag -1 confirmed
>
> OK, go ahead and upload then.
>
> Cheers,
> Julien
>
> On Sat, Feb 10, 2018 at 11:13:06 +, Roger Light wrote:
>
>> Thanks for taking a look at this.
>>
>> The application only creates this file and log files, so I don't
>> believe it should have any other impact.
>>
>> Regards,
>>
>> Roger
>>
>>
>> On 10 February 2018 at 09:07, Julien Cristau  wrote:
>> > Control: tag -1 moreinfo
>> >
>> > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:
>> >
>> >> +Description: Fix for CVE-207-9868.
>> >> +Author: Roger Light 
>> >> +Forwarded: not-needed
>> >> +Origin: upstream, 
>> >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
>> >> +--- a/src/persist.c
>> >>  b/src/persist.c
>> >> +@@ -362,6 +362,10 @@
>> >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
>> >> in-memory database, out of memory.");
>> >> + return MOSQ_ERR_NOMEM;
>> >> + }
>> >> ++
>> >> ++/* Restrict access to persistence file. */
>> >> ++umask(0077);
>> >> ++
>> >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> >> + outfile[len] = '\0';
>> >> +
>> >
>> > Is this likely to negatively affect other files the application might
>> > create?
>> >
>> > Cheers,
>> > Julien
>>



Bug#888019: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2018b

2018-02-10 Thread gregor herrmann
On Sat, 10 Feb 2018 10:32:58 +, Adam D. Barratt wrote:

> On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote:
> > I've prepared an update for libdatetime-timezone-perl in jessie,
> > incorporating the tzdata 2018b release. The changes are in a quilt
> > patch which only touches the data files.
> Please go ahead.

Thank you; uploaded.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: The Eagles: Hotel California




Bug#888018: stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2018b

2018-02-10 Thread gregor herrmann
On Sat, 10 Feb 2018 10:32:31 +, Adam D. Barratt wrote:

> On Mon, 2018-01-22 at 18:27 +0100, gregor herrmann wrote:
> > I've prepared an update for libdatetime-timezone-perl in stretch,
> > incorporating the tzdata 2018b release. The changes are in a quilt
> > patch which only touches the data files.
> Please go ahead.

Thanks, uploaded.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: The Eagles: Hotel California




Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Holger Levsen
On Sat, Feb 10, 2018 at 01:39:12PM +, Roger Light wrote:
> I'm neither a DD nor a DM, should I just get my normal sponsor to
> upload or if not then who?

yes, ask your usual sponsor to upload.


-- 
cheers,
Holger




NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_armhf.changes
  ACCEPT



Processed: Re: Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo
Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1
Removed tag(s) moreinfo.
> tag -1 confirmed
Bug #885027 [release.debian.org] stretch-pu: package mosquitto/1.4.10-3+deb9u1
Added tag(s) confirmed.

-- 
885027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 - moreinfo
Control: tag -1 confirmed

OK, go ahead and upload then.

Cheers,
Julien

On Sat, Feb 10, 2018 at 11:13:06 +, Roger Light wrote:

> Thanks for taking a look at this.
> 
> The application only creates this file and log files, so I don't
> believe it should have any other impact.
> 
> Regards,
> 
> Roger
> 
> 
> On 10 February 2018 at 09:07, Julien Cristau  wrote:
> > Control: tag -1 moreinfo
> >
> > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:
> >
> >> +Description: Fix for CVE-207-9868.
> >> +Author: Roger Light 
> >> +Forwarded: not-needed
> >> +Origin: upstream, 
> >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
> >> +--- a/src/persist.c
> >>  b/src/persist.c
> >> +@@ -362,6 +362,10 @@
> >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
> >> in-memory database, out of memory.");
> >> + return MOSQ_ERR_NOMEM;
> >> + }
> >> ++
> >> ++/* Restrict access to persistence file. */
> >> ++umask(0077);
> >> ++
> >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
> >> + outfile[len] = '\0';
> >> +
> >
> > Is this likely to negatively affect other files the application might
> > create?
> >
> > Cheers,
> > Julien
> 



Re: Scheduling 9.4

2018-02-10 Thread Steve McIntyre
On Sat, Feb 10, 2018 at 12:27:43PM +0100, Julien Cristau wrote:
>Hi,
>
>we shipped 9.3 a couple of months ago, so we're overdue for 9.4.
>
>Can you please let us know your availability on the following:
>- March 3
>- March 10

Both doable for me.

>- March 17
>- March 24

I'm away at a conference 15-25, so no for me.

>- March 31

Likely to be awkward, with a big family celebration that weekend.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
We don't need no education.
We don't need no thought control.



Re: wanna-build access for binNMUs

2018-02-10 Thread Philipp Kern
On 02/10/2018 09:26 AM, Julien Cristau wrote:
> On Tue, Jan 30, 2018 at 20:45:44 +0100, Emilio Pozuelo Monfort wrote:
> 
>> On 30/01/18 08:54, Michael Stapelberg wrote:
>>> This would also be very helpful for fixing security issue #888777.
>>
>> You need to talk to the wanna-build team if you want to be able to schedule
>> binNMUs for your language rebuilds, just like the ocaml and haskell teams do.
>>
> FWIW I disagree, I think this is something the wanna-build team has
> essentially delegated to release, so getting people on board is a shared
> thing between those two teams rather than solely a w-b thing.  It
> happens once every few years though so there isn't really a process to
> vet people.

So can we have an opinion on the current proposal, which is a single DD
(stapelberg)? As far as I know DSA's ticket is currently blocked on this.

Kind regards
Philipp Kern






Bug#884606: stretch-pu: package espeakup/1:0.80-5+b2

2018-02-10 Thread Samuel Thibault
Julien Cristau, on sam. 10 févr. 2018 10:55:09 +0100, wrote:
> Control: tag -1 confirmed
> 
> On Thu, Dec 21, 2017 at 15:44:56 +0100, Samuel Thibault wrote:
> 
> > Samuel Thibault, on jeu. 21 déc. 2017 15:42:13 +0100, wrote:
> > > Cyril Brulebois, on jeu. 21 déc. 2017 15:37:00 +0100, wrote:
> > > > I don't think that's an issue with cherry-picking the relevant commit,
> > > > since it doesn't seem to contain any indications the default voice is
> > > > getting set to English?
> > > 
> > > IIRC I had issues without it, so it was on purpose, and just missed
> > > documenting it.
> > 
> > Here is the fixed patch.
> 
> If kibi's happy, I'm happy.  Go ahead and upload.

Uploaded, thanks!

Samuel



Bug#886326: stretch-pu: package zssh/1.5c.debian.1-3.2+deb9u1

2018-02-10 Thread Boyuan Yang
2018-02-10 19:08 GMT+08:00 Julien Cristau :
> Control: tag -1 moreinfo
>
> On Thu, Jan  4, 2018 at 21:51:12 +0800, Boyuan Yang wrote:
>
>> After adoption of package zssh, I'm looking to fix the RC bug #769366 in 
>> Debian Stretch.
>> A simple rebuild solved the problem, thus requesting a pre-approval from the 
>> release team.
>>
> What is the issue and how does a rebuild solve it?
>
> Thanks,
> Julien

The issue: zssh on Debian Stretch (at least on amd64 architecture)
will not start at all and the
symptom is the same as what happened in Debian Bug #769366.

As described in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769366#61 , Current
version
of zssh in Debian Stretch (on amd64 architecture, versioned
1.5c.debian.1-3.2+b4) suffers from
RC bug #769366. I had little idea why this happened because a
no-change rebuild on Debian
Stretch would make zssh fully functional. I tried gdb but the result
was not helpful.

The previous packager said he once solved this problem in a previous
upload so the problem
might have been introduced in one of the latter binNMUs.

How does a rebuild solve it? I have no idea currently: It Just Works™.
I could have dug into
the problem but the time would not be well spent when a
simple rebuild solves it.

I think those described above should make a stretch-pu for zssh reasonable.

--
Regards,
Boyuan Yang



Processed: tagging 886326

2018-02-10 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 886326 - moreinfo
Bug #886326 [release.debian.org] stretch-pu: package 
zssh/1.5c.debian.1-3.2+deb9u1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
886326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Scheduling 9.4

2018-02-10 Thread Julien Cristau
Hi,

we shipped 9.3 a couple of months ago, so we're overdue for 9.4.

Can you please let us know your availability on the following:
- March 3
- March 10
- March 17
- March 24
- March 31

Thanks,
Julien




Bug#824872: marked as done (jessie-pu: package nspr/2:4.12-2+deb8u1)

2018-02-10 Thread Debian Bug Tracking System
Your message dated Sat, 10 Feb 2018 13:00:59 +0100
with message-id <20180210120059.7zy6arlg7x5ex...@betterave.cristau.org>
and subject line Re: Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1
has caused the Debian Bug report #824872,
regarding jessie-pu: package nspr/2:4.12-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
824872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
as put out in more detail in

  https://lists.debian.org/debian-release/2016/02/msg00753.html

we discussed in the LTS and security team the possibility to use the
same NSS and NSPR upstream version in all suites to be able to handle
things like CVE-2014-3566 and CVE-2015-4000 in a consistent manner.

I'd like to propose this here again via a bug report so we have easier
means of tracking/tagging. Would it be o.k. with the release team to update
nss/nspr to the versions currently in sid/testing and continue to do so
from here on? If it works out for jessie we'll do the same in LTS via
wheezy-security.
In order to increase confidence in the backports I've enabled the
internal testsuites in nspr and nss.

If this is o.k. I'm happy to attach debdiffs and provide a matching bug
for nss as well.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
The security team shipped nspr 2:4.12-1+debu8u1 (with the extra u) to
jessie in DSA 3687-1.

Cheers,
Julien--- End Message ---


Bug#827160: marked as done (jessie-pu: package dosfstools/3.0.27-1+deb8u1)

2018-02-10 Thread Debian Bug Tracking System
Your message dated Sat, 10 Feb 2018 13:43:24 +0100
with message-id <20180210124324.fsz7wuaw4feqq...@betterave.cristau.org>
and subject line Re: Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1
has caused the Debian Bug report #827160,
regarding jessie-pu: package dosfstools/3.0.27-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
827160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827160
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: Andreas Bombe 

On my Debian Jessie machine, I would like to fix the two security issues
in dosfstools that show up in the debsecan report:
<https://security-tracker.debian.org/tracker/CVE-2016-4804>
<https://security-tracker.debian.org/tracker/CVE-2016-4804>.

The issues were fixed in Wheezy by the LTS team (DLA-474-1) and are also
fixed in unstable.  I would like to get them fixed in stable too, to get
them out of my debsecan list.

The attached patch is based on the patches in wheezy, and should solve
the problems.

Is it OK to upload the fix for stable?

I plan to push the changes to a debian/jessie branch on collab-maint
once I know the changes are acceptable for a stable update.

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 4f1e009..db765aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dosfstools (3.0.27-1+deb8u1) unstable; urgency=medium
+
+  * Non-maintainer upload to fix security issue.
+  * Added d/gbp.conf to document git branch used for Jessie updates.
+  * [CVE-2015-8872] Invalid memory read in fsck.vfat
+  * [CVE-2016-4804] Heap overflow in function read_fat()
+
+ -- Petter Reinholdtsen   Mon, 13 Jun 2016 08:17:24 +0200
+
 dosfstools (3.0.27-1) unstable; urgency=medium
 
   * New upstream version 3.0.27
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/CVE-2015-8872.diff b/debian/patches/CVE-2015-8872.diff
new file mode 100644
index 000..07fb6c8
--- /dev/null
+++ b/debian/patches/CVE-2015-8872.diff
@@ -0,0 +1,22 @@
+https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
+
+Index: dosfstools-collab/src/fat.c
+===
+--- dosfstools-collab.orig/src/fat.c	2016-06-13 08:07:44.669688617 +0200
 dosfstools-collab/src/fat.c	2016-06-13 08:07:44.665688587 +0200
+@@ -197,10 +197,12 @@
+ 	data[1] = new >> 4;
+ 	} else {
+ 	FAT_ENTRY subseqEntry;
+-	get_fat(, fs->fat, cluster + 1, fs);
++	if (cluster != fs->clusters - 1)
++	get_fat(, fs->fat, cluster + 1, fs);
++	else
++	subseqEntry.value = 0;
+ 	data[0] = new & 0xff;
+-	data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
+-(0xff & subseqEntry.value) << 4);
++	data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
+ 	}
+ 	size = 2;
+ 	break;
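Review bot: The new guard in src/fat.c skips get_fat() only when `cluster == fs->clusters - 1`, and nothing in the hunk says why that value is the last entry that may be read. If `fs->clusters` counts data clusters without any reserved entries at the start of the table (not visible here), the last valid index is not `fs->clusters - 1`, and the `cluster + 1` read past the table would still happen for the real last entry. Please confirm the bound against the upstream commit linked at the top of the patch and record the reasoning next to the test, e.g. `/* last FAT entry has no successor to merge with; do not read cluster + 1 */`. The patch file also carries only a URL; a short `Description:` and `Origin:` header would tell stable reviewers what the fix is. The enclosing function starts and ends outside the hunk.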
diff --git a/debian/patches/CVE-2016-4804.diff b/debian/patches/CVE-2016-4804.diff
new file mode 100644
index 000..d28174c
--- /dev/null
+++ b/debian/patches/CVE-2016-4804.diff
@@ -0,0 +1,64 @@
+https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
+
+Index: dosfstools-collab/src/boot.c
+===
+--- dosfstools-collab.orig/src/boot.c	2016-06-13 07:59:10.337694024 +0200
 dosfstools-collab/src/boot.c	2016-06-13 08:00:46.290436480 +0200
+@@ -101,8 +101,8 @@
+ 	   (unsigned long long)fs->fat_start,
+ 	   (unsigned long long)fs->fat_start / lss);
+ printf("%10d FATs, %d bit entries\n", b->fats, fs->fat_bits);
+-printf("%10d bytes per FAT (= %u sectors)\n", fs->fat_size,
+-	   fs->fat_size / lss);
++printf("%10lld bytes per FAT (= %llu sectors)\n", (long long)fs->fat_size,
++	   (long long)fs->fat_size / lss);
+ if (!fs->root_cluster) {
+ 	

NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_mips.changes
  ACCEPT



NEW changes in stable-new

2018-02-10 Thread Debian FTP Masters
Processing changes file: linux_4.9.80-2_mipsel.changes
  ACCEPT