Re: gcc-6: please enable PIE hardening flags by default on amd64 ppc64el and s390x
On Tue, 23 Aug 2016 00:25:30 +0200 Balint Reczey wrote:
> Package: gcc-6
> Version: 6.1.1-12
> Severity: wishlist
> Tags: patch
>
> Dear Matthias,
>
> As a continuation of the discussions [1][2] on debian-devel I'm attaching the simple patch that implements enabling the PIE hardening flags for a subset of the architectures.
>
> I'm open to changing the subset, it matches the set selected in Ubuntu as a start, but porters may have different preferences [2].
>
> I'm continuing with a full archive rebuild to see the amount of packages to be updated for the change in the default flags.
>
> The same patch applies to gcc-5, too, if it does not get removed from the archive before the patch is accepted for gcc-6.
>
> Cheers,
> Balint
>
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

Hi,

As per [1], please enable PIE by default on the following architectures:

 * amd64
 * arm64
 * armel
 * armhf
 * i386
 * mips
 * mips64el
 * mipsel
 * ppc64el
 * s390x

All of these architectures (except amd64+i386 with porter waivers) had at least 2 porters supporting PIE.

Thanks,
~Niels

[1] https://lists.debian.org/<2c67a60f-2bbb-2f4e-2ad3-cd9978fb5...@thykier.net>
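After the gcc default is flipped, the question for the archive rebuild above is whether a given rebuilt binary actually came out position-independent. The following added example (not from the bug report or Debian's tooling; the names `elf_kind`, `build_elf64` and `audit` are its own) classifies ELF files by reading only the header fields that matter: a PIE is an ET_DYN object that also carries a PT_INTERP program header, whereas a non-PIE executable is ET_EXEC. `build_elf64` constructs minimal sample images so the check runs offline.

```python
# Added example: audit ELF files as fixed-address executables, PIEs or shared
# objects. Not from the bug report; all names here are this example's own.
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3   # p_type values


def elf_kind(data: bytes) -> str:
    """Return 'exec', 'pie', 'shared', 'other' or 'not-elf' for raw file bytes."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if len(data) < (64 if is64 else 52): # shorter than the fixed ELF header
        return "not-elf"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "exec"                    # non-PIE: fixed load address, no ASLR for .text
    if e_type != ET_DYN:
        return "other"                   # ET_REL, ET_CORE, ...
    # ET_DYN covers both PIEs and shared libraries; a PIE is linked with an
    # interpreter (PT_INTERP). Caveat: glibc's libc.so also carries PT_INTERP,
    # so 'pie' is a best-effort answer for files that are not meant to be run.
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return "other"               # truncated program header table
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "pie"
    return "shared"


def build_elf64(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal little-endian x86-64 ELF image (header + one phdr) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # ELF64, LSB, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
        e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)      # e_phoff=64, one 56-byte phdr
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if with_interp else PT_LOAD, 4, 0, 0, 0, 0, 0, 0)
    return header + phdr


def audit(paths):
    """Map each path to its classification; unreadable files are reported as 'error'."""
    result = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                result[p] = elf_kind(f.read())
        except OSError:
            result[p] = "error"
    return result


if __name__ == "__main__":
    for path, kind in audit(sys.argv[1:]).items():
        print(f"{kind:8} {path}")
```

Running it over `/usr/bin/*` on a system with the new default shows which packages still produce `exec` results and so need attention in the rebuild.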
Re: Enabling PIE by default for Stretch
Niels Thykier:
> Hi,
>
> As brought up on the meeting last night, I think we should try to go for PIE by default in Stretch on all release architectures!
> * It is a substantial hardening feature
> * Upstream has vastly reduced the performance penalty for x86
> * The majority of all porters believe their release architecture is ready for it.
> * We have sufficient time to solve any issues or revert if it turns out to be too problematic.
>
> [...]
>
> * Deadline for major concerns: Fri, 7th of October 2016.
>
> [...]
>
> Thanks,
> ~Niels
>
> [...]

It appears that there were no major concerns. I will follow up #835148 and request PIE by default for the following architectures.

 * amd64
 * arm64
 * armel
 * armhf
 * i386
 * mips
 * mips64el
 * mipsel
 * ppc64el
 * s390x

Should you be a porter for an architecture not listed above and want PIE by default on your architecture, please follow up on #835148 as well (or file a new wishlist bug if #835148 is closed when you do it).

NB: The omission of powerpc was intentional as there were no porters supporting it during the roll-call.

Thanks,
~Niels
Re: Porter roll call for Debian Stretch
On Sun, 2016-10-09 at 21:12 +0300, Adrian Bunk wrote:
> [ adding debian-powerpc ]
>
> On Sun, Oct 09, 2016 at 06:54:44PM +0200, Moritz Mühlenhoff wrote:
> > Niels Thykier wrote:
> > > If I am to support powerpc as a release architecture for Stretch, I need to know that there are *active* porters behind it committed to keeping it working. People who would definitely catch such issues long before the release. People who file bugs / submit patches etc.
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about a powerpc-specific build failure of mariadb in stable. The maintainer said he can't work on it, so if anyone considers himself/herself a powerpc porter, this is something to look at.
>
> Can you give a hint what exactly should be looked at?

https://buildd.debian.org/status/fetch.php?pkg=mariadb-10.0=powerpc=10.0.27-0%2Bdeb8u1=1473621159

> The bug did not make it clear that there is any problem left at all when I looked at it recently.
>
> The last message was closing the bug.
>
> There was a control command reopening the bug without giving any rationale, but the last control command was
> fixed 832931 10.0.27-1

For unstable, yes. The stable package is still broken.

> buildd.debian.org says that 10.0.27-0+deb8u1 was installed on jessie.[1]

That's an artefact of how builds for suites with "overlays" (i.e. pu / tpu) are displayed. If one actually looks at the archive:

mariadb-client-10.0 | 10.0.25-0+deb8u1 | stable | powerpc
mariadb-client-10.0 | 10.0.27-0+deb8u1 | stable | amd64, arm64, armel, armhf, i386, mips, mipsel, ppc64el, s390x

Regards,

Adam
Re: Porter roll call for Debian Stretch
[ adding debian-powerpc ]

On Sun, Oct 09, 2016 at 06:54:44PM +0200, Moritz Mühlenhoff wrote:
> Niels Thykier wrote:
> > If I am to support powerpc as a release architecture for Stretch, I need to know that there are *active* porters behind it committed to keeping it working. People who would definitely catch such issues long before the release. People who file bugs / submit patches etc.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about a powerpc-specific build failure of mariadb in stable. The maintainer said he can't work on it, so if anyone considers himself/herself a powerpc porter, this is something to look at.

Can you give a hint what exactly should be looked at?

The bug did not make it clear that there is any problem left at all when I looked at it recently.

The last message was closing the bug.

There was a control command reopening the bug without giving any rationale, but the last control command was
fixed 832931 10.0.27-1

buildd.debian.org says that 10.0.27-0+deb8u1 was installed on jessie.[1]

If there is a problem left somewhere it is well-hidden, and not visible immediately when looking at the bug - I thought this was already resolved.

> Cheers,
> Moritz

cu
Adrian

[1] https://buildd.debian.org/status/package.php?p=mariadb-10.0=jessie

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Re: Porter roll call for Debian Stretch
Niels Thykier wrote:
> If I am to support powerpc as a release architecture for Stretch, I need to know that there are *active* porters behind it committed to keeping it working. People who would definitely catch such issues long before the release. People who file bugs / submit patches etc.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about a powerpc-specific build failure of mariadb in stable. The maintainer said he can't work on it, so if anyone considers himself/herself a powerpc porter, this is something to look at.

Cheers,
Moritz
Processed: official DD
Processing commands for cont...@bugs.debian.org:

> # bugs with submitter b...@sandroknauss.de
> submitter 839905 !
Bug #839905 [pkg-kde-tools] pkgkde-symbolshelper: Use of uninitialized value in concatenation (.) or string at /usr/bin/pkgkde-symbolshelper line 318.
Changed Bug submitter to 'Sandro Knauß' from 'Sandro Knauß '.
> submitter 832420 !
Bug #832420 [wnpp] ITP: qtwebengine -- Web content engine library for Qt
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 832067 !
Bug #832067 [ring] ring: No interaction via system tray in plasma5 (KDE)
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 796744 !
Bug #796744 [release.debian.org] jessie-pu: package owncloud-client/1.7.0~beta1+really1.6.4+dfsg-1
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 695433 !
Bug #695433 [plasma-netbook] [plasma-netbook] screenlock does not work
Changed Bug submitter to 'Sandro Knauß ' from 'b...@sandroknauss.de'.
> submitter 760412 !
Bug #760412 [kdelibs5-dev] kdelibs5-dev: Hardcoded "Found KDE 4.12" in FindKDE4Internal.cmake
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 799267 !
Bug #799267 [ubuntu-dev-tools] [ubuntu-dev-tools] Support for overlay in mk-sbuild
Changed Bug submitter to 'Sandro Knauß ' from 'b...@sandroknauss.de'.
> submitter 778864 !
Bug #778864 [kde-baseapps] kde-baseapps: Include necessary patch for ownclouds dolphin plugin
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 832103 !
Bug #832103 [docker.io] docker.io: Can't run images after upgrading to 1.11.2~ds1-6
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß '.
> submitter 796774 !
Bug #796774 [gpgsm] [gpgsm] Can't create new certificate
Changed Bug submitter to 'Sandro Knauß ' from 'b...@sandroknauss.de'.
> submitter 796490 !
Bug #796490 [texlive-latex-base] [texlive-latex-base] pdflatex does not create reproducible pdfs with multiple images
Changed Bug submitter to 'Sandro Knauß ' from 'b...@sandroknauss.de'.
> # bugs with owner b...@sandroknauss.de
> owner 832420 !
Bug #832420 [wnpp] ITP: qtwebengine -- Web content engine library for Qt
Owner changed from "Sandro Knauß" to Sandro Knauß .
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
695433: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695433
760412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760412
778864: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778864
796490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796490
796744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796744
796774: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796774
799267: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799267
832067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832067
832103: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832103
832420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832420
839905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#813272: marked as done (RM: guile-1.8/1.8.8+1-10)
Your message dated Sun, 9 Oct 2016 17:16:41 +0300 with message-id <20161009141641.42jxs5zwmpkey...@bunk.spdns.de> and subject line guile-1.8 has already been removed from unstable and testing has caused the Debian Bug report #813272, regarding RM: guile-1.8/1.8.8+1-10 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
813272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
X-Debbugs-Cc: guile-...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: rm

According to the maintainer (and several other people) guile-1.8 should not be released in Stretch, and it's already too much that it ended up in Jessie. See #760986

Please remove it from stretch now, it's not being autoremoved because it's in key_packages (for its popcon, apparently…). After the removal #783684 should prevent its coming back.

A clean solution (according to my tests with dak rm) would be remove guile-1.8/1.8.8+1-10 lilypond/2.18.2-4.1 denemo/2.0.0-0.1 songwrite/0.14-10 frescobaldi/2.18.1+ds1-3

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: http://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
--- End Message ---

--- Begin Message ---
guile-1.8 has already been removed from unstable and testing.

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--- End Message ---
Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi Stable Release Managers, X-Debbugs-CC'ed Andreas Metzler. gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3, having a flaw in the OCSP certificate check. This was fixed upstream and included in unstable with 3.5.3-4 but would not warrant a DSA. Attached is proposed debdiff for jessie. Would it be acceptable for an upcoming point release? Regards, Salvatore diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.0 +0200 +++ gnutls28-3.3.8/debian/changelog 2016-10-09 14:36:18.0 +0200 @@ -1,3 +1,11 @@ +gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2016-7444: Incorrect certificate validation when using OCSP responses +(GNUTLS-SA-2016-3) + + -- Salvatore BonaccorsoSun, 09 Oct 2016 14:36:18 +0200 + gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch --- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-09 14:36:18.0 +0200 
@@ -0,0 +1,24 @@ +From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Sat, 27 Aug 2016 17:00:22 +0200 +Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP + response + +Previously the OCSP certificate check wouldn't verify the serial length +and could succeed in cases it shouldn't. + +Reported by Stefan Buehler. +--- + lib/x509/ocsp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/x509/ocsp.c b/lib/x509/ocsp.c +@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r + gnutls_assert(); + goto cleanup; + } ++ cserial.size = t; + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.0 +0200 +++ gnutls28-3.3.8/debian/patches/series 2016-10-09 14:36:18.0 +0200 @@ -14,3 +14,4 @@ 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch +52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
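Review bot: the one-line change in the lib/x509/ocsp.c hunk, `cserial.size = t;`, only closes CVE-2016-7444 if `t` is the byte count actually written into `cserial.data` by the serial extraction call immediately above the hunk; that call and its error branch (`gnutls_assert(); goto cleanup;`) lie outside the three context lines shown, so the backport should be checked against the full `gnutls_ocsp_resp_check_crt` in 3.3.8 to confirm the assignment lands before the `rserial.size != cserial.size` comparison and that `t` has not been reused for another length in between. Once the sizes are equal the following `memcmp(cserial.data, rserial.data, rserial.size)` reads within both buffers, so the comparison itself is sound. As a style point, the new debian/patches file carries only the git `From:`/`Date:`/`Subject:` headers; a DEP-3 `Origin: upstream, commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9` line would make the provenance of the backport traceable from the series file.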
Bug#836795: jessie-pu: package samba/2:4.1.17+dfsg-2+deb8u2
On Sun, Oct 09, 2016 at 10:34:55AM +0100, Adam D. Barratt wrote:
> On Sun, 2016-10-09 at 00:16 +, Jelmer Vernooij wrote:
> > On Sat, Sep 24, 2016 at 08:14:38PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 -moreinfo +confirmed
> > >
> > > On Mon, 2016-09-05 at 20:50 +, Jelmer Vernooij wrote:
> > > > I'd like to update Samba in jessie to 4.2.14+dfsg. Debdiff is attached.
> > > >
> > > > The 4 Samba releases since 4.2.10 (currently in jessie) only fix important bugs, in particular a CVE (CVE-2016-2119) and various regressions introduced by the security fixes from 4.2.10.
> > >
> > > Please go ahead, with the changelog distribution set to "jessie".
> > >
> > > I'll hopefully be able to find a suitable machine on my work network to test with, and I assume at least Lars Maes would also be happy to test.
> >
> > Can I also upload a new minor version of tevent that's required by this version of Samba?
>
> I'd prefer a separate bug for that, please, as tracking one package upload per p-u bug makes things much easier.

Done, submitted as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840188
Bug#836795: jessie-pu: package samba/2:4.1.17+dfsg-2+deb8u2
On Sun, 2016-10-09 at 00:16 +, Jelmer Vernooij wrote:
> On Sat, Sep 24, 2016 at 08:14:38PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> >
> > On Mon, 2016-09-05 at 20:50 +, Jelmer Vernooij wrote:
> > > I'd like to update Samba in jessie to 4.2.14+dfsg. Debdiff is attached.
> > >
> > > The 4 Samba releases since 4.2.10 (currently in jessie) only fix important bugs, in particular a CVE (CVE-2016-2119) and various regressions introduced by the security fixes from 4.2.10.
> >
> > Please go ahead, with the changelog distribution set to "jessie".
> >
> > I'll hopefully be able to find a suitable machine on my work network to test with, and I assume at least Lars Maes would also be happy to test.
>
> Can I also upload a new minor version of tevent that's required by this version of Samba?

I'd prefer a separate bug for that, please, as tracking one package upload per p-u bug makes things much easier.

Regards,

Adam
Re: Stretch freeze and the possible future upload of MATE 1.18
On 09/10/16 00:22, Mike Gabriel wrote:
> Hi Vlad,
>
> thanks for taking this initiative of communication. Much appreciated.
>
> I try to give some answers, Niels may jump in and correct me, if necessary.
>
> On Fri 07 Oct 2016 14:51:47 CEST, Vlad Orlov wrote:
>
>> Hi,
>>
>>> It depends on what the MATE release includes. If it involves a transition (e.g. ABI / API bumps), then you are looking at 5th of November as deadline.
>>
>> Hmm... does it mean changes in soname of some library from MATE that will cause package name change? E.g. libmate-desktop-2.so -> libmate-desktop-3.so, then package libmate-desktop-2-17 would have its name changed too.
>
> Yes. And all packages build-depending on libmate-desktop-dev would need to be rebuilt.
>
> In MATE this is non-critical as long as only MATE packages B-D on libmate-desktop-dev. But if there is any package outside of the Debian MATE team's scope, then this gets nasty so close to the freeze.

In theory, that is irrelevant. A library transition is a library transition, and the transition freeze is on November the 5th. So if you have a library that bumps the SONAME, then you should do that before that date.

>> Or does something else count as transition? E.g. if some of MATE packages would change dependency from libmateweather to libgweather.
>
> No. This should be fine.

That's fine indeed. Porting your apps (or even libraries, as long as you don't break the ABI) from a library to another, e.g. from mateweather to libgweather, or from libunique to GtkApplication, is fine.

>>> Otherwise, I strongly recommend using early/mid-December as the latest deadline upstream. That way the MATE packaging has 2-3 weeks to get it uploaded plus another 2-3 to fix any bugs without any extra hassle. I assume here that there is no need for new packages (based on your input below).
>>
>> Yes, there's no plan to add new packages into MATE.
>
> Ok. Good.
>
>> So December means we need to meet soft freeze date (2017-01-05)? That is, if we already handled the transitions.
>
> By this date, packages have to be landed in testing. So, they have to be uploaded to unstable "a couple of days" earlier. With the last freeze for jessie, there was a 10 day delay for the migration of packages from unstable to testing. IIRC.
>
>> Are new upstream versions allowed into Testing between soft freeze and full freeze (provided that these are only new versions, not new packages)?
>
> IIRC, this was possible with review by someone from the release team. As the MATE upstream team is really careful and minimal with the changes in point releases, I'd say all potential upstream releases of MATE within one release series (i.e. within 1.16 or 1.18) would be good candidates for receiving permission to be uploaded.

Review is required after the full freeze (a freeze exception). Between soft freeze and full freeze, a new version can be uploaded, but beware of the 10 day migration delay, possible build failures, RC bugs, new dependencies... that could delay your package migration. So don't upload 10 days before the freeze, do it with more margin to allow for any necessary fixes.

So yes, I'd suggest getting everything released and uploaded sometime in December, to then have a little time to get everything migrated.

Cheers,
Emilio
Re: jessie-ignore for "maintainer address bounces" bugs?
On 08/10/16 09:51, Andreas Beckmann wrote:
> On 2016-09-10 10:37, Andreas Beckmann wrote:
>> Hi,
>>
>> would it be OK to tag "maintainer address bounces" bugs as jessie-ignore?
>
> This would affect about 10 bugs in jessie and a few less in wheezy.

I wouldn't do that to these bugs for now, as I think they should be fixed and are easy to do so. In any case, we'll review all bugs by the time of the freeze and will add the tag to those we think need it.

Emilio