NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: systemd_241-7~deb10u1_mips64el.changes
  ACCEPT

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: systemd_241-7~deb10u1_armel.changes
  ACCEPT
Processing changes file: systemd_241-7~deb10u1_armhf.changes
  ACCEPT
Processing changes file: systemd_241-7~deb10u1_mips.changes
  ACCEPT

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: systemd_241-7~deb10u1_arm64.changes
  ACCEPT
Processing changes file: systemd_241-7~deb10u1_i386.changes
  ACCEPT

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: systemd_241-7~deb10u1_amd64.changes
  ACCEPT
Processing changes file: systemd_241-7~deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: systemd_241-7~deb10u1_s390x.changes
  ACCEPT

Bug#930795: unblock: ruby-airbrussh/1.3.2-1

[Samuel Henrique]

Hello Adam,

Thanks for your patience and explanation, here's the debdiff with the
solution I picked,

I backported the fix to 1.3.1-2, the version is 1.3.1-2+deb10u1 and I will
need to wait until 1.3.3-1 hits testing*, which is fine (2 days), to upload
it.

* because the current version in testing is the same as in stable, and the
version in testing needs to be higher/bug fixed in there as well.

Regards,

-- 
Samuel Henrique 


ruby-airbrussh_1.3.1-2+deb10u1.debdiff
Description: Binary data

Bug#887507: marked as done (stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u1)

[Debian Bug Tracking System]

Your message dated Wed, 21 Aug 2019 01:16:01 +0200
with message-id <20190820231601.ga4...@debian.org>
and subject line Re: Bug#887507: stretch-pu: package 
roundcube/1.2.3+dfsg.1-4+deb9u1
has caused the Debian Bug report #887507,
regarding stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887507
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hey,

upstream releases only bugfix releases for the 1.2 branch. As they,
do not add any new feature IMO it would makes sense to ship the newest
1.2.7 for Debian Stretch users. This is a prepackage request, I havn't
packaged 1.2.7 for Debian yet, as I would only put effort into it, if it
can enter stretch in principal. What I can present at the current state
is a diff of the upstream tarballs (excluded the minified files, cause
we create those in the packageing process itself). I don't expect any
changes in the debian folder itself, but I would present a complete
debdiff, if you approved the general idea of shipping 1.2.7 via pu.


Regards,

sandro


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -ru -x '*.min.js' -x '*.min.css' roundcubemail-1.2.3/bin/installto.sh 
roundcubemail-1.2.7/bin/installto.sh
--- roundcubemail-1.2.3/bin/installto.sh2016-11-27 17:08:57.0 
+0100
+++ roundcubemail-1.2.7/bin/installto.sh2017-11-08 19:52:27.0 
+0100
@@ -42,7 +42,6 @@
 $input = trim(fgets(STDIN));
 
 if (strtolower($input) == 'y') {
-  $err = false;
   echo "Copying files to target location...";
 
   // Save a copy of original .htaccess file (#1490623)
@@ -56,16 +55,16 @@
   }
   foreach ($dirs as $dir) {
 // @FIXME: should we use --delete for all directories?
-$delete = in_array($dir, array('program', 'installer')) ? '--delete ' : '';
-if (!system("rsync -avC " . $delete . INSTALL_PATH . "$dir/* 
$target_dir/$dir/")) {
-  $err = true;
-  break;
+$delete  = in_array($dir, array('program', 'installer')) ? '--delete ' : 
'';
+$command = "rsync -aC --out-format \"%n\" " . $delete . INSTALL_PATH . 
"$dir/* $target_dir/$dir/";
+if (!system($command, $ret) || $ret > 0) {
+  rcube::raise_error("Failed to execute command: $command", false, true);
 }
   }
   foreach 
(array('index.php','.htaccess','config/defaults.inc.php','composer.json-dist','CHANGELOG','README.md','UPGRADING','LICENSE','INSTALL')
 as $file) {
-if (!system("rsync -av " . INSTALL_PATH . "$file $target_dir/$file")) {
-  $err = true;
-  break;
+$command = "rsync -a --out-format \"%n\" " . INSTALL_PATH . "$file 
$target_dir/$file";
+if (file_exists(INSTALL_PATH . $file) && (!system($command, $ret) || $ret 
> 0)) {
+  rcube::raise_error("Failed to execute command: $command", false, true);
 }
   }
 
@@ -96,13 +95,12 @@
   echo "done.\n\n";
   }
 
-  if (!$err) {
-echo "Running update script at target...\n";
-system("cd $target_dir && php bin/update.sh --version=$oldversion");
-echo "All done.\n";
-  }
+  echo "Running update script at target...\n";
+  system("cd $target_dir && php bin/update.sh --version=$oldversion");
+  echo "All done.\n";
 }
-else
+else {
   echo "Update cancelled. See ya!\n";
+}
 
 ?>
diff -ru -x '*.min.js' -x '*.min.css' roundcubemail-1.2.3/CHANGELOG 
roundcubemail-1.2.7/CHANGELOG
--- roundcubemail-1.2.3/CHANGELOG   2016-11-27 17:08:57.0 +0100
+++ roundcubemail-1.2.7/CHANGELOG   2017-11-08 19:52:27.0 +0100
@@ -1,6 +1,61 @@
 CHANGELOG Roundcube Webmail
 ===
 
+RELEASE 1.2.7
+-
+- Fix rewind(): stream does not support seeking (#5950)
+- Fix bug where HTML messages could have been rendered empty on some systems 
(#5957)
+- Fix (again) bug where image data URIs in css style were treated as 
evil/remote in mail preview (#5580)
+- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838, #5959)
+- Fix file disclosure 

Processed: tagging 929611

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # Silly thinko
> tags 929611 - moreinfo + confirmed
Bug #929611 [release.debian.org] stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2
Removed tag(s) moreinfo.
Bug #929611 [release.debian.org] stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#902683: marked as done (stretch-pu: package python-proliantutils/2.1.11-2)

[Debian Bug Tracking System]

Your message dated Tue, 20 Aug 2019 23:56:00 +0100
with message-id 

and subject line Re: Bug#902683: stretch-pu: package 
python-proliantutils/2.1.11-2
has caused the Debian Bug report #902683,
regarding stretch-pu: package python-proliantutils/2.1.11-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
902683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I've prepared an update to python-proliantutils which fixes FTBFS when
there is internet connectivity in the build host. Please find the diff
attached to this bug report. Trivially, it replaces 1.1.1.1 by a never
reachable IP address in the test suite.

This update package will fix #902241.

The resulting built package is here:
http://sid.gplhost.com/stretch-proposed-updates/proliantutils/

Cheers,

Thomas Goirand (zigo)
diff -Nru python-proliantutils-2.1.11/debian/changelog 
python-proliantutils-2.1.11/debian/changelog
--- python-proliantutils-2.1.11/debian/changelog2016-09-26 
19:13:41.0 +0200
+++ python-proliantutils-2.1.11/debian/changelog2018-06-29 
16:25:22.0 +0200
@@ -1,3 +1,10 @@
+python-proliantutils (2.1.11-2+deb9u1) stretch; urgency=medium
+
+  * Add replace-quad1-by-doc-reserved-ip.patch which fixes FTBFS when the
+build machine has internet connectivity (Closes: #902241).
+
+ -- Thomas Goirand   Fri, 29 Jun 2018 16:25:22 +0200
+
 python-proliantutils (2.1.11-2) unstable; urgency=medium
 
   * d/s/options: extend-diff-ignore of .gitreview
diff -Nru 
python-proliantutils-2.1.11/debian/patches/replace-quad1-by-doc-reserved-ip.patch
 
python-proliantutils-2.1.11/debian/patches/replace-quad1-by-doc-reserved-ip.patch
--- 
python-proliantutils-2.1.11/debian/patches/replace-quad1-by-doc-reserved-ip.patch
   1970-01-01 01:00:00.0 +0100
+++ 
python-proliantutils-2.1.11/debian/patches/replace-quad1-by-doc-reserved-ip.patch
   2018-06-29 16:25:22.0 +0200
@@ -0,0 +1,23 @@
+Description: Replace 1.1.1.1 by doc reserved IPs
+ Looks like there's connectivity to 1.1.1.1 when the build machine has
+ internet access. Swiching to 198.51.100.1 never works, as it is a reserved
+ IP range for documentation purpose.
+ .
+ Note that upstream already removed 1.1.1.1 from its test decoration, so it
+ isn't needed to forward the patch in upstream master branch.
+Author: Thomas Goirand 
+Bug-Debian: https://bugs.debian.org/902241
+Forwarded: not-needed
+Last-Update: 2018-06-29
+
+--- 
python-proliantutils-2.1.11.orig/proliantutils/tests/ilo/test_firmware_controller.py
 
python-proliantutils-2.1.11/proliantutils/tests/ilo/test_firmware_controller.py
+@@ -551,7 +551,7 @@ class FirmwareImageUploaderTestCase(unit
+ self.assertEqual(returned_sock, ssl_mock.wrap_socket())
+ 
+ @ddt.data(('foo.bar.com', exception.IloConnectionError),
+-  ('1.1.1.1', exception.IloConnectionError),
++  ('198.51.100.1', exception.IloConnectionError),
+   ('any_kind_of_address', exception.IloConnectionError),)
+ @ddt.unpack
+ def test__get_socket_throws_exception_in_case_of_failed_connection(
diff -Nru python-proliantutils-2.1.11/debian/patches/series 
python-proliantutils-2.1.11/debian/patches/series
--- python-proliantutils-2.1.11/debian/patches/series   1970-01-01 
01:00:00.0 +0100
+++ python-proliantutils-2.1.11/debian/patches/series   2018-06-29 
16:25:22.0 +0200
@@ -0,0 +1 @@
+replace-quad1-by-doc-reserved-ip.patch
--- End Message ---
--- Begin Message ---
On Tue, 2019-07-16 at 20:31 +0100, Adam D. Barratt wrote:
> On Sat, 2019-03-09 at 16:40 +, Adam D. Barratt wrote:
> > On Thu, 2018-11-01 at 20:32 +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Fri, 2018-06-29 at 16:50 +0200, Thomas Goirand wrote:
> > > > I've prepared an update to python-proliantutils which fixes
> > > > FTBFS
> > > > when there is internet connectivity in the build host. Please
> > > > find
> > > > the diff attached to this bug report. Trivially, it replaces
> > > > 1.1.1.1
> > > > by a never reachable IP address in the test suite.
> > > 
> > > This wasn't fixed in unstable last time I looked, but apparently
> > > has
> > > been in the meantime, so please go ahead.
> > 
> > Ping?
> 
> Ping? If nothing happens by August 15th then I plan to close this
> bug.
> 

Doing so with this message.

Regards,

Adam--- End Message ---

Bug#887427: marked as done (stretch-pu: package buildbot/0.8.12-3.2)

[Debian Bug Tracking System]

Your message dated Tue, 20 Aug 2019 23:55:16 +0100
with message-id 

and subject line Re: Bug#887427: stretch-pu: package buildbot/0.8.12-3.2
has caused the Debian Bug report #887427,
regarding stretch-pu: package buildbot/0.8.12-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello there,

In Stretch we have buildbot package version 0.8.12-3.2 (abandoned by 
maintainer).
Unfortunately it's unusable, because of hardcoded versioned dependence on
sqlalchemy with version lesser than one in stretch.

Piotr Ozarowski  tried to fix this, removing dependence from control,
but this is not enough (package builds, installs but not work at all), see 
#867588

This could be easy fixed by removing versioned runtime dependencies:

diff --git a/setup.py b/setup.py
index e70ab16..2f9f716 100755
--- a/setup.py
+++ b/setup.py
@@ -381,11 +381,8 @@ else:
 ]
 
 setup_args['install_requires'] += [
-# sqlalchemy-0.8 betas show issues with sqlalchemy-0.7.2, so stick to 
0.7.10
-'sqlalchemy >= 0.6, <= 0.7.10',
-# buildbot depends on sqlalchemy internals, and this is the tested
-# version.
-'sqlalchemy-migrate==0.7.2',
+'sqlalchemy >= 0.6',
+'sqlalchemy-migrate>=0.7.2',
 'python-dateutil>=1.5',
 ]
 setup_args['tests_require'] = [

After that package could be installed and used in Debian Stretch release. (At 
least
autotests pass and buildbot works as expected.)

Waiting for approve to do NMU to stretch-proposed-updates.



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (670, 'stable-updates'), (670, 'stable'), (630, 'testing'), (600, 
'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), 
LANGUAGE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On Tue, 2019-07-16 at 20:29 +0100, Adam D. Barratt wrote:
> On Sun, 2018-12-02 at 16:53 +0100, Julien Cristau wrote:
> > Control: tag -1 - moreinfo
> > Control: tag -1 + confirmed
> > 
> > On Tue, Jan 16, 2018 at 02:54:14PM +0300, Alexander GQ Gerasiov
> > wrote:
> [...]
> > > Waiting for approve to do NMU to stretch-proposed-updates.
> > > 
> > 
> > Sounds ok.  Please use version 0.8.12-3.2+deb9u1.
> 
> Ping? If nothing happens by August 15th then I plan to close this
> bug.

Doing so with this message.

Regards,

Adam--- End Message ---

Processed: Bug#932111: buster-pu: package webkit2gtk/2.24.3-1~deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #932111 [release.debian.org] buster-pu: package webkit2gtk/2.24.3-1~deb10u1
Added tag(s) confirmed.

-- 
932111: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#912068: marked as done (stretch-pu: package apache-directory-server/2.0.0~M15-4)

[Debian Bug Tracking System]

Your message dated Tue, 20 Aug 2019 23:56:39 +0100
with message-id 

and subject line Re: Bug#912068: stretch-pu: package 
apache-directory-server/2.0.0~M15-4
has caused the Debian Bug report #912068,
regarding stretch-pu: package apache-directory-server/2.0.0~M15-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912068
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I would like to upload fixes for two RC bugs that affect stretch and make
the package uninstallable and, after manually fixing that, unusable:

 #909063 - apacheds: package installation fails due to incorrect 
apacheds.service unit
 #911557 - apacheds: broken symlinks: 
/usr/share/apacheds/lib/{log4j-1.2,commons-io,antlr}.jar

Find attached the diff between the version now in stretch and the proposed
version.

-BEGIN PGP SIGNATURE-

iQKJBAEBCABzFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlvUzCUxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYyMcZG9taW5p
ay5nZW9yZ2VAaXQucGlyYXRlbnBhcnRlaS5kZQAKCRC3mjwWoMTylrCFD/0QUhlM
ijX+9V3iHy8/j5T/jsLB5jyOcYuuFofC1vucHN9IQAx809U002X1ODYwicydkXcq
wpo9RAvPqJr1zYO47p9O8M/qj0wf1r4g/avZRH0rJbf1n0I8O8yJAUvTHtKjQXub
sARZm3HmZ/axSES281IzBthvjmPnMMJR6347irFrTIemgvBO84yxTw6n4qHMD+uc
hJPfjJ0bYuk+db0zv99QG8cSfGJoZG5IxpasIQKFvkBzj147EW+uzEahy/UxnqUw
kUobzzsviLR9qh2R2Rf8RlIIuKsfP9Fvdtf4aUwd00XpsW6nk3O37Rrlz/ZeWosP
RPEizy0cwaFYWxlTwVRd/2Gj6wKnGVHbNBU6x++XRGEae5nyFB5AnQcbWw8Zoj+M
Q4Cgfh07RtN5nu9o07MNrorr1ks/2muDFp+0Mu8T2inQ4p0V9Wf2RFEEJy/BPZMX
p7/h+4iP5CO2vtT130zhZhbj0laxdQ1HRVIjAmknSrYHF5QAY3BNINHiYp4YjfTH
piIGjddlW+DDwNvN/UXIAOtmxJlfpB/pcblSzzMLnTnxgNoxXxfPVN2qYQDJznvf
vk9yx1t2P829QE09eeOpR9TQnujU6uwN5rOosTw8mv4oH2Z7YOcJQ3V7otMUCXp4
Z3IfnTn+Cyj1HBMixuPc4KduGAufG6mdvX2Osw==
=oswM
-END PGP SIGNATURE-
diff --git a/debian/apacheds.service b/debian/apacheds.service
index e6de514..23efa17 100644
--- a/debian/apacheds.service
+++ b/debian/apacheds.service
@@ -8,14 +8,15 @@ Type=simple
 User=apacheds
 Group=apacheds
 EnvironmentFile=/etc/default/apacheds
-ExecStart=${JAVA_HOME}/bin/java ${JAVA_OPTS} \
--Dapacheds.controls=${ADS_CONTROLS} \
--Dapacheds.extendedOperations=${ADS_EXTENDED_OPERATIONS} \
-
-Dlog4j.configuration=file:${ADS_INSTANCES}/${ADS_INSTANCE}/conf/log4j.properties
 \
--Dapacheds.log.dir=${ADS_INSTANCES}/${ADS_INSTANCE}/log \
--cp '${ADS_HOME}/lib/*' \
-org.apache.directory.server.UberjarMain \
-${ADS_INSTANCES}/${ADS_INSTANCE}/
+ExecStart=/bin/sh -c "exec \
+${JAVA_HOME}/bin/java ${JAVA_OPTS} \
+  -Dapacheds.controls=${ADS_CONTROLS} \
+  -Dapacheds.extendedOperations=${ADS_EXTENDED_OPERATIONS} \
+  
-Dlog4j.configuration=file:${ADS_INSTANCES}/${ADS_INSTANCE}/conf/log4j.properties
 \
+  -Dapacheds.log.dir=${ADS_INSTANCES}/${ADS_INSTANCE}/log \
+  -cp '${ADS_HOME}/lib/*' \
+  org.apache.directory.server.UberjarMain \
+  ${ADS_INSTANCES}/${ADS_INSTANCE}/"
 PrivateTmp=true
 
 [Install]
diff --git a/debian/changelog b/debian/changelog
index 62c6358..bdfa64f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache-directory-server (2.0.0~M15-4+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix command in systemd service file. (Closes: #909063)
+  * Add missing dependencies to libraries. (Closes: #911557)
+
+ -- Dominik George   Sat, 27 Oct 2018 15:32:48 +0200
+
 apache-directory-server (2.0.0~M15-4) unstable; urgency=medium
 
   * Transition to Jetty 9
diff --git a/debian/control b/debian/control
index 0b02379..31df170 100644
--- a/debian/control
+++ b/debian/control
@@ -30,7 +30,14 @@ Homepage: http://directory.apache.org
 
 Package: libapacheds-java
 Architecture: all
-Depends: ${maven:Depends}, ${misc:Depends}, libapacheds-i18n-java (= 
${source:Version}), libapacheds-kerberos-codec-java (= ${source:Version})
+Depends:
+ libantlr-java,
+ libapacheds-i18n-java (= ${source:Version}),
+ libapacheds-kerberos-codec-java (= ${source:Version}),
+ libcommons-io-java,
+ liblog4j1.2-java,
+ ${maven:Depends},
+ ${misc:Depends},
 Suggests: ${maven:OptionalDepends}
 Description: Apache Directory Server (Libraries)
  ApacheDS is an embbedable directory server entirely written in Java, which
--- End Message ---
--- Begin Message ---
On Tue, 2019-07-16 at 

Bug#932111: buster-pu: package webkit2gtk/2.24.3-1~deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

This request never reached debian-release, most likely due to the size
of the diff.

On Mon, 2019-07-15 at 13:57 +0300, Alberto Garcia wrote:
> the i386 build of webkit2gtk that went into buster requires an
> SSE2-capable CPU. Because of this, apps that use this library
> (e.g. Zenity or Liferea) can crash.
> 
> A bug was filed for this problem (#930935) but it was too late
> to fix the package for buster, so it was decided to do it in the
> first update. There's a section on the release notes explaining the
> situation and warning affected i386 users to wait until this is
> solved:
[...]
> This upload fixes this problem. Note that I'm also updating the
> package to the most recent stable release (version 2.24.3), published
> two weeks ago. It contains many other fixes including those for two
> other Debian bugs (#929749, #870814). The reason why I'm doing this
> is because that's the same approach that we are going to follow with
> the webkit2gtk security releases.

Please go ahead.

Regards,

Adam

Processed: Bug#934308: buster-pu: package dpdk/18.11.2-2+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #934308 [release.debian.org] buster-pu: package dpdk/18.11.2-2+deb10u1
Added tag(s) confirmed.

-- 
934308: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934308
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#934308: buster-pu: package dpdk/18.11.2-2+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

This request never made it to debian-release, most likely due to the
size of the diff.

On Fri, 2019-08-09 at 13:54 +0100, Luca Boccassi wrote:
> We would like to upload a new LTS release version of DPDK to buster.
> We have already done this previously in stretch, and it was approved
> for the 16.11 LTS series [1][2][3], but given this is a new Debian
> release in combination with a new LTS release train I have not yet
> uploaded to p-u and will wait for an explicit ACK. We would like to
> upload new 18.11 LTS versions as they are released upstream to buster
> -
> EOL is projected in November 2020.

What's the plan for after that point?

> As with the 16.11 LTS, the 18.11 LTS point release has only bug
> fixes and no API/ABI changes and has been tested extensively and
> deployed on Debian Buster and more distros, which includes running
> regression tests.

Please go ahead.

Regards,

Adam

Processed: Re: Bug#887736: stretch-pu: package openvswitch/2.6.2~pre+git20161223-3

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #887736 [release.debian.org] stretch-pu: package 
openvswitch/2.6.2~pre+git20161223-3
Added tag(s) moreinfo.

-- 
887736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#887736: stretch-pu: package openvswitch/2.6.2~pre+git20161223-3

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Fri, 2018-01-19 at 15:21 +0100, Thomas Goirand wrote:
> I started maintaining OpenVSwitch long after the Stretch release, and
> discovered #858418, which is very annoying for OpenVSwitch users.
> 
> tl;dr: #858418 prevent anyone that has a valid
> /etc/network/interfaces
> with OpenVSwitch directive from having a working network at boot. The
> init script uses a non-documented, not-to-be-used systemd internal,
> which is miserably failing.
> 
> After a long discussion with the bug reporter (which can be read on
> the BTS), I came to the conclusion that he's right, and that the most
> reasonable and safe way to fix the current situation is to apply the
> patch he suggested (and which resulting debdiff I attached to this
> bug).

As I understand things, that fix swaps use of one systemd internal for
another, which doesn't seem like a great plan.

When this was discussed (some time ago) on IRC, one of the systemd
maintainers essentially said "don't do that". With apologies for the
delay in doing so, I've CCed the maintainer list to see if we can find
a mutually acceptable solution.

Regards,

Adam

Bug#905061: marked as done (stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1)

[Debian Bug Tracking System]

Your message dated Tue, 20 Aug 2019 23:29:27 +0100
with message-id 
<098ffdfec287b4849a660b71c3855ef01a23a357.ca...@adam-barratt.org.uk>
and subject line Re: Bug#905061: stretch-pu: package 
mruby/1.2.0+20161228+git30d5424a-1+deb9u1
has caused the Debian Bug report #905061,
regarding stretch-pu: package mruby/1.2.0+20161228+git30d5424a-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
905061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

I hereby propose an update for stretch of mruby. It contains a patch
fixing CVE-2017-9527 [1]. The security issue was marked as being
no-DSA [2].

The changelog entry is:

  mruby (1.2.0+20161228+git30d5424a-1+deb9u1) stretch; urgency=high

* Backport patches from 1.3.0. (Closes: #865778)
  - CVE-2017-9527: heap-based use-after-free

   -- Nobuhiro Iwamatsu   Tue, 14 Nov 2017 12:40:35 +0900

Please see the attached debdiff for details.

Best regards,
  Nobuhiro

[1] https://bugs.debian.org/865778
[2] https://security-tracker.debian.org/tracker/CVE-2017-9527

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6


mruby_1.2.0+20161228+git30d5424a-1+deb9u1.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
On Thu, 2018-11-01 at 20:37 +, Adam D. Barratt wrote:
> On Tue, 2018-07-31 at 11:56 +0200, Moritz Mühlenhoff wrote:
> > On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
> [...]
> > > I hereby propose an update for stretch of mruby.
> > 
> > There's a few more no-dsa issues for mruby, if you're doing an
> > update
> > anyway, could you also check whether they make sense to be fixed in
> > stretch?
> > 
> > See here:
> > https://security-tracker.debian.org/tracker/CVE-2018-10191
> > https://security-tracker.debian.org/tracker/CVE-2018-14337
> > https://security-tracker.debian.org/tracker/CVE-2018-12249
> > https://security-tracker.debian.org/tracker/CVE-2018-12248
> > https://security-tracker.debian.org/tracker/CVE-2018-11743
> 
> Ping?

There's been no response in over a year, so I'm closing this request.

Regards,

Adam--- End Message ---

Processed: Re: Bug#916650: stretch-pu: package liquidsoap/1.1.1-7.2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #916650 [release.debian.org] stretch-pu: package liquidsoap/1.1.1-7.2
Removed tag(s) moreinfo.
Bug #916650 [release.debian.org] stretch-pu: package liquidsoap/1.1.1-7.2
Added tag(s) confirmed.

-- 
916650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931968: stretch-pu: package libtk-img/1:1.4.6+dfsg-1+deb9u1 pre-approval

[Adam D. Barratt]

Control; tags -1 -moreinfo +confirmed

On Mon, 2019-07-29 at 10:42 +0300, Sergei Golovan wrote:
> Hi Adam,
> 
> On Fri, Jul 26, 2019 at 10:46 PM Adam D. Barratt
>  wrote:
> > Control: tags -1 + moreinfo
> > 
> > On 2019-07-13 01:26, Sergei Golovan wrote:
> > > I'd like to fix #931422 (see [1]) for stretch (the bug is already
> > > fixed
> > > in unstable, see also #931967 [2]).
> > > 
> > > The diff with the current 1:1.4.6+dfsg-1 is attaced.
> > > 
> > > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931422
> > > [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931967
> > 
> > The same question applies here as for the buster update, i.e. what
> > is
> > the practical impact of the change?
> 
> The answer is the same as for bug 931967. From the user point of view
> nothing should be changed. Just some images which now cause a
> segfault when loaded by libtk-img will load just fine.

Thanks. Please go ahead.

Regards,

Adam

Bug#924278: stretch-pu: package clamav/0.100.2+dfsg-0+deb9u1

[Adam D. Barratt]

On Tue, 2019-08-20 at 23:38 +0200, Sebastian Andrzej Siewior wrote:
> On 2019-08-20 22:18:28 [+0100], Adam D. Barratt wrote:
> > Indeed, and then we dropped the ball again. :-(
> > 
> > Let's get this going.
> 
> So I upload the here promissed Stretch package

Yep, then we smile sweetly at ftp-master to get it processed from NEW.

> and then open p-u bugs
> for the transition?

Is anything required beyond binNMUs of r-deps?

Regards,

Adam

Bug#887507: stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u1

[Adam D. Barratt]

On Mon, 2018-12-03 at 08:15 +0100, Julien Cristau wrote:
> Control: tag -1 + moreinfo
> 
> On Wed, Jan 17, 2018 at 05:04:15PM +0100, Sandro Knauß wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Hey,
> > 
> > upstream releases only bugfix releases for the 1.2 branch. As they,
> > do not add any new feature IMO it would makes sense to ship the
> > newest
> > 1.2.7 for Debian Stretch users. This is a prepackage request, I
> > havn't
> > packaged 1.2.7 for Debian yet, as I would only put effort into it,
> > if it
> > can enter stretch in principal. What I can present at the current
> > state
> > is a diff of the upstream tarballs (excluded the minified files,
> > cause
> > we create those in the packageing process itself). I don't expect
> > any
> > changes in the debian folder itself, but I would present a complete
> > debdiff, if you approved the general idea of shipping 1.2.7 via pu.
> > 
> Hi Sandro,
> 
> sounds fine to me in theory, please follow up with a tested debdiff
> and
> remove the moreinfo tag.

That was 8 months ago now and there's been no follow up. Is this still
of any interest?

Regards,

Adam

Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

[Adam D. Barratt]

Control: tags -1 + confirmed

On Thu, 2019-07-18 at 05:07 +0200, Christoph Biedl wrote:
> Adam D. Barratt wrote...
> 
> > Assuming I count correctly, your mail was from approximately 6
> > weeks
> > before the date of the upcoming 9.9 point release.
> 
> This story has a tendency to fall off radar repeatedly. Perhaps we
> can
> eventually find a solution for this in the next days?

I guess we should just get on with it.

FWIW, we're currently about 2.5 weeks from the next point release. I
realise that {c,sh}ould have been longer.

Regards,

Adam

Processed: Re: Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #925251 [release.debian.org] stretch-pu: package file/1:5.30-1+deb9u2
Added tag(s) confirmed.

-- 
925251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#916650: stretch-pu: package liquidsoap/1.1.1-7.2

[Adam D. Barratt]

Control: tags -1 -moreinfo +confirmed

On Sat, 2019-02-09 at 22:05 +0200, Kyle Robbertze wrote:
> On 2019/02/09 16:08, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Sun, 2018-12-16 at 23:58 +0200, Kyle Robbertze wrote:
> > > The current liquidsoap package in stable segfaults imediately on
> > > run.
> > > Details are in bug #812591. The segfault is due to Ocaml version
> > > 4.02
> > > which is present in stable. The fix upstream has been applied
> > > here
> > > (sourced from Ubuntu where it has been working since 17.10). It
> > > is
> > > part of the version currently in buster and unstable.
> > 
> > Apologies for not getting back to you sooner.
> 
> No worries, we all get busy :)

Apparently so. *sigh*

[...]
> > If a package is incompatible with a newer version of Ocaml, is
> > there no
> > way of indicating this via e.g. dependency relationships, or the
> > package somehow indicating which versions of Ocaml it is compatible
> > with? This seems like the sort of thing that could also cause
> > issues
> > with partial upgrades between stable releases.
> 
> With this fix, it is compatible with newer Ocaml versions and the new
> version in buster and unstable are too. As far as I can tell, there
> have
> been no issues with newer versions outside of this. The common
> convention seems to be to declare an un-versioned or minimum version
> dependency on Ocaml and expect it to work with future versions.
> 

OK, I guess we can go with this. Sorry for the delay (again).

Regards,

Adam

Bug#887324: stretch-pu: package python-flask-rdf/0.2.0-1.1~deb9u1

[Adam D. Barratt]

On Mon, 2018-06-25 at 05:17 +0200, Andreas Beckmann wrote:
> Control: tag -1 moreinfo
> 
> On Sun, 14 Jan 2018 23:45:31 +0100 Andreas Beckmann 
> wrote:
> > Let's fix the python3 dependency by rebuilding the package from
> > sid,
> > Depends: [-python3-mimeparse-] {+python3-mimeparse, python3-six,
> > python3:any (>= 3.3.2-2~)+}
> 
> That is not sufficient: #896358, #896385
> 
> ImportError: No module named 'rdflib'

What's the status here?

Regards,

Adam

Bug#912531: stretch-pu: package exiv2/0.25-3.1+deb9u2

[Adam D. Barratt]

On Sun, 2019-03-31 at 15:44 -0400, Roberto C.Sánchez wrote:
> On Sun, Mar 31, 2019 at 08:09:27PM +0100, Adam D. Barratt wrote:
> > On Thu, 2018-11-01 at 21:07 -0400, Roberto C.Sánchez wrote:
> > > On Thu, Nov 01, 2018 at 06:50:53PM +, Adam D. Barratt wrote:
> > > > Control: tags -1 + moreinfo
> > > > 
> > > > On Wed, 2018-10-31 at 23:25 -0400, Roberto C. Sanchez wrote:
> > > > > I have prepared an update for exiv2 in jessie (0.24-
> > > > > 4.1+deb8u2)
> > > > > related to CVE-2018-16336 and also including a minor fix to
> > > > > the
> > > > > previous patch for CVE-2018-10958 and CVE-2018-10999.
> > > > 
> > > > The Security Tracker indicates that CVE-2018-16336 is as-yet
> > > > unfixed in
> > > > unstable; is that correct?
> > > > 
> > > 
> > > Hi Adam,
> > > 
> > > That is correct.  I completely overlooked it.  I will check with
> > > the
> > > maintainers about their plans for unstable.
> > 
> > Was there any progress there? The issue is still marked as
> > affecting
> > unstable in the tracker.
> > 
> No real progress.  I sent a message [0] to the packaging team's
> mailing
> list that same day (1st November).  Salvatore responded a few days
> later, but there was no response after that.
> 
> Regards,
> 
> -Roberto
> 
> [0] 
> https://alioth-lists.debian.net/pipermail/pkg-kde-extras/2018-November/029728.html
> 

Still nothing? We're about to hit 10 months since the initial request.
:-(

Regards,

Adam

Bug#885069: stretch-pu: package open-iscsi/2.0.874-3~deb9u1

[Adam D. Barratt]

On Fri, 2019-04-26 at 21:42 +0200, Salvatore Bonaccorso wrote:
> Hi Christian,
> 
> On Fri, Nov 09, 2018 at 06:53:07AM +0100, Salvatore Bonaccorso wrote:
> > Hi Christian,
> > 
> > On Sat, Feb 10, 2018 at 10:15:48AM +0100, Julien Cristau wrote:
> > > Control: tag -1 moreinfo
> > > 
> > > On Sat, Dec 23, 2017 at 13:40:43 +0100, Christian Seiler wrote:
[...]
> > > The above makes little sense to me.  We find out the peer uid,
> > > then
> > > instead of just comparing that against 0 we turn it into a struct
> > > passwd
> > > and compare pw_name against "root".  Why?
> > 
> > Did you had any chance to look at Julien's concerns/questions back
> > on
> > this proposed update for stretch?
> 
> Friendly ping :)
> 

If there's no follow-up by the time the 9.10 point release happens
(~2.5 weeks time) then I will close this request.

Regards,

Adam

Bug#902487: debdiff log

[Adam D. Barratt]

Control: tags -1 + confirmed

Sorry for the delay in getting back to you.

On Wed, 2018-06-27 at 11:45 +0530, Manas Kashyap wrote:
> diff -Nru ruby-encryptor-3.0.0/debian/changelog ruby-encryptor-
> 3.0.0/debian/changelog
> --- ruby-encryptor-3.0.0/debian/changelog   2016-04-06
> 19:23:59.0 +
> +++ ruby-encryptor-3.0.0/debian/changelog   2018-06-26
> 07:14:17.0 +
> @@ -1,3 +1,11 @@
> +ruby-encryptor (3.0.0-1+deb9u1) stretch; urgency=medium
> +
> +  * Team upload
> +  * Ignore test failures (Its only reverse dependency is ruby-attr-
> encrypted
> +which handles this correctly, all of its tests pass) (Closes:
> #880276)
> 

This really doesn't make me happy as a fix, but let's go with it.

Regards,

Adam

Processed: Re: Bug#902487: debdiff log

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #902487 [release.debian.org] stretch-pu: package 
ruby-encryptor/3.0.0-1+deb9u1
Added tag(s) confirmed.

-- 
902487: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#928556: stretch-pu: package gocode/20150303-3+deb9u2

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-05-07 at 05:57 +0200, Andreas Beckmann wrote:
> the last stretch-pu update of gocode caused a regression on
> jessie->stretch updates. If I make the recently added Pre-Depends
> versioned to pull in the version from stretch first, everything seems
> to
> work again as expected.
> 

Hopefully there won't be too many such updates in practice now.

Please go ahead.

Regards,

Adam

Processed: Re: Bug#928556: stretch-pu: package gocode/20150303-3+deb9u2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #928556 [release.debian.org] stretch-pu: package gocode/20150303-3+deb9u2
Added tag(s) confirmed.

-- 
928556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #917880 [release.debian.org] stretch-pu: package kamailio/4.4.4-2+deb9u3
Added tag(s) moreinfo.

-- 
917880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Mon, 2018-12-31 at 11:22 +0100, Victor Seva wrote:
> version in stable can't be used with TLS enabled due to #902452 with
> severity grave. If user enables TLS kamailio fails to start.
> 

Apologies for the delay in getting back to you.

Is the result of the patch that kamaillo assumes that Kerberos is
always OK with newer OpenSSL versions, or the reverse?

Regards,

Adam

Bug#915935: stretch-pu: package zfs-auto-snapshot/1.2.1-1+deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2018-12-08 at 01:07 +0100, Andreas Beckmann wrote:
> Can we backport the changes from unstable that silence the cronjobs
> after package removal? #850776
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Processed: Re: Bug#915935: stretch-pu: package zfs-auto-snapshot/1.2.1-1+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #915935 [release.debian.org] stretch-pu: package 
zfs-auto-snapshot/1.2.1-1+deb9u1
Added tag(s) confirmed.

-- 
915935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915935
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#934356: stretch-pu: package mitmproxy/0.18.2-6

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #934356 [release.debian.org] stretch-pu: package mitmproxy/0.18.2-6
Added tag(s) confirmed.

-- 
934356: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#934356: stretch-pu: package mitmproxy/0.18.2-6

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2019-08-10 at 09:27 +0200, Sebastien Delafond wrote:
> Could 0.18.2-6+deb9u1 be included in stretch's next point release ?
> It
> closes #934033, which is an FTBFS on stretch, by blacklisting a
> couple
> #more things from the test suite.
> 

Please go ahead.

Regards,

Adam

Bug#933176: stretch-pu: package fig2dev/1:3.2.6a-2+deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2019-07-27 at 11:33 +0200, Roland Rosenfeld wrote:
> This fixes CVE-2019-14275 in stretch.  Since this is tagged
> "unimportant" by the security team on
> https://security-tracker.debian.org/tracker/CVE-2019-14275 they won't
> publish a DSA, so I tend to send this into the next point release of
> buster.

stretch. :-)

> Attached you'll find the diff against 3.2.6a-2+deb9u1.
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#933176: stretch-pu: package fig2dev/1:3.2.6a-2+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933176 [release.debian.org] stretch-pu: package fig2dev/1:3.2.6a-2+deb9u1
Added tag(s) confirmed.

-- 
933176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931350: stretch-pu: package fence-agents/4.0.25-1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-07-02 at 21:20 +0200, Valentin Vidic wrote:
> I would like to upload a new version of fence-agents to stretch in
> order
> to fix the UTF-8 problem that was recently fixed for buster too.
> debdiff
> of the change is attached.
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Processed: Re: Bug#931350: stretch-pu: package fence-agents/4.0.25-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #931350 [release.debian.org] stretch-pu: package fence-agents/4.0.25-1
Added tag(s) confirmed.

-- 
931350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #931610 [release.debian.org] stretch-pu: package pound/2.7-1.3+deb9u1
Added tag(s) confirmed.

-- 
931610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2019-07-13 at 12:36 +0200, Carsten Leonhardt wrote:
> Control: tags -1 - moreinfo
> 
> Hi,
> 
> attached is a new debdiff, the only change is that I removed some
> cruft
> from the "Origin" field in the patch metadata.
> 
> I've deployed this version on live servers this morning and tested
> them.
> 

Please go ahead; thanks.

Regards,

Adam

Bug#929611: Update

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Wed, 2019-06-26 at 14:08 +0200, Xavier wrote:
> Hi all,
> 
> I updated my debdiff due to a little security hole discovered in
> lemonldap-ng 1.9.x

Please go ahead; sorry for the delay.

Regards,

Adam

Processed: Re: Bug#929611: Update

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #929611 [release.debian.org] stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2
Added tag(s) moreinfo.

-- 
929611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#924278: stretch-pu: package clamav/0.100.2+dfsg-0+deb9u1

[Sebastian Andrzej Siewior]

On 2019-08-20 22:18:28 [+0100], Adam D. Barratt wrote:
> Indeed, and then we dropped the ball again. :-(
> 
> Let's get this going.

So I upload the here promissed Stretch package and then open p-u bugs
for the transition?

> Regards,
> 
> Adam

Sebastian

Bug#930795: unblock: ruby-airbrussh/1.3.2-1

[Adam D. Barratt]

On Tue, 2019-08-20 at 22:22 +0100, Samuel Henrique wrote:
> Hello Adam,
> 
> > It certainly can't be 1.3.2-1+deb10u1, as that version number is
> > higher
> > than the package in unstable. Either one would need to go with
> > 1.3.1-
> > 2+deb10u1 with just the bug fix applied, or 1.3.2-1~deb10u1 with a
> > "backports-style" changelog containing both 1.3.2-1 and then the
> > stable
> > update. In either case we would need a debdiff that reflects the
> > chosen
> > approach.
> > 
> > One thing that will need to be fixed in unstable first either way:
> > 
> > Not built on buildd: arch all binaries uploaded by samueloph
> > 
> > As per the d-d-a announcement, that will need a new source upload
> > to
> > unstable to resolve, as arch:all can't be usefully binNMUed.
> 
> I just uploaded 1.3.3-1 (source-only) to unstable, can I just wait
> until it migrates to testing and then go with "1.3.2-1+deb10u1" ?
> If so, I will remove the "moreinfo" tag when it the package migrates
> to Testing (in 2 days) and we can use the latest debdiff on this
> thread.

That doesn't really make sense as a version here, as it's not a stable
update on top of 1.3.2-1; stable only has 1.3.1-2.

If you really want to go with the complete version rather than just the
specific fix, then either 1.3.2-1~deb10u1 - and therefore with the
original 1.3.2-1 changelog with a "backports style" entry on top - or
1.3.2-0+deb10u1.

Regards,

Adam

Bug#931358: release.debian.org: buster-pu (pre-approval): musescore/2.3.2+dfsg2-7? -7~deb10+1?

[Thorsten Glaser]

Adam D. Barratt dixit:

>Please go ahead; sorry for the delay.

Done, thanks!

bye,
//mirabilos
-- 
> Hi, does anyone sell openbsd stickers by themselves and not packaged
> with other products?
No, the only way I've seen them sold is for $40 with a free OpenBSD CD.
-- Haroon Khalid and Steve Shockley in gmane.os.openbsd.misc

Bug#932251: buster-pu: package spl-linux/0.7.12-2+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Wed, 2019-07-17 at 07:06 +, Aron Xu wrote:
> On Wed, Jul 17, 2019 at 01:41:12AM +, Aron Xu wrote:
> > We would like to apply a single-line patch in addition to spl-
> > linux/0.7.12-2
> > which fixes a deadlock[1], please see the changes in debdiff.
> > 
> > [1]
> > https://github.com/zfsonlinux/spl/commit/cb4464f1549087794fdbe0f5ad2328618de2033e
> > 

Please go ahead.

Regards,

Adam

Bug#924278: stretch-pu: package clamav/0.100.2+dfsg-0+deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2019-05-18 at 23:41 +0200, Sebastian Andrzej Siewior wrote:
> On 2019-03-27 19:43:13 [+], Adam D. Barratt wrote:
> > Sure. To make things easier to keep track of (at least for me),
> > could
> > you open a new bug for the 0.100.3 update, and we'll keep using
> > this
> > one for the effective transition.
> 
> Please find attach a debdiff between 0.100.3 (current Stretch) and
> 0.101.2 (Buster and proposed Stretch).
> The package is unchanged since I created the bug. I have no idea who
> is
> waiting here for whom but I *think* the stable team waited for an
> update. In case it is not, I am back to patience mode :)

Indeed, and then we dropped the ball again. :-(

Let's get this going.

Regards,

Adam

Processed: Re: Bug#931282: unblock: s-nail/14.9.11-3

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #931282 [release.debian.org] buster-pu: package s-nail/14.9.11-2+deb10u1
Added tag(s) moreinfo.

-- 
931282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931282
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931282: unblock: s-nail/14.9.11-3

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Mon, 2019-07-01 at 10:49 +0200, Paride Legovini wrote:
> Paul Gevers wrote on 30/06/2019:
> 
> > Hi Paride,
> > 
> > On 30-06-2019 14:55, Paride Legovini wrote:
> > > Please unblock package s-nail. Version 14.9.11-3 contains a
> > > targeted fix for
> > > #930691 I've got from upstream. The debdiff between -2 and -3 is
> > > attached.
> > 
> > The time for unblocks for buster has come and gone. The deadline
> > was
> > last Tuesday, we are now in deep freeze. If you consider the bug
> > severe
> > enough (please fix the bug metadata if you do) you can consider a
> > stable
> > release update targeting buster (I have updated this bugs
> > metadata),
> > such that this can be fixed in the first point release.
> 
> Thanks Paul,
> 
> I'll call this a off-by-one-week error. I am sorry. At least I know
> that
> when I've got the patch for #930691 it was already too late for an
> unblock.
> 
> I reviewed the policy for stable release updates; while definitely a
> deal breaker for some users I'm not sure #930691 qualifies as "a
> truly
> critical functionality problem". Affected users are those using the
> GSSAPI + Kerberos authentication.
> 
> What's the take of the stable release team here?

Sorry for the delay in getting back to you.

This looks like it would be OK for stable, but we would need a debdiff
of a package built and tested on stable (and appropriately versioned),
please.

Regards,

Adam

Processed: Re: Bug#932251: buster-pu: package spl-linux/0.7.12-2+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #932251 [release.debian.org] buster-pu: package spl-linux/0.7.12-2+deb10u1
Added tag(s) confirmed.

-- 
932251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#924278: stretch-pu: package clamav/0.100.2+dfsg-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #924278 [release.debian.org] stretch-pu: package 
clamav/0.101.2+dfsg-0+deb9u1
Added tag(s) confirmed.

-- 
924278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924278
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#930795: unblock: ruby-airbrussh/1.3.2-1

[Samuel Henrique]

Hello Adam,

It certainly can't be 1.3.2-1+deb10u1, as that version number is higher
> than the package in unstable. Either one would need to go with 1.3.1-
> 2+deb10u1 with just the bug fix applied, or 1.3.2-1~deb10u1 with a
> "backports-style" changelog containing both 1.3.2-1 and then the stable
> update. In either case we would need a debdiff that reflects the chosen
> approach.
>
> One thing that will need to be fixed in unstable first either way:
>
> Not built on buildd: arch all binaries uploaded by samueloph
>
> As per the d-d-a announcement, that will need a new source upload to
> unstable to resolve, as arch:all can't be usefully binNMUed.
>

I just uploaded 1.3.3-1 (source-only) to unstable, can I just wait until it
migrates to testing and then go with "1.3.2-1+deb10u1" ?
If so, I will remove the "moreinfo" tag when it the package migrates to
Testing (in 2 days) and we can use the latest debdiff on this thread.

Thanks,

-- 
Samuel Henrique 

NEW changes in stable-new

[Debian FTP Masters]

Processing changes file: systemd_241-7~deb10u1_source.changes
  ACCEPT

Bug#935137:

[Samuel Henrique]

Hello,

> I forgot to add the patch to d/series, you'll find the updated debdiff
> > attached.
>
> Please go ahead.
>

acme-tiny_4.0.4-1+deb10u1_source.changes ACCEPTED into
proposed-updates->stable-new

-- 
Samuel Henrique 

Bug#933125: systemd 241-7~deb10u1 flagged for acceptance

[Adam D Barratt]

package release.debian.org
tags 933125 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: systemd
Version: 241-7~deb10u1

Explanation: network: Fix failure to bring up interface with Linux kernel 5.2; 
ask-password: Prevent buffer overflow when reading from keyring; network: 
Behave more gracefully when IPv6 has been disabled

Processed: systemd 241-7~deb10u1 flagged for acceptance

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 933125 = buster pending
Bug #933125 [release.debian.org] buster-pu: package systemd/241-5+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
933125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933769 [release.debian.org] buster-pu: package 
erlang-p1-pkix/1.0.0-3+deb10u1
Added tag(s) confirmed.

-- 
933769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933754: buster-pu: package mariadb-10.3 10.3.17-0+deb9u1

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Thu, 2019-08-08 at 19:23 +0200, Moritz Mühlenhoff wrote:
> On Fri, Aug 02, 2019 at 10:48:53PM +0100, Otto Kekäläinen wrote:
> > MariaDB 10.3.17 includes security fixes and a few bug fixes
> > appropriate for a stable release.
> > 
> > This bug report is intentionally void of the debdiff as I might
> > still
> > amend something, or the severity of the security issues might
> > change
> > on further investigation.
> > 
> > See buster branch at 
> > https://salsa.debian.org/mariadb-team/mariadb-10.3/
> > 
> > 
> > Changelog:
> > 
> > mariadb-10.3 (1:10.3.17-0+deb9u1) buster; urgency=high
> 
> Should rather be +deb10u1, Buster is the tenth stable release.

Indeed. However, as Otto said, there isn't a finalised diff included
for checking.

Regards,

Adam

Processed: Re: Bug#933754: buster-pu: package mariadb-10.3 10.3.17-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #933754 [release.debian.org] buster-pu: package mariadb-10.3 
10.3.17-0+deb9u1
Added tag(s) moreinfo.

-- 
933754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933754
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#934300: buster-pu: package apt/1.8.3~deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #934300 [release.debian.org] buster-pu: package apt/1.8.3~deb10u1
Added tag(s) moreinfo.

-- 
934300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934300
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#934300: buster-pu: package apt/1.8.3~deb10u1

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Fri, 2019-08-09 at 11:50 +0200, Julian Andres Klode wrote:
> I just uploaded 1.8.3 to unstable which includes a fix for HTTPS
> proxying - when using the CONNECT method, we were sending the proxy's
> host name in the Host header, where we should have sent the
> destination
> host name.
> 
> This breaks ACLs on proxies that filter on that field and might thus
> prevent access to HTTPS repositories over such proxies.
> 

+apt (1.8.3) unstable; urgency=medium

Please provide a debdiff for the proposed buster upload, as built and
tested there.

Regards,

Adam

Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Fri, 2019-08-16 at 11:03 +0200, Philipp Huebner wrote:
> Control: tags -1 - moreinfo
> 
> > Thanks for looking at fixing this is stable. The unstable upload is
> > a
> > pre-requisite to that, so tagging accordingly - please remove the
> > "moreinfo" tag once the fix is in unstable.
> 
> It is now.
> 

Thanks. Please go ahead.

Regards,

Adam

Bug#935200: buster-pu: package asterisk/1:16.2.1~dfsg-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-08-20 at 22:37 +0200, Bernhard Schmidt wrote:
> I'd like to update asterisk with a fix for two minor CVEs that have
> been deemed
> no-dsa. Exactly the same change (apart from the d/gbp.conf update for
> the
> Buster branch) has been uploaded to sid as -2 and migrated to testing
> a month
> ago.
> 

Please go ahead.

Regards,

Adam

Bug#935165: buster-pu: package newsboat/2.13-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-08-20 at 13:33 +0300, Nikos Tsipinakis wrote:
> I'd like to patch a use-after-free bug in newsboat. It was reported
> in debian
> in #898559[1] and fixed upstream[2]. While I haven't been able to
> reproduce a
> crash with it it's clear that it's there and I have received feedback
> that it
> indeed fixes the linked issue.
> 

Please go ahead.

Regards,

Adam

Bug#934934: buster-pu: package piuparts/1.0.0+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Fri, 2019-08-16 at 22:33 +0200, Holger Levsen wrote:
> We'd like to update piuparts with the following changes in buster,
> fixing a
> bunch of rather important bugs (as well as one trivial wishlist bug
> and a 
> trivial normal bug), including one for buster=stable (which missed
> the buster
> relase because 1.0.1 was not accepted).
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#935200: buster-pu: package asterisk/1:16.2.1~dfsg-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #935200 [release.debian.org] buster-pu: package 
asterisk/1:16.2.1~dfsg-1+deb10u1
Added tag(s) confirmed.

-- 
935200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#934934: buster-pu: package piuparts/1.0.0+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #934934 [release.debian.org] buster-pu: package piuparts/1.0.0+deb10u1
Added tag(s) confirmed.

-- 
934934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934934
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#935165: buster-pu: package newsboat/2.13-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #935165 [release.debian.org] buster-pu: package newsboat/2.13-1+deb10u1
Added tag(s) confirmed.

-- 
935165: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935165
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933839: buster-pu: package resource-agents/1:4.2.0-2+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933839 [release.debian.org] buster-pu: package 
resource-agents/1:4.2.0-2+deb10u1
Added tag(s) confirmed.

-- 
933839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933839
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933911: buster-pu: package pulseaudio

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933911 [release.debian.org] buster-pu: package pulseaudio
Added tag(s) confirmed.

-- 
933911: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933911
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933636: CVE-2019-14934

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #933637 [release.debian.org] buster-pu: package pdfresurrect/0.15-2
Added tag(s) moreinfo.

-- 
933637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933911: buster-pu: package pulseaudio

[Adam D. Barratt]

Control: tags -1 + confirmed

On Thu, 2019-08-15 at 11:28 -0400, Felipe Sateler wrote:
> Control: tags -1 -moreinfo
> 
> On Sun, Aug 11, 2019 at 9:53 AM Jonathan Wiltshire 
> wrote:
> > Control: tag -1 moreinfo
> > 
> > Hi,
> > 
> > On Sun, Aug 04, 2019 at 09:31:37PM -0400, Felipe Sateler wrote:
[...]
> > > There is a bug affecting pulseaudio users: #913102. This bug
> > causes the
> > > mute state to be incorrectly restored. Some users have asked for
> > the fix
> > > (which is now on unstable), to be backported to buster given that
> > GDM is
> > > affected by this bug. The upstream patch fixing this issue is
> > very
> > > small[1].

Please go ahead; thanks.

Regards,

Adam

Bug#933839: buster-pu: package resource-agents/1:4.2.0-2+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2019-08-04 at 11:08 +0200, Valentin Vidic wrote:
>  * ethmonitor: does not list interfaces without assigned IP address
>  * ZFS: monitoring action broken by a bashism bug
>  * Xen: toolstack detection generates warnings in the logs
> 

Please go ahead.

Regards,

Adm

Processed: Re: Bug#933636: CVE-2019-14934

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #933636 [release.debian.org] stretch-pu: package pdfresurrect/0.12-6
Added tag(s) moreinfo.

-- 
933636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933636
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933636: CVE-2019-14934

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Tue, 2019-08-13 at 23:29 -0700, Francois Marier wrote:
> There is now an additional CVE that affects pdfresurrect in buster
> and
> stretch:
> 
>   https://security-tracker.debian.org/tracker/CVE-2019-14934
> 
> Neither this one or CVE-2019-14267 are deemed worthy of a DSA
> however.
> 
> If you approve the first upload I have prepared for buster and
> stretch, I
> will revise it to include the fix for this second CVE, but I will
> wait for
> your initial approval before putting any more work into this.

It looks OK to me. Tagging moreinfo until there's a final diff.

Regards,

Adam

Processed: Re: Bug#933175: buster-pu: package fig2dev/1:3.2.7a-5

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933175 [release.debian.org] buster-pu: package fig2dev/1:3.2.7a-5
Added tag(s) confirmed.

-- 
933175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933369: buster-pu: package dma/0.11-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Mon, 2019-07-29 at 21:13 +0200, Laurent Bigonville wrote:
> dma currently use the TLSv1_client_method() function that means that
> it
> only support TLS 1.0 which is considered deprecated (and forbidden by
> PCI certification).
> 
> For what I can read, major providers are planning to remove support
> for
> TLS 1.0 and TLS 1.1 current 2020.
> 
> The attached patches (cherry-picked from upstream) are switching to
> the
> "version-flexible" function (TLS_client_method())
> 

Please go ahead.

Regards,

Adam

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Thu, 2019-08-08 at 21:33 +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > > Done! You can find an updated debdiff for buster in attachement.
> > > The new
> > > debdiff ships CVE-2019-5058.patch which addresses the remaining
> > > issue in
> > > IMG_xcf.c.
> > 
> > Is the attachment missing?
> 
> Right, attachment is missing! Better now :)
> 

Please go ahead; thanks.

Regards,

Adam

Bug#933175: buster-pu: package fig2dev/1:3.2.7a-5

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sat, 2019-07-27 at 11:30 +0200, Roland Rosenfeld wrote:
> This fixes CVE-2019-14275 in buster.  Since this is tagged
> "unimportant" by the security team on
> https://security-tracker.debian.org/tracker/CVE-2019-14275 they won't
> publish a DSA, so I tend to send this into the next point release of
> buster.
> 
> Attached you'll find the diff agains 3.2.7a-5.  The patch is a little
> longer, because I included the test code to check for this
> vulnerability and code for the salsa CI pipeline.

Please go ahead.

Regards,

Adam

Processed: Re: Bug#933369: buster-pu: package dma/0.11-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933369 [release.debian.org] buster-pu: package dma/0.11-1+deb10u1
Added tag(s) confirmed.

-- 
933369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #933147 [release.debian.org] buster-pu: package 
libsdl2-image/2.0.4+dfsg1+deb10u1
Added tag(s) confirmed.

-- 
933147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933147
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#935200: buster-pu: package asterisk/1:16.2.1~dfsg-1+deb10u1

[Bernhard Schmidt]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update asterisk with a fix for two minor CVEs that have been deemed
no-dsa. Exactly the same change (apart from the d/gbp.conf update for the
Buster branch) has been uploaded to sid as -2 and migrated to testing a month
ago.

Debdiff attached.

Bernhard
diff -Nru asterisk-16.2.1~dfsg/debian/changelog 
asterisk-16.2.1~dfsg/debian/changelog
--- asterisk-16.2.1~dfsg/debian/changelog   2019-03-07 23:13:24.0 
+0100
+++ asterisk-16.2.1~dfsg/debian/changelog   2019-08-20 22:31:33.0 
+0200
@@ -1,3 +1,13 @@
+asterisk (1:16.2.1~dfsg-1+deb10u1) buster; urgency=medium
+
+  * AST-2019-002 / CVE-2019-12827
+Buffer overflow in res_pjsip_messaging (Closes: #931980)
+  * AST-2019-003 / CVE-2019-13161
+Remote Crash Vulnerability in chan_sip (Closes: #931981)
+  * d/gbp.conf: Update for Buster branch
+
+ -- Bernhard Schmidt   Tue, 20 Aug 2019 22:31:36 +0200
+
 asterisk (1:16.2.1~dfsg-1) unstable; urgency=medium
 
   * New upstream version 16.2.1~dfsg
diff -Nru asterisk-16.2.1~dfsg/debian/gbp.conf 
asterisk-16.2.1~dfsg/debian/gbp.conf
--- asterisk-16.2.1~dfsg/debian/gbp.conf2019-03-07 23:13:24.0 
+0100
+++ asterisk-16.2.1~dfsg/debian/gbp.conf2019-08-20 22:31:33.0 
+0200
@@ -4,3 +4,4 @@
 pristine-tar = True
 sign-tags = True
 filter = .gitignore
+debian-branch = buster
diff -Nru asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch 
asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch
--- asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch  1970-01-01 
01:00:00.0 +0100
+++ asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch  2019-08-20 
22:31:33.0 +0200
@@ -0,0 +1,40 @@
+From 785bf3a755e47d92caef110e6040295764d08127 Mon Sep 17 00:00:00 2001
+From: George Joseph 
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging:  Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 0e10a8f047..930cf84a53 100644
+--- a/res/res_pjsip_messaging.c
 b/res/res_pjsip_messaging.c
+@@ -90,10 +90,13 @@ static enum pjsip_status_code 
check_content_type_in_dialog(const pjsip_rx_data *
+   static const pj_str_t text = { "text", 4};
+   static const pj_str_t application = { "application", 11};
+ 
++  if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) 
{
++  return res;
++  }
++
+   /* We'll accept any text/ or application/ content type */
+-  if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+-  && (pj_stricmp(>msg_info.msg->body->content_type.type, 
) == 0
+-  || 
pj_stricmp(>msg_info.msg->body->content_type.type, ) == 0)) {
++  if (pj_stricmp(>msg_info.msg->body->content_type.type, ) == 0
++  || 
pj_stricmp(>msg_info.msg->body->content_type.type, ) == 0) {
+   res = PJSIP_SC_OK;
+   } else if (rdata->msg_info.ctype
+   && (pj_stricmp(>msg_info.ctype->media.type, ) == 0
+-- 
+2.21.0
+
diff -Nru asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch 
asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch
--- asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch  1970-01-01 
01:00:00.0 +0100
+++ asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch  2019-08-20 
22:31:33.0 +0200
@@ -0,0 +1,39 @@
+From 1e4df0215af4f192ed06a7fc7589c799f1ec6091 Mon Sep 17 00:00:00 2001
+From: Francesco Castellano 
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 898b646..a609ff8 100644
+--- a/channels/chan_sip.c
 b/channels/chan_sip.c
+@@ -10965,7 +10965,13 @@
+   ast_rtp_lookup_mime_multiple2(s3, NULL, 
newnoncodeccapability, 0, 0));
+   }
+ 
+-  if (portno != -1 || vportno != -1 || tportno != -1) {
++  /* When UDPTL is negotiated it is expected that there are no compatible 
codecs as audio or
++   * video is not being transported, thus we continue in this function 
further up if that is

Bug#933125: buster-pu: package systemd/241-5+deb10u1

[Adam D. Barratt]

Hi,

Apologies for missing your mail originally.

On Sun, 2019-08-18 at 19:36 +0200, Michael Biebl wrote:
> Hi Adam
> 
> Am 16.08.19 um 22:08 schrieb Adam D. Barratt:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2019-07-26 at 21:43 +0200, Michael Biebl wrote:
[...]
> > > 241-5+deb10u1 is identical to 241-7 which has been uploaded to
> > > unstable/bullseye and we haven't received any regression reports
> > > so
> > > far.
> > 
> > In that case, feel free to make it -7~deb10u1, with the appropriate
> > changelog wrangling, if that would be preferable.
> 
> I considered adding a changelog entry like this as it seemed the most
> obvious correct one:
> 
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +systemd (241-7~deb10u1) buster; urgency=medium
> +
> +  * Rebuild for buster
> +
> + -- Michael Biebl   Sat, 17 Aug 2019 11:00:59
> +0200
> +
>  systemd (241-7) unstable; urgency=medium
> 
>[ Michael Biebl ]
[...]
> But this then triggers warnings from dpkg-genchanges:
> 
> dpkg-genchanges: warning: the current version (241-7~deb10u1) is
> earlier than the previous one (241-7)
> 
> and lintian:
> W: systemd: latest-debian-changelog-entry-without-new-version
[...]
> Adam, so I wonder, what's the proper changelog wrangling in this
> case?

I would say this and ignore the warnings. It looks like you already did
that. :-)

Regards,

Adam

Bug#932522: buster-pu: package pam-u2f/1.0.7-1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-08-13 at 01:15 +0200, Nicolas Braud-Santoni wrote:
[...]
> On Fri, Jul 26, 2019 at 04:13:20PM -0300, Adam D. Barratt wrote:
> > On 2019-07-20 11:15, Nicolas Braud-Santoni wrote:
> > > Here is an updated debdiff; the only modification is in the
> > > changelog,
> > > as I forgot to close #930047 there.
> > 
> > +  * Backport a reliability fix
> > +pam-u2f could previously segfault following a failure to
> > allocate a
> > buffer.
> > 
> > I assume this is backported from the version of the package
> > currently in unstable?
> 
> Yes, all the fixes are backported from upstream's 1.0.8, which is
> currently in sid and bullseye.
[...]
> > +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high
> > 
> > Just "buster", please.
> 
> Fixed, thanks for the catch.
> May I go ahead and upload?  Updated debdiff attached

Please do.

Regards,

Adam

Processed: Re: Bug#932522: buster-pu: package pam-u2f/1.0.7-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #932522 [release.debian.org] buster-pu: package pam-u2f/1.0.7-1
Added tag(s) confirmed.

-- 
932522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#932193: buster-pu: package netdata/1.12.0-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Tue, 2019-07-16 at 15:46 +0200, Daniel Baumann wrote:
> attached is the diff for netdata with cherry-picked patches from
> later
> Debian uploads to disable spying on users and a couple of other
> important things.
> 


Please go ahead.

Regards,

Adam

Processed: Re: Bug#932193: buster-pu: package netdata/1.12.0-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #932193 [release.debian.org] buster-pu: package netdata/1.12.0-1+deb10u1
Added tag(s) confirmed.

-- 
932193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#931766: buster-pu: package openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1 - new debdiff

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #931766 [release.debian.org] buster-pu: package 
openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-13
Added tag(s) confirmed.

-- 
931766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931766
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931967: buster-pu: package libtk-img/1:1.4.8+dfsg-1+deb10u1 pre-approval

[Adam D. Barratt]

Control: tags -1 + confirmed

On Mon, 2019-07-29 at 10:37 +0300, Sergei Golovan wrote:
> Hi Adam,
> 
> On Fri, Jul 26, 2019 at 10:32 PM Adam D. Barratt
>  wrote:
> > On 2019-07-13 01:19, Sergei Golovan wrote:
> > > I'd like to fix #931422 (see [1]) for buster (the bug is already
> > > fixed
> > > in unstable and prospectively in testing).
> > > 
> > > The diff with the current 1:1.4.8+dfsg-1 is attaced, it's fairly
> > > small.
> > 
> > What are the implications of the change on functionality and
> > consumers
> > of the library?
> 
> To my knowledge, the functionality doesn't change. It definitely
> doesn't change on a script level,
> on a C level there are a few internal symbols that won't be available
> in the fixed library (e.g. TkimgTIFFInitJpeg), though they aren't
> exported, they aren't listed in `objdump -T libtkimgtiff*.so`,
> and they aren't supposed to be used by a caller to this library (and
> noone calls them indeed).

OK, thanks. Please go ahead.

Regards,

Adam

Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Sat, 2019-07-20 at 23:43 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2019-07-20 21:41:12 -0300, Jonathan Wiltshire wrote:
> > Hi,
> > 
> > On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor
> > wrote:
> > > On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
> > > > The time for unblocks for buster has come and gone. The
> > > > deadline was
> > > > last Tuesday, we are now in deep freeze and we were not able to
> > > > process
> > > > your unblock request and give it an exception. I assume this
> > > > should be
> > > > fixed via the security archive, please confirm that (and I'll
> > > > fix this
> > > > bugs metadata). Otherwise I propose you prepare a stable
> > > > release update
> > > > targeting buster, such that this can be fixed in the first
> > > > point release.
> > > 
> > > I'm fine with this going through either security or the first
> > > buster
> > > point release.  So yes, Paul, if you can update this issue to be
> > > treated
> > > as a security issue, that would be great.
> > 
> > Would you prefer to do this as a security upload (in which case
> > this
> > unblock bug should be closed) or as a no-dsa (we will repurpose it
> > for a
> > p-u)?
> 
> At this point, given the upstream changes and the issues with the SKS
> keyserver network, i think we should aim to import 2.0.12 into
> buster, not 2.0.11.
> 
> I would love it if someone else wants to step up and help with this.
> I'm currently working on an update to GnuPG for buster, and have not
> had time yet to do the 2.0.12 upload for Buster (either as a security
> or point release).

Tagging as moreinfo for now, until there's a definite plan and diff
either way.

Regards,

Adam

Processed: Re: Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #931126 [release.debian.org] buster-pu: package enigmail
Added tag(s) moreinfo.

-- 
931126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931766: buster-pu: package openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1 - new debdiff

[Adam D. Barratt]

Control: tags -1 + confirmed

On Mon, 2019-07-29 at 16:52 +0200, Thomas Goirand wrote:
> On 7/22/19 1:47 AM, Jonathan Wiltshire wrote:
> > Seem to be some merge artefacts here, including possibly an entire
> > duplicate entry?
> 
> Indeed. Sorry for my mistake. Please find attached, the new (cleaner)
> debdiff for this p-u.
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#931967: buster-pu: package libtk-img/1:1.4.8+dfsg-1+deb10u1 pre-approval

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #931967 [release.debian.org] buster-pu: package 
libtk-img/1:1.4.8+dfsg-1+deb10u1 pre-approval
Added tag(s) confirmed.

-- 
931967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#931358: release.debian.org: buster-pu (pre-approval): musescore/2.3.2+dfsg2-7? -7~deb10+1?

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #931358 [release.debian.org] buster-pu (pre-approval): 
musescore/2.3.2+dfsg2-7~deb10u1
Added tag(s) confirmed.

-- 
931358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931358
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931358: release.debian.org: buster-pu (pre-approval): musescore/2.3.2+dfsg2-7? -7~deb10+1?

[Adam D. Barratt]

Control: tags -1 + confirmed

On Wed, 2019-07-03 at 14:31 +0200, Thorsten Glaser wrote:
> retitle 931358 buster-pu (pre-approval): musescore/2.3.2+dfsg2-
> 7~deb10u1
> thanks
> 
> Hi again,
> 
> now, with sensible amounts of coffee input, the debdiff as
> prepared in git and of an actual .dsc/.changes ready for
> uploading, attached.
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Re: Dropping mips architecture for bullseye and sid

[Matthias Klose]

On 20.08.19 15:17, Aurelien Jarno wrote:
> Dear release team,
> 
> On 2019-07-20 12:46, Aurelien Jarno wrote:
>> Dear all,
>>
>> The mips architecture, supporting 32-bit big-endian MIPS CPUs, has
>> been supported in Debian for more than 15 years. Due to the limited 2GB
>> virtual address space and due to the fact this architecture is one of
>> the last big-endian architecture Debian supports, the porting effort
>> is increasingly difficult. On the other hand the interest for this
>> architecture is going down, and with it the human resources available
>> for porting is going down.
>>
>> Now that buster has been released, it is probably time to drop this
>> architecture from bullseye and sid. Unless there is a sudden interest
>> for this architecture, that is commitment from some new porters and new
>> hardware for the build daemons, the plan is to ask for the ftpmasters
>> to drop this architecture in about 4 weeks.
> 
> This has now been one month, and nobody volunteered to help. Therefore
> it's time to drop the "mips" architecture. From what I understood the
> first step of the removal is to get rid of it in testing. Could you
> please take care of that?
> 
> Once it's done, I'll forward the request to ftpmasters.

what's the plan for mips, keep it in ports, or remove it completely?

what's the plan with mipsel?

Bug#934967: nmu: rebuild packages for binutils 2.32.51.x

[Matthias Klose]

On 17.08.19 15:32, Matthias Klose wrote:
> Please binNUM these packages for the recent binutils upload to unstable:
> 
> naev 0.7.0-2
> wcc 0.0.2+dfsg-3 (amd64 only)

looking-glass 0+b1-1

is needed too.