NEW changes in stable-new
Processing changes file: thunderbird_68.10.0-1~deb10u1_source.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_all.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_amd64.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_arm64.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_i386.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_mips64el.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_ppc64el.changes ACCEPT
Processing changes file: thunderbird_68.10.0-1~deb10u1_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_sourceonly.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_amd64.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_arm64.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_armel.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_armhf.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_i386.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_mips.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_mips64el.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_mipsel.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_ppc64el.changes ACCEPT
Processing changes file: coturn_4.5.1.1-1.1+deb10u1_s390x.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_source.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_all.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_amd64.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_arm64.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_armel.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_armhf.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_i386.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_ppc64el.changes ACCEPT
Processing changes file: docker.io_18.09.1+dfsg1-7.1+deb10u2_s390x.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_source.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_all.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_amd64.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_arm64.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_armhf.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_i386.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_mips.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_mips64el.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_mipsel.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_ppc64el.changes ACCEPT
Processing changes file: firefox-esr_68.10.0esr-1~deb10u1_s390x.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_amd64.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_arm64.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_armel.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_armhf.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_i386.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_mips.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_mips64el.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_mipsel.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_ppc64el.changes ACCEPT
Processing changes file: imagemagick_6.9.10.23+dfsg-2.1+deb10u1_s390x.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_source.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_all.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_amd64.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_armel.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_armhf.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_i386.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_mips.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_mips64el.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_mipsel.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_ppc64el.changes ACCEPT
Processing changes file: php7.3_7.3.14-1~deb10u1_s390x.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_amd64.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_arm64.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_armel.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_armhf.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_i386.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_mips.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_mips64el.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_mipsel.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_ppc64el.changes ACCEPT
Processing changes file: php7.3_7.3.19-1~deb10u1_s390x.changes ACCEPT
Processing changes file: roundcube_1.3.14+dfsg.1-1~deb10u1_source.changes ACCEPT
Processing changes file:
Bug#964574: buster-pu: package file-roller/3.30.1-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Low severity issue in file-roller, I've verified with a reproducer that the issue is fixed and did various tests to ensure that nothing breaks functionality-wise. debdiff below. Cheers, Moritz diff -Nru file-roller-3.30.1/debian/changelog file-roller-3.30.1/debian/changelog --- file-roller-3.30.1/debian/changelog 2018-12-24 02:34:26.0 +0100 +++ file-roller-3.30.1/debian/changelog 2020-07-08 20:12:00.0 +0200 @@ -1,3 +1,9 @@ +file-roller (3.30.1-2+deb10u1) buster; urgency=medium + + * CVE-2020-11736 (Closes: #956638) + + -- Moritz Muehlenhoff Wed, 08 Jul 2020 20:12:00 +0200 + file-roller (3.30.1-2) unstable; urgency=medium * Restore -Wl,-O1 to our LDFLAGS diff -Nru file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch --- file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch 1970-01-01 01:00:00.0 +0100 +++ file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch 2020-07-08 20:12:00.0 +0200 
@@ -0,0 +1,201 @@ +--- file-roller-3.30.1.orig/src/fr-archive-libarchive.c file-roller-3.30.1/src/fr-archive-libarchive.c +@@ -603,6 +603,149 @@ _g_output_stream_add_padding (ExtractDat + } + + ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links); ++ ++ ++static gboolean ++_g_file_is_external_link (GFile *file, ++GFile *destination, ++GHashTable *external_links) ++{ ++ GFileInfo *info; ++ gboolean external; ++ ++ if (g_hash_table_lookup (external_links, file) != NULL) ++ return TRUE; ++ ++ info = g_file_query_info (file, ++G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK "," G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET, ++G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, ++NULL, ++NULL); ++ ++ if (info == NULL) ++ return FALSE; ++ ++ external = FALSE; ++ ++ if (g_file_info_get_is_symlink (info)) { ++ if (_symlink_is_external_to_destination (file, ++ g_file_info_get_symlink_target (info), ++ destination, ++ external_links)) ++ { ++ g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1)); ++ external = TRUE; ++ } ++ } ++ ++ g_object_unref (info); ++ ++ return external; ++} ++ ++ ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links) ++{ ++ gboolean external = FALSE; ++ GFile*parent; ++ char**components; ++ int i; ++ ++ if ((file == NULL) || (symlink == NULL)) ++ return FALSE; ++ ++ if (symlink[0] == '/') ++ return TRUE; ++ ++ parent = g_file_get_parent (file); ++ components = g_strsplit (symlink, "/", -1); ++ for (i = 0; components[i] != NULL; i++) { ++ char *name = components[i]; ++ GFile *tmp; ++ ++ if ((name[0] == 0) || ((name[0] == '.') && (name[1] == 0))) ++ continue; ++ ++ if ((name[0] == '.') && (name[1] == '.') && (name[2] == 0)) { ++ if (g_file_equal (parent, destination)) { ++ external = TRUE; ++ break; ++ } ++ else { ++ tmp = g_file_get_parent (parent); ++ g_object_unref 
(parent); ++ parent = tmp; ++ } ++ } ++ else { ++ tmp = g_file_get_child (parent, components[i]); ++ g_object_unref (parent); ++ parent = tmp; ++ } ++ ++ if (_g_file_is_external_link (parent, destination, external_links)) { ++ external = TRUE; ++ break; ++ } ++ } ++ ++ g_strfreev (components); ++ g_object_unref (parent); ++ ++ return external; ++} ++ ++ ++static gboolean ++_g_path_is_external_to_destination (const char *relative_path, ++ GFile *destination, ++
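Review bot: in _g_file_is_external_link and _symlink_is_external_to_destination the two helpers call each other with no depth limit, and external_links records only links already judged external, so a link that resolves inside the destination is re-walked on every visit and termination depends on the links on disk not referring back to one another. Consider bounding the recursion (a depth counter, or a set of GFiles currently being resolved) and treating an exceeded bound as external. Separately, `if (info == NULL) return FALSE;` classifies any g_file_query_info failure as not external because the GError argument is NULL; passing a GError and returning FALSE only for G_IO_ERROR_NOT_FOUND would make other failures fail closed. The lookup `g_hash_table_lookup (external_links, file)` also relies on the table being created with g_file_hash and g_file_equal, which is not visible in this part of the patch.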
NEW changes in stable-new
Processing changes file: chromium_83.0.4103.116-1~deb10u1_source.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u1_all.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u1_amd64.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u1_arm64.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_source.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_all.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_amd64.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_arm64.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_armhf.changes ACCEPT
Processing changes file: chromium_83.0.4103.116-1~deb10u2_i386.changes ACCEPT
Arch qualification for buster: call for DSA, Security, toolchain concerns
Hi,

[Note, this e-mail may look familiar as it is mostly copied over from the buster call, not much has changed, AFAICT].

As part of the interim architecture qualification for bullseye, we request that DSA, the security team, Wanna build, and the toolchain maintainers review and update their list of known concerns for bullseye release architectures.

Summary of the current concerns and issues:
 * DSA have announced a blocking issue for armel and armhf (see below)
 * Concerns from DSA about ppc64el and s390x have been carried over from (stretch and) buster.
 * Concerns from the GCC maintainers about i386, armel, armhf, mips64el and mipsel have been carried over from (stretch and) buster.

If the issues and concerns from you or your team are not up to date, then please follow up to this email (keeping debian-release@l.d.o in CC to ensure we are notified).

Whilst porters remain ultimately responsible for ensuring the architectures are ready for release, we do expect that you / your team are willing to assist with clarifications of the concerns and to apply patches/changes in a timely manner to resolve the concerns.

List of blocking issues by architecture
=======================================

The following is a summary from the current architecture qualification table.

armel/armhf:
 * Undesirable to keep the hardware running beyond 2020. armhf VM support uncertain. (DSA)
   - Source: [DSA Sprint report]
   - I was under the impression that this issue has been resolved (at least for armhf) by now, but we like a fresh statement on this.

[DSA Sprint report]: https://lists.debian.org/debian-project/2018/02/msg4.html

List of concerns for architectures
==================================

The following is a summary from the current architecture qualification table.

 * Concern for ppc64el and s390x: we are dependent on sponsors for hardware. (Raised by DSA; carried over from stretch and buster)
 * Concern for armel and armhf: only secondary upstream support in GCC (Raised by the GCC maintainer; carried over from stretch and buster)
 * Concern for mips, mips64el, mipsel and ppc64el: no upstream support in GCC; Debian carries patches in binutils and GCC that haven't been integrated upstream even after a long time. (Raised by the GCC maintainer; carried over from stretch and buster)

Architecture status
===================

These are the architectures currently being built for bullseye:
 * Intel/AMD-based: amd64, i386
 * ARM-based: arm64, armel, armhf
 * MIPS-based: mipsel, mips64el
 * Other: ppc64el, s390x

If the blocking issues cannot be resolved, affected architectures are at risk of removal from testing before bullseye is frozen.

We are currently unaware of any new architectures likely to be ready in time for inclusion in bullseye.

On behalf of the release team,
Paul Gevers
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
Hi,

On 7/8/20 9:35 AM, Moritz Muehlenhoff wrote:
> On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote:
>> Additional To: t...@security.debian.org
>>
>> Hi Security team,
>>
>> After our last security update, which was
>> 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to
>> be done to help users upgrade from Buster to Bullseye. This fix was
>> included in the unstable xen 4.11.4-1 upload (it also helps for the
>> future from there) and has been in unstable for 41 days now.
>>
>> I have chosen to not bother you with a new security upload for 4.11.4 to
>> Buster at that time (while it included security fixes) because I didn't
>> want to skip going through the stable release process because of this
>> packaging change.
>>
>> Now, we're at the verge of a new buster point release.
>>
>> Can you please read https://bugs.debian.org/964482 and ack that we can
>> do a combination of the security updates and this packaging change for
>> stable?
>
> Ack, we can piggyback the fix for 964482 to the buster-security update,
> no problem.

Ok, clear. In that case it will be a security update with the fix included. I was just trying to be more 'compliant'. :)

Upstream Xen testing finished and has all the commits in stable-4.11 now. I did the upload for Debian unstable already, it's processed now.

https://packages.debian.org/source/sid/xen

So, I changed the changelog to buster-security, and did another build and test run here, all is looking good.

https://salsa.debian.org/xen-team/debian-xen/-/commit/0da17d8b443233e521c84886c2fc913ea4ee4480

Since I'm a DM I guess I need a sponsor for the security upload. Can someone from the security team do this? I put everything here, signed and well:

https://syrinx.knorrie.org/~knorrie/tmp/xen/

I have another question, which is about timing. I have been asking around a bit a few weeks ago, but did not get any response on this:

For the users, who are running some Xen cluster, it's really useful to get Xen and Linux kernel changes at the same time, to reduce the amount of 'reboot stress' we're causing them.

Does anyone have a brilliant idea about how to improve this? I mean, if we do this security update now, then next week the new kernel is in the point release

In general, if the kernel team does a security update, or if a point release happens, it would be useful to push out a Xen update as well at the same time...

I can of course write some dirty script that polls kernel team git all the time and then emails me with "hola! activity in a -security branch!"...

Thanks,
Hans
Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2

The version was correct in the debdiff but not in the bug title.

On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-
> > critical
> > CVE-2019-20372.
> >
>
> Please go ahead.

I have uploaded the package to DELAYED/2.
Feel free to cancel if anyone disagrees.

> Regards,
>
> Adam

cu
Adrian
Processed: Re: Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Processing control commands:

> retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
Bug #948652 [release.debian.org] buster-pu: package nginx/1.14.2-2+deb10u1
Changed Bug title to 'buster-pu: package nginx/1.14.2-2+deb10u2' from 'buster-pu: package nginx/1.14.2-2+deb10u1'.

--
948652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#948650: stretch-pu: package nginx/1.10.3-1+deb9u3
On Sat, Jun 20, 2020 at 08:22:51PM +0100, Adam D. Barratt wrote:
> On Mon, 2020-03-30 at 22:05 +0100, Adam D. Barratt wrote:
> > On Mon, 2020-01-20 at 22:43 +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sat, 2020-01-11 at 12:19 +0200, Christos Trochalakis wrote:
> > > > I'd like to upload nginx 1.10.3-1+deb9u4, addressing the non-
> > > > critical
> > > > CVE-2019-20372.
> > >
> > > Please go ahead, thanks.
> >
> > Ping?
>
> As a note, we're now planning for the final point release for stretch
> before it moves to LTS. Is this update still something of interest?

I have uploaded the package to DELAYED/2.
Feel free to cancel if anyone disagrees.

> Regards,
>
> Adam

cu
Adrian
Bug#907981: stretch-pu: package openbsc/0.15.0-2
On Thu, Jul 02, 2020 at 08:19:46PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2018-09-04 at 20:38 +0200, Ruben Undheim wrote:
> > I would like to upload a fix for FTBFS (#880233) to stretch.
> > The same fix has been in sid earlier:
>
> Apologies for the long delay. I'm not sure how this got overlooked for
> so long.
>
> If this is still something you'd be interested in fixing, then please
> go ahead, bearing in mind that the window for getting fixes into the
> final point release before stretch moves to LTS is the weekend after
> this one.

The change in libdbi that broke openbsc is being reverted in #893439,
I would recommend dropping the openbsc change.

> Regards,
>
> Adam

cu
Adrian
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote:
> Additional To: t...@security.debian.org
>
> Hi Security team,
>
> After our last security update, which was
> 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to
> be done to help users upgrade from Buster to Bullseye. This fix was
> included in the unstable xen 4.11.4-1 upload (it also helps for the
> future from there) and has been in unstable for 41 days now.
>
> I have chosen to not bother you with a new security upload for 4.11.4 to
> Buster at that time (while it included security fixes) because I didn't
> want to skip going through the stable release process because of this
> packaging change.
>
> Now, we're at the verge of a new buster point release.
>
> Can you please read https://bugs.debian.org/964482 and ack that we can
> do a combination of the security updates and this packaging change for
> stable?

Ack, we can piggyback the fix for 964482 to the buster-security update,
no problem.

Cheers,
Moritz