Bug#990866: unblock: postgresql-13/13.3-1
> > [ Checklist ]
> [x] attach debian/ diff against the package in testing

Now for real.

Christoph

diff --git a/debian/changelog b/debian/changelog index 2f18705..38aedbf 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,47 @@ +postgresql-13 (13.3-1) unstable; urgency=medium + + * New upstream version. + ++ Prevent integer overflows in array subscripting calculations (Tom Lane) + + The array code previously did not complain about cases where an array's + lower bound plus length overflows an integer. This resulted in later + entries in the array becoming inaccessible (since their subscripts could + not be written as integers), but more importantly it confused subsequent + assignment operations. This could lead to memory overwrites, with + ensuing crashes or unwanted data modifications. (CVE-2021-32027) + ++ Fix mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE + target lists (Tom Lane) + + If the UPDATE list contains any multi-column sub-selects (which give + rise to junk columns in addition to the results proper), the UPDATE path + would end up storing tuples that include the values of the extra junk + columns. That's fairly harmless in the short run, but if new columns are + added to the table then the values would become accessible, possibly + leading to malfunctions if they don't match the datatypes of the added + columns. + + In addition, in versions supporting cross-partition updates, a + cross-partition update triggered by such a case had the reverse problem: + the junk columns were removed from the target list, typically causing an + immediate crash due to malfunction of the multi-column sub-select + mechanism. (CVE-2021-32028) + ++ Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for + joined cross-partition updates (Amit Langote, Etsuro Fujita) + + If an UPDATE for a partitioned table caused a row to be moved to another + partition with a physically different row type (for example, one with a + different set of dropped columns), computation of RETURNING results for + that row could produce errors or wrong answers. No error is observed + unless the UPDATE involves other tables being joined to the target + table. 
(CVE-2021-32029) + + * Mark libio-pty-perl and libipc-run-perl as . (Closes: #988121) + + -- Christoph Berg Tue, 11 May 2021 22:10:35 +0200 + postgresql-13 (13.2-1) unstable; urgency=medium * New upstream version. diff --git a/debian/control b/debian/control index ee5acf8..8913183 100644 --- a/debian/control +++ b/debian/control @@ -20,8 +20,8 @@ Build-Depends: gdb , gettext, libicu-dev, - libio-pty-perl, - libipc-run-perl, + libio-pty-perl , + libipc-run-perl , libkrb5-dev, libldap2-dev, libpam0g-dev | libpam-dev, diff --git a/debian/rules b/debian/rules index c115945..e70a10e 100755 --- a/debian/rules +++ b/debian/rules @@ -76,6 +76,7 @@ COMMON_CONFIGURE_FLAGS= \ $(SELINUX_FLAGS) \ $(SPINLOCK_FLAGS) \ MKDIR_P='/bin/mkdir -p' \ + PROVE='/usr/bin/prove' \ TAR='/bin/tar' \ XSLTPROC='xsltproc --nonet' \ CFLAGS='$(CFLAGS)' \
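Review bot: the last entry of the 13.3-1 changelog stanza, "Mark libio-pty-perl and libipc-run-perl as .", has lost the name of the build-profile marker it is describing, so the changelog no longer records why the debian/control lines changed; spell the marker out (the same text is missing from the control lines in this rendering, which read "libio-pty-perl ," and "libipc-run-perl ,"). The three CVE paragraphs above it are the upstream 13.3 release notes reproduced in full, which is what the security tracker wants; a reference to the upstream release notes would let a reviewer check them against the source.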
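Review bot: in the debian/control hunk the replacement lines "libio-pty-perl ," and "libipc-run-perl ," differ from the removed ones only by text between the package name and the comma that does not survive in this rendering. Whatever build profile these two Perl modules are now restricted to, they exist solely to drive the TAP test suite under prove, so debian/rules has to skip the prove-based tests whenever that profile is active; otherwise a build with the profile enabled fails at test time instead of being excluded at dependency resolution.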
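Review bot: the new PROVE='/usr/bin/prove' entry in COMMON_CONFIGURE_FLAGS is passed unconditionally, while the control hunk in the same patch moves the Perl modules prove needs (libio-pty-perl, libipc-run-perl) behind a build profile; telling configure where prove lives in a build where those modules are absent enables the TAP tests and makes them fail when they run. Either pass PROVE under the same condition that guards the test invocation, or confirm in the changelog that the TAP tests are already skipped when that profile is set.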
Bug#990866: unblock: postgresql-13/13.3-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package postgresql-13

[ Reason ]
The new version fixes CVE-2021-32027 CVE-2021-32028 CVE-2021-32029, and other bugs.

[ Tests ]
PG itself has an extensive testsuite running at build and autopkgtest time, and the postgresql-common testsuite is also running on the package.

[ Risks ]
I had thought the package would migrate by itself and hence had not followed up. There is one crashing bug in 13.2 exposed by the 13.3 testsuite that just made me aware the migration hasn't happened yet:

  SELECT i, to_char(i * interval '1mon', 'rm'), to_char(i * interval '1mon', 'RM')
    FROM generate_series(-13, 13) i;

[ Checklist ]
[x] all debian/ changes are documented in the d/changelog
[x] I reviewed all debian/ changes and I approve them
[x] attach debian/ diff against the package in testing

[ Other info ]
New PostgreSQL upstream versions are waived by the security team, so this new version would have been acceptable for bullseye-security which should make it acceptable for bullseye as well.

unblock postgresql-13/13.3-1

Christoph
Bug#990500: marked as done (unblock: lxml/4.6.3+dfsg-0.1)
Your message dated Fri, 09 Jul 2021 21:12:51 + with message-id and subject line unblock lxml has caused the Debian Bug report #990500, regarding unblock: lxml/4.6.3+dfsg-0.1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
990500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package lxml

[ Reason ]
The source of lxml contained a file that's marked as unacceptable by ftp-master and as such a future upload of lxml would hit the auto-reject list. To avoid problems with security uploads, I prefer to fix the issue now. The file was an image shipped with the documentation, which wasn't even used.

In the process of fixing this issue, I discovered that the documentation package was nearly empty and didn't contain any documentation. This is fixed by enabling the build of the documentation.

[ Impact ]
If not unblocked, security or plain pu uploads will have to remove the file at that time.

[ Tests ]
The removed file is just an unlinked image. I have checked that the package now contains the documentation files.

[ Risks ]
Close to 0 risk as it's just removing an image and building documentation files.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock lxml/4.6.3+dfsg-0.1

diff -Nru lxml-4.6.3/debian/changelog lxml-4.6.3+dfsg/debian/changelog --- lxml-4.6.3/debian/changelog 2021-03-22 14:31:55.0 +0100 +++ lxml-4.6.3+dfsg/debian/changelog2021-06-26 19:40:37.0 +0200 @@ -1,3 +1,11 @@ +lxml (4.6.3+dfsg-0.1) unstable; urgency=medium + + * Non-maintainer upload + * Repack upstream to drop non-free and unused file (Closes: #988717) + * Build and ship documentation (Closes: #799334) + + -- Paul Gevers Sat, 26 Jun 2021 19:40:37 +0200 + lxml (4.6.3-1) unstable; urgency=high * New upstream version. diff -Nru lxml-4.6.3/debian/control lxml-4.6.3+dfsg/debian/control --- lxml-4.6.3/debian/control 2020-12-07 14:42:24.0 +0100 +++ lxml-4.6.3+dfsg/debian/control 2021-06-26 19:40:37.0 +0200 @@ -9,6 +9,7 @@ python3-setuptools (>= 0.6.29), python3-bs4, python3-html5lib, + python3-lxml , cython3, cython3-dbg, python3-sphinx-autoapi, X-Python-Version: all diff -Nru lxml-4.6.3/debian/rules lxml-4.6.3+dfsg/debian/rules --- lxml-4.6.3/debian/rules 2020-07-17 11:16:59.0 +0200 +++ lxml-4.6.3+dfsg/debian/rules2021-06-26 19:40:37.0 +0200 @@ -24,6 +24,9 @@ touch $@ build3-python%: prebuild python$* setup.py build +ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS))) + python$* doc/mkhtml.py doc/html . $(UPSTREAMVER) +endif touch $@ dbg-build3-python%: prebuild python$*-dbg setup.py build Binary files /tmp/nGluINxi3b/lxml-4.6.3/doc/html/flattr-badge-large.png and /tmp/DP0ayk9l1g/lxml-4.6.3+dfsg/doc/html/flattr-badge-large.png differ

--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
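Review bot: the changelog entry "Repack upstream to drop non-free and unused file (Closes: #988717)" does not name the file; the only place the debdiff reveals it is the trailing "Binary files ... doc/html/flattr-badge-large.png ... differ" line, so name it in the entry. A +dfsg repack also normally comes with a Files-Excluded stanza in debian/copyright so that uscan drops the file again on the next upstream release, and this debdiff touches only debian/changelog, debian/control and debian/rules; without it the next import will reintroduce the file and hit the auto-reject the upload is meant to avoid.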
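Review bot: the added build-dependency "python3-lxml ," makes lxml build-depend on itself, a circular build-dependency that blocks a from-scratch bootstrap of the package. Since its only consumer is the documentation build that the debian/rules hunk skips when nodoc is set, this line should carry the matching build profile (<!nodoc>) if the text lost between the package name and the comma in this rendering does not already provide it, so the cycle can be broken with a nodoc build.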
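Review bot: the guard ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS))) honours only DEB_BUILD_OPTIONS, while the nodoc build profile is conveyed through DEB_BUILD_PROFILES; a bootstrap build that sets only the profile still runs doc/mkhtml.py and then fails for lack of python3-lxml. Check both, for example ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES))). Note also that mkhtml.py is run by python$* straight after setup.py build, so (as the new python3-lxml build-dependency suggests) it imports the lxml installed on the build system rather than the extension just built; that is acceptable for documentation but deserves a comment in debian/rules.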
Bug#989037: marked as done (unblock: rails/2:6.0.3.7+dfsg-1)
Your message dated Fri, 9 Jul 2021 22:04:26 +0200 with message-id <2d3c9ff6-de7a-bd08-003a-d108ad0cc...@debian.org> and subject line Re: Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1 has caused the Debian Bug report #989037, regarding unblock: rails/2:6.0.3.7+dfsg-1 to be marked as done.

-- 
989037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

Rails was recently affected by 3 CVEs (CVE-2021-2290{2,4} and CVE-2021-22885). I'm attaching a filtered diff for your review; the diff is really small and minimal, which should be clear by looking at it. The only caveat is that it needs ruby-marcel, which has an unblock request (#989036) opened a few minutes ago.

rails has been in unstable for around 9 days now[1]; I've done some testing and it all works OK w/ Bullseye, so it should be good to go.

[1]: https://tracker.debian.org/pkg/rails

The command used to filter the debdiff is as follows:

  filterdiff --exclude='*/Gemfile.lock' --exclude='*/CHANGELOG.md' --exclude='*/gem_version.rb' --exclude='*/package.json' --exclude='*/test/*' ../rails.debdiff

Let me know if you need any other information from my end.

Thanks!
- u

rails_filtered.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Hi,

On 18-06-2021 22:23, Paul Gevers wrote:
> On 06-06-2021 06:14, Paul Gevers wrote:
>> I am hoping it's possible to just downgrade the *dependency* in rails
>> only, such that the upload can happen via unstable. There is no "direct
>> bullseye" route. Or do you expect you'll have to make (lots) of changes
>> to rails to match the right ruby-marcel package? If that's the case,
>> then ruby-marcel/unstable isn't a drop-in replacement for
>> ruby-marcel/bullseye and I'd expect that ruby-marcel/unstable would need
>> a versioned Breaks for reverse dependent packages (ruby-activestorage),
>> but I'm not seeing that.
>
> Did your experimenting (as discussed on IRC last week) yield anything?

Unblocked the latest version in unstable.

Paul
--- End Message ---
Bug#989036: marked as done (unblock: ruby-marcel/1.0.1+dfsg-2)
Your message dated Fri, 9 Jul 2021 22:06:11 +0200 with message-id and subject line Re: Bug#989036: unblock: ruby-marcel/1.0.1+dfsg-2 has caused the Debian Bug report #989036, regarding unblock: ruby-marcel/1.0.1+dfsg-2 to be marked as done.

-- 
989036: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989036
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-r...@lists.debian.org

Hello,

We had to bump ruby-marcel to a newer version because the mimemagic dependency - which relies on GPL-licensed mime type data from freedesktop.org’s shared-mime-info project - is removed. Marcel now directly uses mime type data adapted from the Apache Tika project, distributed under the Apache License. This is the only major change here + some other bug fixes to get everything working.

ruby-marcel has been in unstable for around 9 days now[1]; I've done some testing and it all works OK w/ Bullseye, so it should be good to go.

[1]: https://tracker.debian.org/pkg/ruby-marcel

Since this is licensing + bug fix, I believe it'd be a good idea to have this included in Bullseye; this is also needed for rails to be unblocked (another separate request).

Attaching a filtered debdiff for your review.
The command used to filter the debdiff is as follows:

  filterdiff --exclude='*/APACHE-LICENSE' --exclude='*/.*' --exclude='*/data/*' --exclude='*/script/*' --exclude='*/test/*' --exclude='*/Gemfile.lock' --exclude='*/README.md' ../ruby-marcel.debdiff

Let me know if you need any other information from my end.

Thanks!

- u

ruby-marcel_filtered.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Hi,

On 06-06-2021 06:13, Paul Gevers wrote:
> On 24-05-2021 10:17, Utkarsh Gupta wrote:
>> We had to bump ruby-marcel to a newer version because the mimemagic
>> dependency - which relies on GPL-licensed mime type data from
>> freedesktop.org’s shared-mime-info project - is removed.
>
> I'm having trouble understanding what you wrote here. Did something in
> Debian now break the old ruby-marcel and you had to update ruby-marcel?
> If so, can you try again to explain how that happened? If not, I don't
> think you "had to bump ruby-marcel because of the mimemagic dependency"?

As rails in unstable now doesn't need this anymore, I'm closing this request.

Paul
--- End Message ---