Processed: unblock: flask-security/5.1.2-1
Processing control commands: > affects -1 + src:flask-security Bug #1033185 [release.debian.org] unblock: flask-security/5.1.2-1 Added indication that 1033185 affects src:flask-security -- 1033185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033185 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1033180: unblock: stayrtr/0.5.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: stay...@packages.debian.org
Control: affects -1 + src:stayrtr
Please unblock package stayrtr
The new upstream release contains only an important bug fix, needed to
stop the daemon from crashing in specific conditions.
(This is the upstream bug report of a Debian user who was stuck with the
version in testing: https://github.com/bgp/stayrtr/issues/96.)
diff attached, edited for clarity.
unblock stayrtr/0.5.1-1
--
ciao,
Marco
diff -Nru stayrtr-0.5.0/cmd/stayrtr/stayrtr.go
stayrtr-0.5.1/cmd/stayrtr/stayrtr.go
--- stayrtr-0.5.0/cmd/stayrtr/stayrtr.go2023-02-23 22:35:40.0
+0100
+++ stayrtr-0.5.1/cmd/stayrtr/stayrtr.go2023-03-01 15:36:19.0
+0100
@@ -261,6 +261,38 @@
vrplist = append(vrplist, vrp)
}
+ sort.Slice(vrplist, func(i, j int) bool {
+ // Sort VRPs as per draft-ietf-sidrops-8210bis-10
+ /*
+ 11. ROA PDU Race Minimization
+ When a cache is sending ROA (IPv4 or IPv6) PDUs
to a router, especially an initial
+ full load in response to a Reset Query PDU, two
undesirable race conditions are possible:
+
+ Break Before Make:
+ For some prefix P, an AS may announce two (or
more) ROAs because they are in the
+ process of changing what provider AS is
announcing P. This is a case of "make before break."
+ If a cache is feeding a router and sends the
one not yet in service a significant time
+ before sending the one currently in service,
then BGP data could be marked invalid during
+ the interval. To minimize that interval, the
cache SHOULD announce all ROAs for the same
+ prefix as close to sequentially as possible.
+ Shorter Prefix First:
+ If an AS has issued a ROA for P0, and another
AS (likely their customer) has issued a ROA
+ for P1 which is a sub-prefix of P0, a router
which receives the ROA for P0 before that for
+ P1 is likely to mark a BGP prefix P1 invalid.
Therefore, the cache SHOULD announce the
+ sub-prefix P1 before the covering prefix P0.
+ */
+ CIDRSizei, _ := vrplist[i].Prefix.Mask.Size()
+ CIDRSizej, _ := vrplist[j].Prefix.Mask.Size()
+ if CIDRSizei == CIDRSizej {
+ if vrplist[i].MaxLen != vrplist[j].MaxLen {
+ return vrplist[i].MaxLen > vrplist[j].MaxLen
+ }
+ return bytes.Compare(vrplist[i].Prefix.IP,
vrplist[j].Prefix.IP) < 1
+ } else {
+ return CIDRSizei > CIDRSizej
+ }
+ })
+
for _, v := range brklistjson {
if v.Expires != nil {
// Prevent stale VRPs from being considered
@@ -299,7 +331,7 @@
}
// Ensure that these are sorted, otherwise they
- // don't has right.
+ // don't hash right.
sort.Slice(v.Providers, func(i, j int) bool {
return v.Providers[i] < v.Providers[j]
})
diff -Nru stayrtr-0.5.0/cmd/stayrtr/stayrtr_test.go
stayrtr-0.5.1/cmd/stayrtr/stayrtr_test.go
--- stayrtr-0.5.0/cmd/stayrtr/stayrtr_test.go 2023-02-23 22:35:40.0
+0100
+++ stayrtr-0.5.1/cmd/stayrtr/stayrtr_test.go 2023-03-01 15:36:19.0
+0100
@@ -103,11 +103,6 @@
got, _, _, count, v4count, v6count := processData(stuff, nil, nil)
want := []rtr.VRP{
{
- Prefix: mustParseIPNet("192.168.0.0/24"),
- MaxLen: 24,
- ASN:123,
- },
- {
Prefix: mustParseIPNet("2001:db8::/32"),
MaxLen: 33,
ASN:123,
@@ -117,6 +112,11 @@
MaxLen: 25,
ASN:123,
},
+ {
+ Prefix: mustParseIPNet("192.168.0.0/24"),
+ MaxLen: 24,
+ ASN:123,
+ },
}
if count != 3 || v4count != 2 || v6count != 1 {
t.Errorf("Wanted count = 3, v4count = 2, v6count = 1, but got
%d, %d, %d", count, v4count, v6count)
diff -Nru stayrtr-0.5.0/debian/changelog stayrtr-0.5.1/debian/changelog
--- stayrtr-0.5.0/debian/changelog 2023-02-27 03:36:29.0 +0100
+++ stayrtr-0.5.1/debian/changelog 2023-03-05 01:11:49.0 +0100
@@ -1,3 +1,9 @@
+
Processed: unblock: stayrtr/0.5.1-1
Processing control commands: > affects -1 + src:stayrtr Bug #1033180 [release.debian.org] unblock: stayrtr/0.5.1-1 Added indication that 1033180 affects src:stayrtr -- 1033180: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033180 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1033090: unblock: dhcpdump/1.8-6
Control: tags -1 - moreinfo
Hi Sebastian,
On Sat, 2023-03-18 at 09:06 +0100, Sebastian Ramacher wrote:
> Unfortunately these fixes come with a complete overhaul of debian/ which
> is no longer appopriate at this point of the freeze. Please upload a new
> version with targetted fixes only.
Thanks!
https://mentors.debian.net/package/dhcpdump/
Adam, please sponsor it and add DM rights, if you find appropriate.
Here is my reasoning for the additional changes to the old packaging:
- not installing copyright is a lintian error
- not stripped binary is a lintian error
- dhcpdump runs as root and processes data from the network, building with
hardening flags is essential (IMHO)
I allowed myself to change maintainer and close the ITA, not sure how good is
that at this time. I can easily change it back to a QA upload and postpone for
trixie.
--
With best regards,
b.
diff -Nru dhcpdump-1.8/debian/changelog dhcpdump-1.8/debian/changelog
--- dhcpdump-1.8/debian/changelog 2022-12-05 15:08:35.0 +
+++ dhcpdump-1.8/debian/changelog 2023-03-18 21:43:18.0 +
@@ -1,3 +1,57 @@
+dhcpdump (1.8-7) unstable; urgency=medium
+
+ * Revert all non-targeted changes since 1.8-4
+ * New maintainer (Closes: #934419)
+ * Fix old packaging
+- install copyright
+- hardening flags
+- proper strip
+ * Add 2 missing checks to d/p/dhcpdump-bugfix_strcounts.patch
+
+ -- Boian Bonev Sat, 18 Mar 2023 21:43:18 +
+
+dhcpdump (1.8-6) unstable; urgency=medium
+
+ * QA upload.
+ * Upload 1.8-5 fixes to unstable.
+
+ -- Adam Borowski Wed, 08 Mar 2023 17:43:02 +0100
+
+dhcpdump (1.8-5) experimental; urgency=medium
+
+ [ Boian Bonev ]
+ * QA upload.
+ * Install binary and man page.
+ * Add patches that fix:
+- build options in Makefile (hardening and cross)
+- ethertype handling (Closes: #873635)
+- flags calculation
+- opt82 processing
+- counts in string arrays (OOB access)
+- spelling errors
+- wrong description in man page (Closes: #647228)
+ * Do not depend on tcpdump.
+ * Bump standards to 4.6.2, no changes.
+ * Remove unrelated key and override source not signed.
+ * wrap-and-sort
+
+ [ Joao Paulo Lima de Oliveira ]
+ * debian/control:
+- Set Rules-Requires-Root:no.
+- Set homepage-field.
+- Bumped Standards-Version to 4.6.1.
+- Set debhelper-compat version in Build-Depends.
+- Added Depends ${shlibs:Depends} in Depends fields.
+ * debian/rules:
+- Rewrite to use dh-sequencer.
+ * debian/metadata:
+- Added missing upstream metadata.
+- Added upstream's key.
+ * debian/watch:
+- Add watch file.
+
+ -- Boian Bonev Thu, 23 Feb 2023 08:31:03 +
+
dhcpdump (1.8-4) unstable; urgency=medium
* QA upload.
diff -Nru dhcpdump-1.8/debian/control dhcpdump-1.8/debian/control
--- dhcpdump-1.8/debian/control 2022-12-05 15:08:35.0 +
+++ dhcpdump-1.8/debian/control 2023-03-18 21:43:18.0 +
@@ -1,13 +1,20 @@
Source: dhcpdump
Section: admin
Priority: optional
-Maintainer: Debian QA Group
-Build-Depends: libpcap0.8-dev
-Standards-Version: 3.8.0.1
+Maintainer: Boian Bonev
+Build-Depends:
+ debhelper-compat (= 13),
+ libpcap-dev,
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: http://www.mavetju.org/download/
Package: dhcpdump
Architecture: any
-Depends: ${shlibs:Depends}, tcpdump
-Description: Parse DHCP packets from tcpdump
- This package provides a tool for visualization of DHCP packets as
- recorded and output by tcpdump to analyze DHCP server responses.
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: Parse DHCP packets from interface
+ This package provides a tool for visualization of DHCP packets
+ on a network interface to analyze DHCP client requests and
+ server responses.
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch 1970-01-01 00:00:00.0 +
+++ dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch 2023-03-18 21:33:55.0 +
@@ -0,0 +1,22 @@
+Description: Fix network order 16bit value
+ Get the packet's ethertype in a way that works on any
+ kind of endian machine
+ .
+Author: Ben Hildred <426...@gmail.com>
+Origin: vendor
+Forwarded: BTS #873635
+Last-Update: 2017-08-29
+
+--- a/dhcpdump.c
b/dhcpdump.c
+@@ -132,8 +132,8 @@ void pcap_callback(u_char *user, const s
+ offset += ETHER_HDR_LEN;
+
+ // Check for IPv4 packets
+- if (eh->ether_type != 8) {
+- printf("Ignored non IPv4 packet: %d\n", eh->ether_type);
++ if (eh->ether_type != htons(0x800)) {
++ printf("Ignored non IPv4 packet: %x\n", ntohs(eh->ether_type));
+ return;
+ }
+
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch 1970-01-01 00:00:00.0 +
+++ dhcpdump-1.8/debian/pa
Processed: Re: Bug#1033090: unblock: dhcpdump/1.8-6
Processing control commands: > tags -1 - moreinfo Bug #1033090 [release.debian.org] unblock: dhcpdump/1.8-6 Removed tag(s) moreinfo. -- 1033090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033090 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1032999: unblock: mesa/22.3.6-1
On Sat, Mar 18, 2023 at 05:33:02PM +0100, Paul Gevers wrote: > Oh, we were going to unblock this mesa, but we're waiting for > llvm-toolchain-15 to get fixed. I think that might take some more time, so I > propose that the version in unstable is uploaded to testing-proposed-updates > such that it gets build against the version of llvm-toolchain-15 in testing. > Please, changelog only (with a correct version). That sounds like a plan. J -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1032939: unblock: network-manager/1.42.4-1
Control: tags -1 moreinfo Hi Michael, On 14-03-2023 13:47, Michael Biebl wrote: please unblock package network-manager. The current version in testing is 1.42.0-1 and upstream has created two stable point releases 1.42.2 and 1.42.4, cherry-picking various fixes into the nm-1.42 stable branch, most notably a fix for #1031891, a regression in the dnsmasq DNS backend when using a global DNS configuration. Upstream is rather conservative in cherry-picking fixes into their stable branches and the package ships an extensive test-suite, which is run during build. What does "rather conservative" mean? Do you have a link to their policy? Normally we'd like to have a more verbose description of the changes. The diff is uncomfortably big. Please try to avoid white space changes next time too (debian/org.freedesktop.NetworkManager.rules), those are horrible to review. Is there a reason why you "Use execute_before instead of override for dh_install" now? > I've filtered out generated files (like Makfile.in) and po/* Next time, please provide the full filter that you used. I would not have guessed from that line that you stripped a lot of docs/ too. No new regressions were reported for 1.42.4-1. I would thus like to see 1.42.4-1 unblocked for bookworm. Ack. I'm leaning to let it in now, but later in the freeze, please cherry-pick or defer. Paul OpenPGP_signature Description: OpenPGP digital signature
Processed: Re: Bug#1032939: unblock: network-manager/1.42.4-1
Processing control commands: > tags -1 moreinfo Bug #1032939 [release.debian.org] unblock: network-manager/1.42.4-1 Added tag(s) moreinfo. -- 1032939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032939 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 1033075
Processing commands for cont...@bugs.debian.org:
> tags 1033075 - moreinfo
Bug #1033075 {Done: Jonathan Wiltshire } [release.debian.org]
unblock: strongswan/5.9.8-5
Removed tag(s) moreinfo.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
1033075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1029123: bullseye-pu: package apache2/2.4.55-1~deb11u1
Hi,
On Sat, Mar 18, 2023 at 05:42:40PM +, Adam D. Barratt wrote:
> On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> > Apache2 has 3 new security issues:
> > * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
> >A carefully crafted If: request header can cause a memory read, or
> > write
> >of a single zero byte, in a pool (heap) memory location beyond the
> > header
> >value sent. This could cause the process to crash.
> > * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
> >Inconsistent Interpretation of HTTP Requests ('HTTP Request
> > Smuggling')
> >vulnerability in mod_proxy_ajp of Apache HTTP Server allows an
> > attacker
> >to smuggle requests to the AJP server it forwards requests to.
> > * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to
> > trigger HTTP
> >response splitting.
> >A malicious backend can cause the response headers to be truncated
> > early,
> >resulting in some headers being incorporated into the response
> > body. If
> >the later headers have any security purpose, they will not be
> > interpreted
> >by the client.
>
> Apologies for letting this fall through the cracks until now.
>
> >From comments in #1032977, it sounds as if this request has been
> effectively superseded by an impending DSA release?
Yes, there will be a DSA release for apache2 based on 2.4.56 upstream
(versioned 2.4.56-1~deb11u1), which will include those changes as
well.
Regards,
Salvatore
Processed: tagging 1025708
Processing commands for cont...@bugs.debian.org: > tags 1025708 - moreinfo Bug #1025708 [release.debian.org] bullseye-pu: package debootstrap/1.0.123+deb11u2 Ignoring request to alter tags of bug #1025708 to the same tags previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 1025708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025708 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Uploading linux (6.1.20-1)
Hi I would like to upload another Linux upload, version 6.1.20-1 to unstable (aimed to move to bookworm). It consists of importing as usual the new stable series, 6.1.16 up to 6.1.20, including CVE fixes for CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-25012 and CVE-2023-28466. We have again an ABI bump icluded. Other packaging changes are mainly to add further support for Debian installation and support for hardware or features. Listing the full additional changes they are: * [arm64,armhf,riscv64] drivers/ata: Enable AHCI_DWC as module (Closes: #1032362) * [x86] drivers/platform/x86: Enable THINKPAD_LMI as module (Closes: #1032399) * [rt] Refresh "printk: Bring back the RT bits." for context changes in 6.1.16 * Bump ABI to 7 * net/sched: Drop setting of NET_CLS_TCINDEX (retired upstream) * net/kcm: Enable AF_KCM as module (Closes: #1023958) * wifi: mt76: do not run mt76_unregister_device() on unregistered hw This prevents a kernel panic when unloading the module, which happens within the installer after firmware files have been deployed, at least with mt7921e (Closes: #1029116). Thanks to Helmut Grohne for the initial patch, which led upstream to propose this patch. * udeb: Add michael_mic to crypto-modules, for ath11k and others. Thanks to Nicolas Dandrimont for reporting and Benoît Chauvet for testing (See: #1032140). * [powerpc/powerpc64,ppc64el] udeb: add DRM ast driver to fb-modules (Closes: #990016) * Enable modules to be used by rasdaemon tool on Intel platforms (Closes: #1032467) - [amd64] drivers/edac: Enable EDAC_IGEN6 as module - [x86] drivers/acpi/apei: Enable ACPI_APEI_EINJ as module * Enable important configs for ChromeOS boards: - Enable GOOGLE_VPD, GOOGLE_SMI, GOOGLE_FRAMEBUFFER_COREBOOT as modules - [x86] Enable FB_SIMPLE as built-in - [x86,armhf,arm64] Change GOOGLE_FRAMEBUFFER_COREBOOT and GOOGLE_COREBOOT_TABLE to built-in (except cloud-*) - [x86,arm64] Enable CHROMEOS_ACPI as module - [x86,arm64] Enable TCG_TIS_SPI_CR50 as built-in - [x86,arm64] Enable TCG_TIS_I2C_CR50 as module I cannot completely exclude there will be no regressions, as it includes as well a stable import which was following the merge window for 6.3 upstream, this is defintively bigger as the other rounds. But I'm following the exact same strategy for those imports as we would do for the point release. Once we are confident with the unstable upload, I should fill an unblock request for the release team. Regards, Salvatore signature.asc Description: PGP signature
Bug#1033151: marked as done (unblock: firefox-esr/102.9.0esr-2)
Your message dated Sat, 18 Mar 2023 20:20:28 +
with message-id
and subject line unblock firefox-esr
has caused the Debian Bug report #1033151,
regarding unblock: firefox-esr/102.9.0esr-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package firefox-esr
(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)
[ Reason ]
New version fixes CVEs and the RC bug that was putting the package in
the autorm list.
[ Impact ]
No firefox in bookwork.
[ Tests ]
Package was smoke-tested.
[ Risks ]
Apart from the upstream differences from the CVE fixes/new upstream
release, that we'd take (and have taken) in stable, the differences are
very limited in scope (see attached diff)
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock firefox-esr/102.9.0esr-2
diff -Nru firefox-esr-102.8.0esr/debian/browser.mozconfig.in
firefox-esr-102.9.0esr/debian/browser.mozconfig.in
--- firefox-esr-102.8.0esr/debian/browser.mozconfig.in 2023-02-15
08:44:35.0 +0900
+++ firefox-esr-102.9.0esr/debian/browser.mozconfig.in 2023-03-18
06:53:04.0 +0900
@@ -30,6 +30,6 @@
ac_add_options --with-unsigned-addon-scopes=app,system
ac_add_options --allow-addon-sideload
ac_add_options --enable-alsa
-%if DIST == bullseye || DIST == buster || DIST == stretch
+%if DIST == bullseye || DIST == buster || DIST == stretch || DEB_HOST_ARCH ==
s390x
ac_add_options --without-wasm-sandboxed-libraries
%endif
diff -Nru firefox-esr-102.8.0esr/debian/changelog
firefox-esr-102.9.0esr/debian/changelog
--- firefox-esr-102.8.0esr/debian/changelog 2023-02-15 08:45:08.0
+0900
+++ firefox-esr-102.9.0esr/debian/changelog 2023-03-18 06:53:38.0
+0900
@@ -1,3 +1,22 @@
+firefox-esr (102.9.0esr-2) unstable; urgency=medium
+
+ * gfx/skia/generate_mozbuild.py, gfx/skia/moz.build: Remove explicit NEON
+flags from skia build. Closes: #982794. Thanks Emanuele Rocca.
+
+ -- Mike Hommey Sat, 18 Mar 2023 06:53:38 +0900
+
+firefox-esr (102.9.0esr-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Fixes for mfsa2023-10, also known as:
+CVE-2023-25751, CVE-2023-28164, CVE-2023-28162, CVE-2023-25752,
+CVE-2023-28176.
+
+ * debian/browser.mozconfig.in: Disable wasm sandboxing on s390x for now.
+It doesn't work at the moment.
+
+ -- Mike Hommey Wed, 15 Mar 2023 07:26:00 +0900
+
firefox-esr (102.8.0esr-1) unstable; urgency=medium
* New upstream release.
diff -Nru
firefox-esr-102.8.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
firefox-esr-102.9.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
---
firefox-esr-102.8.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
2023-02-15 08:44:54.0 +0900
+++
firefox-esr-102.9.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
2023-03-18 06:53:24.0 +0900
@@ -7,7 +7,7 @@
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/testing/xpcshell/runxpcshelltests.py
b/testing/xpcshell/runxpcshelltests.py
-index 212bfeb..6761334 100755
+index c3de2a2..0636219 100755
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -13,6 +13,7 @@ import os
@@ -18,7 +18,7 @@
import shutil
import signal
import subprocess
-@@ -835,9 +836,23 @@ class XPCShellTestThread(Thread):
+@@ -837,9 +838,23 @@ class XPCShellTestThread(Thread):
if self.interactive:
self.log.info("%s | Process ID: %d" % (name, self.proc_ident))
diff -Nru
firefox-esr-102.8.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
firefox-esr-102.9.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
---
firefox-esr-102.8.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
1970-01-01 09:00:00.0 +0900
+++
firefox-esr-102.9.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
2023-03-18 06:53:24.0 +0900
@@ -0,0 +1,44 @@
+From: Emanuele Rocca
+Date: S
Bug#1033167: usrmerge: messes with /etc/shells
Package: usrmerge Version: 25 Severity: serious Justification: violates policy section 10.7.4 Control: affects -1 + debianutils dash X-Debbugs-Cc: jo...@debian.org, cl...@debian.org, andre...@debian.org, debian-release@lists.debian.org Hi, I think that it is quite obvious that /etc/shells is debianutils' territory. When I found that on some systems /etc/shells was out of sync with /var/lib/shells.state, I was quite puzzled until I noticed that usrmerge messes with this file. This really is debianutils' configuration file and usrmerge has no business in touching it in uncoordinated ways. Refer to policy section 10.7.4 for details, so usrmerge is technically rc-buggy. However, usrmerge does have reason to touch it, so the solution is not simply to drop convert-etc-shells with no replacement. Let us dive a bit into how an essential system can come to be. 1. We start either merged (e.g. debootstrap or mmdebstrap with --hook-dir=.../merged-usr) or unmerged (mmdebstrap without hook or an old debootstrap --no-merged-usr). 2. We either install usrmerge or usr-is-merged. Though we cannot combine starting unmerged with usr-is-merged for obvious reasons. 3. The last invocation of update-shells happens before or after usrmerge.postinst. (Not relevant in case of usr-is-merged) So what happens in these cases? If and only if usrmerge is used, convert-etc-shells turns /bin/sh into /usr/bin/sh. So whenever we start out merged and use usr-is-merged, /usr/bin/sh goes missing. If usrmerge is used, the order of entries in /etc/shells depends on whether update-shells is run after it or not. Likewise /var/lib/shells.state also depends. This is not some mmdebstrap-specific problem. You can easily observe this with debootstrap --no-merged-usr and installing usrmerge vs just doing debootstrap. This is bad from a reproducibility point of view and it is rooted in usrmerge not cooperating with other packages, but instead doing things behind their back, which happens to violate policy. So how to fix this? For one thing, the /bin/sh difference is rooted in the fact that /bin/sh is a standard value of debianutils and not managed using shells.d even though dash ships plain /bin/sh these days. I think dash should just add /bin/sh to /usr/share/debianutils/shells.d/dash and we'd be done as all entries in shells.d are correctly managed wrt. merged-/usr by update-shells. The next thing is that convert-etc-shells needs to go away from usrmerge. In the age of systems with usr-is-merged, there is no convert-etc-shells (as there is no usrmerge), so it must work without somehow anyway. When you run update-shells after a merge, it will pick up the merged shell locations (for shells managed in shells.d) and add them to /etc/shells. So usrmerge should ensure that update-shells is called after having performed the merge. This is the only way to get reproducibility. (That doesn't quite answer yet when to run it, how to run it, nor whether that makes convert-etc-shells unnecessary though.) Then we still have add-shell and remove-shell and most packages using them induce policy violations (reverting admin changes on upgrade), so we want to change them to the shells.d mechanism in the long run, but that's not where we are today and especially not what we can rely on in bookworm. So for these entries, we still do need convert-etc-shells and indeed we cannot just delete it. convert-etc-shells compensates for the difference in behaviour of add-shell pre-merge vs post-merge. I think the best solution here would be merging convert-etc-shells into update-shells. Whenever we run update-shells, it should check whether the system is already merged and when it is, perform the equivalent to convert-etc-shells. Then usrmerge can just install an empty (except for a comment) /usr/share/debianutils/shells.d/usrmerge to trigger update-shells and things become fully reproducible in all cases, because no matter how we started, we will run update-shells post merge and that'll do the right thing. And since usrmerge now uses the tools provided by debianutils, this fully resolves the policy violation. Also note that usr-is-merged does not have to invoke the trigger as debianutils is configured after /usr is merged. So unless I am mistaken, this leads to the following action items: * update-shells absorbs convert-etc-shells. * dash adds /bin/sh to shells.d/dash. * usrmerge creates an empty shells.d/usrmerge file. * usrmerge depends on a version of debianutils that has absorbed convert-etc-shells. Does that make sense to you? I haven't actually implemented and tested this yet. Do you see any obvious flaws in the arguments or the proposed solution? I'm Ccing release managers as it looks like we're starting a transition of an essential package right in the middle of the freeze. Not good, but this looks still manageable to me. Helmut
Bug#1029123: bullseye-pu: package apache2/2.4.55-1~deb11u1
On Wed, 2023-01-18 at 11:25 +0400, Yadd wrote:
> Apache2 has 3 new security issues:
> * CVE-2006-20001: mod_dav out of bounds read, or write of zero byte.
>A carefully crafted If: request header can cause a memory read, or
> write
>of a single zero byte, in a pool (heap) memory location beyond the
> header
>value sent. This could cause the process to crash.
> * CVE-2022-36760: mod_proxy_ajp Possible request smuggling.
>Inconsistent Interpretation of HTTP Requests ('HTTP Request
> Smuggling')
>vulnerability in mod_proxy_ajp of Apache HTTP Server allows an
> attacker
>to smuggle requests to the AJP server it forwards requests to.
> * CVE-2022-37436: mod_proxy prior to 2.4.55 allows a backend to
> trigger HTTP
>response splitting.
>A malicious backend can cause the response headers to be truncated
> early,
>resulting in some headers being incorporated into the response
> body. If
>the later headers have any security purpose, they will not be
> interpreted
>by the client.
Apologies for letting this fall through the cracks until now.
>From comments in #1032977, it sounds as if this request has been
effectively superseded by an impending DSA release?
Regards,
Adam
Bug#1033160: bullseye-pu: package flatpak/1.10.8-0+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: flat...@packages.debian.org Control: affects -1 + src:flatpak [ Reason ] New upstream stable release fixing a security issue. [ Impact ] The same two CVEs that were fixed in 1.14.4-1 (#1033078), which the security team have indicated are not going to get a DSA: CVE-2023-28101: A malicious Flatpak app could prevent the flatpak(1) CLI from displaying its permissions as intended, by having crafted permissions or other metadata containing terminal escape sequences or other special characters. (#1033098) CVE-2023-28100: A malicious Flatpak app could execute code outside the sandbox if run from a Linux virtual console. (#1033099) Additionally, the new upstream stable release has some other bug fixes backported from 1.12.x and 1.14.x for: - temporary directories not being cleaned up if an upgrade is cancelled, in particular if it's blocked by parental controls (libmalcontent); - the `flatpak history` command, which didn't previously work in bullseye; - a build bug fix which isn't directly relevant to bullseye, but was necessary to get the upstream release out, and is harmless in bullseye [ Tests ] The automated test suite is run at build-time and by autopkgtest, and still passes. It includes tests for the two CVE issues and the `flatpak history` fixes. Coverage on buildds and lxc is not great, because we're unable to actually run Flatpak apps in that environment, but I ran the autopkgtest in autopkgtest-virt-qemu before upload (which does get full coverage) and that also passes. The new upstream stable release also adds unit test coverage for the seccomp filter changes in previous security updates (CVE-2021-41133, etc.), which were previously backported without automated tests. A manual smoke-test on my partner's Debian 11 system was successful. [ Risks ] The security fixes are new, but are narrowly-targeted and seem rather safe. The other changes have been in testing/unstable and in bullseye-backports for a long time without regression reports. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The attached debdiff has been filtered to remove Autotools noise. The diffstat is unfiltered. * app/flatpak-builtins-info.c, app/flatpak-builtins-remote-info.c, app/flatpak-cli-transaction.c, common/flatpak-context.c, common/flatpak-utils.c, common/flatpak-utils-private.h: CVE-2023-28101 * common/flatpak-run.c: CVE-2023-28100 * configure.ac, Makefile.am: unrelated bug fix for ability to compile with newer gpgme (unnecessary for bullseye, but necessary to get the upstream release out) * app/flatpak-builtins-history.c, app/flatpak-main.c: unrelated bug fixes for `flatpak history` backported from the version in testing/unstable * common/flatpak-dir.c: unrelated bug fix for a temporary directory not being cleaned up if an upgrade is cancelled * tests: Test coverage for CVE-2023-28101, CVE-2023-28100, previous CVE fixes, and the history bugfix debdiff *.dsc | filterdiff -p1 -xMakefile.in -x'*/Makefile.in' -xaclocal.m4 -xconfig.guess -xconfig.sub -xconfigure -x'doc/reference/html/*.html' -xdoc/reference/html/style.css -xltmain.sh -x'm4/l*.m4' -x'po/*.po' -x'po/*.pot' diffstat for flatpak-1.10.7 flatpak-1.10.8 Makefile.am|4 Makefile.in| 94 NEWS | 36 aclocal.m4 | 193 app/flatpak-builtins-history.c | 59 app/flatpak-builtins-info.c|8 app/flatpak-builtins-remote-info.c |5 app/flatpak-cli-transaction.c | 12 app/flatpak-main.c |5 common/flatpak-context.c | 36 common/flatpak-dir.c | 15 common/flatpak-ref-utils-private.h |1 common/flatpak-run.c |4 common/flatpak-utils-private.h | 14 common/flatpak-utils.c | 119 common/flatpak-version-macros.h|2 config.guess | 1502 +++-- config.sub
Processed: bullseye-pu: package flatpak/1.10.8-0+deb11u1
Processing control commands: > affects -1 + src:flatpak Bug #1033160 [release.debian.org] bullseye-pu: package flatpak/1.10.8-0+deb11u1 Added indication that 1033160 affects src:flatpak -- 1033160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033160 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1032977: unblock: apache2/2.4.56-1
On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > Hi security team > > On 2023-03-15 06:46:32 +0400, Yadd wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: apac...@packages.debian.org > > Control: affects -1 + src:apache2 > > > > Please unblock package apache2 > > > > [ Reason ] > > Apache2 < 2.4.56 is vulnerable to 2 CVE, the major is CVE-2023-25690 > > (bypass access control using HTTP Request Smuggling attack) > > What's the plan regarding apache2 in bookworm? Will future DSAs update > apache2 with update bugfix releases? Indeed, that's also what was done for bullseye as well, e.g. DSA 4982 moved to 2.4.51 or DSA 5035 moved to 2.4.52. As such, it would be good to age apache to 10 days; we'd like to release 2.4.56 for bullseye-security and otherwise the higher version in stable over testing might cause upgrade issues. Cheers, Moritz
Bug#1033157: bullseye-pu: package debian-archive-keyring/2021.1.1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: debian-archive-keyr...@packages.debian.org, j...@debian.org Control: affects -1 + src:debian-archive-keyring [ Reason ] The bookworm archive keys need adding to stable to ensure smooth upgrades for users. [ Impact ] Users cannot upgrade. [ Tests ] Build-time consistency checks, manual testing. [ Risks ] Low risk, this is basically only data changes. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable diff -Nru debian-archive-keyring-2021.1.1/active-keys/add-bookworm-automatic debian-archive-keyring-2021.1.1+deb11u1/active-keys/add-bookworm-automatic --- debian-archive-keyring-2021.1.1/active-keys/add-bookworm-automatic 1970-01-01 01:00:00.0 +0100 +++ debian-archive-keyring-2021.1.1+deb11u1/active-keys/add-bookworm-automatic 2023-03-18 14:53:41.0 + @@ -0,0 +1,191 @@ +Comment: add bookworm automatic key (archive) +Date: Thu, 16 Mar 2023 08:31:32 + +Action: import +Data: + -BEGIN PGP PUBLIC KEY BLOCK- + + mQINBGPL0BUBEADmW5NdOOHwPIJlgPu6JDcKw/NZJPR8lsD3K87ZM18gzyQZJD+w + ns6TSXOsx+BmpouHZgvh3FQADj/hhLjpNSqH5IH0xY7nic9BuSeyKx2WvfG62yxw + XcFkwTxoWpF3tg0cv+kT4VA3MfVj5GebuS4F9Jv01WuGkxUllzdzeAoC70IYNOKV + +Av7hX5cOaCAgvDCQmhVnQ6Nz4fXdPdMHVodlPsKbv8ymVsfvb8UzQ6dl9w1gIu9 + 4S0FCQeEePSii23jHISYwku/f6huQGxSjAy8yxab0aZshl98c3pGGfOJHntmHwOG + gqV+Gm1hbcBjc6X8ybL2KEr/Lu4xAK3xSQmP+tO6MNxfBTCeo8fXRT95pqj7t3QH + Iu+LbVYrkLQ6St9mdOgUUsAdVYXJ3eh8Y+CfjmBywNRizOGHrEp8JsAcS0+a9yBL + +BYWhS4BL/EeeacRLT9kfzIqS1OD/RL/4Qbi2GLGFsiHaKFUn4xse20ZXq5XtEL6 + ltQVIr/iAlBtdSOnge/ZkNvd3SQIyC2QBNAy67QutS8yiaCE2vtr8i5GQOu2fgr1 + NJ0VjuwshmgJvbZ2m/9Zq1Yp1iMnPVJtOWcNxTZAWJDN4L5OdoqbaOkqS/+cgLy2 + UTsc0A7cxt/2ugOtln/utXsfgb3Qno69yCuSbQmVM1NrwvZVxPIWi7B2gQARAQAB + iQJOBB8BCgA4FiEEuLgLW2I+q2rYd1xFt8XX1jUJR/gFAmPL0BcXDIABgOl28UpQ + ikjpyj/pvDciUsoc+WQCBwAACgkQt8XX1jUJR/jTMRAAt6Mltzz7xk7RGIGaF+ug + 0QSoh9n07Y0oxEAb1cPSvo3o5wnxQ6ZYIukr2KTFkXaDh35XpXoA2Z9Uf6wz4h8B + nF8DWhbo+2sSq9au0J16bsLuIHfhzJWXSwyekHOrLiiiSfhjey9eQzgOT8jJsEjy + FzfxtMOTepXX8yQdp4SK3WYdVjAcbwjFGcbh5VqQIsr1+MdlaVchqWP1vm1ADvQF + C87hQjhpMzQoU7WVkJWsqlMuXh95h59h/SndBiHKXHQfs/LAM7M2K/fgS9+EbPWW + fC97/8SqpXheDsvCvueumTyzUCNXFpNGwUUA1qO6GTaMwHjaX/AeCaRMxCQcLdQ0 + 7b6zc13dqiMAAL1eSQ10TFP9kD2QoyPjF6lh0S5xshHWET5duw71KjYAAOGdv8J3 + 9DGMvT8OdL8UklIJy7KLjxJOjY21oPCHgx1cQKLONCgOAcQ4ZmzBOP8sWZ7ld8OV + Ke4c/bOqwbRMLNXUwuVJuejwvoypCOxbdlYUnfL633wVMQBM8ilog+2TydStV4AU + CQVsICw4iaXUU+B6gh1euvgvCW13q7pMFJDPbpC+EFC1Fl4RT+CFLE8XG0kXHQ3x + HWo+/b49x3MYv5wS33+NZpfdHEuHKwybfTIVshlPU8rXmrwmVXO9iRmAczjcoeYZ + OTI5EJz20PBi65wAdpAFVBeJAk4EHwEKADgWIQS4uAtbYj6rath3XEW3xdfWNQlH + +AUCY8vQFxcMgAH7+r21QbXclVvZum7bFs9bsSUlxAIHAAAKCRC3xdfWNQlH+KbZ + D/4uoBtdR5LdZGh5sDBjhcDJ+09vhagDh4/lLsiH5/HEmY5M0fwUTvnzV00Bsu3y + u/blyKaX/oram1jBzwucqkIXFx/KF6ErMkHBQi0w7Kqb+nY1s24rD6++VL/ZIA5A + CLoMxD/xWNN0GA3IMa5HquAxejhgpKB1Dm7QcEab2Jk2hnlCFBgmjun1xEqb2IO0 + fmfXjREpRBbzvmOTCkEUm8CIikJy7CHmAIVOJnxQZyK5bua05fKZOJQvb7VmmhJw + /1eE5+VU0fMHbZDkVeL0LOAecpPGH3uCEXaf4J0Pu4jXCHqz9UPMNRawNWEcBRTZ + oq5M5GpRkIpPpt8j7jGoQaKM5bUxtsS0+8L56n03J5xWBy+yEQPYnBJs5n61/dcc + aRwqO47TJsADIqg7T5Q+v97+1xXzMc8KkTbtQatWdukNuVrbLNXlLYI/sPChqMtZ + J7yW9Qhz+ljJnBKkYTjG5OLjsInB80cNFOkZMjsj9gQgAagSwqll/IIXry0zKF/Z + A3ARmy7G5vjvqP8HjSWbcqbjdz27/H8Zn/HaGRK5GwoBS/4CyDiuvrq9bS6bk7E4 + Ql6Ni2UF7brjEULiYfbMdL0HHaKHuU3rWBCZtFRyVJ3yUKP/UAdxtS8VwbkYBOIp + gS4Y6RwXeQmC9G6crnXR6hsODs5E47hiugf/HkhvyQ6CJokCTgQfAQoAOBYhBLi4 + C1tiPqtq2HdcRbfF19Y1CUf4BQJjy9AYFwyAAYyCPe0QqoBBY54SEFrOjW4MFKRw + AgcAAAoJELfF19Y1CUf4uo0P/i+m8SnrFF7IcsppML6dsxOvioUt5dBbXgkSbCUh + dciW583S04mqS8iicMoUSXg+WKXWJ+UaAnfh6yWLcbeYpH8SZ+TX+J3WuLj4ECPe + MYfLGY4eehKIJqnEDfVqtoc8g5w9JxFglZBTZ/PJeyj6I2ovzVG1YH2ZER0cvRvi + tywWBP3edDBa/KPHzBVLaeWuuH28aAGHF2pHtEh+nDfQ/EblDlPUkGclnu79E82g + dl3W0GvcbMXccVIvik9IHPI042me4KJwy7X3qoNGbn3+XditIA+6rb1N+wGDdQkD + s9MvGmoQoxs5iFi5kW/AIdIMHCR+A6MMO4KGQ6E6UDd/DM3iFh2V+gavktk85sIk + Thy378l3JQRidRptifTJjESnyM/NUjN8JMb6peyn0xKyYE6uNK9cZAmbEWGCdZfp + 62gPUo6dR7BHe2a1qJokvfSJdjZtczBuWotFs6EQcCuRDqpySzrLYitCNxNqJ0FG + +kryruObVXgr4y+r1C7+CczmGF0m8zp1BuGaT6pbx7X6VqazYSfOkQSk4Wyk89Ry + 45RZmg79Mgv1s6NNz4ngW7LYNJgMZXwYHL99UiL47dOFBCIXTqVXURwU+BkVxwqZ + Bq10BWd+qdMPGl8hsA3zi64PJMg0u4YaWs/jasZaWaJI6tv/M1WsfQ3TCZrtT6YE + nhieiQJOBB8BCgA4FiEEuLgLW2I+q2rYd1xFt8XX1jUJR/gFAmPL0BgXDIABMJkR + vqlm0GEwUwRXEbTl/xWw/YICBwAACgkQt8XX1jUJR/ilGw//W+ckV1lt00dA+S2T + L7qaQehp//03GXnC4CRVEWalaoEylcqHlvyUiQc6+r44ZkoLTRSadNWt6EIISFaZ + OiIEDrzzpNUVu/9heQeJeeOzPOFQ0LBNI86xo8e1EmvWMBLDf6NGJZtoG1qBNIyJ + k0x7x51pOGf7h8xlvEDo3F0JNC5/N1FjtdAHdyA8HLQFkePIWHUm+h76lgF3Z5cE + 3Myh7XA0NfKe33pgI7CWhbNiF62XhOMAVM6Lrjk+Zp7FWDplSiNu+J3TTjR0sAkp + H5Uf4V3i7zIhlVKKhV+Ktr5ojuj805U1tocrH68bBn4weLDfPzGp4rZ5aMoKqK+
Processed: bullseye-pu: package debian-archive-keyring/2021.1.1+deb11u1
Processing control commands: > affects -1 + src:debian-archive-keyring Bug #1033157 [release.debian.org] bullseye-pu: package debian-archive-keyring/2021.1.1+deb11u1 Added indication that 1033157 affects src:debian-archive-keyring -- 1033157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033157 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed (with 5 errors): Re: Bug#1033067: unblock: glide/2002.04.10ds1-21
Processing commands for cont...@bugs.debian.org: > severity 1033067 minor Bug #1033067 [release.debian.org] unblock: glide/2002.04.10ds1-21 Severity set to 'minor' from 'normal' > user release.debian@packages.debian.org Setting user to release.debian@packages.debian.org (was j...@debian.org). > usertag 1033067 bookworm-can-defer Usertags were: unblock. Usertags are now: bookworm-can-defer unblock. > On Thu, Mar 16, 2023 at 11:05:11PM +0100, Guillem Jover wrote: Unknown command or malformed arguments to command. > > This non-key package does not currently contain autopkgtests. Unknown command or malformed arguments to command. > > Unknown command or malformed arguments to command. > > These two releases include a couple of changes to make the package Unknown command or malformed arguments to command. > > finally reproducible, as the generated shared libraries would change Unknown command or malformed arguments to command. Too many unknown commands, stopping here. Please contact me if you need assistance. -- 1033067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033067 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1033067: unblock: glide/2002.04.10ds1-21
severity 1033067 minor user release.debian@packages.debian.org usertag 1033067 bookworm-can-defer On Thu, Mar 16, 2023 at 11:05:11PM +0100, Guillem Jover wrote: > This non-key package does not currently contain autopkgtests. > > These two releases include a couple of changes to make the package > finally reproducible, as the generated shared libraries would change > the optimized objects being linked to depending on the build system > (for host=i386 build=amd64). This feels like something for the first point release, it's not release critical. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1033025: unblock: socklog/2.1.0+repack-5
On Sat, Mar 18, 2023 at 09:13:50AM +0100, Sebastian Ramacher wrote: > On 2023-03-16 17:32:25 +0100, Mathieu Mirmont wrote: > > On Thu, Mar 16, 2023 at 02:57:52PM +0100, Sebastian Ramacher wrote: > > > Control: tags -1 moreinfo > > > > > > Hi Mathieu > > > > > > On 2023-03-15 23:05:39 +0100, Mathieu Mirmont wrote: > > > > diff -Nru socklog-2.1.0+repack/debian/changelog > > > > socklog-2.1.0+repack/debian/changelog > > > > --- socklog-2.1.0+repack/debian/changelog 2020-12-22 > > > > 22:40:42.0 +0100 > > > > +++ socklog-2.1.0+repack/debian/changelog 2023-03-06 > > > > 22:01:18.0 +0100 > > > > @@ -1,3 +1,15 @@ > > > > +socklog (2.1.0+repack-5) unstable; urgency=medium > > > > + > > > > + * Various uninteresting changes > > > > > > What are these uninteresting changes? > > > > Sorry that's not the greatest description indeed. Looking at the git > > commit this is: > > > > - Use spaces instead of tabs to align columns in d/socklog.install and > > d/socklog-run.runit. > > This is unnecessary noise at this stage of the freeze. For the next > time, please defer such changes. Anyway, unblocked. Yeah I agree, I was hoping to get it uploaded before the hard freeze deadline. Otherwise I would have just pushed the one commit that addressed the RC bug. Thanks for unblocking. Cheers, -- Mathieu Mirmont signature.asc Description: Digital signature
Bug#1032999: marked as done (unblock: mesa/22.3.6-1)
Your message dated Sat, 18 Mar 2023 14:37:01 + with message-id and subject line Re: Bug#1032999: unblock: mesa/22.3.6-1 has caused the Debian Bug report #1032999, regarding unblock: mesa/22.3.6-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1032999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032999 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: m...@packages.debian.org Control: affects -1 + src:mesa Control: block -1 by 1032887 Please consider unblocking package mesa. [ Reason ] New upstream bugfix release, fixing #1029731 (RC) and many more. [ Impact ] If not accepted, bookworm will ship with various avoidable crashes and hangs in the graphics driver stack. [ Tests ] Has been in unstable for 17 days, currently no RC bugs. [ Risks ] I'll leave this for the Mesa maintainers to answer... [ Checklist ] [x] all changes are documented in the d/changelog [ ] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] I am not a maintainer of this package, just an interested user. This can't migrate until llvm-toolchain-15 does (see #1032887, which I believe is only waiting for a maintainer re-upload with build artifacts excluded). unblock mesa/22.3.6-1 --- End Message --- --- Begin Message --- On Thu, Mar 16, 2023 at 04:59:19PM +0200, Timo Aaltonen wrote: > Paul Gevers kirjoitti 15.3.2023 klo 21.46: > > Hi Timo, > > > > On 15-03-2023 19:15, Timo Aaltonen wrote: > > > There's actually 22.3.7 out, which I was thinking of uploading to > > > sid, > > > > Is that following the freeze policy [1]? I.e. targeted fixes? (It might > > be, I don't know the release policy of mesa). > > Mesa does quarterly feature releases, and then bugfix releases on top of > those. 22.3 was the feature release, 22.3.x are for bugfixes only. So yes, > it does follow the policy. 23.0 is the latest release and will stay in > experimental until bookworm is out. > > > > since it's the last release of the 22.3.x series. Maybe that should > > > be requested to be unblocked instead once it's available? > > > > Well, it's blocked by something else, having *this* version tested in > > unstable is worth quite a bit for us. So, please only upload that > > version if it meets the freeze policy. > > > > Paul > > I think it makes sense to let 22.3.6 migrate first, and not risk that by > another upload at this time. Once it has migrated, I'll see if 22.3.7-1 > could make it to the release or not. I am normally quite suspect about bugfix-only new upstream releases, but I do trust this upstream more than others and the release notes are reassuring. A skim of the changes looks right. Unblocked. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1--- End Message ---
Upcoming stable point release (11.7)
Hi, The next point release for "bullseye" (11.7) is scheduled for Saturday, April 29th. Processing of new uploads into bullseye-proposed-updates will be frozen during the preceding weekend. Regards, Adam
Re: 11.7 planning
On Wed, Mar 15, 2023 at 08:33:47PM +, Jonathan Wiltshire wrote: > We're overdue for 11.7 and need it done with a keyring update included > before bookworm can be released. The wheels are turning on the keyring so > how do dates in April look for everybody? Saturdays are 1st (probably too > soon), 8th, 15th, 22nd and 29th. So 29th April is the earliest viable option; announcements to follow. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1 signature.asc Description: PGP signature
Bug#1033076: marked as done (unblock: python-motor/2.3.0-3)
Your message dated Sat, 18 Mar 2023 13:29:21 + with message-id and subject line Re: Bug#1033076: unblock: python-motor/2.3.0-3 has caused the Debian Bug report #1033076, regarding unblock: python-motor/2.3.0-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1033076: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033076 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: python-mo...@packages.debian.org Control: affects -1 + src:python-motor Please unblock package python-motor [ Reason ] python-motor in testing is affected by the grave RC bug #1031763 reported by an end user. [ Impact ] If python-motor doesn't migrate, the RC bug will cause a removal of the package from bookworm, but it won't pull reverse dependencies in the process on first sight. Overall impact looks thus somewhat low. [ Tests ] I didn't run the test suite as I discovered the registered autopkgtest needed a package mongodb-server, which is not available in any section of the archive currently. Build time tests also require a running mongodb server to be actually executed, which I don't have at hand, nor I have the energy to deploy. Best I could do was to mimick autodep8 in unstable and testing context: (sid-amd64-sbuild)$ python3 Python 3.11.2 (main, Mar 5 2023, 08:28:49) [GCC 12.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import motor >>> motor (testing-amd64-sbuild)$ python3 Python 3.11.2 (main, Feb 12 2023, 00:48:52) [GCC 12.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import motor >>> motor [ Risks ] As I didn't extensively test the package, it is quite possible issues are hidden, but I didn't get any (negative) feedback from the bug submitter so far, so maybe things are okay after all. The package does not have reverse dependencies so risks of affecting other packages look low. [ Checklist ] [*] all changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in testing [ Other info ] There was a standards version bump from 4.5.1 to 4.6.2 by the Janitor lingering in the repository. Said bump didn't seem to require changes from packaging perspective, so I kept the modification as is. This change may be reverted if deemed not appropriate. unblock python-motor/2.3.0-3 Have a nice day, :) -- Étienne Mollier Fingerprint: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da Sent from /dev/pts/5, please excuse my verbosity. On air: Pendragon - Indigo diff -Nru python-motor-2.3.0/debian/changelog python-motor-2.3.0/debian/changelog --- python-motor-2.3.0/debian/changelog 2022-05-26 20:39:58.0 +0200 +++ python-motor-2.3.0/debian/changelog 2023-03-03 14:29:00.0 +0100 @@ -1,3 +1,17 @@ +python-motor (2.3.0-3) unstable; urgency=medium + + * Team upload. + + [ Debian Janitor ] + * Update standards version to 4.6.2, no changes needed. + + [ Étienne Mollier ] + * python-3.11.patch: add patch from upstream. +This fixes an import error of motor.motor_asyncio. +Thanks to Andrey Rakhmatullin for the hint! (Closes: #1031763) + + -- Étienne Mollier Fri, 03 Mar 2023 14:29:00 +0100 + python-motor (2.3.0-2) unstable; urgency=medium * Remove obsolete field Name from debian/upstream/metadata (already present in diff -Nru python-motor-2.3.0/debian/control python-motor-2.3.0/debian/control --- python-motor-2.3.0/debian/control 2022-05-26 20:39:58.0 +0200 +++ python-motor-2.3.0/debian/control 2023-03-03 14:29:00.0 +0100 @@ -7,7 +7,7 @@ dh-python, python3-all, python3-setuptools, -Standards-Version: 4.5.1 +Standards-Version: 4.6.2 Homepage: https://github.com/mongodb/motor Vcs-Browser: https://salsa.debian.org/python-team/packages/python-motor Vcs-Git: https://salsa.debian.org/python-team/packages/python-motor.git diff -Nru python-motor-2.3.0/debian/patches/python-3.11.patch python-motor-2.3.0/debian/patches/python-3.11.patch --- python-motor-2.3.0/debian/patches/python-3.11.patch 1970-01-01 01:00:00.0 +0100 +++ python-motor-2.3.0/debian/patches/python-3.11.patch 2023-03-03 14:29:00.0 +0100 @@ -0,0 +1,34 @@ +Description: fix asyncio.coroutine import error with python3.11 +Author: Steven Silvester +Bug: https://github.
Bug#1033075: marked as done (unblock: strongswan/5.9.8-5)
Your message dated Sat, 18 Mar 2023 13:36:05 + with message-id and subject line Re: Bug#1033075: unblock: strongswan/5.9.8-5 has caused the Debian Bug report #1033075, regarding unblock: strongswan/5.9.8-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1033075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033075 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: strongs...@packages.debian.org Control: affects -1 + src:strongswan Hi release team, I've updated the strongSwan package in sid few days ago to fix a security issue (only present in testing/sid, not stable). The timing (with the freeze) wasn't perfect, and I actually lost a couple of days by uploading the binary instead of the sources. I'm unsure why it didn't migrate with the new freeze policy (it had 10 days) but could you let it migrate now? The changes are minimal and actually fix a security issue. unblock strongswan/5.9.8-5 --- End Message --- --- Begin Message --- On Thu, Mar 16, 2023 at 10:23:26PM +0100, Yves-Alexis Perez wrote: > I've updated the strongSwan package in sid few days ago to fix a > security issue (only present in testing/sid, not stable). The timing > (with the freeze) wasn't perfect, and I actually lost a couple of days > by uploading the binary instead of the sources. There's some metadata noise in the translations, but otherwise fine. Unblocked. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1--- End Message ---
Bug#1033075: unblock: strongswan/5.9.8-5
On Sat, 2023-03-18 at 09:04 +0100, Sebastian Ramacher wrote:
> Could you please provide a diff between testing und unstable? Thanks
Sure, here it is.
--
Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index 0c44889a4f..d652c79fa1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+strongswan (5.9.8-5) unstable; urgency=medium
+
+ * No-change upload for source-only upload.
+
+ -- Yves-Alexis Perez Fri, 03 Mar 2023 18:56:58 +0100
+
+strongswan (5.9.8-4) unstable; urgency=medium
+
+ * d/patches: libtls-Fix-authentication-bypass-and-expired-pointer added.
+Fix authentication bypass and use-after-free in libtls (CVE-2023-26463)
+ * d/control: replace lsb-base dependency by sysvinit-utils
+ * d/control: update standards version to 4.6.2
+
+ -- Yves-Alexis Perez Sun, 26 Feb 2023 09:40:09 +0100
+
strongswan (5.9.8-3) unstable; urgency=medium
* d/tests: also drop _copyright test since the util is gone as well
diff --git a/debian/control b/debian/control
index 8d79682193..3035fc5818 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
Priority: optional
Maintainer: strongSwan Maintainers
Uploaders: Yves-Alexis Perez
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/debian/strongswan
Vcs-Git: https://salsa.debian.org/debian/strongswan.git
Build-Depends: bison,
@@ -209,7 +209,7 @@ Architecture: any
Pre-Depends: ${misc:Pre-Depends}
Depends: adduser,
libstrongswan (= ${binary:Version}),
- lsb-base (>= 3.0-6),
+ sysvinit-utils (>= 3.05-3),
${misc:Depends},
${shlibs:Depends}
Recommends: strongswan-charon
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 48731a6968..b872cdb2e8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/bookworm
diff --git a/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
new file mode 100644
index 00..5826e2e64a
--- /dev/null
+++ b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
@@ -0,0 +1,43 @@
+From: Tobias Brunner
+Date: Fri, 17 Feb 2023 15:07:20 +0100
+Subject: libtls: Fix authentication bypass and expired pointer dereference
+
+`public` is returned, but previously only if a trusted key was found.
+We obviously don't want to return untrusted keys. However, since the
+reference is released after determining the key type, the returned
+object also doesn't have the correct refcount.
+
+So when the returned reference is released after verifying the TLS
+signature, the public key object is actually destroyed. The certificate
+object then points to an expired pointer, which is dereferenced once it
+itself is destroyed after the authentication is complete. Depending on
+whether the pointer is valid (i.e. points to memory allocated to the
+process) and what was allocated there after the public key was freed,
+this could result in a segmentation fault or even code execution.
+
+Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
+Fixes: CVE-2023-26463
+---
+ src/libtls/tls_server.c | 8
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index c9c3009..573893f 100644
+--- a/src/libtls/tls_server.c
b/src/libtls/tls_server.c
+@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
+ cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+ if (cert)
+ {
+- public = cert->get_public_key(cert);
+- if (public)
++ current = cert->get_public_key(cert);
++ if (current)
+ {
+- key_type = public->get_type(public);
+- public->destroy(public);
++ key_type = current->get_type(current);
++ current->destroy(current);
+ }
+ enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+ key_type, id, peer_auth, TRUE);
diff --git a/debian/patches/series b/debian/patches/series
index 3bd034cee4..488dca9c13 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
03_systemd-service.patch
04_disable-libtls-tests.patch
dont-load-kernel-libipsec-plugin-by-default.patch
+0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
signature.asc
Description: This is a digitally signed message part
Processed: Re: Bug#1032977: unblock: apache2/2.4.56-1
Processing control commands: > tags -1 - moreinfo Bug #1032977 [release.debian.org] unblock: apache2/2.4.56-1 Removed tag(s) moreinfo. -- 1032977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1032977: unblock: apache2/2.4.56-1
Control: tags -1 - moreinfo hi Sebastian, On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > Hi security team > > On 2023-03-15 06:46:32 +0400, Yadd wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: apac...@packages.debian.org > > Control: affects -1 + src:apache2 > > > > Please unblock package apache2 > > > > [ Reason ] > > Apache2 < 2.4.56 is vulnerable to 2 CVE, the major is CVE-2023-25690 > > (bypass access control using HTTP Request Smuggling attack) > > What's the plan regarding apache2 in bookworm? Will future DSAs update > apache2 with update bugfix releases? Yes that is the plan. We do have e.g. already for bullseye-security 2.4.56-1~deb11u1 pending (we were waiting to move the version to bookworm and get some more coverage). The plan for bookworm is the same and do sas we switched for bullseye. Regards, Salvatore
NEW changes in stable-new
Processing changes file: intel-microcode_3.20230214.1~deb11u1_source.changes REJECT
Bug#1033151: unblock: firefox-esr/102.9.0esr-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package firefox-esr
(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)
[ Reason ]
New version fixes CVEs and the RC bug that was putting the package in
the autorm list.
[ Impact ]
No firefox in bookwork.
[ Tests ]
Package was smoke-tested.
[ Risks ]
Apart from the upstream differences from the CVE fixes/new upstream
release, that we'd take (and have taken) in stable, the differences are
very limited in scope (see attached diff)
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock firefox-esr/102.9.0esr-2
diff -Nru firefox-esr-102.8.0esr/debian/browser.mozconfig.in
firefox-esr-102.9.0esr/debian/browser.mozconfig.in
--- firefox-esr-102.8.0esr/debian/browser.mozconfig.in 2023-02-15
08:44:35.0 +0900
+++ firefox-esr-102.9.0esr/debian/browser.mozconfig.in 2023-03-18
06:53:04.0 +0900
@@ -30,6 +30,6 @@
ac_add_options --with-unsigned-addon-scopes=app,system
ac_add_options --allow-addon-sideload
ac_add_options --enable-alsa
-%if DIST == bullseye || DIST == buster || DIST == stretch
+%if DIST == bullseye || DIST == buster || DIST == stretch || DEB_HOST_ARCH ==
s390x
ac_add_options --without-wasm-sandboxed-libraries
%endif
diff -Nru firefox-esr-102.8.0esr/debian/changelog
firefox-esr-102.9.0esr/debian/changelog
--- firefox-esr-102.8.0esr/debian/changelog 2023-02-15 08:45:08.0
+0900
+++ firefox-esr-102.9.0esr/debian/changelog 2023-03-18 06:53:38.0
+0900
@@ -1,3 +1,22 @@
+firefox-esr (102.9.0esr-2) unstable; urgency=medium
+
+ * gfx/skia/generate_mozbuild.py, gfx/skia/moz.build: Remove explicit NEON
+flags from skia build. Closes: #982794. Thanks Emanuele Rocca.
+
+ -- Mike Hommey Sat, 18 Mar 2023 06:53:38 +0900
+
+firefox-esr (102.9.0esr-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Fixes for mfsa2023-10, also known as:
+CVE-2023-25751, CVE-2023-28164, CVE-2023-28162, CVE-2023-25752,
+CVE-2023-28176.
+
+ * debian/browser.mozconfig.in: Disable wasm sandboxing on s390x for now.
+It doesn't work at the moment.
+
+ -- Mike Hommey Wed, 15 Mar 2023 07:26:00 +0900
+
firefox-esr (102.8.0esr-1) unstable; urgency=medium
* New upstream release.
diff -Nru
firefox-esr-102.8.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
firefox-esr-102.9.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
---
firefox-esr-102.8.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
2023-02-15 08:44:54.0 +0900
+++
firefox-esr-102.9.0esr/debian/patches/debian-hacks/Add-a-2-minutes-timeout-on-xpcshell-tests.patch
2023-03-18 06:53:24.0 +0900
@@ -7,7 +7,7 @@
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/testing/xpcshell/runxpcshelltests.py
b/testing/xpcshell/runxpcshelltests.py
-index 212bfeb..6761334 100755
+index c3de2a2..0636219 100755
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -13,6 +13,7 @@ import os
@@ -18,7 +18,7 @@
import shutil
import signal
import subprocess
-@@ -835,9 +836,23 @@ class XPCShellTestThread(Thread):
+@@ -837,9 +838,23 @@ class XPCShellTestThread(Thread):
if self.interactive:
self.log.info("%s | Process ID: %d" % (name, self.proc_ident))
diff -Nru
firefox-esr-102.8.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
firefox-esr-102.9.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
---
firefox-esr-102.8.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
1970-01-01 09:00:00.0 +0900
+++
firefox-esr-102.9.0esr/debian/patches/porting/Bug-1822827-Remove-explicit-NEON-flags-from-skia-bui.patch
2023-03-18 06:53:24.0 +0900
@@ -0,0 +1,44 @@
+From: Emanuele Rocca
+Date: Sat, 18 Mar 2023 06:48:32 +0900
+Subject: Bug 1822827 - Remove explicit NEON flags from skia build
+
+While Firefox builds for Android ARMv7 don't support non-NEON
+processors, downstreams (including non-Android ones) may still want to
+support them.
+
+Because those Firefox builds don't support non-NEON processors, the NEON
+flags are actually already passed globally, and they don't need to be
+explicitly added. NEON_FLAGS is actually only meant to be used for
+sources that specifically need NEON support even when the target doesn't
+support it, for, e.g. specialized code behind runtime CPU detection.
+---
+ gfx/skia/generate_mozbuild.py | 2 --
+ gfx/skia/moz.build| 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/gfx/skia/generate_mozbuild.py b/gfx/skia/g
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Sat, 2023-03-18 at 08:54 +0100, Tobias Frost wrote: > On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote: > > Yes this is correct, you do not need to mention it. I just wanted > > to > > make double sure it's as well on the radar (and have not checked if > > you have uploaded with -v to incude the intermediate changelog > > entries > > as well). > > I think I've forgotten that part… > So please reject my upload and I'll fix that… > The changelog has them, but the .changes indeed doesn't Flagged for rejection, pending dak actually processing that (we're mid- dinstall currently). Regards, Adam
Processed: Re: Bug#1032977: unblock: apache2/2.4.56-1
Processing control commands: > tags -1 moreinfo Bug #1032977 [release.debian.org] unblock: apache2/2.4.56-1 Added tag(s) moreinfo. -- 1032977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032977 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1033025: marked as done (unblock: socklog/2.1.0+repack-5)
Your message dated Sat, 18 Mar 2023 08:14:50 +
with message-id
and subject line unblock socklog
has caused the Debian Bug report #1033025,
regarding unblock: socklog/2.1.0+repack-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033025
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sock...@packages.debian.org
Control: affects -1 + src:socklog
Please unblock package socklog
[ Reason ]
Fix RC bug #1031794.
[ Impact ]
No change of behaviour.
[ Tests ]
After a manual package install and update the services socklog-klog
and socklog-unix run fine. Also dpkg-source -x does not complain
anymore.
[ Risks ]
Low, the changes are trivial.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
I was hoping to get this pushed before the hard freeze but I wasn't
lucky finding an uploader on time. The changes are therefore a bit
more than what I would want at this point but they are all trivial.
unblock socklog/2.1.0+repack-5
--
Mathieu Mirmont
diff -Nru socklog-2.1.0+repack/debian/changelog
socklog-2.1.0+repack/debian/changelog
--- socklog-2.1.0+repack/debian/changelog 2020-12-22 22:40:42.0
+0100
+++ socklog-2.1.0+repack/debian/changelog 2023-03-06 22:01:18.0
+0100
@@ -1,3 +1,15 @@
+socklog (2.1.0+repack-5) unstable; urgency=medium
+
+ * Various uninteresting changes
+ * watch, repack.sh: append +repack to tarball filename
+ * Refresh lintian overrides
+ * service/socklog-unix: remove supervise symlink (Closes: #1031794)
+ * control: bump debian policy to 4.6.2, no change required
+ * gitlab-ci.yml: disable unnecessary jobs
+ * gbp.conf: add configuration file
+
+ -- Mathieu Mirmont Mon, 06 Mar 2023 22:01:18 +0100
+
socklog (2.1.0+repack-4) unstable; urgency=medium
* copyright: bump the year
diff -Nru socklog-2.1.0+repack/debian/control
socklog-2.1.0+repack/debian/control
--- socklog-2.1.0+repack/debian/control 2020-12-22 22:40:42.0 +0100
+++ socklog-2.1.0+repack/debian/control 2023-03-06 21:52:36.0 +0100
@@ -5,7 +5,7 @@
Uploaders: Gerrit Pape
Vcs-Browser: https://salsa.debian.org/debian/socklog
Vcs-Git: https://salsa.debian.org/debian/socklog.git
-Standards-Version: 4.5.1
+Standards-Version: 4.6.2
Homepage: http://smarden.org/socklog
Build-Depends: debhelper-compat (= 13),
dh-runit,
@@ -37,9 +37,8 @@
${misc:Depends}, ${shlibs:Depends}
Recommends: ipsvd, mailx
Provides: system-log-daemon, linux-kernel-log-daemon
-Conflicts: system-log-daemon, linux-kernel-log-daemon, ${runit:Conflicts}
-Breaks: socklog (<= 2.1.0+repack-3), ${runit:Breaks}
-Replaces: socklog (<= 2.1.0+repack-3)
+Conflicts: system-log-daemon, linux-kernel-log-daemon
+Breaks: ${runit:Breaks}
Description: system and kernel logging services - runit services
socklog cooperates with the runit package to create a small and
secure replacement for rsyslog. socklog supports system logging
diff -Nru socklog-2.1.0+repack/debian/copyright
socklog-2.1.0+repack/debian/copyright
--- socklog-2.1.0+repack/debian/copyright 2020-11-23 16:13:31.0
+0100
+++ socklog-2.1.0+repack/debian/copyright 2023-03-06 21:52:36.0
+0100
@@ -9,7 +9,7 @@
Files: debian/*
Copyright: Copyright 2001-2008, Gerrit Pape
- 2019-2020, Mathieu Mirmont
+ 2019-2023, Mathieu Mirmont
License: BSD-3-clause
License: BSD-3-clause
diff -Nru socklog-2.1.0+repack/debian/gbp.conf
socklog-2.1.0+repack/debian/gbp.conf
--- socklog-2.1.0+repack/debian/gbp.conf1970-01-01 01:00:00.0
+0100
+++ socklog-2.1.0+repack/debian/gbp.conf2023-03-06 22:01:10.0
+0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+sign-tags = True
diff -Nru socklog-2.1.0+repack/debian/gitlab-ci.yml
socklog-2.1.0+repack/debian/gitlab-ci.yml
--- socklog-2.1.0+repack/debian/gitlab-ci.yml 2020-11-02 03:12:15.0
+0100
+++ socklog-2.1.0+repack/debian/gitlab-ci.yml 2023-03-06 21:52:36.0
+0100
@@ -1,3 +1,7 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 1
+ SALSA_CI_DISABLE_AUTOPKGTEST: 1
diff -Nru sockl
Bug#1033139: marked as done (unblock: graphite-web/1.1.8-2)
Your message dated Sat, 18 Mar 2023 08:15:57 + with message-id and subject line unblock graphite-web has caused the Debian Bug report #1033139, regarding unblock: graphite-web/1.1.8-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1033139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033139 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package graphite-web [ Reason ] Debian release -2 adds support for pyparsing 3, which is currenly in Bookworm. Without this patch, graphite-web doesn't work. [ Impact ] Without this patch, graphite-web doesn't work in Bookworm. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock graphite-web/1.1.8-2 diff -Nru graphite-web-1.1.8/debian/changelog graphite-web-1.1.8/debian/changelog --- graphite-web-1.1.8/debian/changelog 2023-02-07 15:42:01.0 +0100 +++ graphite-web-1.1.8/debian/changelog 2023-03-17 14:24:47.0 +0100 @@ -1,3 +1,9 @@ +graphite-web (1.1.8-2) unstable; urgency=medium + + * Add fix-compat-with-pyparsing-3.patch. + + -- Thomas Goirand Fri, 17 Mar 2023 14:24:47 +0100 + graphite-web (1.1.8-1.1) unstable; urgency=medium * NMU diff -Nru graphite-web-1.1.8/debian/patches/fix-compat-with-pyparsing-3.patch graphite-web-1.1.8/debian/patches/fix-compat-with-pyparsing-3.patch --- graphite-web-1.1.8/debian/patches/fix-compat-with-pyparsing-3.patch 1970-01-01 01:00:00.0 +0100 +++ graphite-web-1.1.8/debian/patches/fix-compat-with-pyparsing-3.patch 2023-03-17 14:24:47.0 +0100 @@ -0,0 +1,27 @@ +Description: Fix compat with pyparsing 3 +Author: Viacheslav Chimishuk +Forwarded: no +Last-Update: 2023-03-17 + +--- graphite-web-1.1.8.orig/webapp/graphite/render/evaluator.py graphite-web-1.1.8/webapp/graphite/render/evaluator.py +@@ -58,7 +58,7 @@ def evaluateTokens(requestContext, token + return evaluateTokens(requestContext, tokens.template, arglist) + + if tokens.expression: +-if tokens.expression.pipedCalls: ++if tokens.expression.pipedCalls.asList(): + # when the expression has piped calls, we pop the right-most call and pass the remaining + # expression into it via pipedArg, to get the same result as a nested call + rightMost = tokens.expression.pipedCalls.pop() +--- graphite-web-1.1.8.orig/webapp/graphite/render/grammar_unsafe.py graphite-web-1.1.8/webapp/graphite/render/grammar_unsafe.py +@@ -80,7 +80,7 @@ kwargs = delimitedList(kwarg) + + + def setRaw(s, loc, toks): +-toks[0].raw = s[toks[0].start:toks[0].end] ++toks[0]['raw'] = s[toks[0].start:toks[0].end] + + + call = Group( diff -Nru graphite-web-1.1.8/debian/patches/series graphite-web-1.1.8/debian/patches/series --- graphite-web-1.1.8/debian/patches/series2023-02-07 15:42:01.0 +0100 +++ graphite-web-1.1.8/debian/patches/series2023-03-17 14:24:47.0 +0100 @@ -1,3 +1,4 @@ local_settings.patch settings_debian.patch CVE-2022-4728-CVE-2022-4729-CVE-2022-4730.patch +fix-compat-with-pyparsing-3.patch --- End Message --- --- Begin Message --- Unblocked.--- End Message ---
Bug#1033025: unblock: socklog/2.1.0+repack-5
On 2023-03-16 17:32:25 +0100, Mathieu Mirmont wrote:
> On Thu, Mar 16, 2023 at 02:57:52PM +0100, Sebastian Ramacher wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Mathieu
> >
> > On 2023-03-15 23:05:39 +0100, Mathieu Mirmont wrote:
> > > diff -Nru socklog-2.1.0+repack/debian/changelog
> > > socklog-2.1.0+repack/debian/changelog
> > > --- socklog-2.1.0+repack/debian/changelog 2020-12-22 22:40:42.0
> > > +0100
> > > +++ socklog-2.1.0+repack/debian/changelog 2023-03-06 22:01:18.0
> > > +0100
> > > @@ -1,3 +1,15 @@
> > > +socklog (2.1.0+repack-5) unstable; urgency=medium
> > > +
> > > + * Various uninteresting changes
> >
> > What are these uninteresting changes?
>
> Sorry that's not the greatest description indeed. Looking at the git
> commit this is:
>
> - Use spaces instead of tabs to align columns in d/socklog.install and
> d/socklog-run.runit.
This is unnecessary noise at this stage of the freeze. For the next
time, please defer such changes. Anyway, unblocked.
Cheers
> - Add set -eu at the top of the d/repack.sh script.
> - Update the copyright date in d/copyright.
> - Include /usr/share/dpkg/buildflags.mk in d/rules.
> - Remove Breaks/Replaces: socklog (<= 2.1.0+repack-3) in d/control
> (see below for the rationale).
>
> > > diff -Nru socklog-2.1.0+repack/debian/control
> > > socklog-2.1.0+repack/debian/control
> > > --- socklog-2.1.0+repack/debian/control 2020-12-22 22:40:42.0
> > > +0100
> > > +++ socklog-2.1.0+repack/debian/control 2023-03-06 21:52:36.0
> > > +0100
> > > @@ -37,9 +37,8 @@
> > > ${misc:Depends}, ${shlibs:Depends}
> > > Recommends: ipsvd, mailx
> > > Provides: system-log-daemon, linux-kernel-log-daemon
> > > -Conflicts: system-log-daemon, linux-kernel-log-daemon, ${runit:Conflicts}
> > > -Breaks: socklog (<= 2.1.0+repack-3), ${runit:Breaks}
> > > -Replaces: socklog (<= 2.1.0+repack-3)
> > > +Conflicts: system-log-daemon, linux-kernel-log-daemon
> > > +Breaks: ${runit:Breaks}
> >
> > What's the rationale behind those changes?
>
> Until socklog 2.1.0+repack-3 the two binary packages were merged into
> one. That version was never released and bullseye shipped with
> 2.1.0+repack-4 so this Breaks/Replaces is now obsolete.
>
> Then there's ${runit:Conflicts} and ${runit:Breaks} that expand to the
> same value. Using both seems redundant and Breaks is sufficient since
> the packages can be unpacked at the same time.
>
> Cheers,
>
> --
> Mathieu Mirmont
>
--
Sebastian Ramacher
Bug#1033090: unblock: dhcpdump/1.8-6
Control: tags -1 moreinfo
On 2023-03-17 05:02:56 +, Boian Bonev wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: dhcpd...@packages.debian.org, kilob...@debian.org
> Control: affects -1 + src:dhcpdump
>
> Please unblock package dhcpdump
>
> [ Reason ]
> Patches in 1.8-6 fix:
> - a severe bug (OOB access) that is triggered by network data
> - a bug in protocol decode that make it non-working on big-endian
> and improve/fix behavior for:
> - DHCP flags display
> - option 82 data display
Unfortunately these fixes come with a complete overhaul of debian/ which
is no longer appopriate at this point of the freeze. Please upload a new
version with targetted fixes only.
Cheers
>
> [ Impact ]
> Users will have a buggy tool.
>
> [ Tests ]
> Fully tested on different types of DHCP traffic.
>
> [ Risks ]
> Very low - the package is leaf and fixes are trivial to verify.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> N/A
>
> unblock dhcpdump/1.8-6
> diff -Nru dhcpdump-1.8/debian/changelog dhcpdump-1.8/debian/changelog
> --- dhcpdump-1.8/debian/changelog 2022-12-05 15:08:35.0 +
> +++ dhcpdump-1.8/debian/changelog 2023-03-08 16:43:02.0 +
> @@ -1,3 +1,45 @@
> +dhcpdump (1.8-6) unstable; urgency=medium
> +
> + * QA upload.
> + * Upload 1.8-5 fixes to unstable.
> +
> + -- Adam Borowski Wed, 08 Mar 2023 17:43:02 +0100
> +
> +dhcpdump (1.8-5) experimental; urgency=medium
> +
> + [ Boian Bonev ]
> + * QA upload.
> + * Install binary and man page.
> + * Add patches that fix:
> +- build options in Makefile (hardening and cross)
> +- ethertype handling (Closes: #873635)
> +- flags calculation
> +- opt82 processing
> +- counts in string arrays (OOB access)
> +- spelling errors
> +- wrong description in man page (Closes: #647228)
> + * Do not depend on tcpdump.
> + * Bump standards to 4.6.2, no changes.
> + * Remove unrelated key and override source not signed.
> + * wrap-and-sort
> +
> + [ Joao Paulo Lima de Oliveira ]
> + * debian/control:
> +- Set Rules-Requires-Root:no.
> +- Set homepage-field.
> +- Bumped Standards-Version to 4.6.1.
> +- Set debhelper-compat version in Build-Depends.
> +- Added Depends ${shlibs:Depends} in Depends fields.
> + * debian/rules:
> +- Rewrite to use dh-sequencer.
> + * debian/metadata:
> +- Added missing upstream metadata.
> +- Added upstream's key.
> + * debian/watch:
> +- Add watch file.
> +
> + -- Boian Bonev Thu, 23 Feb 2023 08:31:03 +
> +
> dhcpdump (1.8-4) unstable; urgency=medium
>
>* QA upload.
> diff -Nru dhcpdump-1.8/debian/control dhcpdump-1.8/debian/control
> --- dhcpdump-1.8/debian/control 2022-12-05 15:08:35.0 +
> +++ dhcpdump-1.8/debian/control 2023-02-23 06:56:52.0 +
> @@ -2,12 +2,19 @@
> Section: admin
> Priority: optional
> Maintainer: Debian QA Group
> -Build-Depends: libpcap0.8-dev
> -Standards-Version: 3.8.0.1
> +Build-Depends:
> + debhelper-compat (= 13),
> + libpcap-dev,
> +Standards-Version: 4.6.2
> +Rules-Requires-Root: no
> +Homepage: http://www.mavetju.org/download/
>
> Package: dhcpdump
> Architecture: any
> -Depends: ${shlibs:Depends}, tcpdump
> -Description: Parse DHCP packets from tcpdump
> - This package provides a tool for visualization of DHCP packets as
> - recorded and output by tcpdump to analyze DHCP server responses.
> +Depends:
> + ${misc:Depends},
> + ${shlibs:Depends},
> +Description: Parse DHCP packets from interface
> + This package provides a tool for visualization of DHCP packets
> + on a network interface to analyze DHCP client requests and
> + server responses.
> diff -Nru dhcpdump-1.8/debian/copyright dhcpdump-1.8/debian/copyright
> --- dhcpdump-1.8/debian/copyright 2022-12-05 15:08:35.0 +
> +++ dhcpdump-1.8/debian/copyright 2023-02-23 06:59:21.0 +
> @@ -3,8 +3,23 @@
> Source: http://www.mavetju.org/download/
>
> Files: *
> -Copyright: 2001, 2002 by Edwin Groothuis, ed...@mavetju.org
> - All rights reserved.
> +Copyright: 2001-2002 Edwin Groothuis
> +License: BSD-2-clause
> +
> +Files: debian/*
> +Copyright:
> + 2001-2008 Martin Schulze
>
> + 2017 Manuel A. Fernandez Montecelo
> + 2017 Svante Signell
> + 2017 Chris Lamb
> + 2017 Helmut Grohne
> + 2022 Marcos Talau
> + 2022 Bastian Germann
> + 2022 Olivier Chirossel
> + 2023 Joao Paulo Lima de Oliveira
> + 2023 Boian Bonev
> +License: BSD-2-clause
> +
> License: BSD-2-clause
> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions
> diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch
>
Processed: Re: Bug#1033090: unblock: dhcpdump/1.8-6
Processing control commands: > tags -1 moreinfo Bug #1033090 [release.debian.org] unblock: dhcpdump/1.8-6 Added tag(s) moreinfo. -- 1033090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033090 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1033075: unblock: strongswan/5.9.8-5
Processing control commands: > tags -1 moreinfo Bug #1033075 [release.debian.org] unblock: strongswan/5.9.8-5 Added tag(s) moreinfo. -- 1033075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033075 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1033075: unblock: strongswan/5.9.8-5
Control: tags -1 moreinfo On 2023-03-16 22:23:26 +0100, Yves-Alexis Perez wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: strongs...@packages.debian.org > Control: affects -1 + src:strongswan > > Hi release team, > > I've updated the strongSwan package in sid few days ago to fix a > security issue (only present in testing/sid, not stable). The timing > (with the freeze) wasn't perfect, and I actually lost a couple of days > by uploading the binary instead of the sources. > > I'm unsure why it didn't migrate with the new freeze policy (it had 10 > days) but could you let it migrate now? The changes are minimal and > actually fix a security issue. > > unblock strongswan/5.9.8-5 Could you please provide a diff between testing und unstable? Thanks Cheers -- Sebastian Ramacher
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote: > Yes this is correct, you do not need to mention it. I just wanted to > make double sure it's as well on the radar (and have not checked if > you have uploaded with -v to incude the intermediate changelog entries > as well). I think I've forgotten that part… So please reject my upload and I'll fix that… -- tobi
