Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

2023-05-02 Thread Yadd

On 5/2/23 23:26, Paul Gevers wrote:

Hi Yadd,

On 02-05-2023 10:15, Yadd wrote:

extracting only CVE patch means:
  * keep some (unimportant) bugs in Bullseye
  * publish such version number:
    5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1


Indeed, both are totally acceptable. Can we have a debdiff please?

Paul


Hi,

here is the current debdiff (without the big removal of useless 
discoveryjs-json-ext/benchmarks)


Regards,
Yadd
diff --git a/README.md b/README.md
index c712d27f..a6549c1c 100644
--- a/README.md
+++ b/README.md
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack 
configuration.
 
  Transpiling
 
-|
Name
|Status |  Install Size  | Description  
 |
-| 
::
 | :---: | :: | 
:
 |
-| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> 
| ![babel-npm]  | ![babel-size]  | Loads ES2015+ code and transpiles to ES5 
using https://github.com/babel/babel;>Babel |
-|  https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;>  |  
![type-npm]  |  ![type-size]  | Loads TypeScript like JavaScript
  |
-|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| 
![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript 
   |
+|  
   Name 

|Status |  Install Size  | Description  
 |
+| 
:--:
 | :---: | :: | 
:
 |
+|  https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;>  
| ![babel-npm]  | ![babel-size] 
 | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel |
+| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;>
 |  ![type-npm]  |  ![type-size]  | Loads TypeScript like JavaScript
  |
+| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>   
  | ![coffee-npm] | ![coffee-size] 
| Loads CoffeeScript like JavaScript
|
 
 [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg
 [babel-size]: https://packagephobia.com/badge?p=babel-loader
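Review bot: the three Transpiling rows in this README.md hunk change only in column padding, apart from the ts-loader logo URL moving from cdn.rawgit.com to a raw.githubusercontent.com path that includes a commit hash, so none of it bears on the CVE fix under discussion. Since the benchmarks removal was already left out of the debdiff, dropping README.md the same way (for example `filterdiff -x '*/README.md'`) would leave the release team only the code changes to read.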
@@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack 
configuration.
 
 |  
 Name   
 | Status  |   Install Size   | Description 
|
 | 
:---:
 | :-: | :--: | 
:--
 |
-|https://github.com/webpack-contrib/html-loader;>https://worldvectorlogo.com/logos/html5.svg;>   
 |   ![html-npm]   |   ![html-size]   | Exports HTML as string, 
requires references to static resources |
+|   https://github.com/webpack-contrib/html-loader;>https://worldvectorlogo.com/logos/html5-2.svg;> 
  |   

Bug#1035398: [pre-approval] unblock: dwarves/1.24-4.1

2023-05-02 Thread Cyril Brulebois
Hi!

Aurelien Jarno  (2023-05-02):
> > [ Reason ]
> > Back in #1033301, Aurelien reported that the arm64 kernel size did
> > increase significantly due to issues with BTF deduplication. First
> > suspected to be a Linux kernel upstream issue, Aurelien discussed this
> > on with upstream and it was found that the issue is caused by a
> > src:dwarves regression (applied in 1.24-4).
> > 
> > Details in https://bugs.debian.org/1033301#31
> > 
> > The (not yet uploaded) dwarves upload with attached debdiff
> > cherry-picks the upstream commit.
> > 
> > (Please provide enough (but not too much) information to help
> > the release team to judge the request efficiently. E.g. by
> > filling in the sections below.)
> > 
> > [ Impact ]
> > Increased arm64 kernel size.
> > 
> > [ Tests ]
> > Apart from the report from Aurelien[1], package passes its autopkgtest.
> > 
> >  [1]  https://lore.kernel.org/linux-arm-kernel/zezhajup21ln5...@aurel32.net/
> 
> Thanks a lot for preparing this pre-approval request and the
> corresponding upload. I confirm that I tested the exact same change on
> arm64, on both native and cross-compiled build and that it fixes the
> issue I reported.
> 
> > [ Risks ]
> > The upstream commit zero-initializes memory which previously was not
> > initialized after allocation, and might have contained garbage values
> > which were used. The fix is isolated as a oneliner.
> 
> I agree that the risk is quite low. The fix also likely improves
> reproducibility by removing a dependence on build time random data which
> is always a good thing.

Thanks from me as well for the d-i side: this issue worried me earlier
but didn't reach my list of topics to keep an eye on for Bookworm
(https://salsa.debian.org/installer-team/debian-installer/-/issues/1),
I'm glad you kept track!

I'll let someone else from the release team comment on the actual
unblock request though.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1035403: unblock: src:texlive-extra/2022.20230122-4

2023-05-02 Thread Hilmar Preusse
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package src:texlive-extra. It was already uploaded
to unstable.

Recently we were informed (#1035313), that color handling for some
dvi viewers is broken due to a bug in pstricks. The upstream author
released a simple fix, which was tested and was proven to solve this
specific issue.

[ Reason ]
We would like to unbreak the color handling in dvi previewers, which
is confusing for end users, if the displayed fonts do not have the
expected color.

[ Impact ]
Wrong color in previewed documents is confusing and could reduce
credibility of used software.

[ Tests ]
There were no automated tests. We applied the (one line) patch we got
from upstream. The submitter confirmed that the patch solved
the specific issue.

[ Risks ]
Code change is rather trivial and should not affect source packages.
The human end users already confirmed that the change is useful.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Thanks,
  Hilmar

unblock src:texlive-extra/2022.20230122-4/2022.20230122-4

-- 
sigmentation fault
diff -Nru texlive-extra-2022.20230122/debian/changelog texlive-extra-2022.20230122/debian/changelog
--- texlive-extra-2022.20230122/debian/changelog	2023-03-24 09:56:36.0 +0100
+++ texlive-extra-2022.20230122/debian/changelog	2023-05-02 12:56:07.0 +0200
@@ -1,3 +1,10 @@
+texlive-extra (2022.20230122-4) unstable; urgency=medium
+
+  * Apply patch for pstricks.tex to fix dvi color handling
+(Closes: #1035313).
+
+ -- Hilmar Preusse   Tue, 02 May 2023 12:56:07 +0200
+
 texlive-extra (2022.20230122-3) unstable; urgency=medium
 
   * Apply patch for ooffice.4ht to fix conversion LaTeX ->
diff -Nru texlive-extra-2022.20230122/debian/patches/pstricks_color texlive-extra-2022.20230122/debian/patches/pstricks_color
--- texlive-extra-2022.20230122/debian/patches/pstricks_color	1970-01-01 01:00:00.0 +0100
+++ texlive-extra-2022.20230122/debian/patches/pstricks_color	2023-05-02 09:30:12.0 +0200
@@ -0,0 +1,14 @@
+--- texlive-extra-2022.20230122.orig/texmf-dist/tex/generic/pstricks/pstricks.tex
 texlive-extra-2022.20230122/texmf-dist/tex/generic/pstricks/pstricks.tex
+@@ -4246,8 +4251,9 @@
+ \@namedef{endpspicture*}{\endpspicture}
+ %
+ \ifx\pstcustomize\relax \input pstricks.con \fi
+-\pstVerb{0.8 setlinewidth 0 setgray}%default setting (needed for lualatex)
+-
++%%% changed 20230430 by hv, confuses otherwise the dvi color handling
++\ifluatex\pstVerb{0.8 setlinewidth 0 setgray}\fi%default setting (needed for lualatex)
++%%%
+ \catcode`\@=\PstAtCode\relax
+ %
+ \endinput
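Review bot: debian/patches/pstricks_color starts directly at the `---` file header, so it carries no Description, Origin or Bug-Debian field; the only provenance is the in-line comment `changed 20230430 by hv`. Adding a DEP-3 header that points at the upstream change and at #1035313 would let a later reader verify the hunk against upstream. It is also worth confirming that `\ifluatex` is already defined at this point in pstricks.tex for every engine, since the new line now depends on it.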
diff -Nru texlive-extra-2022.20230122/debian/patches/series texlive-extra-2022.20230122/debian/patches/series
--- texlive-extra-2022.20230122/debian/patches/series	2023-03-15 21:17:39.0 +0100
+++ texlive-extra-2022.20230122/debian/patches/series	2023-05-01 23:30:44.0 +0200
@@ -14,3 +14,4 @@
 # fix-jadetex-new-latex
 #tex4ht-babel
 update_ooffice.4ht
+pstricks_color




Bug#1035393: marked as done (unblock: rust-env-logger-0.7/0.7.1-4)

2023-05-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 May 2023 20:48:40 +
with message-id 
and subject line unblock rust-env-logger-0.7
has caused the Debian Bug report #1035393,
regarding unblock: rust-env-logger-0.7/0.7.1-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package rust-env-logger-0.7

A bug was raised regarding missing breaks/replaces in rust-env-logger-0.7,
analysis revealed that debcargo was setting breaks+replaces against a virtual
package, the breaks against the virtual package are considered by dpkg but the
replaces are not, leading to the potential for unpack failures during upgrade
from bullseye to bookworm.

This upload manually changes the breaks+replaces to point at the physical
package instead. How this should be handled automatically in debcargo is
under consideration, but a repack with the latest debcargo would probably not
be appropriate at this point in the release cycle anyway.

unblock rust-env-logger-0.7/0.7.1-4

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru rust-env-logger-0.7-0.7.1/debian/changelog 
rust-env-logger-0.7-0.7.1/debian/changelog
--- rust-env-logger-0.7-0.7.1/debian/changelog  2021-10-23 19:30:54.0 
+
+++ rust-env-logger-0.7-0.7.1/debian/changelog  2023-05-02 07:01:45.0 
+
@@ -1,3 +1,11 @@
+rust-env-logger-0.7 (0.7.1-4) unstable; urgency=medium
+
+  * Team upload.
+  * Declare breaks+replaces against physical package, rather than virtual one
+(Closes: #1034949)
+
+ -- Peter Michael Green   Tue, 02 May 2023 07:01:45 +
+
 rust-env-logger-0.7 (0.7.1-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru rust-env-logger-0.7-0.7.1/debian/control 
rust-env-logger-0.7-0.7.1/debian/control
--- rust-env-logger-0.7-0.7.1/debian/control2021-10-23 19:30:54.0 
+
+++ rust-env-logger-0.7-0.7.1/debian/control2023-05-02 07:01:07.0 
+
@@ -39,8 +39,8 @@
  librust-env-logger-dev (= ${binary:Version}),
  librust-env-logger-0-dev (= ${binary:Version}),
  librust-env-logger-0.7.1-dev (= ${binary:Version})
-Replaces: librust-env-logger-0.7.1-dev
-Breaks: librust-env-logger-0.7.1-dev
+Replaces: librust-env-logger-dev (<< 0.7.2)
+Breaks: librust-env-logger-dev (<< 0.7.2)
 Description: Logging implementation for `log` which is configured via an 
environment variable - Rust source code
  This package contains the source for the Rust env_logger crate, packaged by
  debcargo for use with cargo and dh-cargo.
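Review bot: the new `Replaces:`/`Breaks:` bound `librust-env-logger-dev (<< 0.7.2)` comes with no explanation in the changelog entry of why 0.7.2 is the right cut-off. A short statement of which versions of librust-env-logger-dev shipped the conflicting files, plus an upgrade test from bullseye with that package installed, would make the bound checkable.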
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1035372: marked as done (unblock: wbar/2.3.4-13)

2023-05-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 May 2023 20:47:26 +
with message-id 
and subject line unblock wbar
has caused the Debian Bug report #1035372,
regarding unblock: wbar/2.3.4-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035372
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package wbar

[ Reason ]

There is currently a dpkg unpack error when wbar is upgraded from
Bullseye to Bookworm while the old wbar-config package is still
installed. (#1035001) wbar-config has been removed from Debian.
The error is caused by an old glade file, once needed by wbar-config
but now installed into wbar itself. That was not intentional. Since
the file is not needed, I have simply removed it from the package.

[ Impact ]

There will be a dpkg unpack error when upgrading wbar from Bullseye to
Bookworm.

[ Tests ]

I have confirmed that the glade file has been removed from wbar.

[ Risks ]

None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock wbar/2.3.4-13
diff -Nru wbar-2.3.4/debian/changelog wbar-2.3.4/debian/changelog
--- wbar-2.3.4/debian/changelog 2022-08-23 00:05:18.0 +0200
+++ wbar-2.3.4/debian/changelog 2023-04-27 15:44:41.0 +0200
@@ -1,3 +1,11 @@
+wbar (2.3.4-13) unstable; urgency=medium
+
+  * Do not install wbar.glade because it is not required and breaks wbar on
+upgrade from Bullseye to Bookworm (leftover from the wbar-config removal).
+Thanks to Helmut Grohne for the report. (Closes: #1035001)
+
+ -- Markus Koschany   Thu, 27 Apr 2023 15:44:41 +0200
+
 wbar (2.3.4-12) unstable; urgency=medium
 
   * Declare compliance with Debian Policy 4.6.1.
diff -Nru wbar-2.3.4/debian/rules wbar-2.3.4/debian/rules
--- wbar-2.3.4/debian/rules 2022-08-23 00:05:18.0 +0200
+++ wbar-2.3.4/debian/rules 2023-04-27 15:44:41.0 +0200
@@ -17,6 +17,7 @@
 override_dh_install:
$(RM) -r debian/wbar/etc/bash_completion.d
$(RM) debian/wbar/etc/wbar.d/wbar.desktop
+   $(RM) -r debian/wbar/usr/share/wbar/glade/
dh_install
 
 override_dh_missing:
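Review bot: the added `$(RM) -r debian/wbar/usr/share/wbar/glade/` cannot fail, because make's `$(RM)` is `rm -f`, so if the install path ever changes the glade file is shipped again and the unpack error from #1035001 returns without the build noticing. A check after `dh_install` that the directory is absent from debian/wbar, or an autopkgtest asserting the file is not in the package, would keep the fix from regressing silently.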
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1035345: marked as done (unblock: libbssolv-perl/0.17-4)

2023-05-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 May 2023 20:46:04 +
with message-id 
and subject line unblock libbssolv-perl
has caused the Debian Bug report #1035345,
regarding unblock: libbssolv-perl/0.17-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035345
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libbssolv-p...@packages.debian.org
Control: affects -1 + src:libbssolv-perl

Please unblock package libbssolv-perl

Library libbssolv is used by e.g. OBS to resolve dependencies
of packages to be built. When processing Debian packages,
the current version doesn’t accept "0" as a valid epoch, resulting
in packages like woff-tools that have a zero epoch (0:2009.10.04-2)
to be skipped and be forever unresolvable.

Since the only rdep of libbssolv-perl in Debian is OBS, impact on the
rest of Debian is near-zero. The risk of not shipping this change is also
low, but it would help users avoid patching this package.

In the debdiff, I’m also including low-impact changes to the metadata
that were sitting in Git for the last two years.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libbssolv-perl/0.17-4
diff --git a/debian/changelog b/debian/changelog
index 9cb7ecf70812..b138325c88db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+libbssolv-perl (0.17-4) unstable; urgency=medium
+
+  [ Debian Janitor ]
+  * Bump debhelper from old 12 to 13.
+  * Update standards version to 4.6.0, no changes needed.
+
+  [ Andrej Shadura ]
+  * Add a patch proposed upstream to accept "0" as a valid epoch.
+See https://github.com/openSUSE/perl-BSSolv/pull/17
+
+ -- Andrej Shadura   Mon, 01 May 2023 16:14:28 +0200
+
 libbssolv-perl (0.17-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/control b/debian/control
index 02b5c716f1f6..7adabd60217f 100644
--- a/debian/control
+++ b/debian/control
@@ -4,11 +4,11 @@ Uploaders: Mike Gabriel 
 Section: perl
 Testsuite: autopkgtest-pkg-perl
 Priority: optional
-Build-Depends: debhelper-compat (= 12),
+Build-Depends: debhelper-compat (= 13),
libsolv-dev (>= 0.7),
perl-xs-dev,
perl:native
-Standards-Version: 4.5.0
+Standards-Version: 4.6.0
 Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/libbssolv-perl
 Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/libbssolv-perl.git
 Homepage: https://github.com/openSUSE/perl-BSSolv
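Review bot: the `debhelper-compat (= 12)` to `(= 13)` bump in Build-Depends is not a metadata-only change; compat 13 alters helper defaults, for example dh_missing then fails the build on files that are not installed. For an unblock request it would help to state that the binary packages were compared before and after the bump, or to leave the bump out of this upload.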
diff --git a/debian/patches/1001-accept-0-as-epoch.patch 
b/debian/patches/1001-accept-0-as-epoch.patch
new file mode 100644
index ..e29b40182832
--- /dev/null
+++ b/debian/patches/1001-accept-0-as-epoch.patch
@@ -0,0 +1,25 @@
+From: Sjoerd Simons 
+Date: Mon, 1 May 2023 15:35:09 +0200
+Subject: Accept "0" as an epoch
+
+In Debian an zero epoch is actually valid; e.g. woff-tools actually has
+a zero epoch (0:2009.10.04-2).
+
+Signed-off-by: Sjoerd Simons 
+---
+ BSSolv.xs | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/BSSolv.xs b/BSSolv.xs
+index ced6823..31c7a7a 100644
+--- a/BSSolv.xs
 b/BSSolv.xs
+@@ -207,8 +207,6 @@ makeevr(Pool *pool, char *e, char *v, char *r)
+ 
+   if (!v)
+ return 0;
+-  if (e && !strcmp(e, "0"))
+-e = 0;
+   if (e)
+ s = pool_tmpjoin(pool, e, ":", v);
+   else
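Review bot: the patch header has From, Date, Subject and Signed-off-by but no `Forwarded:` or `Origin:` field, while the changelog says the patch was proposed upstream at https://github.com/openSUSE/perl-BSSolv/pull/17. Putting that URL into the patch header keeps the upstream status next to the change itself.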
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index ..65e3b6438662
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+1001-accept-0-as-epoch.patch
>From f974c721737f71cde617aab37ba92eb785ac7d14 Mon Sep 17 00:00:00 2001
From: Sjoerd Simons 
Date: Mon, 1 May 2023 15:35:09 +0200
Subject: [PATCH] Accept "0" as an epoch

In Debian an zero epoch is actually valid; e.g. woff-tools actually has
a zero epoch (0:2009.10.04-2).

Signed-off-by: Sjoerd Simons 
---
 BSSolv.xs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/BSSolv.xs b/BSSolv.xs
index ced6823..31c7a7a 100644
--- a/BSSolv.xs
+++ b/BSSolv.xs
@@ -207,8 +207,6 @@ makeevr(Pool *pool, char *e, char *v, char *r)
 
   if (!v)
 return 0;
-  if (e && !strcmp(e, "0"))
-e = 0;
   if (e)
 s = pool_tmpjoin(pool, e, ":", v);
   else
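Review bot: dropping the `if (e && !strcmp(e, "0"))` branch in makeevr() means an explicit zero epoch now reaches `pool_tmpjoin(pool, e, ":", v)`, so the function yields `0:<version>` where it used to yield the bare version. The commit message justifies this for Debian only; it should say whether makeevr() is also called for other package formats and whether a `0:` prefixed EVR and the same EVR without an epoch still compare as equal afterwards, ideally with a test covering both spellings.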
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#1035398: [pre-approval] unblock: dwarves/1.24-4.1

2023-05-02 Thread Aurelien Jarno
Hi Release team and Salvatore,

On 2023-05-02 20:59, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: dwar...@packages.debian.org, Aurelien Jarno 
> , k...@debian.org, vagr...@debian.org, Domenico Andreoli 
> , car...@debian.org
> Control: affects -1 + src:dwarves
> 
> Dear release team,
> 
> Please unblock package dwarves
> 
> [ Reason ]
> Back in #1033301, Aurelien reported that the arm64 kernel size did
> increase significantly due to issues with BTF deduplication. First
> suspected to be a Linux kernel upstream issue, Aurelien discussed this
> on with upstream and it was found that the issue is caused by a
> src:dwarves regression (applied in 1.24-4).
> 
> Details in https://bugs.debian.org/1033301#31
> 
> The (not yet uploaded) dwarves upload with attached debdiff
> cherry-picks the upstream commit.
> 
> (Please provide enough (but not too much) information to help
> the release team to judge the request efficiently. E.g. by
> filling in the sections below.)
> 
> [ Impact ]
> Increased arm64 kernel size.
> 
> [ Tests ]
> Apart from the report from Aurelien[1], package passes its autopkgtest.
> 
>  [1]  https://lore.kernel.org/linux-arm-kernel/zezhajup21ln5...@aurel32.net/

Thanks a lot for preparing this pre-approval request and the
corresponding upload. I confirm that I tested the exact same change on
arm64, on both native and cross-compiled build and that it fixes the
issue I reported.

> [ Risks ]
> The upstream commit zero-initializes memory which previously was not
> initialized after allocation, and might have contained garbage values
> which were used. The fix is isolated as a oneliner.

I agree that the risk is quite low. The fix also likely improves
reproducibility by removing a dependence on build time random data which
is always a good thing.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net




Processed: Re: Bug#1034336: unblock: openvpn/2.6.3-1 and openvpn-dco-dkms/0.0+git20230324-1 (pre-approval)

2023-05-02 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #1034336 [release.debian.org] unblock: openvpn/2.6.3-1 and 
openvpn-dco-dkms/0.0+git20230324-1 (pre-approval)
Removed tag(s) moreinfo.

-- 
1034336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034336
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1034336: unblock: openvpn/2.6.3-1 and openvpn-dco-dkms/0.0+git20230324-1 (pre-approval)

2023-05-02 Thread Bernhard Schmidt
Control: tags -1 - moreinfo

> > in order to reduce the deviation from an upstream tag I'd like to skip
> > 2.6.2 and go for 2.6.3. Updated debdiff attached.
> 
> Please go ahead and remove the moreinfo tag once the packages are
> available in unstable.

Uploaded, accepted and built on all architectures. piuparts is clean,
the autopkgtest of openvpn-dco-dkms also ran fine. The autopkgtest for
openvpn won't run in the Debian infrastructure due to the unsupported
isolation-machine restriction.

Please unblock (and - if possible - age) both packages.

unblock openvpn/2.6.3-1
unblock openvpn-dco-dkms/0.0+git20230324-1

Bernhard




Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

2023-05-02 Thread Paul Gevers

Hi Yadd,

On 02-05-2023 10:15, Yadd wrote:

extracting only CVE patch means:
  * keep some (unimportant) bugs in Bullseye
  * publish such version number:
    5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1


Indeed, both are totally acceptable. Can we have a debdiff please?

Paul




Bug#1035398: [pre-approval] unblock: dwarves/1.24-4.1

2023-05-02 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dwar...@packages.debian.org, Aurelien Jarno , 
k...@debian.org, vagr...@debian.org, Domenico Andreoli , 
car...@debian.org
Control: affects -1 + src:dwarves

Dear release team,

Please unblock package dwarves

[ Reason ]
Back in #1033301, Aurelien reported that the arm64 kernel size did
increase significantly due to issues with BTF deduplication. First
suspected to be a Linux kernel upstream issue, Aurelien discussed this
on with upstream and it was found that the issue is caused by a
src:dwarves regression (applied in 1.24-4).

Details in https://bugs.debian.org/1033301#31

The (not yet uploaded) dwarves upload with attached debdiff
cherry-picks the upstream commit.

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Impact ]
Increased arm64 kernel size.

[ Tests ]
Apart from the report from Aurelien[1], package passes its autopkgtest.

 [1]  https://lore.kernel.org/linux-arm-kernel/zezhajup21ln5...@aurel32.net/
[ Risks ]
The upstream commit zero-initializes memory which previously was not
initialized after allocation, and might have contained garbage values
which were used. The fix is isolated as a oneliner.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Ideally this enters the archive before a next upload for src:linux is
built (and which would be aimed for bookworm).

unblock dwarves/1.24-4.1

Regards,
Salvatore
diff -Nru dwarves-1.24/debian/changelog dwarves-1.24/debian/changelog
--- dwarves-1.24/debian/changelog   2022-12-10 10:11:28.0 +0100
+++ dwarves-1.24/debian/changelog   2023-05-02 20:37:16.0 +0200
@@ -1,3 +1,13 @@
+dwarves (1.24-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * dwarves: Zero-initialize struct cu in cu__new() to prevent incorrect BTF
+types.
+Fixes BTF deduplication issues causing arm64 kernel size increase.
+Thanks to Aurelien Jarno (Closes: #1033301)
+
+ -- Salvatore Bonaccorso   Tue, 02 May 2023 20:37:16 +0200
+
 dwarves (1.24-4) unstable; urgency=medium
 
   * Backport upstream patches to support newer toolchains.
diff -Nru 
dwarves-1.24/debian/patches/03-dwarves-Zero-initialize-struct-cu-in-cu__new-to-prev.patch
 
dwarves-1.24/debian/patches/03-dwarves-Zero-initialize-struct-cu-in-cu__new-to-prev.patch
--- 
dwarves-1.24/debian/patches/03-dwarves-Zero-initialize-struct-cu-in-cu__new-to-prev.patch
   1970-01-01 01:00:00.0 +0100
+++ 
dwarves-1.24/debian/patches/03-dwarves-Zero-initialize-struct-cu-in-cu__new-to-prev.patch
   2023-05-02 20:37:16.0 +0200
@@ -0,0 +1,94 @@
+From: Alan Maguire 
+Date: Fri, 21 Oct 2022 16:02:03 +0100
+Subject: dwarves: Zero-initialize struct cu in cu__new() to prevent incorrect
+ BTF types
+Origin: 
https://git.kernel.org/pub/scm/devel/pahole/pahole.git/commit?id=b72f5188856df0abf45e1a707856bb4e4e86153c
+Bug-Debian: https://bugs.debian.org/1033301
+
+BTF deduplication was throwing some strange results, where core kernel
+data types were failing to deduplicate due to the return values
+of function type members being void (0) instead of the actual type
+(unsigned int).  An example of this can be seen below, where
+"struct dst_ops" was failing to deduplicate between kernel and
+module:
+
+struct dst_ops {
+short unsigned int family;
+unsigned int gc_thresh;
+int (*gc)(struct dst_ops *);
+struct dst_entry * (*check)(struct dst_entry *, __u32);
+unsigned int (*default_advmss)(const struct dst_entry *);
+unsigned int (*mtu)(const struct dst_entry *);
+...
+
+struct dst_ops___2 {
+short unsigned int family;
+unsigned int gc_thresh;
+int (*gc)(struct dst_ops___2 *);
+struct dst_entry___2 * (*check)(struct dst_entry___2 *, __u32);
+void (*default_advmss)(const struct dst_entry___2 *);
+void (*mtu)(const struct dst_entry___2 *);
+...
+
+This was seen with
+
+bcc648a10cbc ("btf_encoder: Encode DW_TAG_unspecified_type returning routines 
as void")
+
+...which rewrites the return value as 0 (void) when it is marked
+as matching DW_TAG_unspecified_type:
+
+static int32_t btf_encoder__tag_type(struct btf_encoder *encoder, uint32_t 
type_id_off, uint32_t tag_type)
+{
+   if (tag_type == 0)
+   return 0;
+
+   if (encoder->cu->unspecified_type.tag && tag_type == 
encoder->cu->unspecified_type.type) {
+   // No provision for encoding this, turn it into void.
+   return 0;
+   }
+
+   return type_id_off + tag_type;
+}
+
+However the odd thing was that on further examination, the unspecified type
+was not being set, so why was this logic being tripped?  Futher debugging
+showed that the 
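
The failure mode named in the [ Risks ] section, as an added example that is not part of the original message or of pahole: a struct that is allocated but not zeroed makes the quoted `btf_encoder__tag_type()` check turn a real return type into void. The structures are cut-down hypothetical stand-ins, `cu_new`, `encoded_return_type`, `dedup_possible` and the ids 7 and 100 are assumptions, and the stale chunk contents are constructed with `memcpy` so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DW_TAG_unspecified_type 0x3b
#define UNSIGNED_INT_ID 7u   /* constructed type id standing for "unsigned int" */
#define TYPE_ID_OFF 100u     /* constructed per-CU type id offset */

/* Hypothetical, reduced versions of the structures named in the patch text;
 * only the fields that the check reads are modelled. */
struct tag_ref { uint16_t tag; uint32_t type; };
struct cu { const char *name; struct tag_ref unspecified_type; };
struct btf_encoder { struct cu *cu; };

/* Same logic as the btf_encoder__tag_type() excerpt in the patch description. */
static int32_t tag_type(const struct btf_encoder *enc, uint32_t type_id_off,
                        uint32_t type)
{
    if (type == 0)
        return 0;
    if (enc->cu->unspecified_type.tag && type == enc->cu->unspecified_type.type)
        return 0;               /* encoded as void */
    return (int32_t)(type_id_off + type);
}

/* Stand-in constructor. `chunk` simulates what the heap chunk held before it
 * was handed out; real malloc() makes no promise about those bytes.
 * zero_init = 0 models the code before the fix, 1 the zero-initializing fix. */
static struct cu *cu_new(const char *name, const struct cu *chunk, int zero_init)
{
    struct cu *cu = malloc(sizeof(*cu));

    if (cu == NULL)
        return NULL;
    memcpy(cu, chunk, sizeof(*cu));     /* leftover bytes from a previous owner */
    if (zero_init)
        memset(cu, 0, sizeof(*cu));
    cu->name = name;                    /* unspecified_type is never assigned */
    return cu;
}

/* Encode the return type of a function returning "unsigned int".
 * recycled = 1 places stale, non-zero data where unspecified_type will live. */
int32_t encoded_return_type(int recycled, int zero_init)
{
    struct cu chunk;
    struct btf_encoder enc;
    int32_t id;

    memset(&chunk, 0, sizeof(chunk));
    if (recycled) {
        chunk.unspecified_type.tag = DW_TAG_unspecified_type;
        chunk.unspecified_type.type = UNSIGNED_INT_ID;
    }
    enc.cu = cu_new("module.c", &chunk, zero_init);
    if (enc.cu == NULL)
        return -1;
    id = tag_type(&enc, TYPE_ID_OFF, UNSIGNED_INT_ID);
    free(enc.cu);
    return id;
}

/* Two compilation units describe the same prototype. Deduplication needs both
 * to produce the same encoding, whatever the heap happened to contain. */
int dedup_possible(int zero_init)
{
    return encoded_return_type(0, zero_init) == encoded_return_type(1, zero_init);
}

int main(void)
{
    printf("before fix: clean=%d recycled=%d dedup=%d\n",
           (int)encoded_return_type(0, 0), (int)encoded_return_type(1, 0),
           dedup_possible(0));
    printf("after fix:  clean=%d recycled=%d dedup=%d\n",
           (int)encoded_return_type(0, 1), (int)encoded_return_type(1, 1),
           dedup_possible(1));
    return 0;
}
```

Because the pre-fix outcome depends on whatever the allocator returns, the same source can encode differently from build to build, which is the reproducibility point raised in the thread.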

Processed: [pre-approval] unblock: dwarves/1.24-4.1

2023-05-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:dwarves
Bug #1035398 [release.debian.org] [pre-approval] unblock: dwarves/1.24-4.1
Added indication that 1035398 affects src:dwarves

-- 
1035398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035398
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 1035316 to unblock: firmware-nonfree/20230210-5

2023-05-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 1035316 unblock: firmware-nonfree/20230210-5
Bug #1035316 [release.debian.org] [pre-approval request] unblock: 
firmware-nonfree/20230210-5
Changed Bug title to 'unblock: firmware-nonfree/20230210-5' from '[pre-approval 
request] unblock: firmware-nonfree/20230210-5'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1035316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1033953: unblock: gimp-help/2.10.34-1

2023-05-02 Thread Jordi Mallach
Hi again,

On Mon, 01 May 2023 at 20:40 +0200, Jordi Mallach wrote:
> Attached is the debdiff of what I uploaded to experimental (new
> translations need to go through NEW, if this ends up being
> acceptable,
> I'll try to get ftp-master to review it asap).

ftp-master already processed this package and it is now accepted to
experimental.

-- 
Jordi Mallach 
Debian Project



Bug#1035393: unblock: rust-env-logger-0.7/0.7.1-4

2023-05-02 Thread plugwash
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package rust-env-logger-0.7

A bug was raised regarding missing breaks/replaces in rust-env-logger-0.7,
analysis revealed that debcargo was setting breaks+replaces against a virtual
package, the breaks against the virtual package are considered by dpkg but the
replaces are not, leading to the potential for unpack failures during upgrade
from bullseye to bookworm.

This upload manually changes the breaks+replaces to point at the physical
package instead. How this should be handled automatically in debcargo is
under consideration, but a repack with the latest debcargo would probably not
be appropriate at this point in the release cycle anyway.

unblock rust-env-logger-0.7/0.7.1-4

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru rust-env-logger-0.7-0.7.1/debian/changelog 
rust-env-logger-0.7-0.7.1/debian/changelog
--- rust-env-logger-0.7-0.7.1/debian/changelog  2021-10-23 19:30:54.0 
+
+++ rust-env-logger-0.7-0.7.1/debian/changelog  2023-05-02 07:01:45.0 
+
@@ -1,3 +1,11 @@
+rust-env-logger-0.7 (0.7.1-4) unstable; urgency=medium
+
+  * Team upload.
+  * Declare breaks+replaces against physical package, rather than virtual one
+(Closes: #1034949)
+
+ -- Peter Michael Green   Tue, 02 May 2023 07:01:45 +
+
 rust-env-logger-0.7 (0.7.1-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru rust-env-logger-0.7-0.7.1/debian/control 
rust-env-logger-0.7-0.7.1/debian/control
--- rust-env-logger-0.7-0.7.1/debian/control2021-10-23 19:30:54.0 
+
+++ rust-env-logger-0.7-0.7.1/debian/control2023-05-02 07:01:07.0 
+
@@ -39,8 +39,8 @@
  librust-env-logger-dev (= ${binary:Version}),
  librust-env-logger-0-dev (= ${binary:Version}),
  librust-env-logger-0.7.1-dev (= ${binary:Version})
-Replaces: librust-env-logger-0.7.1-dev
-Breaks: librust-env-logger-0.7.1-dev
+Replaces: librust-env-logger-dev (<< 0.7.2)
+Breaks: librust-env-logger-dev (<< 0.7.2)
 Description: Logging implementation for `log` which is configured via an 
environment variable - Rust source code
  This package contains the source for the Rust env_logger crate, packaged by
  debcargo for use with cargo and dh-cargo.
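Review bot: the `(<< 0.7.2)` bound on the new Replaces/Breaks lines is not explained in the diff, and the context lines show this package itself Provides librust-env-logger-dev (= ${binary:Version}), which at 0.7.1-4 falls inside that range. Please confirm that the bound covers every version of the real librust-env-logger-dev shipped in bullseye and that no other co-installable package provides the name at a version below 0.7.2, and record the reasoning in the changelog since the rest of the file comes from debcargo.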


Bug#1035383: unblock (pre-approval): brial/1.2.11-2.1

2023-05-02 Thread plugwash
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

It was discovered about a month ago by Bastian Germann that python3-brial needs
python3-sage, and he added a dependency.

Unfortunately this left the package uninstallable on about half of release
architectures. Normally this would block migration to testing, but elbrus
forced the package in.

I filed a bug 1034443 with grave severity for this based on the following
understanding.

* An uninstallable package is unusable
* The "is this package unusable" criteria is applied to each binary package
  individually and for packages that are built separately for multiple
  architectures is applied on each architecture individually. Or to put it
  another way, my understanding is that the criteria is applied to each "deb"
  individually.

I don't think these are explicitly stated anywhere, but they are consistent
with my experience of how things are typically done in Debian. They are
consistent with the state of testing (other than python3-brial there are no
uninstallable arch-specific binary packages in testing) and they are consistent
with the rules britney normally enforces for testing migration.

Elbrus replied to my bug report, challenging why I had filed it as rc, I
explained my position and he seemed somewhat but not totally convinced.

I would like to ask for a release team ruling on this bug. If the release team agree
it is rc and should be fixed, I am happy to make an upload doing so. On the
other hand if the release team decide that it is not rc and should not be fixed
at this stage in the release process I'm happy to abide by that decision.

The debdiff for my proposed upload can be found at 
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=1034443;filename=brial.debdiff;msg=40

unblock brial/1.2.11-2.1



Processed: unblock: libapache2-mod-auth-openidc/2.4.12.3-2

2023-05-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:libapache2-mod-auth-openidc
Bug #1035377 [release.debian.org] unblock: 
libapache2-mod-auth-openidc/2.4.12.3-2
Added indication that 1035377 affects src:libapache2-mod-auth-openidc

-- 
1035377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035377
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035377: unblock: libapache2-mod-auth-openidc/2.4.12.3-2

2023-05-02 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc

Please unblock package libapache2-mod-auth-openidc

Fixes CVE-2023-28625 "segfault DoS when OIDCStripCookies is set".

[ Reason ]
Fixes #1033916 by fixing CVE-2023-28625.

[ Impact ]
The CVE with Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
would persist in the new stable release.

[ Tests ]
The patch has been verified by upstream and I have successfully
tested the new package version in our infrastructure.

[ Risks ]
The newly added patch changes just two lines by adding a
null pointer check. I don't see anything getting worse by
that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libapache2-mod-auth-openidc/2.4.12.3-2



Bug#1035376: unblock: nfs-ganesha/4.3-2

2023-05-02 Thread Christoph Martin
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: mar...@uni-mainz.de

Please unblock package nfs-ganesha

4.3-2 contains a fix for a RC bug which prevents smooth upgrade of
nfs-ganesha-ceph: #1034925.

[ Reason ]
Fixes RC bug #1034925.

[ Impact ]
includes breaks: and replaces: to make upgrade succeed.

[ Tests ]
Installation was successful

[ Risks ]
I don't see any risks.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock nfs-ganesha/4.3-2
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/47/075fa73da0e4bfba1008cb4a432c16795d1646.debug

Files in first .changes but not in second
-
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/c0/969f5415c2e585fa41915d3e0f593b0bd1677d.debug

Control files of package nfs-ganesha: lines which differ (wdiff format)
---
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-ceph: lines which differ (wdiff format)

{+Breaks: nfs-ganesha (<< 4.0-1)+}
Depends: libacl1 (>= 2.2.23), libc6 (>= 2.34), libcephfs2 (>= 16.2.6+ds), 
librados2 (>= [-16.2.10+ds),-] {+16.2.11+ds),+} liburcu8 (>= 0.13.0), 
nfs-ganesha (= [-4.3-1)-] {+4.3-2)+}
{+Replaces: nfs-ganesha (<< 4.0-1)+}
Version: [-4.3-1-] {+4.3-2+}
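Review bot: in the nfs-ganesha-ceph stanza the librados2 dependency moves from (>= 16.2.10+ds) to (>= 16.2.11+ds) alongside the new Breaks/Replaces, and the request does not mention it. Please state that this comes from the rebuild rather than from a source change, and say why (<< 4.0-1) is the right bound for the Breaks/Replaces on nfs-ganesha, i.e. which version moved the conflicting files.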

Control files of package nfs-ganesha-ceph-dbgsym: lines which differ (wdiff 
format)
---
Build-Ids: {+47075fa73da0e4bfba1008cb4a432c16795d1646+} 
9e0845a088c12df1b6e7bc74c10af58102f949ac 
[-c0969f5415c2e585fa41915d3e0f593b0bd1677d-] 
ceae296fe799f3feca7b7afd36e68cd64484192b
Depends: nfs-ganesha-ceph (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-dbgsym: lines which differ (wdiff format)
--
Depends: nfs-ganesha (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-doc: lines which differ (wdiff format)
---
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-gluster: lines which differ (wdiff format)
---
Depends: libacl1 (>= 2.2.23), libc6 (>= 2.34), libgfapi0 (>= 10.3), liburcu8 
(>= 0.13.0), nfs-ganesha (= [-4.3-1),-] {+4.3-2),+} libglusterfs0 (>= 6.0)
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-gluster-dbgsym: lines which differ (wdiff 
format)
--
Depends: nfs-ganesha-gluster (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-gpfs: lines which differ (wdiff format)

Depends: libc6 (>= 2.34), libdbus-1-3 (>= 1.9.14), liburcu8 (>= 0.13.0), 
nfs-ganesha (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-gpfs-dbgsym: lines which differ (wdiff 
format)
---
Depends: nfs-ganesha-gpfs (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-mem: lines which differ (wdiff format)
---
Depends: libc6 (>= 2.34), nfs-ganesha (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-mem-dbgsym: lines which differ (wdiff 
format)
--
Depends: nfs-ganesha-mem (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-mount-9p: lines which differ (wdiff format)

Depends: nfs-ganesha (>= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-nullfs: lines which differ (wdiff format)
--
Depends: libc6 (>= 2.4), nfs-ganesha (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package nfs-ganesha-nullfs-dbgsym: lines which differ (wdiff 
format)
-
Depends: nfs-ganesha-nullfs (= [-4.3-1)-] {+4.3-2)+}
Version: [-4.3-1-] {+4.3-2+}

Control files of package 

Bug#1034785: unblock: gummi/0.8.3-1

2023-05-02 Thread Martin Dosch

Dear all,

I prepared a version 0.8.3~really~0.8.1-1.1 which is 0.8.1 with the 
patch to fix the segfault. I am not sure regarding the version, so I ask 
here about it before uploading it to unstable if it's correct. 
Especially as lintian complains:



W: gummi source: changelog-file-missing-explicit-entry 0.8.1-1 -> 
0.8.3~really~0.8.1-1 (missing) -> 0.8.3~really~0.8.1-1.1 [debian/changelog:1]


I attach the changelog as well. Do you have any recommendations? 


Best regards,
Martin
gummi (0.8.3~really~0.8.1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply patch to fix typesetter parsing (Closes: #1012150)

 -- Martin Dosch   Tue, 02 May 2023 08:26:49 +

gummi (0.8.3-1) unstable; urgency=high

  * Team Upload
  * New upstream version 0.8.3 (Closes: #1030293, #1012150)

 -- Martin Dosch   Fri, 21 Apr 2023 05:15:00 +

gummi (0.8.1-1) unstable; urgency=medium

  * Team Upload
  * New upstream version 0.8.1 (Closes: #951634)
  * Add upstream/metadata
  * Add "Rules-Requires-Root:no"
  * Fix control with cme
  * Remove Redundanct Files-Excluded section
+it is not in the upstream anymore
  * Fix spellings
  * Add salsa-ci file (routine-update)

 -- Nilesh Patra   Wed, 25 Mar 2020 18:27:44 +

gummi (0.7.999-1) unstable; urgency=medium

  * New upstream release.
  * Remove all patches: applied upstream.
  * debian/control:
+ Bump Standards-Version to 4.4.1.
+ Build-depend on debhelper-compat = 12 instead of debhelper >= 11.
+ Adjust Build-dependencies for new upstream release. Among others,
  gummi was ported to GTK3 and now Build-Depends on gtksourceview3
  instead of gtksourceview2 (Closes: #885681).
+ Adjust binary description to match new upstream release.
  * Remove debian/compat, useless because of debhelper-compat.
  * Bump copyright years.
  * Run wrap-and-sort -a.

 -- Hugo Lefeuvre   Thu, 31 Oct 2019 09:43:51 +0100

gummi (0.6.6-5) unstable; urgency=high

  * Fix FTBFS again new libsyntex (Closes: #896566).
Ack Samuel Thibault for the patch !
  * Bump Standards-Version to 4.1.4.
  * Bump compat to 11. Update debhelper dependency accordingly.
  * Update Vcs-* fields (salsa migration).
  * Bump copyright years.
  * Bump debian/watch to version 4.
  * Remove unnecessary --parallel build option.
  * Remove trailing whitespaces from debian/changelog.

 -- Hugo Lefeuvre   Tue, 15 May 2018 21:38:45 -0400

gummi (0.6.6-4) unstable; urgency=medium

  * Upload to unstable.
  * Bump Standards-Version to 4.0.0.
  * Remove dependency on dh-autoreconf (useless because compat=10).
  * Remove --with autoreconf in debian/rules.

 -- Hugo Lefeuvre   Tue, 29 Aug 2017 11:50:27 +0200

gummi (0.6.6-3) experimental; urgency=low

  * debian/rules:
+ Enable parallel building (Closes: #820617).
+ Add hardening flags to the build options.
  * Bump compat level to 10, update debhelper dependency accordingly.
  * Bump copyright years in debian/copyright.

 -- Hugo Lefeuvre   Sat, 10 Jun 2017 11:28:49 +0200

gummi (0.6.6-2) unstable; urgency=low

  * New Maintainer (Closes: #816502).
  * debian/control:
+ Add Hugo Lefeuvre in the Uploaders field, remove Daniel Stender.
+ Bump Standards-Version to 3.9.8.
+ Use HTTPS protocol in the Vcs-Browser field.
+ Update Vcs-Git to use an encrypted transport protocol.
+ Run wrap-and-sort.
  * debian/copyright:
+ Add a copyright entry for Hugo Lefeuvre;
+ Update Format field to match DEP5 recommandations.

 -- Hugo Lefeuvre   Mon, 20 Jun 2016 21:29:41 +0200

gummi (0.6.6-1) unstable; urgency=medium

  * New upstream release (Closes: #812577).
  * deb/copyright:
+ installed Files-Excluded (stripping src/gummi, src/syncTeX).
+ expanded copyright spans.
  * Updated use-system-synctex.patch.
  * Dropped:
+ no-predictable-tmpfiles.patch (CVE-2015-7758 solved by upstream).
+ gummi.desktop.patch (applied upstream).
+ upgrade_datadir.patch (applied upstream).
+ add-missing-chooser-title.patch (originated from upstream).
+ libgthread-2.0_link.patch (applied upstream).
+ automake-subdirs.patch (applied upstream, src/Makefile.am).

 -- Daniel Stender   Wed, 27 Jan 2016 21:18:48 +0100

gummi (0.6.5-7) unstable; urgency=medium

  * Added add-missing-chooser-title.patch (Closes: #785605).
  * Added upgrade_datadir.patch (Closes: #808791).

 -- Daniel Stender   Mon, 28 Dec 2015 18:50:39 +0100

gummi (0.6.5-6) unstable; urgency=medium

  * Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).

 -- Daniel Stender   Sun, 29 Nov 2015 01:35:11 +0100

gummi (0.6.5-5) unstable; urgency=medium

  * deb/copyright:
+ changed "MIT" to "Expat".
+ put deb/* under the same license as upstream.
+ updated Source.
  * deb/gbp.conf: updated a section header (import-orig).
  * Dropped debian/menu because of CTTE #74573 (the binary ships a desktop
file).
  * Updated patch headers.

 -- Daniel Stender   Wed, 28 Oct 2015 22:10:44 +0100

gummi (0.6.5-4) unstable; 

Bug#1034691: nmu: why3_1.5.1-1+b1 frama-c_20220511-manganese-3-10

2023-05-02 Thread Stéphane Glondu

Dear Sebastian,

On 23/04/2023 at 11:36, Sebastian Ramacher wrote:

ocaml 4.13.1-4 causes the ABI to change for at least why3. Do you expect
that the ABI of other ocaml packages also changes? If so, we should
rebuild the ocaml world before the release to not get any surprises if an
ocaml package gets a stable update.


See also:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030785

The ABI of ocaml-compiler-libs changed (only on native architectures), 
with no visible changes in virtual packages, so anything using that is 
potentially broken. I (thought I) binNMUed all affected packages (there 
were a lot of them), but missed why3 for some reason.


IMHO, the cleanest way to fix the issue for sure is to change the OCaml 
ABI advertised in the virtual package name. But that means an amount of 
work similar to an OCaml transition. Do we really work this kind of move 
at this stage of the freeze? I don't think so.


A pretty good approximation to checking that everything is fine is to 
mass-rebuild everything (as Lucas Nussbaum does regularly), identify the 
(few, I expect) packages that FTBFS, and binNMU them (+ maybe some of 
their dependencies). I suspect why3 is special because it embeds modules 
provided by ocaml in a plugin (dh_ocaml's --nodefined-map is suspicious 
in this context) but this situation should be rare.



Cheers,

--
Stéphane



Bug#1035372: unblock: wbar/2.3.4-13

2023-05-02 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package wbar

[ Reason ]

There is currently a dpkg unpack error when wbar is upgraded from
Bullseye to Bookworm while the old wbar-config package is still
installed. (#1035001) wbar-config has been removed from Debian.
The error is caused by an old glade file, once needed by wbar-config
but now installed into wbar itself. That was not intentional. Since
the file is not needed, I have simply removed it from the package.

[ Impact ]

There will be a dpkg unpack error when upgrading wbar from Bullseye to
Bookworm.

[ Tests ]

I have confirmed that the glade file has been removed from wbar.

[ Risks ]

None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock wbar/2.3.4-13
diff -Nru wbar-2.3.4/debian/changelog wbar-2.3.4/debian/changelog
--- wbar-2.3.4/debian/changelog 2022-08-23 00:05:18.0 +0200
+++ wbar-2.3.4/debian/changelog 2023-04-27 15:44:41.0 +0200
@@ -1,3 +1,11 @@
+wbar (2.3.4-13) unstable; urgency=medium
+
+  * Do not install wbar.glade because it is not required and breaks wbar on
+upgrade from Bullseye to Bookworm (leftover from the wbar-config removal).
+Thanks to Helmut Grohne for the report. (Closes: #1035001)
+
+ -- Markus Koschany   Thu, 27 Apr 2023 15:44:41 +0200
+
 wbar (2.3.4-12) unstable; urgency=medium
 
   * Declare compliance with Debian Policy 4.6.1.
diff -Nru wbar-2.3.4/debian/rules wbar-2.3.4/debian/rules
--- wbar-2.3.4/debian/rules 2022-08-23 00:05:18.0 +0200
+++ wbar-2.3.4/debian/rules 2023-04-27 15:44:41.0 +0200
@@ -17,6 +17,7 @@
 override_dh_install:
$(RM) -r debian/wbar/etc/bash_completion.d
$(RM) debian/wbar/etc/wbar.d/wbar.desktop
+   $(RM) -r debian/wbar/usr/share/wbar/glade/
dh_install
 
 override_dh_missing:
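Review bot: the added line removes the whole debian/wbar/usr/share/wbar/glade/ directory with -r, while the changelog entry names only wbar.glade; anything else in that directory is dropped too, so either say so in the changelog or remove just the file. The removal also runs before dh_install, like the two lines above it, so it only holds if nothing installed by dh_install re-creates that path.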


Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

2023-05-02 Thread Yadd

On 4/29/23 16:00, Salvatore Bonaccorso wrote:

Control: severity 1032904 serious

Hi Yadd,

On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:

Control: tags -1 moreinfo

Hi Yadd,

On 15-03-2023 13:38, Yadd wrote:

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).


This doesn't look like a targeted fix, but rather seems to include much
more.

How about reverting and providing a fix only for that CVE please?


have you seen Paul's comment/question above? We have now a somehow
unfortunate situation that the CVE is fixed in unstable, and it is
fixed with the last point release as well in bullseye. But it is still
open in bookworm.

I will bump for this reason the severity of #1032904 to RC as it is a
regression on this regards.

Regards,
Salvatore


Hi,

extracting only CVE patch means:
 * keep some (unimportant) bugs in Bullseye
 * publish such version number:
   5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1



Bug#1035345: unblock: libbssolv-perl/0.17-4

2023-05-02 Thread Andrej Shadura
Hi,

On Tue, 2 May 2023, at 08:44, Sebastian Ramacher wrote:
>> I have not uploaded yet. Are other changes acceptable?
>
> Ah, good. The Standards-Version bump is additional noise, but is
> acceptable. Note though, that the change doesn't bump the version to
> 4.6.2 which is the latest version.

Indeed, I’ve dropped that change too and uploaded.
See the updated debdiff.

-- 
Cheers,
  Andrej

libbssolv-perl_0.17-4.debdiff
Description: Binary data


Processed: unblock: node-terser/5.16.5-2

2023-05-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:node-terser
Bug #1035368 [release.debian.org] unblock: node-terser/5.16.5-2
Added indication that 1035368 affects src:node-terser

-- 
1035368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035368
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035368: unblock: node-terser/5.16.5-2

2023-05-02 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-ter...@packages.debian.org
Control: affects -1 + src:node-terser

Please unblock package node-terser

[ Reason ]
node-terser has several bugs in its version 5.16.4:
 * #1034969: missing "Replaces" fields
 * Mutating options.format is unsafe when config is re-used
(https://github.com/terser/terser/issues/1341)
 * Transform functions shouldn't mutate AST arrays

[ Impact ]
 * RC bug: upgrade is broken
 * Transformation issues

[ Tests ]
New tests added, passed.

[ Risks ]
Low risk, the main changes have been in unstable for 2 months and didn't
generate any regressions.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-terser/5.16.5-2



Bug#1035345: unblock: libbssolv-perl/0.17-4

2023-05-02 Thread Sebastian Ramacher
On 2023-05-02 08:08:22 +0200, Andrej Shadura wrote:
> Hi,
> 
> On Tue, 2 May 2023, at 07:51, Sebastian Ramacher wrote:
> >> +  [ Debian Janitor ]
> >> +  * Bump debhelper from old 12 to 13.
> 
> > This change is no longer appropriate at this stage of the freeze. See
> > also https://release.debian.org/testing/FAQ.html. Please re-upload
> > without this change.
> 
> I have not uploaded yet. Are other changes acceptable?

Ah, good. The Standards-Version bump is additional noise, but is
acceptable. Note though, that the change doesn't bump the version to
4.6.2 which is the latest version.

Cheers
-- 
Sebastian Ramacher



Bug#1035345: unblock: libbssolv-perl/0.17-4

2023-05-02 Thread Andrej Shadura
Hi,

On Tue, 2 May 2023, at 07:51, Sebastian Ramacher wrote:
>> +  [ Debian Janitor ]
>> +  * Bump debhelper from old 12 to 13.

> This change is no longer appropriate at this stage of the freeze. See
> also https://release.debian.org/testing/FAQ.html. Please re-upload
> without this change.

I have not uploaded yet. Are other changes acceptable?

-- 
Cheers,
  Andrej



Re: Updated Debian 11: 11.7 released

2023-05-02 Thread Ghislaine Foltête
Hello,

please unsubscribe me from this list.

Thank you

- Original message -
From: "Ana Guerrero Lopez" 
To: debian-annou...@lists.debian.org
Sent: Monday 1 May 2023 22:46:41
Subject: Updated Debian 11: 11.7 released


The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.7 released                        pr...@debian.org
April 29th, 2023               https://www.debian.org/News/2023/20230429



The Debian project is pleased to announce the seventh update of its
stable distribution Debian 11 (codename "bullseye"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+------------------------+----------------------------------------+
| Package                | Reason                                 |
+------------------------+----------------------------------------+
| akregator [1]          | Fix validity checks, including fixing  |
|                        | deletion of feeds and folders          |
|                        |                                        |
| apache2 [2]            | Don't automatically enable apache2-    |
|                        | doc.conf; fix regressions in http2 and |
|                        | mod_rewrite introduced in 2.4.56       |
|                        |                                        |
| at-spi2-core [3]       | Set stop timeout to 5 seconds, so as   |
|                        | not to needlessly block system         |
|                        | shutdowns                              |
|                        |                                        |
| avahi [4]              | Fix local denial of service issue      |
|                        | [CVE-2021-3468]                        |
|                        |                                        |
| base-files [5]         | Update for the 11.7 point release      |
|                        |                                        |
| c-ares [6]             | Prevent stack overflow and denial of   |
|                        | service [CVE-2022-4904]                |
|                        |                                        |
| clamav [7]             | New upstream stable release; fix       |
|                        | possible remote code execution issue   |
|                        | in the HFS+ file parser [CVE-2023-     |
|                        | 20032], possible information leak in   |
|                        | the DMG file parser [CVE-2023-20052]   |
|                        |                                        |
| command-not-found [8]  | Add new non-free-firmware component,   |
|                        | fixing upgrades to bookworm            |
|                        |                                        |
| containerd [9]         | Fix denial of service issue [CVE-2023- |
|                        | 25153]; fix possible privilege         |
|                        | escalation via incorrect setup of      |
|                        | supplementary groups [CVE-2023-25173]  |
|                        |                                        |
| crun [10]              | Fix capability escalation issue due to |
|                        | containers being incorrectly started   |
|                        | with non-empty default permissions     |
|                        | [CVE-2022-27650]                       |
|                        |                                        |
| cwltool [11]           | Add missing dependency on python3-     |
|                        | distutils                              |
|                        |                                        |
| debian-archive-|